sys/config: config state endpoint

command/server.go

@@ -662,6 +662,7 @@ func (c *ServerCommand) Run(args []string) int {
 	}
 
 	coreConfig := &vault.CoreConfig{
+		RawConfig:                 config,
 		Physical:                  backend,
 		RedirectAddr:              config.Storage.RedirectAddr,
 		HAPhysical:                nil,
@@ -966,7 +967,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
 		}
 		props["max_request_size"] = fmt.Sprintf("%d", maxRequestSize)
 
-		var maxRequestDuration time.Duration = vault.DefaultMaxRequestDuration
+		maxRequestDuration := vault.DefaultMaxRequestDuration
 		if valRaw, ok := lnConfig.Config["max_request_duration"]; ok {
 			val, err := parseutil.ParseDurationSecond(valRaw)
 			if err != nil {
@@ -1387,6 +1388,8 @@ CLUSTER_SYNTHESIS_COMPLETE:
 				goto RUNRELOADFUNCS
 			}
 
+			core.SetConfig(config)
+
 			if config.LogLevel != "" {
 				configLogLevel := strings.ToLower(strings.TrimSpace(config.LogLevel))
 				switch configLogLevel {

command/server/config.go

@@ -905,3 +905,120 @@ func parseTelemetry(result *Config, list *ast.ObjectList) error {
 
 	return nil
 }
+
+// Sanitized returns a copy of the config with all values that are considered
+// sensitive stripped. It also strips all raw values that are mainly
+// used for parsing.
+//
+// Specifically, the fields that this method strips are:
+// - Storage.Config
+// - HAStorage.Config
+// - Seals.Config
+// - Telemetry.CirconusAPIToken
+func (c *Config) Sanitized() *Config {
+	// Sanitize storage stanza
+	var sanitizedStorage *Storage
+	if c.Storage != nil {
+		sanitizedStorage = &Storage{
+			Type:              c.Storage.Type,
+			RedirectAddr:      c.Storage.RedirectAddr,
+			ClusterAddr:       c.Storage.ClusterAddr,
+			DisableClustering: c.Storage.DisableClustering,
+		}
+	}
+
+	// Sanitize HA storage stanza
+	var sanitizedHAStorage *Storage
+	if c.HAStorage != nil {
+		sanitizedHAStorage = &Storage{
+			Type:              c.HAStorage.Type,
+			RedirectAddr:      c.HAStorage.RedirectAddr,
+			ClusterAddr:       c.HAStorage.ClusterAddr,
+			DisableClustering: c.HAStorage.DisableClustering,
+		}
+	}
+
+	// Sanitize seals stanza
+	var sanitizedSeals []*Seal
+	if len(c.Seals) != 0 {
+		for _, s := range c.Seals {
+			cleanSeal := &Seal{
+				Type:     s.Type,
+				Disabled: s.Disabled,
+			}
+			sanitizedSeals = append(sanitizedSeals, cleanSeal)
+		}
+	}
+
+	// Sanitize telemetry stanza
+	var sanitizedTelemetry *Telemetry
+	if c.Telemetry != nil {
+		sanitizedTelemetry = &Telemetry{
+			StatsiteAddr:                       c.Telemetry.StatsiteAddr,
+			StatsdAddr:                         c.Telemetry.StatsdAddr,
+			DisableHostname:                    c.Telemetry.DisableHostname,
+			CirconusAPIToken:                   "",
+			CirconusAPIApp:                     c.Telemetry.CirconusAPIApp,
+			CirconusAPIURL:                     c.Telemetry.CirconusAPIURL,
+			CirconusSubmissionInterval:         c.Telemetry.CirconusSubmissionInterval,
+			CirconusCheckSubmissionURL:         c.Telemetry.CirconusCheckSubmissionURL,
+			CirconusCheckID:                    c.Telemetry.CirconusCheckID,
+			CirconusCheckForceMetricActivation: c.Telemetry.CirconusCheckForceMetricActivation,
+			CirconusCheckInstanceID:            c.Telemetry.CirconusCheckInstanceID,
+			CirconusCheckSearchTag:             c.Telemetry.CirconusCheckSearchTag,
+			CirconusCheckTags:                  c.Telemetry.CirconusCheckTags,
+			CirconusCheckDisplayName:           c.Telemetry.CirconusCheckDisplayName,
+			CirconusBrokerID:                   c.Telemetry.CirconusBrokerID,
+			CirconusBrokerSelectTag:            c.Telemetry.CirconusBrokerSelectTag,
+			DogStatsDAddr:                      c.Telemetry.DogStatsDAddr,
+			DogStatsDTags:                      c.Telemetry.DogStatsDTags,
+			PrometheusRetentionTime:            c.Telemetry.PrometheusRetentionTime,
+			PrometheusRetentionTimeRaw:         c.Telemetry.PrometheusRetentionTimeRaw,
+			StackdriverProjectID:               c.Telemetry.StackdriverProjectID,
+			StackdriverLocation:                c.Telemetry.StackdriverLocation,
+			StackdriverNamespace:               c.Telemetry.StackdriverNamespace,
+		}
+	}
+
+	return &Config{
+		Listeners: c.Listeners,
+		Storage:   sanitizedStorage,
+		HAStorage: sanitizedHAStorage,
+		Seals:     sanitizedSeals,
+
+		CacheSize:             c.CacheSize,
+		DisableCache:          c.DisableCache,
+		DisableMlock:          c.DisableMlock,
+		DisablePrintableCheck: c.DisablePrintableCheck,
+
+		EnableUI: c.EnableUI,
+
+		Telemetry: sanitizedTelemetry,
+
+		MaxLeaseTTL:     c.MaxLeaseTTL,
+		DefaultLeaseTTL: c.DefaultLeaseTTL,
+
+		DefaultMaxRequestDuration: c.DefaultMaxRequestDuration,
+
+		ClusterName:         c.ClusterName,
+		ClusterCipherSuites: c.ClusterCipherSuites,
+
+		PluginDirectory: c.PluginDirectory,
+
+		LogLevel:  c.LogLevel,
+		LogFormat: c.LogFormat,
+
+		PidFile:           c.PidFile,
+		EnableRawEndpoint: c.EnableRawEndpoint,
+
+		APIAddr:           c.APIAddr,
+		ClusterAddr:       c.ClusterAddr,
+		DisableClustering: c.DisableClustering,
+
+		DisablePerformanceStandby: c.DisablePerformanceStandby,
+
+		DisableSealWrap: c.DisableSealWrap,
+
+		DisableIndexing: c.DisableIndexing,
+	}
+}

command/server/config_test.go

@@ -349,6 +349,72 @@ func TestLoadConfigDir(t *testing.T) {
 	}
 }
 
+func TestConfig_Sanitized(t *testing.T) {
+	config, err := LoadConfigFile("./test-fixtures/config3.hcl")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	expected := &Config{
+		Listeners: []*Listener{
+			&Listener{
+				Type: "tcp",
+				Config: map[string]interface{}{
+					"address": "127.0.0.1:443",
+				},
+			},
+		},
+
+		Storage: &Storage{
+			Type:         "consul",
+			RedirectAddr: "top_level_api_addr",
+			ClusterAddr:  "top_level_cluster_addr",
+		},
+
+		HAStorage: &Storage{
+			Type:              "consul",
+			RedirectAddr:      "top_level_api_addr",
+			ClusterAddr:       "top_level_cluster_addr",
+			DisableClustering: true,
+		},
+
+		Telemetry: &Telemetry{
+			StatsdAddr:              "bar",
+			PrometheusRetentionTime: prometheusDefaultRetentionTime,
+		},
+
+		Seals: []*Seal{
+			{
+				Type:     "awskms",
+				Disabled: false,
+			},
+		},
+
+		DisableCache: true,
+		DisableMlock: true,
+		EnableUI:     true,
+
+		EnableRawEndpoint: true,
+
+		DisableSealWrap: true,
+
+		MaxLeaseTTL:     10 * time.Hour,
+		DefaultLeaseTTL: 10 * time.Hour,
+		ClusterName:     "testcluster",
+
+		PidFile: "./pidfile",
+
+		APIAddr:     "top_level_api_addr",
+		ClusterAddr: "top_level_cluster_addr",
+	}
+
+	sanitizedConfig := config.Sanitized()
+
+	if !reflect.DeepEqual(sanitizedConfig, expected) {
+		t.Fatalf("expected \n\n%#v\n\n to be \n\n%#v\n\n", sanitizedConfig, expected)
+	}
+}
+
 func TestParseListeners(t *testing.T) {
 	obj, _ := hcl.Parse(strings.TrimSpace(`
 listener "tcp" {

http/forwarding_test.go

@@ -582,3 +582,24 @@ func TestHTTP_Forwarding_HelpOperation(t *testing.T) {
 	testHelp(cores[0].Client)
 	testHelp(cores[1].Client)
 }
+
+func TestHTTP_Forwarding_LocalOnly(t *testing.T) {
+	cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
+		HandlerFunc: Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+	cores := cluster.Cores
+
+	vault.TestWaitActive(t, cores[0].Core)
+
+	testLocalOnly := func(client *api.Client) {
+		_, err := client.Logical().Read("sys/config/state/sanitized")
+		if err == nil {
+			t.Fatal("expected error")
+		}
+	}
+
+	testLocalOnly(cores[1].Client)
+	testLocalOnly(cores[2].Client)
+}

http/handler.go

@@ -514,14 +514,15 @@ func parseRequest(core *vault.Core, r *http.Request, w http.ResponseWriter, out
 // falling back on the older behavior of redirecting the client
 func handleRequestForwarding(core *vault.Core, handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ns, err := namespace.FromContext(r.Context())
+		if err != nil {
+			respondError(w, http.StatusBadRequest, err)
+			return
+		}
+		path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
+
 		// If we are a performance standby we can handle the request.
 		if core.PerfStandby() {
-			ns, err := namespace.FromContext(r.Context())
-			if err != nil {
-				respondError(w, http.StatusBadRequest, err)
-				return
-			}
-			path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
 			switch {
 			case !perfStandbyAlwaysForwardPaths.HasPath(path) && !alwaysRedirectPaths.HasPath(path):
 				handler.ServeHTTP(w, r)
@@ -559,6 +560,13 @@ func handleRequestForwarding(core *vault.Core, handler http.Handler) http.Handle
 			return
 		}
 
+		// These requests should always be served locally
+		switch {
+		case strings.HasPrefix(path, "sys/config/state/"):
+			respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
+			return
+		}
+
 		forwardRequest(core, w, r)
 		return
 	})

http/logical.go

@@ -277,6 +277,13 @@ func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool) http.H
 		// success.
 		resp, ok, needsForward := request(core, w, r, req)
 		if needsForward {
+			// Do not forward these specific requests since they are only
+			// applicable to the local node.
+			if strings.HasPrefix(req.Path, "sys/config/state/") {
+				respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
+				return
+			}
+
 			if origBody != nil {
 				r.Body = origBody
 			}

http/sys_config_state_test.go

@@ -0,0 +1,70 @@
+package http
+
+import (
+	"encoding/json"
+	"net/http"
+	"reflect"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/fatih/structs"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/vault"
+)
+
+func TestSysConfigState_Sanitized(t *testing.T) {
+	var resp *http.Response
+
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	resp = testHttpGet(t, token, addr+"/v1/sys/config/state/sanitized")
+	testResponseStatus(t, resp, 200)
+
+	var actual map[string]interface{}
+	var expected map[string]interface{}
+
+	expectedConfig := new(server.Config)
+	configResp := structs.New(expectedConfig.Sanitized()).Map()
+
+	var nilObject interface{}
+	// Do some surgery on the expected config to line up the
+	// types and string the raw fields.
+	for k, v := range configResp {
+		if strings.HasSuffix(k, "Raw") {
+			delete(configResp, k)
+			continue
+		}
+		switch v.(type) {
+		case int:
+			configResp[k] = json.Number(strconv.Itoa(v.(int)))
+		case time.Duration:
+			configResp[k] = json.Number(strconv.Itoa(int(v.(time.Duration))))
+		}
+	}
+	configResp["HAStorage"] = nilObject
+	configResp["Storage"] = nilObject
+	configResp["Telemetry"] = nilObject
+
+	expected = map[string]interface{}{
+		"lease_id":       "",
+		"renewable":      false,
+		"lease_duration": json.Number("0"),
+		"wrap_info":      nil,
+		"warnings":       nil,
+		"auth":           nil,
+		"data":           configResp,
+	}
+
+	testResponseBody(t, resp, &actual)
+	expected["request_id"] = actual["request_id"]
+
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad mismatch response body:\nexpected:\n%#v\nactual:\n%#v", expected, actual)
+	}
+
+}

vault/cluster.go

@@ -37,7 +37,8 @@ const (
 )
 
 var (
-	ErrCannotForward = errors.New("cannot forward request; no connection or address not known")
+	ErrCannotForward          = errors.New("cannot forward request; no connection or address not known")
+	ErrCannotForwardLocalOnly = errors.New("cannot forward local-only request")
 )
 
 type ClusterLeaderParams struct {