open-nomad/nomad/structs/vault.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package structs

import (
	"fmt"

	"github.com/hashicorp/go-secure-stdlib/strutil"
	vapi "github.com/hashicorp/vault/api"
	"github.com/mitchellh/mapstructure"
)

const (
	// VaultNamespaceHeaderName is the header set to specify which namespace
	// the request is indented for. This is defined within Nomad, so we do not
	// need to import the entire Vault SDK package.
	VaultNamespaceHeaderName = "X-Vault-Namespace"
)

// VaultTokenData represents some of the fields returned in the Data map of the
// sercret returned by the Vault API when doing a token lookup request.
type VaultTokenData struct {
	CreationTTL   int      `mapstructure:"creation_ttl"`
	TTL           int      `mapstructure:"ttl"`
	Renewable     bool     `mapstructure:"renewable"`
	Policies      []string `mapstructure:"policies"`
	Role          string   `mapstructure:"role"`
	NamespacePath string   `mapstructure:"namespace_path"`

	// root caches if the token has the "root" policy to avoid travesring the
	// policies list every time.
	root *bool
}

// Root returns true if the token has the `root` policy.
func (d VaultTokenData) Root() bool {
	if d.root != nil {
		return *d.root
	}

	root := strutil.StrListContains(d.Policies, "root")
	d.root = &root

	return root
}

// VaultTokenRoleData represents some of the fields returned in the Data map of
// the sercret returned by the Vault API when reading a token role.
type VaultTokenRoleData struct {
	Name                 string `mapstructure:"name"`
	ExplicitMaxTtl       int    `mapstructure:"explicit_max_ttl"`
	TokenExplicitMaxTtl  int    `mapstructure:"token_explicit_max_ttl"`
	Orphan               bool
	Period               int
	TokenPeriod          int `mapstructure:"token_period"`
	Renewable            bool
	DisallowedPolicies   []string `mapstructure:"disallowed_policies"`
	AllowedEntityAliases []string `mapstructure:"allowed_entity_aliases"`
	AllowedPolicies      []string `mapstructure:"allowed_policies"`
}

// DecodeVaultSecretData decodes a Vault sercret Data map into a struct.
func DecodeVaultSecretData(s *vapi.Secret, out interface{}) error {
	if s == nil {
		return fmt.Errorf("cannot decode nil Vault secret")
	}

	if err := mapstructure.WeakDecode(s.Data, &out); err != nil {
		return err
	}

	return nil
}
[COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Support Vault entity aliases (#12449) Move some common Vault API data struct decoding out of the Vault client so it can be reused in other situations. Make Vault job validation its own function so it's easier to expand it. Rename the `Job.VaultPolicies` method to just `Job.Vault` since it returns the full Vault block, not just their policies. Set `ChangeMode` on `Vault.Canonicalize`. Add some missing tests. Allows specifying an entity alias that will be used by Nomad when deriving the task Vault token. An entity alias assigns an indentity to a token, allowing better control and management of Vault clients since all tokens with the same indentity alias will now be considered the same client. This helps track Nomad activity in Vault's audit logs and better control over Vault billing. Add support for a new Nomad server configuration to define a default entity alias to be used when deriving Vault tokens. This default value will be used if the task doesn't have an entity alias defined. 2022-04-05 18:18:10 +00:00			`package structs`

			`import (`
			`"fmt"`

			`"github.com/hashicorp/go-secure-stdlib/strutil"`
			`vapi "github.com/hashicorp/vault/api"`
			`"github.com/mitchellh/mapstructure"`
			`)`

vault: use an importable const for Vault header string. (#18740) (#18750) Co-authored-by: James Rasell <jrasell@users.noreply.github.com> 2023-10-13 07:11:54 +00:00			`const (`
			`// VaultNamespaceHeaderName is the header set to specify which namespace`
			`// the request is indented for. This is defined within Nomad, so we do not`
			`// need to import the entire Vault SDK package.`
			`VaultNamespaceHeaderName = "X-Vault-Namespace"`
			`)`

Support Vault entity aliases (#12449) Move some common Vault API data struct decoding out of the Vault client so it can be reused in other situations. Make Vault job validation its own function so it's easier to expand it. Rename the `Job.VaultPolicies` method to just `Job.Vault` since it returns the full Vault block, not just their policies. Set `ChangeMode` on `Vault.Canonicalize`. Add some missing tests. Allows specifying an entity alias that will be used by Nomad when deriving the task Vault token. An entity alias assigns an indentity to a token, allowing better control and management of Vault clients since all tokens with the same indentity alias will now be considered the same client. This helps track Nomad activity in Vault's audit logs and better control over Vault billing. Add support for a new Nomad server configuration to define a default entity alias to be used when deriving Vault tokens. This default value will be used if the task doesn't have an entity alias defined. 2022-04-05 18:18:10 +00:00			`// VaultTokenData represents some of the fields returned in the Data map of the`
			`// sercret returned by the Vault API when doing a token lookup request.`
			`type VaultTokenData struct {`
			CreationTTL int `mapstructure:"creation_ttl"`
			TTL int `mapstructure:"ttl"`
			Renewable bool `mapstructure:"renewable"`
			Policies []string `mapstructure:"policies"`
			Role string `mapstructure:"role"`
			NamespacePath string `mapstructure:"namespace_path"`

			`// root caches if the token has the "root" policy to avoid travesring the`
			`// policies list every time.`
			`root *bool`
			`}`

			// Root returns true if the token has the `root` policy.
			`func (d VaultTokenData) Root() bool {`
			`if d.root != nil {`
			`return *d.root`
			`}`

			`root := strutil.StrListContains(d.Policies, "root")`
			`d.root = &root`

			`return root`
			`}`

			`// VaultTokenRoleData represents some of the fields returned in the Data map of`
			`// the sercret returned by the Vault API when reading a token role.`
			`type VaultTokenRoleData struct {`
			Name string `mapstructure:"name"`
			ExplicitMaxTtl int `mapstructure:"explicit_max_ttl"`
			TokenExplicitMaxTtl int `mapstructure:"token_explicit_max_ttl"`
			`Orphan bool`
			`Period int`
			TokenPeriod int `mapstructure:"token_period"`
			`Renewable bool`
			DisallowedPolicies []string `mapstructure:"disallowed_policies"`
			AllowedEntityAliases []string `mapstructure:"allowed_entity_aliases"`
			AllowedPolicies []string `mapstructure:"allowed_policies"`
			`}`

			`// DecodeVaultSecretData decodes a Vault sercret Data map into a struct.`
			`func DecodeVaultSecretData(s *vapi.Secret, out interface{}) error {`
			`if s == nil {`
			`return fmt.Errorf("cannot decode nil Vault secret")`
			`}`

			`if err := mapstructure.WeakDecode(s.Data, &out); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`