2015-09-04 20:58:12 +00:00
|
|
|
package vault
|
|
|
|
|
2016-01-07 20:10:05 +00:00
|
|
|
import (
|
2018-01-08 18:31:38 +00:00
|
|
|
"context"
|
2017-04-25 01:31:27 +00:00
|
|
|
"fmt"
|
2016-01-07 20:10:05 +00:00
|
|
|
"time"
|
|
|
|
|
2017-09-01 05:02:03 +00:00
|
|
|
"github.com/hashicorp/errwrap"
|
|
|
|
|
2017-02-16 18:37:21 +00:00
|
|
|
"github.com/hashicorp/vault/helper/consts"
|
2017-04-04 00:52:29 +00:00
|
|
|
"github.com/hashicorp/vault/helper/pluginutil"
|
2017-04-24 19:15:01 +00:00
|
|
|
"github.com/hashicorp/vault/helper/wrapping"
|
2016-01-07 20:10:05 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
)
|
2015-09-04 20:58:12 +00:00
|
|
|
|
|
|
|
type dynamicSystemView struct {
|
2015-09-10 02:17:49 +00:00
|
|
|
core *Core
|
|
|
|
mountEntry *MountEntry
|
2015-09-04 20:58:12 +00:00
|
|
|
}
|
|
|
|
|
2015-09-10 19:09:34 +00:00
|
|
|
func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
|
|
|
|
def, _ := d.fetchTTLs()
|
|
|
|
return def
|
2015-09-04 20:58:12 +00:00
|
|
|
}
|
|
|
|
|
2015-09-10 19:09:34 +00:00
|
|
|
func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
|
|
|
|
_, max := d.fetchTTLs()
|
|
|
|
return max
|
2015-09-04 20:58:12 +00:00
|
|
|
}
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
func (d dynamicSystemView) SudoPrivilege(ctx context.Context, path string, token string) bool {
|
2015-09-21 14:04:03 +00:00
|
|
|
// Resolve the token policy
|
2018-01-19 06:44:44 +00:00
|
|
|
te, err := d.core.tokenStore.Lookup(ctx, token)
|
2015-09-18 23:59:06 +00:00
|
|
|
if err != nil {
|
2016-08-19 20:45:17 +00:00
|
|
|
d.core.logger.Error("core: failed to lookup token", "error", err)
|
2015-09-18 23:59:06 +00:00
|
|
|
return false
|
|
|
|
}
|
2015-09-21 14:04:03 +00:00
|
|
|
|
|
|
|
// Ensure the token is valid
|
|
|
|
if te == nil {
|
2016-08-19 20:45:17 +00:00
|
|
|
d.core.logger.Error("entry not found for given token")
|
2015-09-21 14:04:03 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Construct the corresponding ACL object
|
2018-01-19 06:44:44 +00:00
|
|
|
acl, err := d.core.policyStore.ACL(ctx, te.Policies...)
|
2015-09-21 14:04:03 +00:00
|
|
|
if err != nil {
|
2016-08-19 20:45:17 +00:00
|
|
|
d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
|
2015-09-21 14:04:03 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2016-01-07 20:10:05 +00:00
|
|
|
// The operation type isn't important here as this is run from a path the
|
|
|
|
// user has already been given access to; we only care about whether they
|
|
|
|
// have sudo
|
2017-01-20 00:54:08 +00:00
|
|
|
req := new(logical.Request)
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = path
|
2017-10-23 20:03:36 +00:00
|
|
|
authResults := acl.AllowOperation(req)
|
|
|
|
return authResults.RootPrivs
|
2015-09-18 23:59:06 +00:00
|
|
|
}
|
|
|
|
|
2015-09-04 20:58:12 +00:00
|
|
|
// TTLsByPath returns the default and max TTLs corresponding to a particular
|
|
|
|
// mount point, or the system default
|
2015-09-10 19:09:34 +00:00
|
|
|
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
|
2015-09-04 20:58:12 +00:00
|
|
|
def = d.core.defaultLeaseTTL
|
|
|
|
max = d.core.maxLeaseTTL
|
|
|
|
|
2015-09-10 02:17:49 +00:00
|
|
|
if d.mountEntry.Config.DefaultLeaseTTL != 0 {
|
|
|
|
def = d.mountEntry.Config.DefaultLeaseTTL
|
2015-09-04 20:58:12 +00:00
|
|
|
}
|
2015-09-10 02:17:49 +00:00
|
|
|
if d.mountEntry.Config.MaxLeaseTTL != 0 {
|
|
|
|
max = d.mountEntry.Config.MaxLeaseTTL
|
2015-09-04 20:58:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
2016-01-22 22:01:22 +00:00
|
|
|
|
|
|
|
// Tainted indicates that the mount is in the process of being removed
|
|
|
|
func (d dynamicSystemView) Tainted() bool {
|
|
|
|
return d.mountEntry.Tainted
|
|
|
|
}
|
2016-04-21 13:52:42 +00:00
|
|
|
|
2016-04-21 20:32:06 +00:00
|
|
|
// CachingDisabled indicates whether to use caching behavior
|
|
|
|
func (d dynamicSystemView) CachingDisabled() bool {
|
2017-03-08 14:20:09 +00:00
|
|
|
return d.core.cachingDisabled || (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)
|
2016-04-21 13:52:42 +00:00
|
|
|
}
|
2017-01-12 20:13:47 +00:00
|
|
|
|
2017-09-04 23:38:37 +00:00
|
|
|
// Checks if this is a primary Vault instance. Caller should hold the stateLock
|
|
|
|
// in read mode.
|
2017-02-16 18:37:21 +00:00
|
|
|
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
|
2018-01-16 18:51:55 +00:00
|
|
|
return d.core.ReplicationState()
|
2017-01-12 20:13:47 +00:00
|
|
|
}
|
2017-03-16 00:14:48 +00:00
|
|
|
|
|
|
|
// ResponseWrapData wraps the given data in a cubbyhole and returns the
|
|
|
|
// token used to unwrap.
|
2018-01-19 06:44:44 +00:00
|
|
|
func (d dynamicSystemView) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
|
2017-03-16 00:14:48 +00:00
|
|
|
req := &logical.Request{
|
|
|
|
Operation: logical.CreateOperation,
|
2017-04-24 19:15:01 +00:00
|
|
|
Path: "sys/wrapping/wrap",
|
2017-03-16 00:14:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
resp := &logical.Response{
|
2017-04-24 19:15:01 +00:00
|
|
|
WrapInfo: &wrapping.ResponseWrapInfo{
|
2017-03-16 00:14:48 +00:00
|
|
|
TTL: ttl,
|
|
|
|
},
|
|
|
|
Data: data,
|
|
|
|
}
|
|
|
|
|
|
|
|
if jwt {
|
|
|
|
resp.WrapInfo.Format = "jwt"
|
|
|
|
}
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
_, err := d.core.wrapInCubbyhole(ctx, req, resp, nil)
|
2017-03-16 00:14:48 +00:00
|
|
|
if err != nil {
|
2017-04-24 19:15:01 +00:00
|
|
|
return nil, err
|
2017-03-16 00:14:48 +00:00
|
|
|
}
|
|
|
|
|
2017-04-24 19:15:01 +00:00
|
|
|
return resp.WrapInfo, nil
|
2017-03-16 00:14:48 +00:00
|
|
|
}
|
2017-04-04 00:52:29 +00:00
|
|
|
|
2017-04-11 00:12:52 +00:00
|
|
|
// LookupPlugin looks for a plugin with the given name in the plugin catalog. It
|
|
|
|
// returns a PluginRunner or an error if no plugin was found.
|
2018-01-19 06:44:44 +00:00
|
|
|
func (d dynamicSystemView) LookupPlugin(ctx context.Context, name string) (*pluginutil.PluginRunner, error) {
|
2017-08-16 02:10:32 +00:00
|
|
|
if d.core == nil {
|
|
|
|
return nil, fmt.Errorf("system view core is nil")
|
|
|
|
}
|
|
|
|
if d.core.pluginCatalog == nil {
|
|
|
|
return nil, fmt.Errorf("system view core plugin catalog is nil")
|
|
|
|
}
|
2018-01-19 06:44:44 +00:00
|
|
|
r, err := d.core.pluginCatalog.Get(ctx, name)
|
2017-04-25 01:31:27 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if r == nil {
|
2017-09-01 05:02:03 +00:00
|
|
|
return nil, errwrap.Wrapf(fmt.Sprintf("{{err}}: %s", name), ErrPluginNotFound)
|
2017-04-25 01:31:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return r, nil
|
2017-04-04 00:52:29 +00:00
|
|
|
}
|
2017-04-11 00:12:52 +00:00
|
|
|
|
2017-04-24 19:21:49 +00:00
|
|
|
// MlockEnabled returns the configuration setting for enabling mlock on plugins.
|
|
|
|
func (d dynamicSystemView) MlockEnabled() bool {
|
|
|
|
return d.core.enableMlock
|
2017-04-11 00:12:52 +00:00
|
|
|
}
|