2015-03-20 16:59:48 +00:00
|
|
|
package aws
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
|
2015-12-30 18:05:54 +00:00
|
|
|
"errors"
|
2016-06-20 23:51:04 +00:00
|
|
|
"strings"
|
|
|
|
|
2015-03-20 16:59:48 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
)
|
|
|
|
|
2016-06-20 23:51:04 +00:00
|
|
|
func pathListRoles(b *backend) *framework.Path {
|
|
|
|
return &framework.Path{
|
|
|
|
Pattern: "roles/?$",
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
|
|
logical.ListOperation: b.pathRoleList,
|
|
|
|
},
|
|
|
|
|
|
|
|
HelpSynopsis: pathListRolesHelpSyn,
|
|
|
|
HelpDescription: pathListRolesHelpDesc,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-27 21:20:28 +00:00
|
|
|
func pathRoles() *framework.Path {
|
2015-03-20 16:59:48 +00:00
|
|
|
return &framework.Path{
|
2015-08-21 07:56:13 +00:00
|
|
|
Pattern: "roles/" + framework.GenericNameRegex("name"),
|
2015-03-20 16:59:48 +00:00
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
|
|
"name": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: "Name of the policy",
|
|
|
|
},
|
|
|
|
|
2015-12-30 18:05:54 +00:00
|
|
|
"arn": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: "ARN Reference to a managed policy",
|
|
|
|
},
|
|
|
|
|
2015-03-20 16:59:48 +00:00
|
|
|
"policy": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
2015-04-04 04:15:59 +00:00
|
|
|
Description: "IAM policy document",
|
2015-03-20 16:59:48 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2015-04-27 21:20:28 +00:00
|
|
|
logical.DeleteOperation: pathRolesDelete,
|
|
|
|
logical.ReadOperation: pathRolesRead,
|
2016-06-20 23:51:04 +00:00
|
|
|
logical.UpdateOperation: pathRolesWrite,
|
2015-03-20 16:59:48 +00:00
|
|
|
},
|
2015-04-04 04:10:54 +00:00
|
|
|
|
2015-04-27 21:20:28 +00:00
|
|
|
HelpSynopsis: pathRolesHelpSyn,
|
|
|
|
HelpDescription: pathRolesHelpDesc,
|
2015-03-20 16:59:48 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-06-20 23:51:04 +00:00
|
|
|
func (b *backend) pathRoleList(
|
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
entries, err := req.Storage.List("policy/")
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return logical.ListResponse(entries), nil
|
|
|
|
}
|
|
|
|
|
2015-04-27 21:20:28 +00:00
|
|
|
func pathRolesDelete(
|
2015-04-19 05:13:12 +00:00
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
err := req.Storage.Delete("policy/" + d.Get("name").(string))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2015-04-27 21:20:28 +00:00
|
|
|
func pathRolesRead(
|
2015-04-19 05:13:12 +00:00
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
entry, err := req.Storage.Get("policy/" + d.Get("name").(string))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if entry == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2015-12-30 18:05:54 +00:00
|
|
|
val := string(entry.Value)
|
|
|
|
if strings.HasPrefix(val, "arn:") {
|
|
|
|
return &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"arn": val,
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
2015-04-19 05:13:12 +00:00
|
|
|
return &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
2015-12-30 18:05:54 +00:00
|
|
|
"policy": val,
|
2015-04-19 05:13:12 +00:00
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2015-12-30 18:05:54 +00:00
|
|
|
func useInlinePolicy(d *framework.FieldData) (bool, error) {
|
|
|
|
bp := d.Get("policy").(string) != ""
|
|
|
|
ba := d.Get("arn").(string) != ""
|
|
|
|
|
|
|
|
if !bp && !ba {
|
2015-12-30 19:41:07 +00:00
|
|
|
return false, errors.New("Either policy or arn must be provided")
|
2015-12-30 18:05:54 +00:00
|
|
|
}
|
|
|
|
if bp && ba {
|
|
|
|
return false, errors.New("Only one of policy or arn should be provided")
|
|
|
|
}
|
|
|
|
return bp, nil
|
|
|
|
}
|
|
|
|
|
2015-04-27 21:20:28 +00:00
|
|
|
func pathRolesWrite(
|
2015-03-20 16:59:48 +00:00
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2015-04-01 00:26:41 +00:00
|
|
|
var buf bytes.Buffer
|
2015-03-20 16:59:48 +00:00
|
|
|
|
2015-12-30 18:05:54 +00:00
|
|
|
uip, err := useInlinePolicy(d)
|
2015-03-20 16:59:48 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2015-12-30 18:05:54 +00:00
|
|
|
if uip {
|
|
|
|
if err := json.Compact(&buf, []byte(d.Get("policy").(string))); err != nil {
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf(
|
|
|
|
"Error compacting policy: %s", err)), nil
|
|
|
|
}
|
|
|
|
// Write the policy into storage
|
|
|
|
err := req.Storage.Put(&logical.StorageEntry{
|
|
|
|
Key: "policy/" + d.Get("name").(string),
|
|
|
|
Value: buf.Bytes(),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// Write the arn ref into storage
|
|
|
|
err := req.Storage.Put(&logical.StorageEntry{
|
|
|
|
Key: "policy/" + d.Get("name").(string),
|
|
|
|
Value: []byte(d.Get("arn").(string)),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-20 16:59:48 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2015-04-04 04:10:54 +00:00
|
|
|
|
2016-06-20 23:51:04 +00:00
|
|
|
const pathListRolesHelpSyn = `List the existing roles in this backend`
|
|
|
|
|
|
|
|
const pathListRolesHelpDesc = `Roles will be listed by the role name.`
|
|
|
|
|
2015-04-27 21:20:28 +00:00
|
|
|
const pathRolesHelpSyn = `
|
2015-12-30 19:41:07 +00:00
|
|
|
Read, write and reference IAM policies that access keys can be made for.
|
2015-04-04 04:10:54 +00:00
|
|
|
`
|
|
|
|
|
2015-04-27 21:20:28 +00:00
|
|
|
const pathRolesHelpDesc = `
|
|
|
|
This path allows you to read and write roles that are used to
|
2015-12-30 19:41:07 +00:00
|
|
|
create access keys. These roles are associated with IAM policies that
|
|
|
|
map directly to the route to read the access keys. For example, if the
|
|
|
|
backend is mounted at "aws" and you create a role at "aws/roles/deploy"
|
|
|
|
then a user could request access credentials at "aws/creds/deploy".
|
|
|
|
|
|
|
|
You can either supply a user inline policy (via the policy argument), or
|
|
|
|
provide a reference to an existing AWS policy by supplying the full arn
|
|
|
|
reference (via the arn argument). Inline user policies written are normal
|
|
|
|
IAM policies. Vault will not attempt to parse these except to validate
|
|
|
|
that they're basic JSON. No validation is performed on arn references.
|
|
|
|
|
|
|
|
To validate the keys, attempt to read an access key after writing the policy.
|
2015-04-04 04:10:54 +00:00
|
|
|
`
|