deb.open-vault/vault/logical_system_user_lockout.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package vault

import (
	"context"
	"fmt"
	"sort"
	"strings"

	"github.com/hashicorp/vault/helper/namespace"
)

type LockedUsersResponse struct {
	NamespaceID    string                    `json:"namespace_id" mapstructure:"namespace_id"`
	NamespacePath  string                    `json:"namespace_path" mapstructure:"namespace_path"`
	Counts         int                       `json:"counts" mapstructure:"counts"`
	MountAccessors []*ResponseMountAccessors `json:"mount_accessors" mapstructure:"mount_accessors"`
}

type ResponseMountAccessors struct {
	MountAccessor    string   `json:"mount_accessor" mapstructure:"mount_accessor"`
	Counts           int      `json:"counts" mapstructure:"counts"`
	AliasIdentifiers []string `json:"alias_identifiers" mapstructure:"alias_identifiers"`
}

// unlockUser deletes the entry for locked user from storage and userFailedLoginInfo map
func unlockUser(ctx context.Context, core *Core, mountAccessor string, aliasName string) error {
	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return err
	}

	lockedUserStoragePath := coreLockedUsersPath + ns.ID + "/" + mountAccessor + "/" + aliasName

	// remove entry for locked user from storage
	// if read only error, the error is handled by handleError in logical_system.go
	// this will be forwarded to the active node
	if err := core.barrier.Delete(ctx, lockedUserStoragePath); err != nil {
		return err
	}

	loginUserInfoKey := FailedLoginUser{
		aliasName:     aliasName,
		mountAccessor: mountAccessor,
	}

	// remove entry for locked user from userFailedLoginInfo map and storage
	if err := updateUserFailedLoginInfo(ctx, core, loginUserInfoKey, nil, true); err != nil {
		return err
	}

	return nil
}

// handleLockedUsersQuery reports the locked user metrics by namespace in the decreasing order
// of locked users
func (b *SystemBackend) handleLockedUsersQuery(ctx context.Context, mountAccessor string) (map[string]interface{}, error) {
	// Calculate the namespace response breakdowns of locked users for query namespace and child namespaces (if needed)
	totalCount, byNamespaceResponse, err := b.getLockedUsersResponses(ctx, mountAccessor)
	if err != nil {
		return nil, err
	}

	// Now populate the response based on breakdowns.
	responseData := make(map[string]interface{})
	responseData["by_namespace"] = byNamespaceResponse
	responseData["total"] = totalCount
	return responseData, nil
}

// getLockedUsersResponses returns the locked users
// for a particular mount_accessor if provided in request
// else returns it for the current namespace and all the child namespaces that has locked users
// they are sorted in the decreasing order of locked users count
func (b *SystemBackend) getLockedUsersResponses(ctx context.Context, mountAccessor string) (int, []*LockedUsersResponse, error) {
	lockedUsersResponse := make([]*LockedUsersResponse, 0)
	totalCounts := 0

	queryNS, err := namespace.FromContext(ctx)
	if err != nil {
		return 0, nil, err
	}

	if mountAccessor != "" {
		// get the locked user response for mount_accessor, here for mount_accessor in request
		totalCountForNSID, mountAccessorsResponse, err := b.getMountAccessorsLockedUsers(ctx, []string{mountAccessor + "/"},
			coreLockedUsersPath+queryNS.ID+"/")
		if err != nil {
			return 0, nil, err
		}

		totalCounts += totalCountForNSID
		lockedUsersResponse = append(lockedUsersResponse, &LockedUsersResponse{
			NamespaceID:    queryNS.ID,
			NamespacePath:  queryNS.Path,
			Counts:         totalCountForNSID,
			MountAccessors: mountAccessorsResponse,
		})
		return totalCounts, lockedUsersResponse, nil
	}

	// no mount_accessor is provided in request, get information for current namespace and its child namespaces

	// get all the namespaces of locked users
	nsIDs, err := b.Core.barrier.List(ctx, coreLockedUsersPath)
	if err != nil {
		return 0, nil, err
	}

	// identify if the namespaces must be included in response and get counts
	for _, nsID := range nsIDs {
		nsID = strings.TrimSuffix(nsID, "/")
		ns, err := NamespaceByID(ctx, nsID, b.Core)
		if err != nil {
			return 0, nil, err
		}

		if b.includeNSInLockedUsersResponse(queryNS, ns) {
			var displayPath string
			if ns == nil {
				// deleted namespace
				displayPath = fmt.Sprintf("deleted namespace %q", nsID)
			} else {
				displayPath = ns.Path
			}

			// get mount accessors of locked users for this namespace
			mountAccessors, err := b.Core.barrier.List(ctx, coreLockedUsersPath+nsID+"/")
			if err != nil {
				return 0, nil, err
			}

			// get the locked user response for mount_accessor list
			totalCountForNSID, mountAccessorsResponse, err := b.getMountAccessorsLockedUsers(ctx, mountAccessors, coreLockedUsersPath+nsID+"/")
			if err != nil {
				return 0, nil, err
			}

			totalCounts += totalCountForNSID
			lockedUsersResponse = append(lockedUsersResponse, &LockedUsersResponse{
				NamespaceID:    strings.TrimSuffix(nsID, "/"),
				NamespacePath:  displayPath,
				Counts:         totalCountForNSID,
				MountAccessors: mountAccessorsResponse,
			})

		}
	}

	// sort namespaces in response by decreasing order of counts
	sort.Slice(lockedUsersResponse, func(i, j int) bool {
		return lockedUsersResponse[i].Counts > lockedUsersResponse[j].Counts
	})

	return totalCounts, lockedUsersResponse, nil
}

// getMountAccessorsLockedUsers returns the locked users for all the mount_accessors of locked users for a namespace
// they are sorted in the decreasing order of locked users
// returns the total locked users for the namespace and  locked users response for every mount_accessor for a namespace that has locked users
func (b *SystemBackend) getMountAccessorsLockedUsers(ctx context.Context, mountAccessors []string, lockedUsersPath string) (int, []*ResponseMountAccessors, error) {
	byMountAccessorsResponse := make([]*ResponseMountAccessors, 0)
	totalCountForMountAccessors := 0

	for _, mountAccessor := range mountAccessors {
		// get the list of aliases of locked users for a mount accessor
		aliasIdentifiers, err := b.Core.barrier.List(ctx, lockedUsersPath+mountAccessor)
		if err != nil {
			return 0, nil, err
		}

		totalCountForMountAccessors += len(aliasIdentifiers)
		byMountAccessorsResponse = append(byMountAccessorsResponse, &ResponseMountAccessors{
			MountAccessor:    strings.TrimSuffix(mountAccessor, "/"),
			Counts:           len(aliasIdentifiers),
			AliasIdentifiers: aliasIdentifiers,
		})

	}

	// sort mount Accessors in response by decreasing order of counts
	sort.Slice(byMountAccessorsResponse, func(i, j int) bool {
		return byMountAccessorsResponse[i].Counts > byMountAccessorsResponse[j].Counts
	})

	return totalCountForMountAccessors, byMountAccessorsResponse, nil
}

// includeNSInLockedUsersResponse checks if the namespace is the child namespace of namespace in query
// if child namespace, it can be included in response
// locked users from deleted namespaces are listed under root namespace
func (b *SystemBackend) includeNSInLockedUsersResponse(query *namespace.Namespace, record *namespace.Namespace) bool {
	if record == nil {
		// Deleted namespace, only include in root queries
		return query.ID == namespace.RootNamespaceID
	}
	return record.HasParent(query)
}
New upstream version 1.14.8 2024-04-20 12:23:50 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

			`package vault`

			`import (`
			`"context"`
			`"fmt"`
			`"sort"`
			`"strings"`

			`"github.com/hashicorp/vault/helper/namespace"`
			`)`

			`type LockedUsersResponse struct {`
			NamespaceID string `json:"namespace_id" mapstructure:"namespace_id"`
			NamespacePath string `json:"namespace_path" mapstructure:"namespace_path"`
			Counts int `json:"counts" mapstructure:"counts"`
			MountAccessors []*ResponseMountAccessors `json:"mount_accessors" mapstructure:"mount_accessors"`
			`}`

			`type ResponseMountAccessors struct {`
			MountAccessor string `json:"mount_accessor" mapstructure:"mount_accessor"`
			Counts int `json:"counts" mapstructure:"counts"`
			AliasIdentifiers []string `json:"alias_identifiers" mapstructure:"alias_identifiers"`
			`}`

			`// unlockUser deletes the entry for locked user from storage and userFailedLoginInfo map`
			`func unlockUser(ctx context.Context, core *Core, mountAccessor string, aliasName string) error {`
			`ns, err := namespace.FromContext(ctx)`
			`if err != nil {`
			`return err`
			`}`

			`lockedUserStoragePath := coreLockedUsersPath + ns.ID + "/" + mountAccessor + "/" + aliasName`

			`// remove entry for locked user from storage`
			`// if read only error, the error is handled by handleError in logical_system.go`
			`// this will be forwarded to the active node`
			`if err := core.barrier.Delete(ctx, lockedUserStoragePath); err != nil {`
			`return err`
			`}`

			`loginUserInfoKey := FailedLoginUser{`
			`aliasName: aliasName,`
			`mountAccessor: mountAccessor,`
			`}`

			`// remove entry for locked user from userFailedLoginInfo map and storage`
			`if err := updateUserFailedLoginInfo(ctx, core, loginUserInfoKey, nil, true); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`// handleLockedUsersQuery reports the locked user metrics by namespace in the decreasing order`
			`// of locked users`
			`func (b *SystemBackend) handleLockedUsersQuery(ctx context.Context, mountAccessor string) (map[string]interface{}, error) {`
			`// Calculate the namespace response breakdowns of locked users for query namespace and child namespaces (if needed)`
			`totalCount, byNamespaceResponse, err := b.getLockedUsersResponses(ctx, mountAccessor)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Now populate the response based on breakdowns.`
			`responseData := make(map[string]interface{})`
			`responseData["by_namespace"] = byNamespaceResponse`
			`responseData["total"] = totalCount`
			`return responseData, nil`
			`}`

			`// getLockedUsersResponses returns the locked users`
			`// for a particular mount_accessor if provided in request`
			`// else returns it for the current namespace and all the child namespaces that has locked users`
			`// they are sorted in the decreasing order of locked users count`
			`func (b SystemBackend) getLockedUsersResponses(ctx context.Context, mountAccessor string) (int, []LockedUsersResponse, error) {`
			`lockedUsersResponse := make([]*LockedUsersResponse, 0)`
			`totalCounts := 0`

			`queryNS, err := namespace.FromContext(ctx)`
			`if err != nil {`
			`return 0, nil, err`
			`}`

			`if mountAccessor != "" {`
			`// get the locked user response for mount_accessor, here for mount_accessor in request`
			`totalCountForNSID, mountAccessorsResponse, err := b.getMountAccessorsLockedUsers(ctx, []string{mountAccessor + "/"},`
			`coreLockedUsersPath+queryNS.ID+"/")`
			`if err != nil {`
			`return 0, nil, err`
			`}`

			`totalCounts += totalCountForNSID`
			`lockedUsersResponse = append(lockedUsersResponse, &LockedUsersResponse{`
			`NamespaceID: queryNS.ID,`
			`NamespacePath: queryNS.Path,`
			`Counts: totalCountForNSID,`
			`MountAccessors: mountAccessorsResponse,`
			`})`
			`return totalCounts, lockedUsersResponse, nil`
			`}`

			`// no mount_accessor is provided in request, get information for current namespace and its child namespaces`

			`// get all the namespaces of locked users`
			`nsIDs, err := b.Core.barrier.List(ctx, coreLockedUsersPath)`
			`if err != nil {`
			`return 0, nil, err`
			`}`

			`// identify if the namespaces must be included in response and get counts`
			`for _, nsID := range nsIDs {`
			`nsID = strings.TrimSuffix(nsID, "/")`
			`ns, err := NamespaceByID(ctx, nsID, b.Core)`
			`if err != nil {`
			`return 0, nil, err`
			`}`

			`if b.includeNSInLockedUsersResponse(queryNS, ns) {`
			`var displayPath string`
			`if ns == nil {`
			`// deleted namespace`
			`displayPath = fmt.Sprintf("deleted namespace %q", nsID)`
			`} else {`
			`displayPath = ns.Path`
			`}`

			`// get mount accessors of locked users for this namespace`
			`mountAccessors, err := b.Core.barrier.List(ctx, coreLockedUsersPath+nsID+"/")`
			`if err != nil {`
			`return 0, nil, err`
			`}`

			`// get the locked user response for mount_accessor list`
			`totalCountForNSID, mountAccessorsResponse, err := b.getMountAccessorsLockedUsers(ctx, mountAccessors, coreLockedUsersPath+nsID+"/")`
			`if err != nil {`
			`return 0, nil, err`
			`}`

			`totalCounts += totalCountForNSID`
			`lockedUsersResponse = append(lockedUsersResponse, &LockedUsersResponse{`
			`NamespaceID: strings.TrimSuffix(nsID, "/"),`
			`NamespacePath: displayPath,`
			`Counts: totalCountForNSID,`
			`MountAccessors: mountAccessorsResponse,`
			`})`

			`}`
			`}`

			`// sort namespaces in response by decreasing order of counts`
			`sort.Slice(lockedUsersResponse, func(i, j int) bool {`
			`return lockedUsersResponse[i].Counts > lockedUsersResponse[j].Counts`
			`})`

			`return totalCounts, lockedUsersResponse, nil`
			`}`

			`// getMountAccessorsLockedUsers returns the locked users for all the mount_accessors of locked users for a namespace`
			`// they are sorted in the decreasing order of locked users`
			`// returns the total locked users for the namespace and locked users response for every mount_accessor for a namespace that has locked users`
			`func (b SystemBackend) getMountAccessorsLockedUsers(ctx context.Context, mountAccessors []string, lockedUsersPath string) (int, []ResponseMountAccessors, error) {`
			`byMountAccessorsResponse := make([]*ResponseMountAccessors, 0)`
			`totalCountForMountAccessors := 0`

			`for _, mountAccessor := range mountAccessors {`
			`// get the list of aliases of locked users for a mount accessor`
			`aliasIdentifiers, err := b.Core.barrier.List(ctx, lockedUsersPath+mountAccessor)`
			`if err != nil {`
			`return 0, nil, err`
			`}`

			`totalCountForMountAccessors += len(aliasIdentifiers)`
			`byMountAccessorsResponse = append(byMountAccessorsResponse, &ResponseMountAccessors{`
			`MountAccessor: strings.TrimSuffix(mountAccessor, "/"),`
			`Counts: len(aliasIdentifiers),`
			`AliasIdentifiers: aliasIdentifiers,`
			`})`

			`}`

			`// sort mount Accessors in response by decreasing order of counts`
			`sort.Slice(byMountAccessorsResponse, func(i, j int) bool {`
			`return byMountAccessorsResponse[i].Counts > byMountAccessorsResponse[j].Counts`
			`})`

			`return totalCountForMountAccessors, byMountAccessorsResponse, nil`
			`}`

			`// includeNSInLockedUsersResponse checks if the namespace is the child namespace of namespace in query`
			`// if child namespace, it can be included in response`
			`// locked users from deleted namespaces are listed under root namespace`
			`func (b SystemBackend) includeNSInLockedUsersResponse(query namespace.Namespace, record *namespace.Namespace) bool {`
			`if record == nil {`
			`// Deleted namespace, only include in root queries`
			`return query.ID == namespace.RootNamespaceID`
			`}`
			`return record.HasParent(query)`
			`}`