open-vault/vault/dynamic_system_view.go

package vault

import (
	"context"
	"fmt"
	"time"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/vault/helper/consts"
	"github.com/hashicorp/vault/helper/pluginutil"
	"github.com/hashicorp/vault/helper/wrapping"
	"github.com/hashicorp/vault/logical"
)

type dynamicSystemView struct {
	core       *Core
	mountEntry *MountEntry
}

func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
	def, _ := d.fetchTTLs()
	return def
}

func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
	_, max := d.fetchTTLs()
	return max
}

func (d dynamicSystemView) SudoPrivilege(ctx context.Context, path string, token string) bool {
	// Resolve the token policy
	te, err := d.core.tokenStore.Lookup(ctx, token)
	if err != nil {
		d.core.logger.Error("failed to lookup token", "error", err)
		return false
	}

	// Ensure the token is valid
	if te == nil {
		d.core.logger.Error("entry not found for given token")
		return false
	}

	// Construct the corresponding ACL object
	acl, err := d.core.policyStore.ACL(ctx, te.Policies...)
	if err != nil {
		d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
		return false
	}

	// The operation type isn't important here as this is run from a path the
	// user has already been given access to; we only care about whether they
	// have sudo
	req := new(logical.Request)
	req.Operation = logical.ReadOperation
	req.Path = path
	authResults := acl.AllowOperation(req)
	return authResults.RootPrivs
}

// TTLsByPath returns the default and max TTLs corresponding to a particular
// mount point, or the system default
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
	def = d.core.defaultLeaseTTL
	max = d.core.maxLeaseTTL

	if d.mountEntry.Config.DefaultLeaseTTL != 0 {
		def = d.mountEntry.Config.DefaultLeaseTTL
	}
	if d.mountEntry.Config.MaxLeaseTTL != 0 {
		max = d.mountEntry.Config.MaxLeaseTTL
	}

	return
}

// Tainted indicates that the mount is in the process of being removed
func (d dynamicSystemView) Tainted() bool {
	return d.mountEntry.Tainted
}

// CachingDisabled indicates whether to use caching behavior
func (d dynamicSystemView) CachingDisabled() bool {
	return d.core.cachingDisabled || (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)
}

func (d dynamicSystemView) LocalMount() bool {
	return d.mountEntry != nil && d.mountEntry.Local
}

// Checks if this is a primary Vault instance. Caller should hold the stateLock
// in read mode.
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
	return d.core.ReplicationState()
}

// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
func (d dynamicSystemView) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
	req := &logical.Request{
		Operation: logical.CreateOperation,
		Path:      "sys/wrapping/wrap",
	}

	resp := &logical.Response{
		WrapInfo: &wrapping.ResponseWrapInfo{
			TTL: ttl,
		},
		Data: data,
	}

	if jwt {
		resp.WrapInfo.Format = "jwt"
	}

	_, err := d.core.wrapInCubbyhole(ctx, req, resp, nil)
	if err != nil {
		return nil, err
	}

	return resp.WrapInfo, nil
}

// LookupPlugin looks for a plugin with the given name in the plugin catalog. It
// returns a PluginRunner or an error if no plugin was found.
func (d dynamicSystemView) LookupPlugin(ctx context.Context, name string) (*pluginutil.PluginRunner, error) {
	if d.core == nil {
		return nil, fmt.Errorf("system view core is nil")
	}
	if d.core.pluginCatalog == nil {
		return nil, fmt.Errorf("system view core plugin catalog is nil")
	}
	r, err := d.core.pluginCatalog.Get(ctx, name)
	if err != nil {
		return nil, err
	}
	if r == nil {
		return nil, errwrap.Wrapf(fmt.Sprintf("{{err}}: %s", name), ErrPluginNotFound)
	}

	return r, nil
}

// MlockEnabled returns the configuration setting for enabling mlock on plugins.
func (d dynamicSystemView) MlockEnabled() bool {
	return d.core.enableMlock
}

func (d dynamicSystemView) EntityInfo(entityID string) (*logical.Entity, error) {
	// Requests from token created from the token backend will not have entity information.
	// Return missing entity instead of error when requesting from MemDB.
	if entityID == "" {
		return nil, nil
	}

	if d.core == nil {
		return nil, fmt.Errorf("system view core is nil")
	}
	if d.core.identityStore == nil {
		return nil, fmt.Errorf("system view identity store is nil")
	}

	// Retrieve the entity from MemDB
	entity, err := d.core.identityStore.MemDBEntityByID(entityID, false)
	if err != nil {
		return nil, err
	}
	if entity == nil {
		return nil, nil
	}

	aliases := make([]*logical.Alias, len(entity.Aliases))
	for i, alias := range entity.Aliases {
		aliases[i] = &logical.Alias{
			MountAccessor: alias.MountAccessor,
			Name:          alias.Name,
		}
		// MountType is not stored with the entity and must be looked up
		if mount := d.core.router.validateMountByAccessor(alias.MountAccessor); mount != nil {
			aliases[i].MountType = mount.MountType
		}
	}

	// Only returning a subset of the data
	return &logical.Entity{
		ID:      entity.ID,
		Name:    entity.Name,
		Aliases: aliases,
	}, nil
}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`package vault`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`"fmt"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`"time"`

Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth 2017-09-01 05:02:03 +00:00			`"github.com/hashicorp/errwrap"`
Move ReplicationState to consts 2017-02-16 18:37:21 +00:00			`"github.com/hashicorp/vault/helper/consts"`
Plugin catalog 2017-04-04 00:52:29 +00:00			`"github.com/hashicorp/vault/helper/pluginutil"`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`"github.com/hashicorp/vault/helper/wrapping"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`"github.com/hashicorp/vault/logical"`
			`)`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00
			`type dynamicSystemView struct {`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`core *Core`
			`mountEntry *MountEntry`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {`
			`def, _ := d.fetchTTLs()`
			`return def`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) MaxLeaseTTL() time.Duration {`
			`_, max := d.fetchTTLs()`
			`return max`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (d dynamicSystemView) SudoPrivilege(ctx context.Context, path string, token string) bool {`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`// Resolve the token policy`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`te, err := d.core.tokenStore.Lookup(ctx, token)`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`if err != nil {`
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go 2018-04-03 00:46:59 +00:00			`d.core.logger.Error("failed to lookup token", "error", err)`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`return false`
			`}`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00
			`// Ensure the token is valid`
			`if te == nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("entry not found for given token")`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`return false`
			`}`

			`// Construct the corresponding ACL object`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`acl, err := d.core.policyStore.ACL(ctx, te.Policies...)`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`if err != nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`return false`
			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// The operation type isn't important here as this is run from a path the`
			`// user has already been given access to; we only care about whether they`
			`// have sudo`
Format dynamic_system_view.go 2017-01-20 00:54:08 +00:00			`req := new(logical.Request)`
			`req.Operation = logical.ReadOperation`
			`req.Path = path`
Sync over 2017-10-23 20:03:36 +00:00			`authResults := acl.AllowOperation(req)`
			`return authResults.RootPrivs`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`}`

Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`// TTLsByPath returns the default and max TTLs corresponding to a particular`
			`// mount point, or the system default`
Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`def = d.core.defaultLeaseTTL`
			`max = d.core.maxLeaseTTL`

Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`if d.mountEntry.Config.DefaultLeaseTTL != 0 {`
			`def = d.mountEntry.Config.DefaultLeaseTTL`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`if d.mountEntry.Config.MaxLeaseTTL != 0 {`
			`max = d.mountEntry.Config.MaxLeaseTTL`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

			`return`
			`}`
Allow backends to see taint status. This can be seen via System(). In the PKI backend, if the CA is reconfigured but not fully (e.g. an intermediate CSR is generated but no corresponding cert set) and there are already leases (issued certs), the CRL is unable to be built. As a result revocation fails. But in this case we don't actually need revocation to be successful since the CRL is useless after unmounting. By checking taint status we know if we can simply fast-path out of revocation with a success in this case. Fixes #946 2016-01-22 22:01:22 +00:00
			`// Tainted indicates that the mount is in the process of being removed`
			`func (d dynamicSystemView) Tainted() bool {`
			`return d.mountEntry.Tainted`
			`}`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`// CachingDisabled indicates whether to use caching behavior`
			`func (d dynamicSystemView) CachingDisabled() bool {`
Add option to disable caching per-backend. (#2455) 2017-03-08 14:20:09 +00:00			`return d.core.cachingDisabled \|\| (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`}`
Rejig dynamic system view to build without tags 2017-01-12 20:13:47 +00:00
Add a sysview call to determine if a mount is local. (#3899) This is useful for deciding when to run upgrade logic, e.g. if on a performance secondary but local it's fine to run. 2018-02-02 23:17:12 +00:00			`func (d dynamicSystemView) LocalMount() bool {`
			`return d.mountEntry != nil && d.mountEntry.Local`
			`}`

Update locking components from DR replication changes (#3283) * Update locking components from DR replication changes * Fix plugin backend test * Add a comment about needing the statelock: 2017-09-04 23:38:37 +00:00			`// Checks if this is a primary Vault instance. Caller should hold the stateLock`
			`// in read mode.`
Move ReplicationState to consts 2017-02-16 18:37:21 +00:00			`func (d dynamicSystemView) ReplicationState() consts.ReplicationState {`
Update replication state logic. Fixes #3727 2018-01-16 18:51:55 +00:00			`return d.core.ReplicationState()`
Rejig dynamic system view to build without tags 2017-01-12 20:13:47 +00:00			`}`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00
			`// ResponseWrapData wraps the given data in a cubbyhole and returns the`
			`// token used to unwrap.`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (d dynamicSystemView) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`req := &logical.Request{`
			`Operation: logical.CreateOperation,`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`Path: "sys/wrapping/wrap",`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`

			`resp := &logical.Response{`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`WrapInfo: &wrapping.ResponseWrapInfo{`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`TTL: ttl,`
			`},`
			`Data: data,`
			`}`

			`if jwt {`
			`resp.WrapInfo.Format = "jwt"`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`_, err := d.core.wrapInCubbyhole(ctx, req, resp, nil)`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`if err != nil {`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`return nil, err`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`

Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`return resp.WrapInfo, nil`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`
Plugin catalog 2017-04-04 00:52:29 +00:00
Mlock the plugin process 2017-04-11 00:12:52 +00:00			`// LookupPlugin looks for a plugin with the given name in the plugin catalog. It`
			`// returns a PluginRunner or an error if no plugin was found.`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (d dynamicSystemView) LookupPlugin(ctx context.Context, name string) (*pluginutil.PluginRunner, error) {`
Add plugin auto-reload capability (#3171) * Add automatic plugin reload * Refactor builtin/backend * Remove plugin reload at the core level * Refactor plugin tests * Add auto-reload test case * Change backend to use sync.RWMutex, fix dangling test plugin processes * Add a canary to plugin backends to avoid reloading many times (#3174) * Call setupPluginCatalog before mount-related operations in postUnseal * Don't create multiple system backends since core only holds a reference (#3176) to one. 2017-08-16 02:10:32 +00:00			`if d.core == nil {`
			`return nil, fmt.Errorf("system view core is nil")`
			`}`
			`if d.core.pluginCatalog == nil {`
			`return nil, fmt.Errorf("system view core plugin catalog is nil")`
			`}`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`r, err := d.core.pluginCatalog.Get(ctx, name)`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if r == nil {`
Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth 2017-09-01 05:02:03 +00:00			`return nil, errwrap.Wrapf(fmt.Sprintf("{{err}}: %s", name), ErrPluginNotFound)`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`}`

			`return r, nil`
Plugin catalog 2017-04-04 00:52:29 +00:00			`}`
Mlock the plugin process 2017-04-11 00:12:52 +00:00
Change MlockDisabled to MlockEnabled 2017-04-24 19:21:49 +00:00			`// MlockEnabled returns the configuration setting for enabling mlock on plugins.`
			`func (d dynamicSystemView) MlockEnabled() bool {`
			`return d.core.enableMlock`
Mlock the plugin process 2017-04-11 00:12:52 +00:00			`}`
Add entity information request to system view (#4681) * Add entity information request to system view * fixing a few comments * sharing types between plugin and logical * sharing types between plugin and logical * fixing output directory for proto * removing extra replacement * adding mount type lookup * empty entities return nil instead of error * adding some comments 2018-06-04 00:48:12 +00:00
			`func (d dynamicSystemView) EntityInfo(entityID string) (*logical.Entity, error) {`
			`// Requests from token created from the token backend will not have entity information.`
			`// Return missing entity instead of error when requesting from MemDB.`
			`if entityID == "" {`
			`return nil, nil`
			`}`

			`if d.core == nil {`
			`return nil, fmt.Errorf("system view core is nil")`
			`}`
			`if d.core.identityStore == nil {`
			`return nil, fmt.Errorf("system view identity store is nil")`
			`}`

			`// Retrieve the entity from MemDB`
			`entity, err := d.core.identityStore.MemDBEntityByID(entityID, false)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if entity == nil {`
			`return nil, nil`
			`}`

			`aliases := make([]*logical.Alias, len(entity.Aliases))`
			`for i, alias := range entity.Aliases {`
			`aliases[i] = &logical.Alias{`
			`MountAccessor: alias.MountAccessor,`
			`Name: alias.Name,`
			`}`
			`// MountType is not stored with the entity and must be looked up`
			`if mount := d.core.router.validateMountByAccessor(alias.MountAccessor); mount != nil {`
			`aliases[i].MountType = mount.MountType`
			`}`
			`}`

			`// Only returning a subset of the data`
			`return &logical.Entity{`
			`ID: entity.ID,`
			`Name: entity.Name,`
			`Aliases: aliases,`
			`}, nil`
			`}`