2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2015-07-22 20:00:58 +00:00
|
|
|
package ssh
|
|
|
|
|
|
|
|
import (
|
2018-01-08 18:31:38 +00:00
|
|
|
"context"
|
|
|
|
|
2015-08-12 20:22:48 +00:00
|
|
|
"github.com/hashicorp/vault/api"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
2019-04-13 07:44:06 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2015-07-22 20:00:58 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func pathVerify(b *backend) *framework.Path {
|
|
|
|
return &framework.Path{
|
|
|
|
Pattern: "verify",
|
2023-04-10 18:18:00 +00:00
|
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
|
|
OperationPrefix: operationPrefixSSH,
|
|
|
|
OperationVerb: "verify",
|
|
|
|
OperationSuffix: "otp",
|
|
|
|
},
|
2015-07-22 20:00:58 +00:00
|
|
|
Fields: map[string]*framework.FieldSchema{
|
2021-04-08 16:43:39 +00:00
|
|
|
"otp": {
|
2015-07-22 20:00:58 +00:00
|
|
|
Type: framework.TypeString,
|
2015-08-14 19:41:26 +00:00
|
|
|
Description: "[Required] One-Time-Key that needs to be validated",
|
2015-07-22 20:00:58 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2016-01-07 15:30:47 +00:00
|
|
|
logical.UpdateOperation: b.pathVerifyWrite,
|
2015-07-22 20:00:58 +00:00
|
|
|
},
|
|
|
|
HelpSynopsis: pathVerifyHelpSyn,
|
|
|
|
HelpDescription: pathVerifyHelpDesc,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
func (b *backend) getOTP(ctx context.Context, s logical.Storage, n string) (*sshOTP, error) {
|
|
|
|
entry, err := s.Get(ctx, "otp/"+n)
|
2015-08-13 21:18:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if entry == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
var result sshOTP
|
|
|
|
if err := entry.DecodeJSON(&result); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return &result, nil
|
|
|
|
}
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2015-07-22 20:00:58 +00:00
|
|
|
otp := d.Get("otp").(string)
|
2015-08-12 16:25:28 +00:00
|
|
|
|
2015-08-12 17:48:58 +00:00
|
|
|
// If OTP is not a UUID and a string matching VerifyEchoRequest, then the
|
|
|
|
// response will be VerifyEchoResponse. This is used by agent to check if
|
|
|
|
// connection to Vault server is proper.
|
2015-08-12 20:22:48 +00:00
|
|
|
if otp == api.VerifyEchoRequest {
|
2015-08-12 16:25:28 +00:00
|
|
|
return &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
2015-08-12 20:22:48 +00:00
|
|
|
"message": api.VerifyEchoResponse,
|
2015-08-12 16:25:28 +00:00
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2015-08-18 01:22:03 +00:00
|
|
|
// Create the salt of OTP because entry would have been create with the
|
|
|
|
// salt and not directly of the OTP. Salt will yield the same value which
|
|
|
|
// because the seed is the same, the backend salt.
|
2018-03-08 19:21:11 +00:00
|
|
|
salt, err := b.Salt(ctx)
|
2017-05-09 21:51:09 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
otpSalted := salt.SaltID(otp)
|
2015-08-13 21:18:30 +00:00
|
|
|
|
|
|
|
// Return nil if there is no entry found for the OTP
|
2018-01-19 06:44:44 +00:00
|
|
|
otpEntry, err := b.getOTP(ctx, req.Storage, otpSalted)
|
2015-07-22 20:00:58 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-08-13 21:18:30 +00:00
|
|
|
if otpEntry == nil {
|
2016-02-17 00:46:29 +00:00
|
|
|
return logical.ErrorResponse("OTP not found"), nil
|
2015-07-22 20:00:58 +00:00
|
|
|
}
|
|
|
|
|
2015-08-13 21:18:30 +00:00
|
|
|
// Delete the OTP if found. This is what makes the key an OTP.
|
2018-01-19 06:44:44 +00:00
|
|
|
err = req.Storage.Delete(ctx, "otp/"+otpSalted)
|
2015-07-22 20:00:58 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-07-29 18:21:36 +00:00
|
|
|
|
2015-08-13 21:18:30 +00:00
|
|
|
// Return username and IP only if there were no problems uptill this point.
|
2015-07-22 20:00:58 +00:00
|
|
|
return &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
2016-07-01 18:31:37 +00:00
|
|
|
"username": otpEntry.Username,
|
|
|
|
"ip": otpEntry.IP,
|
|
|
|
"role_name": otpEntry.RoleName,
|
2015-07-22 20:00:58 +00:00
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
const pathVerifyHelpSyn = `
|
2015-08-18 01:22:03 +00:00
|
|
|
Validate the OTP provided by Vault SSH Agent.
|
2015-07-22 20:00:58 +00:00
|
|
|
`
|
|
|
|
|
|
|
|
const pathVerifyHelpDesc = `
|
2018-03-20 18:54:10 +00:00
|
|
|
This path will be used by Vault SSH Agent running in the remote hosts. The OTP
|
2015-08-18 01:22:03 +00:00
|
|
|
provided by the client is sent to Vault for validation by the agent. If Vault
|
|
|
|
finds an entry for the OTP, it responds with the username and IP it is associated
|
|
|
|
with. Agent uses this information to authenticate the client. Vault deletes the
|
|
|
|
OTP after validating it once.
|
2015-07-22 20:00:58 +00:00
|
|
|
`
|