open-vault/builtin/logical/ssh/path_roles.go

284 lines
8.3 KiB
Go
Raw Normal View History

package ssh
import (
"fmt"
"net"
"strings"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
2015-07-29 18:21:36 +00:00
const KeyTypeOTP = "otp"
const KeyTypeDynamic = "dynamic"
func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/(?P<role>[-\\w]+)",
Fields: map[string]*framework.FieldSchema{
"role": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for both types]
Name of the role being created.`,
},
"key": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for dynamic type] [Not applicable for otp type]
Name of the registered key in Vault. Before creating the role, use the
'keys/' endpoint to create a named key.`,
},
"admin_user": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for dynamic type] [Not applicable for otp type]
Admin user at remote host. The shared key being registered should be
for this user and should have root privileges. Everytime a dynamic
credential is being generated for other users, Vault uses this admin
username to login to remote host and install the generated credential
for the other user.`,
},
"default_user": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for both types]
Default username for which a credential will be generated.
When the endpoint 'creds/' is used without a username, this
value will be used as default username.`,
},
2015-08-13 15:46:55 +00:00
"cidr_list": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for both types]
Comma separated list of CIDR blocks for which the role is applicable for.
CIDR blocks can belong to more than one role.`,
},
"port": &framework.FieldSchema{
Type: framework.TypeInt,
Description: `
[Optional for both types]
Port number for SSH connection. Default is '22'.`,
},
2015-07-22 18:15:19 +00:00
"key_type": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for both types]
Type of key used to login to hosts. It can be either 'otp' or 'dynamic'.
'otp' type requires agent to be installed in remote hosts.`,
2015-07-22 18:15:19 +00:00
},
2015-07-29 18:21:36 +00:00
"key_bits": &framework.FieldSchema{
Type: framework.TypeInt,
Description: `
[Optional for dynamic type] [Not applicable for otp type]
Length of the RSA dynamic key in bits. It can be one of 1024, 2048 or 4096.`,
2015-07-29 18:21:36 +00:00
},
"install_script": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Optional for dynamic type][Not-applicable for otp type]
Script used to install and uninstall public keys in the target machine.
The inbuilt default install script will be for Linux hosts. For sample
script, refer the project's documentation website.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathRoleRead,
logical.WriteOperation: b.pathRoleWrite,
logical.DeleteOperation: b.pathRoleDelete,
},
HelpSynopsis: pathRoleHelpSyn,
HelpDescription: pathRoleHelpDesc,
}
}
2015-07-29 18:21:36 +00:00
func (b *backend) pathRoleWrite(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
roleName := d.Get("role").(string)
2015-07-22 18:15:19 +00:00
if roleName == "" {
return logical.ErrorResponse("Missing role name"), nil
}
2015-07-27 17:02:31 +00:00
defaultUser := d.Get("default_user").(string)
if defaultUser == "" {
return logical.ErrorResponse("Missing default user"), nil
}
2015-08-13 15:46:55 +00:00
cidrList := d.Get("cidr_list").(string)
if cidrList == "" {
return logical.ErrorResponse("Missing CIDR blocks"), nil
2015-07-22 18:15:19 +00:00
}
2015-08-13 15:46:55 +00:00
for _, item := range strings.Split(cidrList, ",") {
2015-07-22 18:15:19 +00:00
_, _, err := net.ParseCIDR(item)
if err != nil {
2015-08-13 15:46:55 +00:00
return logical.ErrorResponse(fmt.Sprintf("Invalid CIDR list entry '%s'", item)), nil
2015-07-22 18:15:19 +00:00
}
}
2015-07-27 17:02:31 +00:00
2015-08-13 15:46:55 +00:00
port := d.Get("port").(int)
if port == 0 {
port = 22
2015-07-22 18:15:19 +00:00
}
2015-07-27 17:02:31 +00:00
2015-07-29 18:21:36 +00:00
keyType := d.Get("key_type").(string)
if keyType == "" {
return logical.ErrorResponse("Missing key type"), nil
2015-07-22 18:15:19 +00:00
}
2015-07-29 18:21:36 +00:00
keyType = strings.ToLower(keyType)
2015-07-22 18:15:19 +00:00
2015-07-29 18:21:36 +00:00
var err error
var roleEntry sshRole
2015-07-29 18:21:36 +00:00
if keyType == KeyTypeOTP {
adminUser := d.Get("admin_user").(string)
if adminUser != "" {
return logical.ErrorResponse("Admin user not required for OTP type"), nil
}
2015-07-22 18:15:19 +00:00
roleEntry = sshRole{
2015-07-29 18:21:36 +00:00
DefaultUser: defaultUser,
2015-08-13 15:46:55 +00:00
CIDRList: cidrList,
2015-07-29 18:21:36 +00:00
KeyType: KeyTypeOTP,
2015-07-31 17:24:23 +00:00
Port: port,
}
2015-07-29 18:21:36 +00:00
} else if keyType == KeyTypeDynamic {
keyName := d.Get("key").(string)
if keyName == "" {
return logical.ErrorResponse("Missing key name"), nil
}
keyEntry, err := req.Storage.Get(fmt.Sprintf("keys/%s", keyName))
if err != nil || keyEntry == nil {
return logical.ErrorResponse(fmt.Sprintf("Invalid 'key': '%s'", keyName)), nil
}
2015-07-27 17:02:31 +00:00
installScript := d.Get("install_script").(string)
if installScript == "" {
return logical.ErrorResponse("Missing install script"), nil
}
2015-07-29 18:21:36 +00:00
adminUser := d.Get("admin_user").(string)
if adminUser == "" {
return logical.ErrorResponse("Missing admin username"), nil
}
2015-07-27 17:02:31 +00:00
keyBits := d.Get("key_bits").(int)
if keyBits != 0 && keyBits != 1024 && keyBits != 2048 && keyBits != 4096 {
return logical.ErrorResponse("Invalid key_bits field"), nil
}
if keyBits == 0 {
keyBits = 2048
2015-07-29 18:21:36 +00:00
}
2015-07-27 17:02:31 +00:00
roleEntry = sshRole{
KeyName: keyName,
AdminUser: adminUser,
DefaultUser: defaultUser,
2015-08-13 15:46:55 +00:00
CIDRList: cidrList,
Port: port,
KeyType: KeyTypeDynamic,
KeyBits: keyBits,
InstallScript: installScript,
}
2015-07-29 18:21:36 +00:00
} else {
return logical.ErrorResponse("Invalid key type"), nil
}
entry, err := logical.StorageEntryJSON(fmt.Sprintf("roles/%s", roleName), roleEntry)
if err != nil {
return nil, err
}
if err := req.Storage.Put(entry); err != nil {
return nil, err
}
return nil, nil
}
func (b *backend) getRole(s logical.Storage, n string) (*sshRole, error) {
entry, err := s.Get("roles/" + n)
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
2015-07-27 17:02:31 +00:00
var result sshRole
if err := entry.DecodeJSON(&result); err != nil {
2015-07-02 21:23:09 +00:00
return nil, err
}
2015-07-27 17:02:31 +00:00
return &result, nil
}
func (b *backend) pathRoleRead(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
role, err := b.getRole(req.Storage, d.Get("role").(string))
if err != nil {
return nil, err
}
if role == nil {
return nil, nil
}
2015-07-31 17:24:23 +00:00
if role.KeyType == KeyTypeOTP {
return &logical.Response{
Data: map[string]interface{}{
"default_user": role.DefaultUser,
2015-08-13 15:46:55 +00:00
"cidr_list": role.CIDRList,
2015-07-31 17:24:23 +00:00
"port": role.Port,
"key_type": role.KeyType,
},
}, nil
} else {
return &logical.Response{
Data: map[string]interface{}{
"key": role.KeyName,
"admin_user": role.AdminUser,
"default_user": role.DefaultUser,
2015-08-13 15:46:55 +00:00
"cidr_list": role.CIDRList,
2015-07-31 17:24:23 +00:00
"port": role.Port,
"key_type": role.KeyType,
},
}, nil
}
}
func (b *backend) pathRoleDelete(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
roleName := d.Get("role").(string)
err := req.Storage.Delete(fmt.Sprintf("roles/%s", roleName))
if err != nil {
return nil, err
}
return nil, nil
}
type sshRole struct {
KeyType string `mapstructure:"key_type" json:"key_type"`
KeyName string `mapstructure:"key" json:"key"`
KeyBits int `mapstructure:"key_bits" json:"key_bits"`
AdminUser string `mapstructure:"admin_user" json:"admin_user"`
DefaultUser string `mapstructure:"default_user" json:"default_user"`
2015-08-13 15:46:55 +00:00
CIDRList string `mapstructure:"cidr_list" json:"cidr_list"`
Port int `mapstructure:"port" json:"port"`
InstallScript string `mapstructure:"install_script" json:"install_script"`
}
const pathRoleHelpSyn = `
Manage the 'roles' that can be created with this backend.
`
const pathRoleHelpDesc = `
This path allows you to manage the roles that are used to generate
credentials. These roles will be having privileged access to all
the hosts mentioned by CIDR blocks. For example, if the backend
is mounted at "ssh" and the role is created at "ssh/roles/web",
then a user could request for a new key at "ssh/creds/web" for the
supplied username and IP address.
2015-08-13 15:46:55 +00:00
The 'cidr_list' field takes comma seperated CIDR blocks. The 'admin_user'
should have root access in all the hosts represented by the 'cidr_list'
field. When the user requests key for an IP, the key will be installed
for the user mentioned by 'default_user' field. The 'key' field takes
a named key which can be configured by 'ssh/keys/' endpoint.
`