open-vault/builtin/logical/ssh/path_keys.go

package ssh

import (
	"context"
	"fmt"

	"golang.org/x/crypto/ssh"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

type sshHostKey struct {
	Key string `json:"key"`
}

func pathKeys(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "keys/" + framework.GenericNameRegex("key_name"),
		Fields: map[string]*framework.FieldSchema{
			"key_name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "[Required] Name of the key",
			},
			"key": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "[Required] SSH private key with super user privileges in host",
			},
		},
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathKeysWrite,
			logical.DeleteOperation: b.pathKeysDelete,
		},
		HelpSynopsis:    pathKeysSyn,
		HelpDescription: pathKeysDesc,
	}
}

func (b *backend) getKey(ctx context.Context, s logical.Storage, n string) (*sshHostKey, error) {
	entry, err := s.Get(ctx, "keys/"+n)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var result sshHostKey
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}
	return &result, nil
}

func (b *backend) pathKeysDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	keyName := d.Get("key_name").(string)
	keyPath := fmt.Sprintf("keys/%s", keyName)
	err := req.Storage.Delete(ctx, keyPath)
	if err != nil {
		return nil, err
	}
	return nil, nil
}

func (b *backend) pathKeysWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	keyName := d.Get("key_name").(string)
	if keyName == "" {
		return logical.ErrorResponse("Missing key_name"), nil
	}

	keyString := d.Get("key").(string)

	// Check if the key provided is infact a private key
	signer, err := ssh.ParsePrivateKey([]byte(keyString))
	if err != nil || signer == nil {
		return logical.ErrorResponse("Invalid key"), nil
	}

	if keyString == "" {
		return logical.ErrorResponse("Missing key"), nil
	}

	keyPath := fmt.Sprintf("keys/%s", keyName)

	// Store the key
	entry, err := logical.StorageEntryJSON(keyPath, map[string]interface{}{
		"key": keyString,
	})
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}
	return nil, nil
}

const pathKeysSyn = `
Register a shared private key with Vault.
`

const pathKeysDesc = `
Vault uses this key to install and uninstall dynamic keys in remote hosts. This
key should have sudoer privileges in remote hosts. This enables installing keys
for unprivileged usernames.

If this backend is mounted as "ssh", then the endpoint for registering shared
key is "ssh/keys/<name>". The name given here can be associated with any number
of roles via the endpoint "ssh/roles/".
`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`package ssh`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`"fmt"`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00
Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`"golang.org/x/crypto/ssh"`

POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`type sshHostKey struct {`
Vault SSH: CRUD tests for named keys 2015-08-03 20:18:14 +00:00			Key string `json:"key"`
Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`}`

POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`func pathKeys(b backend) framework.Path {`
			`return &framework.Path{`
Vault: Fix wild card paths for all backends 2015-08-21 07:56:13 +00:00			`Pattern: "keys/" + framework.GenericNameRegex("key_name"),`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`Fields: map[string]*framework.FieldSchema{`
Vault SSH: Default lease duration, policy/ to role/ 2015-08-13 00:36:27 +00:00			`"key_name": &framework.FieldSchema{`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`Type: framework.TypeString,`
Vault SSH: Website page for SSH backend 2015-08-14 19:41:26 +00:00			`Description: "[Required] Name of the key",`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`},`
			`"key": &framework.FieldSchema{`
			`Type: framework.TypeString,`
Vault SSH: Website page for SSH backend 2015-08-14 19:41:26 +00:00			`Description: "[Required] SSH private key with super user privileges in host",`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`},`
			`},`
			`Callbacks: map[logical.Operation]framework.OperationFunc{`
gofmt 2016-08-19 20:48:32 +00:00			`logical.UpdateOperation: b.pathKeysWrite,`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`logical.DeleteOperation: b.pathKeysDelete,`
			`},`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`HelpSynopsis: pathKeysSyn,`
			`HelpDescription: pathKeysDesc,`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`}`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b backend) getKey(ctx context.Context, s logical.Storage, n string) (sshHostKey, error) {`
			`entry, err := s.Get(ctx, "keys/"+n)`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

Vault SSH: CRUD tests for named keys 2015-08-03 20:18:14 +00:00			`var result sshHostKey`
			`if err := entry.DecodeJSON(&result); err != nil {`
			`return nil, err`
			`}`
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP 2015-08-13 21:18:30 +00:00			`return &result, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathKeysDelete(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Vault SSH: Default lease duration, policy/ to role/ 2015-08-13 00:36:27 +00:00			`keyName := d.Get("key_name").(string)`
Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`keyPath := fmt.Sprintf("keys/%s", keyName)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`err := req.Storage.Delete(ctx, keyPath)`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return nil, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathKeysWrite(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Vault SSH: Default lease duration, policy/ to role/ 2015-08-13 00:36:27 +00:00			`keyName := d.Get("key_name").(string)`
Vault SSH: Website page for SSH backend 2015-08-14 19:41:26 +00:00			`if keyName == "" {`
			`return logical.ErrorResponse("Missing key_name"), nil`
			`}`

POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`keyString := d.Get("key").(string)`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00
Vault SSH: Documentation update and minor refactoring changes. 2015-08-18 01:22:03 +00:00			`// Check if the key provided is infact a private key`
Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`signer, err := ssh.ParsePrivateKey([]byte(keyString))`
			`if err != nil \|\| signer == nil {`
			`return logical.ErrorResponse("Invalid key"), nil`
			`}`

Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`if keyString == "" {`
Vault SSH: review rework: formatted and moved code 2015-07-02 01:26:42 +00:00			`return logical.ErrorResponse("Missing key"), nil`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`}`

Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`keyPath := fmt.Sprintf("keys/%s", keyName)`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00
Vault SSH: Documentation update and minor refactoring changes. 2015-08-18 01:22:03 +00:00			`// Store the key`
Vault SSH: CRUD tests for named keys 2015-08-03 20:18:14 +00:00			`entry, err := logical.StorageEntryJSON(keyPath, map[string]interface{}{`
			`"key": keyString,`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`return nil, err`
			`}`
			`return nil, nil`
			`}`

Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			const pathKeysSyn = `
Vault SSH: Documentation update and minor refactoring changes. 2015-08-18 01:22:03 +00:00			`Register a shared private key with Vault.`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`

Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			const pathKeysDesc = `
Vault SSH: Documentation update and minor refactoring changes. 2015-08-18 01:22:03 +00:00			`Vault uses this key to install and uninstall dynamic keys in remote hosts. This`
			`key should have sudoer privileges in remote hosts. This enables installing keys`
Vault SSH: Refactoring 2015-07-27 17:02:31 +00:00			`for unprivileged usernames.`

Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 20:12:38 +00:00			`If this backend is mounted as "ssh", then the endpoint for registering shared`
			`key is "ssh/keys/<name>". The name given here can be associated with any number`
			`of roles via the endpoint "ssh/roles/".`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`