From b793dd277a9aba9aaa380fd6c9d46320a47ba2e5 Mon Sep 17 00:00:00 2001
From: Ian Ferguson
Date: Thu, 10 Sep 2020 12:23:47 -0400
Subject: [PATCH] Include X-Vault-Request header on all requests
---
 src/main/java/io/ianferguson/vault/Vault.java | 1 +
 src/main/java/io/ianferguson/vault/api/Auth.java | 15 +++++++++++++++
 src/main/java/io/ianferguson/vault/api/Debug.java | 1 +
 .../java/io/ianferguson/vault/api/Leases.java | 4 ++++
 .../java/io/ianferguson/vault/api/Logical.java | 8 ++++++++
 src/main/java/io/ianferguson/vault/api/Seal.java | 3 +++
 .../ianferguson/vault/api/database/Database.java | 5 +++++
 .../java/io/ianferguson/vault/api/pki/Pki.java | 5 +++++
 8 files changed, 42 insertions(+)
diff --git a/src/main/java/io/ianferguson/vault/Vault.java b/src/main/java/io/ianferguson/vault/Vault.java
index 6ad81a93..be6019d8 100644
--- a/src/main/java/io/ianferguson/vault/Vault.java
+++ b/src/main/java/io/ianferguson/vault/Vault.java
@@ -255,6 +255,7 @@ private Map collectSecretEngineVersions() {
 .url(vaultConfig.getAddress() + "/v1/sys/mounts")
 .header("X-Vault-Token", vaultConfig.getToken())
 .header("X-Vault-Namespace", this.vaultConfig.getNameSpace())
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(vaultConfig.getOpenTimeout())
 .readTimeoutSeconds(vaultConfig.getReadTimeout())
 .sslVerification(vaultConfig.getSslConfig().isVerify())
diff --git a/src/main/java/io/ianferguson/vault/api/Auth.java b/src/main/java/io/ianferguson/vault/api/Auth.java
index bb2250b8..b3f724e0 100644
--- a/src/main/java/io/ianferguson/vault/api/Auth.java
+++ b/src/main/java/io/ianferguson/vault/api/Auth.java
@@ -345,6 +345,7 @@ public AuthResponse createToken(final TokenRequest tokenRequest, final String to
 .url(url)
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
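Review bot: The literal `.header("X-Vault-Request", "true")` is pasted into each builder chain, here in `collectSecretEngineVersions` and again in the other 41 hunks of this patch (Auth, Debug, Leases, Logical, Seal, Database, Pki), so a `Rest` call site added later, or one this patch did not reach, goes out without it and nothing flags the omission. Prefer one shared constant, or let the request builder add the header itself if `Rest` (not visible here) permits, documented with a comment such as `// Marks a deliberate Vault API call; Vault Agent listeners with require_request_header reject requests without it (SSRF hardening)`. The header only has an effect where the receiving listener enforces it, which is worth stating in that comment or the README. The patch touches only `src/main`, so no test pins that the header is actually sent. The enclosing methods start and end outside the hunks.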
@@ -413,6 +414,7 @@ public AuthResponse loginByAppID(final String path, final String appId, final St
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/auth/" + path)
 .optionalHeader("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -509,6 +511,7 @@ public AuthResponse loginByAppRole(final String path, final String roleId, final
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/auth/" + path + "/login")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -594,6 +597,7 @@ public AuthResponse loginByUserPass(final String username, final String password
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/auth/" + mount + "/login/" + username)
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -719,6 +723,7 @@ public AuthResponse loginByAwsEc2(final String role, final String identity, fina
 .url(config.getAddress() + "/v1/auth/" + mount + "/login")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -796,6 +801,7 @@ public AuthResponse loginByAwsEc2(final String role, final String pkcs7, final S
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/auth/" + mount + "/login")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -877,6 +883,7 @@ public AuthResponse loginByAwsIam(final String role, final String iamRequestUrl,
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/auth/" + mount + "/login")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -964,6 +971,7 @@ public AuthResponse loginByGithub(final String githubToken, final String githubA
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/auth/" + mount + "/login")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -1030,6 +1038,7 @@ public AuthResponse loginByJwt(final String provider, final String role, final S
 final RestResponse restResponse = new Rest()
 .url(config.getAddress() + "/v1/auth/" + provider + "/login")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -1172,6 +1181,7 @@ public AuthResponse loginByCert(final String certAuthMount) throws VaultExceptio
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/auth/" + mount + "/login")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -1255,6 +1265,7 @@ public AuthResponse renewSelf(final long increment, final String tokenAuthMount)
 .url(config.getAddress() + "/v1/auth/" + mount + "/renew-self")
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(increment < 0 ? null : requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -1320,6 +1331,7 @@ public LookupResponse lookupSelf(final String tokenAuthMount) throws VaultExcept
 .url(config.getAddress() + "/v1/auth/" + mount + "/lookup-self")
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -1384,6 +1396,7 @@ public LogicalResponse lookupWrap() throws VaultException {
 .url(config.getAddress() + "/v1/sys/wrapping/lookup")
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -1446,6 +1459,7 @@ public void revokeSelf(final String tokenAuthMount) throws VaultException {
 .url(config.getAddress() + "/v1/auth/" + mount + "/revoke-self")
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -1549,6 +1563,7 @@ public AuthResponse unwrap(final String wrappedToken) throws VaultException {
 .url(url)
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
diff --git a/src/main/java/io/ianferguson/vault/api/Debug.java b/src/main/java/io/ianferguson/vault/api/Debug.java
index c7c8afdc..b9b209de 100644
--- a/src/main/java/io/ianferguson/vault/api/Debug.java
+++ b/src/main/java/io/ianferguson/vault/api/Debug.java
@@ -91,6 +91,7 @@ public HealthResponse health(
 .url(config.getAddress() + "/v1/" + path)
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
diff --git a/src/main/java/io/ianferguson/vault/api/Leases.java b/src/main/java/io/ianferguson/vault/api/Leases.java
index 97249f30..91c8893f 100644
--- a/src/main/java/io/ianferguson/vault/api/Leases.java
+++ b/src/main/java/io/ianferguson/vault/api/Leases.java
@@ -62,6 +62,7 @@ public VaultResponse revoke(final String leaseId) throws VaultException {
 .url(config.getAddress() + "/v1/sys/leases/revoke/" + leaseId)
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -117,6 +118,7 @@ public VaultResponse revokePrefix(final String prefix) throws VaultException {
 .url(config.getAddress() + "/v1/sys/revoke-prefix/" + prefix)
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -175,6 +177,7 @@ public VaultResponse revokeForce(final String prefix) throws VaultException {
 .url(config.getAddress() + "/v1/sys/revoke-force/" + prefix)
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -238,6 +241,7 @@ public VaultResponse renew(final String leaseId, final long increment) throws Va
 .url(config.getAddress() + "/v1/sys/renew/" + leaseId)
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(increment < 0 ? null : requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
diff --git a/src/main/java/io/ianferguson/vault/api/Logical.java b/src/main/java/io/ianferguson/vault/api/Logical.java
index a00ad27a..198bf1b6 100644
--- a/src/main/java/io/ianferguson/vault/api/Logical.java
+++ b/src/main/java/io/ianferguson/vault/api/Logical.java
@@ -87,6 +87,7 @@ private LogicalResponse read(final String path, Boolean shouldRetry, final logic
 .url(config.getAddress() + "/v1/" + adjustPathForReadOrWrite(path, config.getPrefixPathDepth(), operation))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -155,6 +156,7 @@ public LogicalResponse read(final String path, Boolean shouldRetry, final Intege
 .url(config.getAddress() + "/v1/" + adjustPathForReadOrWrite(path, config.getPrefixPathDepth(), logicalOperations.readV2))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .parameter("version", version.toString())
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -257,6 +259,7 @@ private LogicalResponse write(final String path, final Map nameV
 .body(jsonObjectToWriteFromEngineVersion(operation, requestJson).toString().getBytes(StandardCharsets.UTF_8))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -348,6 +351,7 @@ private LogicalResponse delete(final String path, final Logical.logicalOperation
 .url(config.getAddress() + "/v1/" + adjustPathForDelete(path, config.getPrefixPathDepth(), operation))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -408,6 +412,7 @@ public LogicalResponse delete(final String path, final int[] versions) throws Va
 .url(config.getAddress() + "/v1/" + adjustPathForVersionDelete(path,config.getPrefixPathDepth()))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -479,6 +484,7 @@ public LogicalResponse unDelete(final String path, final int[] versions) throws
 .url(config.getAddress() + "/v1/" + adjustPathForVersionUnDelete(path,config.getPrefixPathDepth()))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -538,6 +544,7 @@ public LogicalResponse destroy(final String path, final int[] versions) throws V
 .url(config.getAddress() + "/v1/" + adjustPathForVersionDestroy(path,config.getPrefixPathDepth()))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -589,6 +596,7 @@ public LogicalResponse upgrade(final String kvPath) throws VaultException {
 .url(config.getAddress() + "/v1/sys/mounts/" + (kvPath.replaceAll("/", "") + "/tune"))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
diff --git a/src/main/java/io/ianferguson/vault/api/Seal.java b/src/main/java/io/ianferguson/vault/api/Seal.java
index 80f4d977..950bd931 100644
--- a/src/main/java/io/ianferguson/vault/api/Seal.java
+++ b/src/main/java/io/ianferguson/vault/api/Seal.java
@@ -48,6 +48,7 @@ public void seal() throws VaultException {
 .url(config.getAddress() + "/v1/sys/seal")
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -108,6 +109,7 @@ public SealResponse unseal(final String key, final Boolean reset) throws VaultEx
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/sys/unseal")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -151,6 +153,7 @@ public SealResponse sealStatus() throws VaultException {
 final RestResponse restResponse = new Rest()//NOPMD
 .url(config.getAddress() + "/v1/sys/seal-status")
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
diff --git a/src/main/java/io/ianferguson/vault/api/database/Database.java b/src/main/java/io/ianferguson/vault/api/database/Database.java
index 3442c38c..f2c8f660 100644
--- a/src/main/java/io/ianferguson/vault/api/database/Database.java
+++ b/src/main/java/io/ianferguson/vault/api/database/Database.java
@@ -86,6 +86,7 @@ public DatabaseResponse createOrUpdateRole(final String roleName, final Database
 .url(String.format("%s/v1/%s/roles/%s", config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -148,6 +149,7 @@ public DatabaseResponse getRole(final String roleName) throws VaultException {
 .url(String.format("%s/v1/%s/roles/%s", config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -215,6 +217,7 @@ public DatabaseResponse revoke(final String serialNumber) throws VaultException
 .url(String.format("%s/v1/%s/revoke", config.getAddress(), this.mountPath))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
@@ -277,6 +280,7 @@ public DatabaseResponse deleteRole(final String roleName) throws VaultException
 .url(String.format("%s/v1/%s/roles/%s", config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -337,6 +341,7 @@ public DatabaseResponse creds(final String roleName) throws VaultException {
 .url(String.format("%s/v1/%s/creds/%s", config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
diff --git a/src/main/java/io/ianferguson/vault/api/pki/Pki.java b/src/main/java/io/ianferguson/vault/api/pki/Pki.java
index d71b6df9..b3dd0b11 100644
--- a/src/main/java/io/ianferguson/vault/api/pki/Pki.java
+++ b/src/main/java/io/ianferguson/vault/api/pki/Pki.java
@@ -115,6 +115,7 @@ public PkiResponse createOrUpdateRole(final String roleName, final RoleOptions o
 .url(String.format("%s/v1/%s/roles/%s", config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
@@ -177,6 +178,7 @@ public PkiResponse getRole(final String roleName) throws VaultException {
 .url(String.format("%s/v1/%s/roles/%s", config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -244,6 +246,7 @@ public PkiResponse revoke(final String serialNumber) throws VaultException {
 .url(String.format("%s/v1/%s/revoke", config.getAddress(), this.mountPath))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
@@ -306,6 +309,7 @@ public PkiResponse deleteRole(final String roleName) throws VaultException {
 .url(String.format("%s/v1/%s/roles/%s", config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())
 .sslVerification(config.getSslConfig().isVerify())
@@ -462,6 +466,7 @@ public PkiResponse issue(
 .url(String.format(endpoint, config.getAddress(), this.mountPath, roleName))
 .header("X-Vault-Token", config.getToken())
 .header("X-Vault-Namespace", this.nameSpace)
+ .header("X-Vault-Request", "true")
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
 .readTimeoutSeconds(config.getReadTimeout())