open-vault/builtin/logical/nomad/path_roles.go

package nomad

import (
	"context"
	"errors"
	"fmt"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

func pathListRoles(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "role/?$",

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ListOperation: b.pathRoleList,
		},
	}
}

func pathRoles(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "role/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": {
				Type:        framework.TypeString,
				Description: "Name of the role",
			},

			"policies": {
				Type:        framework.TypeCommaStringSlice,
				Description: "Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.",
			},

			"global": {
				Type:        framework.TypeBool,
				Description: "Boolean value describing if the token should be global or not. Defaults to false.",
			},

			"type": {
				Type:    framework.TypeString,
				Default: "client",
				Description: `Which type of token to create: 'client'
or 'management'. If a 'management' token,
the "policies" parameter is not required.
Defaults to 'client'.`,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation:   b.pathRolesRead,
			logical.CreateOperation: b.pathRolesWrite,
			logical.UpdateOperation: b.pathRolesWrite,
			logical.DeleteOperation: b.pathRolesDelete,
		},

		ExistenceCheck: b.rolesExistenceCheck,
	}
}

// Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
// Returning 'true' forces an UpdateOperation, CreateOperation otherwise.
func (b *backend) rolesExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
	name := d.Get("name").(string)
	entry, err := b.Role(ctx, req.Storage, name)
	if err != nil {
		return false, err
	}
	return entry != nil, nil
}

func (b *backend) Role(ctx context.Context, storage logical.Storage, name string) (*roleConfig, error) {
	if name == "" {
		return nil, errors.New("invalid role name")
	}

	entry, err := storage.Get(ctx, "role/"+name)
	if err != nil {
		return nil, fmt.Errorf("error retrieving role: %w", err)
	}
	if entry == nil {
		return nil, nil
	}

	var result roleConfig
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}
	return &result, nil
}

func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	entries, err := req.Storage.List(ctx, "role/")
	if err != nil {
		return nil, err
	}

	return logical.ListResponse(entries), nil
}

func (b *backend) pathRolesRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	role, err := b.Role(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if role == nil {
		return nil, nil
	}

	// Generate the response
	resp := &logical.Response{
		Data: map[string]interface{}{
			"type":     role.TokenType,
			"global":   role.Global,
			"policies": role.Policies,
		},
	}
	return resp, nil
}

func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)

	role, err := b.Role(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if role == nil {
		role = new(roleConfig)
	}

	policies, ok := d.GetOk("policies")
	if ok {
		role.Policies = policies.([]string)
	}

	role.TokenType = d.Get("type").(string)
	switch role.TokenType {
	case "client":
		if len(role.Policies) == 0 {
			return logical.ErrorResponse(
				"policies cannot be empty when using client tokens"), nil
		}
	case "management":
		if len(role.Policies) != 0 {
			return logical.ErrorResponse(
				"policies should be empty when using management tokens"), nil
		}
	default:
		return logical.ErrorResponse(
			`type must be "client" or "management"`), nil
	}

	global, ok := d.GetOk("global")
	if ok {
		role.Global = global.(bool)
	}

	entry, err := logical.StorageEntryJSON("role/"+name, role)
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

func (b *backend) pathRolesDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	if err := req.Storage.Delete(ctx, "role/"+name); err != nil {
		return nil, err
	}
	return nil, nil
}

type roleConfig struct {
	Policies  []string `json:"policies"`
	TokenType string   `json:"type"`
	Global    bool     `json:"global"`
}
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`package nomad`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`"errors"`
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf() 2021-04-22 15:20:59 +00:00			`"fmt"`
adding existence check for roles 2017-12-16 00:50:20 +00:00
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`)`

			`func pathListRoles(b backend) framework.Path {`
			`return &framework.Path{`
Unifying Storage and API path in role 2017-10-31 20:56:56 +00:00			`Pattern: "role/?$",`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00
			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ListOperation: b.pathRoleList,`
			`},`
			`}`
			`}`

minor cleanup 2017-11-06 21:34:20 +00:00			`func pathRoles(b backend) framework.Path {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`return &framework.Path{`
Unifying Storage and API path in role 2017-10-31 20:56:56 +00:00			`Pattern: "role/" + framework.GenericNameRegex("name"),`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"name": {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`Type: framework.TypeString,`
			`Description: "Name of the role",`
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"policies": {`
Fixing data model 2017-09-20 22:14:35 +00:00			`Type: framework.TypeCommaStringSlice,`
address some feedback 2017-12-15 22:06:56 +00:00			`Description: "Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.",`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"global": {`
Adding Global tokens to the data model 2017-09-28 22:57:48 +00:00			`Type: framework.TypeBool,`
address some feedback 2017-12-15 22:06:56 +00:00			`Description: "Boolean value describing if the token should be global or not. Defaults to false.",`
Adding Global tokens to the data model 2017-09-28 22:57:48 +00:00			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"type": {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`Type: framework.TypeString,`
			`Default: "client",`
			Description: `Which type of token to create: 'client'
			`or 'management'. If a 'management' token,`
Rename policy into policies 2017-11-29 16:31:17 +00:00			`the "policies" parameter is not required.`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			Defaults to 'client'.`,
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
minor cleanup 2017-11-06 21:34:20 +00:00			`logical.ReadOperation: b.pathRolesRead,`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`logical.CreateOperation: b.pathRolesWrite,`
minor cleanup 2017-11-06 21:34:20 +00:00			`logical.UpdateOperation: b.pathRolesWrite,`
			`logical.DeleteOperation: b.pathRolesDelete,`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`},`
adding existence check for roles 2017-12-16 00:50:20 +00:00
			`ExistenceCheck: b.rolesExistenceCheck,`
			`}`
			`}`

			`// Establishes dichotomy of request operation between CreateOperation and UpdateOperation.`
			`// Returning 'true' forces an UpdateOperation, CreateOperation otherwise.`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) rolesExistenceCheck(ctx context.Context, req logical.Request, d *framework.FieldData) (bool, error) {`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`name := d.Get("name").(string)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entry, err := b.Role(ctx, req.Storage, name)`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`if err != nil {`
			`return false, err`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`return entry != nil, nil`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b backend) Role(ctx context.Context, storage logical.Storage, name string) (roleConfig, error) {`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`if name == "" {`
			`return nil, errors.New("invalid role name")`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entry, err := storage.Get(ctx, "role/"+name)`
adding ttl to secret, refactoring for consistency 2017-11-07 14:58:19 +00:00			`if err != nil {`
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf() 2021-04-22 15:20:59 +00:00			`return nil, fmt.Errorf("error retrieving role: %w", err)`
adding ttl to secret, refactoring for consistency 2017-11-07 14:58:19 +00:00			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

			`var result roleConfig`
			`if err := entry.DecodeJSON(&result); err != nil {`
			`return nil, err`
			`}`
			`return &result, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRoleList(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entries, err := req.Storage.List(ctx, "role/")`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`return logical.ListResponse(entries), nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRolesRead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`name := d.Get("name").(string)`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`role, err := b.Role(ctx, req.Storage, name)`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`
adding ttl to secret, refactoring for consistency 2017-11-07 14:58:19 +00:00			`if role == nil {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`return nil, nil`
			`}`

			`// Generate the response`
			`resp := &logical.Response{`
			`Data: map[string]interface{}{`
Rename policy into policies 2017-11-29 16:31:17 +00:00			`"type": role.TokenType,`
			`"global": role.Global,`
			`"policies": role.Policies,`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`},`
			`}`
			`return resp, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRolesWrite(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`name := d.Get("name").(string)`
minor cleanup 2017-11-06 21:34:20 +00:00
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`role, err := b.Role(ctx, req.Storage, name)`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if role == nil {`
			`role = new(roleConfig)`
			`}`

			`policies, ok := d.GetOk("policies")`
			`if ok {`
			`role.Policies = policies.([]string)`
			`}`

			`role.TokenType = d.Get("type").(string)`
			`switch role.TokenType {`
minor cleanup 2017-11-06 21:34:20 +00:00			`case "client":`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`if len(role.Policies) == 0 {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`return logical.ErrorResponse(`
Rename policy into policies 2017-11-29 16:31:17 +00:00			`"policies cannot be empty when using client tokens"), nil`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`
minor cleanup 2017-11-06 21:34:20 +00:00			`case "management":`
adding existence check for roles 2017-12-16 00:50:20 +00:00			`if len(role.Policies) != 0 {`
Should return an error if trying create a management token with policies attached 2017-10-31 21:12:14 +00:00			`return logical.ErrorResponse(`
Rename policy into policies 2017-11-29 16:31:17 +00:00			`"policies should be empty when using management tokens"), nil`
Should return an error if trying create a management token with policies attached 2017-10-31 21:12:14 +00:00			`}`
minor cleanup 2017-11-06 21:34:20 +00:00			`default:`
			`return logical.ErrorResponse(`
address some feedback 2017-12-15 22:06:56 +00:00			`type must be "client" or "management"`), nil
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`

adding existence check for roles 2017-12-16 00:50:20 +00:00			`global, ok := d.GetOk("global")`
			`if ok {`
			`role.Global = global.(bool)`
			`}`

			`entry, err := logical.StorageEntryJSON("role/"+name, role)`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`return nil, err`
			`}`

			`return nil, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRolesDelete(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`name := d.Get("name").(string)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Delete(ctx, "role/"+name); err != nil {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`return nil, err`
			`}`
			`return nil, nil`
			`}`

			`type roleConfig struct {`
Rename policy into policies 2017-11-29 16:31:17 +00:00			Policies []string `json:"policies"`
minor cleanup 2017-11-06 21:34:20 +00:00			TokenType string `json:"type"`
Refactored Lease into the Backend configuration 2017-11-06 15:09:56 +00:00			Global bool `json:"global"`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`