open-vault/builtin/logical/database/path_creds_create.go

package database

import (
	"fmt"
	"time"

	"github.com/hashicorp/vault/builtin/logical/database/dbplugin"
	"github.com/hashicorp/vault/helper/strutil"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathCredsCreate(b *databaseBackend) *framework.Path {
	return &framework.Path{
		Pattern: "creds/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the role.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation: b.pathCredsCreateRead(),
		},

		HelpSynopsis:    pathCredsCreateReadHelpSyn,
		HelpDescription: pathCredsCreateReadHelpDesc,
	}
}

func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
	return func(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
		name := data.Get("name").(string)

		// Get the role
		role, err := b.Role(req.Storage, name)
		if err != nil {
			return nil, err
		}
		if role == nil {
			return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil
		}

		dbConfig, err := b.DatabaseConfig(req.Storage, role.DBName)
		if err != nil {
			return nil, err
		}

		// If role name isn't in the database's allowed roles, send back a
		// permission denied.
		if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContains(dbConfig.AllowedRoles, name) {
			return nil, logical.ErrPermissionDenied
		}

		// Grab the read lock
		b.RLock()
		var unlockFunc func() = b.RUnlock

		// Get the Database object
		db, ok := b.getDBObj(role.DBName)
		if !ok {
			// Upgrade lock
			b.RUnlock()
			b.Lock()
			unlockFunc = b.Unlock

			// Create a new DB object
			db, err = b.createDBObj(req.Storage, role.DBName)
			if err != nil {
				unlockFunc()
				return nil, fmt.Errorf("cound not retrieve db with name: %s, got error: %s", role.DBName, err)
			}
		}

		expiration := time.Now().Add(role.DefaultTTL)

		usernameConfig := dbplugin.UsernameConfig{
			DisplayName: req.DisplayName,
			RoleName:    name,
		}

		// Create the user
		username, password, err := db.CreateUser(role.Statements, usernameConfig, expiration)
		// Unlock
		unlockFunc()
		if err != nil {
			b.closeIfShutdown(role.DBName, err)
			return nil, err
		}

		resp := b.Secret(SecretCredsType).Response(map[string]interface{}{
			"username": username,
			"password": password,
		}, map[string]interface{}{
			"username": username,
			"role":     name,
		})
		resp.Secret.TTL = role.DefaultTTL
		return resp, nil
	}
}

const pathCredsCreateReadHelpSyn = `
Request database credentials for a certain role.
`

const pathCredsCreateReadHelpDesc = `
This path reads database credentials for a certain role. The
database credentials will be generated on demand and will be automatically
revoked when the lease is up.
`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`package database`

			`import (`
			`"fmt"`
Update the interface for plugins removing functions for creating creds 2017-04-10 19:24:16 +00:00			`"time"`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`"github.com/hashicorp/vault/builtin/logical/database/dbplugin"`
Add allowed_roles parameter and checks 2017-04-13 17:33:34 +00:00			`"github.com/hashicorp/vault/helper/strutil"`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`func pathCredsCreate(b databaseBackend) framework.Path {`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`return &framework.Path{`
			`Pattern: "creds/" + framework.GenericNameRegex("name"),`
			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the role.",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`logical.ReadOperation: b.pathCredsCreateRead(),`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`},`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`HelpSynopsis: pathCredsCreateReadHelpSyn,`
			`HelpDescription: pathCredsCreateReadHelpDesc,`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`}`
			`}`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {`
Update help text and comments 2017-04-11 18:50:34 +00:00			`return func(req logical.Request, data framework.FieldData) (*logical.Response, error) {`
			`name := data.Get("name").(string)`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Update help text and comments 2017-04-11 18:50:34 +00:00			`// Get the role`
			`role, err := b.Role(req.Storage, name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if role == nil {`
Don't uppercase ErrorResponses 2017-04-24 21:03:48 +00:00			`return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil`
Update help text and comments 2017-04-11 18:50:34 +00:00			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Add allowed_roles parameter and checks 2017-04-13 17:33:34 +00:00			`dbConfig, err := b.DatabaseConfig(req.Storage, role.DBName)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// If role name isn't in the database's allowed roles, send back a`
			`// permission denied.`
Default deny when allowed roles is empty 2017-04-25 18:48:24 +00:00			`if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContains(dbConfig.AllowedRoles, name) {`
Add allowed_roles parameter and checks 2017-04-13 17:33:34 +00:00			`return nil, logical.ErrPermissionDenied`
			`}`

Add an error check to reset a plugin if it is closed 2017-04-26 22:55:34 +00:00			`// Grab the read lock`
Update to a RWMutex 2017-04-26 22:23:14 +00:00			`b.RLock()`
Add an error check to reset a plugin if it is closed 2017-04-26 22:55:34 +00:00			`var unlockFunc func() = b.RUnlock`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Update help text and comments 2017-04-11 18:50:34 +00:00			`// Get the Database object`
Update to a RWMutex 2017-04-26 22:23:14 +00:00			`db, ok := b.getDBObj(role.DBName)`
			`if !ok {`
			`// Upgrade lock`
			`b.RUnlock()`
			`b.Lock()`
Add an error check to reset a plugin if it is closed 2017-04-26 22:55:34 +00:00			`unlockFunc = b.Unlock`
Update to a RWMutex 2017-04-26 22:23:14 +00:00
			`// Create a new DB object`
			`db, err = b.createDBObj(req.Storage, role.DBName)`
			`if err != nil {`
Add an error check to reset a plugin if it is closed 2017-04-26 22:55:34 +00:00			`unlockFunc()`
Update to a RWMutex 2017-04-26 22:23:14 +00:00			`return nil, fmt.Errorf("cound not retrieve db with name: %s, got error: %s", role.DBName, err)`
			`}`
Update help text and comments 2017-04-11 18:50:34 +00:00			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Update help text and comments 2017-04-11 18:50:34 +00:00			`expiration := time.Now().Add(role.DefaultTTL)`
More work on refactor and cassandra database 2016-12-20 19:46:20 +00:00
Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`usernameConfig := dbplugin.UsernameConfig{`
			`DisplayName: req.DisplayName,`
			`RoleName: name,`
			`}`

Update help text and comments 2017-04-11 18:50:34 +00:00			`// Create the user`
Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`username, password, err := db.CreateUser(role.Statements, usernameConfig, expiration)`
Add an error check to reset a plugin if it is closed 2017-04-26 22:55:34 +00:00			`// Unlock`
			`unlockFunc()`
Update help text and comments 2017-04-11 18:50:34 +00:00			`if err != nil {`
Add an error check to reset a plugin if it is closed 2017-04-26 22:55:34 +00:00			`b.closeIfShutdown(role.DBName, err)`
Update help text and comments 2017-04-11 18:50:34 +00:00			`return nil, err`
			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Update help text and comments 2017-04-11 18:50:34 +00:00			`resp := b.Secret(SecretCredsType).Response(map[string]interface{}{`
			`"username": username,`
			`"password": password,`
			`}, map[string]interface{}{`
			`"username": username,`
			`"role": name,`
			`})`
			`resp.Secret.TTL = role.DefaultTTL`
			`return resp, nil`
			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`}`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			const pathCredsCreateReadHelpSyn = `
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`Request database credentials for a certain role.`
			`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			const pathCredsCreateReadHelpDesc = `
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`This path reads database credentials for a certain role. The`
			`database credentials will be generated on demand and will be automatically`
			`revoked when the lease is up.`
			`