open-vault/builtin/logical/ssh/path_lookup.go

package ssh

import (
	"encoding/json"
	"fmt"
	"log"
	"net"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathLookup(b *backend) *framework.Path {
	log.Printf("Vishal: ssh.pathLookup\n")
	return &framework.Path{
		Pattern: "lookup",
		Fields: map[string]*framework.FieldSchema{
			"ip": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "IP address of target",
			},
		},
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.WriteOperation: b.pathLookupWrite,
		},
		HelpSynopsis:    pathLookupSyn,
		HelpDescription: pathLookupDesc,
	}
}

func (b *backend) pathLookupWrite(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	ip := d.Get("ip").(string)
	//ip := "127.0.0.1"
	ipAddr := net.ParseIP(ip)
	if ipAddr == nil {
		return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ip)), nil
	}
	keys, _ := req.Storage.List("policy/")
	var matchingRoles []string
	for _, item := range keys {
		if contains, _ := containsIP(req.Storage, item, ip); contains {
			matchingRoles = append(matchingRoles, item)
		}
	}
	log.Printf("Vishal: req.Path: %#v \n Keys:%#v\n", req.Path, keys)
	return &logical.Response{
		Data: map[string]interface{}{
			"roles": matchingRoles,
		},
	}, nil
}

func containsIP(s logical.Storage, roleName string, ip string) (bool, error) {
	roleEntry, err := s.Get("policy/" + roleName)
	if err != nil {
		return false, fmt.Errorf("error retrieving role '%s'", err)
	}
	if roleEntry == nil {
		return false, fmt.Errorf("role '%s' not found", roleName)
	}
	var role sshRole
	if err := roleEntry.DecodeJSON(&role); err != nil {
		return false, fmt.Errorf("error decoding role '%s'", roleName)
	}
	var cidrEntry sshCIDR
	ipMatched := false
	json.Unmarshal([]byte(role.CIDR), &cidrEntry)
	for _, item := range cidrEntry.CIDR {
		log.Println(item)
		_, cidrIPNet, _ := net.ParseCIDR(item)
		ipMatched = cidrIPNet.Contains(net.ParseIP(ip))
		if ipMatched {
			break
		}
	}
	return ipMatched, nil
}

const pathLookupSyn = `
pathLookupSyn
`

const pathLookupDesc = `
pathLoookupDesc
`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`package ssh`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"log"`
			`"net"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`func pathLookup(b backend) framework.Path {`
			`log.Printf("Vishal: ssh.pathLookup\n")`
			`return &framework.Path{`
			`Pattern: "lookup",`
			`Fields: map[string]*framework.FieldSchema{`
			`"ip": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "IP address of target",`
			`},`
			`},`
			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.WriteOperation: b.pathLookupWrite,`
			`},`
			`HelpSynopsis: pathLookupSyn,`
			`HelpDescription: pathLookupDesc,`
			`}`
			`}`

			`func (b backend) pathLookupWrite(req logical.Request, d framework.FieldData) (logical.Response, error) {`
			`ip := d.Get("ip").(string)`
			`//ip := "127.0.0.1"`
			`ipAddr := net.ParseIP(ip)`
			`if ipAddr == nil {`
			`return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ip)), nil`
			`}`
			`keys, _ := req.Storage.List("policy/")`
			`var matchingRoles []string`
			`for _, item := range keys {`
			`if contains, _ := containsIP(req.Storage, item, ip); contains {`
			`matchingRoles = append(matchingRoles, item)`
			`}`
			`}`
			`log.Printf("Vishal: req.Path: %#v \n Keys:%#v\n", req.Path, keys)`
			`return &logical.Response{`
			`Data: map[string]interface{}{`
			`"roles": matchingRoles,`
			`},`
			`}, nil`
			`}`

			`func containsIP(s logical.Storage, roleName string, ip string) (bool, error) {`
			`roleEntry, err := s.Get("policy/" + roleName)`
			`if err != nil {`
			`return false, fmt.Errorf("error retrieving role '%s'", err)`
			`}`
			`if roleEntry == nil {`
			`return false, fmt.Errorf("role '%s' not found", roleName)`
			`}`
			`var role sshRole`
			`if err := roleEntry.DecodeJSON(&role); err != nil {`
			`return false, fmt.Errorf("error decoding role '%s'", roleName)`
			`}`
			`var cidrEntry sshCIDR`
			`ipMatched := false`
			`json.Unmarshal([]byte(role.CIDR), &cidrEntry)`
			`for _, item := range cidrEntry.CIDR {`
			`log.Println(item)`
			`_, cidrIPNet, _ := net.ParseCIDR(item)`
			`ipMatched = cidrIPNet.Contains(net.ParseIP(ip))`
			`if ipMatched {`
			`break`
			`}`
			`}`
			`return ipMatched, nil`
			`}`

			const pathLookupSyn = `
			`pathLookupSyn`
			`

			const pathLookupDesc = `
			`pathLoookupDesc`
			`