adding unauthenticated support for in-flight-req

hashicorp · hghaf099 · Dec 8, 2021 · Nov 3, 2021 · Nov 3, 2021 · Nov 3, 2021
commit 29c5f24bb2d2c3751931db1493a553d4105ec9f6
@@ -6,6 +6,7 @@ import (
 	"io"
 	"net"
 	"testing"
+
 )
 
 type testListenerConnFn func(net.Listener) (net.Conn, error)
@@ -66,3 +67,15 @@ func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn,
 		t.Fatalf("bad: %v", buf.String())
 	}
 }
+
+
+func TestProfilingUnauthenticatedInFlightAccess(t *testing.T) {
+
+	config, err := LoadConfigFile("./test-fixtures/profiling_unauth_in_flight_access.hcl")
+	if err != nil {
+		t.Fatalf("Error encountered when loading config %+v", err)
+	}
+	if !config.Listeners[0].Profiling.UnauthenticatedInFlightAccess {
+		t.Fatalf("failed to read UnauthenticatedInFlightAccess")
+	}
+}
diff --git a/command/server/test-fixtures/profiling_unauth_in_flight_access.hcl b/command/server/test-fixtures/profiling_unauth_in_flight_access.hcl
@@ -0,0 +1,9 @@
+storage "inmem" {}
+listener "tcp" {
+  address = "127.0.0.1:8200"
+  tls_disable = true
+  profiling {
+     unauthenticated_in_flight_request_access = true
+  }
+}
+disable_mlock = true
@@ -147,7 +147,6 @@ func Handler(props *vault.HandlerProperties) http.Handler {
 		mux.Handle("/v1/sys/leader", handleSysLeader(core))
 		mux.Handle("/v1/sys/health", handleSysHealth(core))
 		mux.Handle("/v1/sys/monitor", handleLogicalNoForward(core))
-		mux.Handle("/v1/sys/in-flight-req", handleLogicalNoForward(core))
 		mux.Handle("/v1/sys/generate-root/attempt", handleRequestForwarding(core,
 			handleAuditNonLogical(core, handleSysGenerateRootAttempt(core, vault.GenerateStandardRootTokenStrategy))))
 		mux.Handle("/v1/sys/generate-root/update", handleRequestForwarding(core,
@@ -198,6 +197,11 @@ func Handler(props *vault.HandlerProperties) http.Handler {
 			mux.Handle("/v1/sys/pprof/", handleLogicalNoForward(core))
 		}
 
+		if props.ListenerConfig != nil && props.ListenerConfig.Profiling.UnauthenticatedInFlightAccess {
+			mux.Handle("/v1/sys/in-flight-req", handleUnAuthenticatedInFlightRequest(core))
+		} else {
+			mux.Handle("/v1/sys/in-flight-req", handleLogicalNoForward(core))
+		}
 		additionalRoutes(mux, core)
 	}
 

@@ -5,12 +5,14 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"net/textproto"
 	"net/url"
 	"reflect"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -324,6 +326,80 @@ func TestHandler_InFlightRequest(t *testing.T) {
 	}
 }
 
+func TestHandler_InFlightRequestWithLoad(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	stop := make(chan string)
+
+	go func() {
+		i := 0
+		for {
+			select {
+			case <-stop:
+				return
+			default:
+				break
+			}
+			// WRITE
+			secResp := testHttpPut(t, token, addr+"/v1/secret/foo"+strconv.Itoa(i), map[string]interface{}{
+				"data": "bar",
+			})
+			testResponseStatus(t, secResp, 204)
+			i++
+		}
+	}()
+
+	timeout := time.After(10 * time.Second)
+
+	for {
+		select {
+		case <-timeout:
+			stop <- "done"
+			return
+		default:
+		}
+		req, err := http.NewRequest("GET", addr+"/v1/sys/in-flight-req", nil)
+		if err != nil {
+			t.Fatalf("err: %s", err)
+		}
+		req.Header.Set(consts.AuthHeaderName, token)
+
+		client := cleanhttp.DefaultClient()
+		resp, err := client.Do(req)
+		if err != nil {
+			t.Fatalf("err: %s", err)
+		}
+
+		if resp == nil {
+			t.Fatalf("nil response")
+		}
+
+		var actual map[string]interface{}
+		testResponseStatus(t, resp, 200)
+		testResponseBody(t, resp, &actual)
+
+		if actual == nil {
+			t.Fatalf("")
+		}
+		inFlightReqDataRaw, ok := actual["data"]
+		if !ok {
+			t.Fatalf("failed to read in-flight-request data")
+		}
+		inFlightReqData, ok := inFlightReqDataRaw.(map[string]interface{})
+		if !ok {
+			t.Fatalf("data assertion failed")
+		}
+		if inFlightReqData != nil || len(inFlightReqData) > 0 {
+			fmt.Println("found something", inFlightReqData)
+			stop <- "done"
+			return
+		}
+	}
+}
+
 // TestHandler_MissingToken tests the response / error code if a request comes
 // in with a missing client token. See
 // https://github.com/hashicorp/vault/issues/8377

diff --git a/http/sys_in_flight_reqeusts_test.go b/http/sys_in_flight_reqeusts_test.go
@@ -0,0 +1,46 @@
+package http
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/vault"
+)
+
+func TestInFlightRequest(t *testing.T) {
+	conf := &vault.CoreConfig{}
+	core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
+	ln, addr := TestServer(t, core)
+	TestServerAuth(t, addr, token)
+
+	// Default: Only authenticated access
+	resp := testHttpGet(t, "", addr+"/v1/sys/in-flight-req")
+	testResponseStatus(t, resp, 400)
+	resp = testHttpGet(t, token, addr+"/v1/sys/in-flight-req")
+	testResponseStatus(t, resp, 200)
+
+	// Close listener
+	ln.Close()
+
+	// Setup new custom listener with unauthenticated metrics access
+	ln, addr = TestListener(t)
+	props := &vault.HandlerProperties{
+		Core: core,
+		ListenerConfig: &configutil.Listener{
+			Profiling: configutil.ListenerProfiling{
+				UnauthenticatedInFlightAccess: true,
+			},
+		},
+	}
+	TestServerWithListenerAndProperties(t, ln, addr, core, props)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	// Test without token
+	resp = testHttpGet(t, "", addr+"/v1/sys/in-flight-req")
+	testResponseStatus(t, resp, 200)
+
+	// Should also work with token
+	resp = testHttpGet(t, token, addr+"/v1/sys/in-flight-req")
+	testResponseStatus(t, resp, 200)
+}
@@ -0,0 +1,45 @@
+package http
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/hashicorp/vault/vault"
+)
+
+func handleUnAuthenticatedInFlightRequest(core *vault.Core) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case "GET":
+		default:
+			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
+		}
+		now := time.Now()
+		currentInFlightReqMap := make(map[string]interface{})
+		syncMapRangeResult := true
+		core.RangeInFlightReqData(func(key, value interface{}) bool {
+			v, ok := value.(*vault.InFlightReqData)
+			if !ok {
+				syncMapRangeResult = false
+				return false
+			}
+			// don't report the request to the in-flight-req path
+			if v.ReqPath != "/v1/sys/in-flight-req" {
+				v.Duration = fmt.Sprintf("%v microseconds", now.Sub(v.StartTime).Microseconds())
+				currentInFlightReqMap[key.(string)] = v
+			}
+
+			return true
+		})
+
+		// TODO: should an error be returned here? and if so, what status code should be returned? 500 or 400?
+		if !syncMapRangeResult {
+			respondError(w, http.StatusInternalServerError, fmt.Errorf("failed to read recorded in-flight requests"))
+			return
+		}
+
+		respondOk(w, currentInFlightReqMap)
+	})
+}
@@ -24,9 +24,11 @@ type ListenerTelemetry struct {
 }
 
 type ListenerProfiling struct {
-	UnusedKeys                    UnusedKeyMap `hcl:",unusedKeyPositions"`
-	UnauthenticatedPProfAccess    bool         `hcl:"-"`
-	UnauthenticatedPProfAccessRaw interface{}  `hcl:"unauthenticated_pprof_access,alias:UnauthenticatedPProfAccessRaw"`
+	UnusedKeys                       UnusedKeyMap `hcl:",unusedKeyPositions"`
+	UnauthenticatedPProfAccess       bool         `hcl:"-"`
+	UnauthenticatedPProfAccessRaw    interface{}  `hcl:"unauthenticated_pprof_access,alias:UnauthenticatedPProfAccessRaw"`
+	UnauthenticatedInFlightAccess    bool         `hcl:"-"`
+	UnauthenticatedInFlightAccessRaw interface{}  `hcl:"unauthenticated_in_flight_request_access,alias:unauthenticatedInFlightAccessRaw"`
 }
 
 // Listener is the listener configuration for the server.
@@ -353,6 +355,11 @@ func ParseListeners(result *SharedConfig, list *ast.ObjectList) error {
 
 				l.Profiling.UnauthenticatedPProfAccessRaw = nil
 			}
+			if l.Profiling.UnauthenticatedInFlightAccessRaw != nil {
+				if l.Profiling.UnauthenticatedInFlightAccess, err = parseutil.ParseBool(l.Profiling.UnauthenticatedInFlightAccessRaw); err != nil {
+					return multierror.Prefix(fmt.Errorf("invalid value for profiling.unauthenticated_in_flight_request_access: %w", err), fmt.Sprintf("listeners.%d", i))
+				}
+			}
 		}
 
 		// CORS

@@ -2967,3 +2967,11 @@ func (c *Core) DeleteInFlightReqData(reqID string) error{
 	c.inFlightReqMap.Delete(reqID)
 	return nil
 }
+
+func (c *Core) RangeInFlightReqData(rangeFunc func(key, value interface{}) bool) error {
+	if c.inFlightReqMap == nil {
+		return fmt.Errorf("failed to range over in-flight request data. Map not initialized")
+	}
+	c.inFlightReqMap.Range(rangeFunc)
+	return nil
+}