open-vault/builtin/credential/cert/backend.go

package cert

import (
	"context"
	"strings"
	"sync"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
	b := Backend()
	if err := b.Setup(ctx, conf); err != nil {
		return nil, err
	}
	return b, nil
}

func Backend() *backend {
	var b backend
	b.Backend = &framework.Backend{
		Help: backendHelp,
		PathsSpecial: &logical.Paths{
			Unauthenticated: []string{
				"login",
			},
		},
		Paths: []*framework.Path{
			pathConfig(&b),
			pathLogin(&b),
			pathListCerts(&b),
			pathCerts(&b),
			pathCRLs(&b),
		},
		AuthRenew:   b.pathLoginRenew,
		Invalidate:  b.invalidate,
		BackendType: logical.TypeCredential,
	}

	b.crlUpdateMutex = &sync.RWMutex{}

	return &b
}

type backend struct {
	*framework.Backend
	MapCertId *framework.PathMap

	crls           map[string]CRLInfo
	crlUpdateMutex *sync.RWMutex
}

func (b *backend) invalidate(_ context.Context, key string) {
	switch {
	case strings.HasPrefix(key, "crls/"):
		b.crlUpdateMutex.Lock()
		defer b.crlUpdateMutex.Unlock()
		b.crls = nil
	}
}

const backendHelp = `
The "cert" credential provider allows authentication using
TLS client certificates. A client connects to Vault and uses
the "login" endpoint to generate a client token.

Trusted certificates are configured using the "certs/" endpoint
by a user with root access. A certificate authority can be trusted,
which permits all keys signed by it. Alternatively, self-signed
certificates can be trusted avoiding the need for a CA.
`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`package cert`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`"strings"`
Address first round of feedback from review 2015-10-30 17:32:51 +00:00			`"sync"`

Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`)`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {`
Address first round of feedback from review 2015-10-30 17:32:51 +00:00			`b := Backend()`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := b.Setup(ctx, conf); err != nil {`
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs 2017-07-20 17:28:40 +00:00			`return nil, err`
Drastically simplify the method and logic; keep an in-memory cache and use that for most operations, only affecting the backend storage when needed. 2015-10-15 16:10:22 +00:00			`}`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`return b, nil`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`}`

Address first round of feedback from review 2015-10-30 17:32:51 +00:00			`func Backend() *backend {`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`var b backend`
			`b.Backend = &framework.Backend{`
			`Help: backendHelp,`
			`PathsSpecial: &logical.Paths{`
			`Unauthenticated: []string{`
			`"login",`
			`},`
			`},`
all: fix no-op append calls (#6360) Append call in form of `append(s)` has no effect, it just returns `s`. Sometimes such invocation is a sign of a programming error, so it's better to remove these. Signed-off-by: Iskander Sharipov <quasilyte@gmail.com> 2019-03-14 20:40:30 +00:00			`Paths: []*framework.Path{`
make the verification of certs in renewal configurable 2016-02-24 21:42:20 +00:00			`pathConfig(&b),`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`pathLogin(&b),`
Add list support to certs in cert auth backend. Fixes #1212 2016-03-15 18:07:40 +00:00			`pathListCerts(&b),`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`pathCerts(&b),`
Add delete method, and ability to delete only one serial as well as an entire set. 2015-10-08 01:50:57 +00:00			`pathCRLs(&b),`
all: fix no-op append calls (#6360) Append call in form of `append(s)` has no effect, it just returns `s`. Sometimes such invocation is a sign of a programming error, so it's better to remove these. Signed-off-by: Iskander Sharipov <quasilyte@gmail.com> 2019-03-14 20:40:30 +00:00			`},`
Add BackendType to existing backends (#3078) 2017-07-28 18:04:46 +00:00			`AuthRenew: b.pathLoginRenew,`
			`Invalidate: b.invalidate,`
			`BackendType: logical.TypeCredential,`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`}`

Address first round of feedback from review 2015-10-30 17:32:51 +00:00			`b.crlUpdateMutex = &sync.RWMutex{}`

			`return &b`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`}`

			`type backend struct {`
			`*framework.Backend`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`MapCertId *framework.PathMap`
Address first round of feedback from review 2015-10-30 17:32:51 +00:00
			`crls map[string]CRLInfo`
			`crlUpdateMutex *sync.RWMutex`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b *backend) invalidate(_ context.Context, key string) {`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`switch {`
			`case strings.HasPrefix(key, "crls/"):`
			`b.crlUpdateMutex.Lock()`
			`defer b.crlUpdateMutex.Unlock()`
			`b.crls = nil`
			`}`
			`}`

credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			const backendHelp = `
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`The "cert" credential provider allows authentication using`
			`TLS client certificates. A client connects to Vault and uses`
			`the "login" endpoint to generate a client token.`

			`Trusted certificates are configured using the "certs/" endpoint`
			`by a user with root access. A certificate authority can be trusted,`
			`which permits all keys signed by it. Alternatively, self-signed`
			`certificates can be trusted avoiding the need for a CA.`
credential/cert: First pass at public key credential backend 2015-04-24 04:46:21 +00:00			`