open-vault/builtin/logical/nomad/path_roles.go

187 lines
4.7 KiB
Go
Raw Normal View History

2017-09-20 20:59:35 +00:00
package nomad
import (
"context"
2017-12-16 00:50:20 +00:00
"errors"
2017-12-15 22:06:56 +00:00
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
2017-09-20 20:59:35 +00:00
)
func pathListRoles(b *backend) *framework.Path {
return &framework.Path{
2017-10-31 20:56:56 +00:00
Pattern: "role/?$",
2017-09-20 20:59:35 +00:00
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathRoleList,
},
}
}
2017-11-06 21:34:20 +00:00
func pathRoles(b *backend) *framework.Path {
2017-09-20 20:59:35 +00:00
return &framework.Path{
2017-10-31 20:56:56 +00:00
Pattern: "role/" + framework.GenericNameRegex("name"),
2017-09-20 20:59:35 +00:00
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the role",
},
2017-11-29 16:31:17 +00:00
"policies": &framework.FieldSchema{
2017-09-20 22:14:35 +00:00
Type: framework.TypeCommaStringSlice,
2017-12-15 22:06:56 +00:00
Description: "Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.",
2017-09-20 20:59:35 +00:00
},
2017-09-28 22:57:48 +00:00
"global": &framework.FieldSchema{
Type: framework.TypeBool,
2017-12-15 22:06:56 +00:00
Description: "Boolean value describing if the token should be global or not. Defaults to false.",
2017-09-28 22:57:48 +00:00
},
2017-11-06 21:34:20 +00:00
"type": &framework.FieldSchema{
2017-09-20 20:59:35 +00:00
Type: framework.TypeString,
Default: "client",
Description: `Which type of token to create: 'client'
or 'management'. If a 'management' token,
2017-11-29 16:31:17 +00:00
the "policies" parameter is not required.
2017-09-20 20:59:35 +00:00
Defaults to 'client'.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
2017-11-06 21:34:20 +00:00
logical.ReadOperation: b.pathRolesRead,
2017-12-16 00:50:20 +00:00
logical.CreateOperation: b.pathRolesWrite,
2017-11-06 21:34:20 +00:00
logical.UpdateOperation: b.pathRolesWrite,
logical.DeleteOperation: b.pathRolesDelete,
2017-09-20 20:59:35 +00:00
},
2017-12-16 00:50:20 +00:00
ExistenceCheck: b.rolesExistenceCheck,
}
}
// Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
// Returning 'true' forces an UpdateOperation, CreateOperation otherwise.
func (b *backend) rolesExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
2017-12-16 00:50:20 +00:00
name := d.Get("name").(string)
entry, err := b.Role(ctx, req.Storage, name)
2017-12-16 00:50:20 +00:00
if err != nil {
return false, err
2017-09-20 20:59:35 +00:00
}
2017-12-16 00:50:20 +00:00
return entry != nil, nil
2017-09-20 20:59:35 +00:00
}
func (b *backend) Role(ctx context.Context, storage logical.Storage, name string) (*roleConfig, error) {
2017-12-16 00:50:20 +00:00
if name == "" {
return nil, errors.New("invalid role name")
}
entry, err := storage.Get(ctx, "role/"+name)
if err != nil {
2017-12-15 22:06:56 +00:00
return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
}
if entry == nil {
return nil, nil
}
var result roleConfig
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
return &result, nil
}
func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
entries, err := req.Storage.List(ctx, "role/")
2017-09-20 20:59:35 +00:00
if err != nil {
return nil, err
}
return logical.ListResponse(entries), nil
}
func (b *backend) pathRolesRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
2017-09-20 20:59:35 +00:00
name := d.Get("name").(string)
role, err := b.Role(ctx, req.Storage, name)
2017-09-20 20:59:35 +00:00
if err != nil {
return nil, err
}
if role == nil {
2017-09-20 20:59:35 +00:00
return nil, nil
}
// Generate the response
resp := &logical.Response{
Data: map[string]interface{}{
2017-11-29 16:31:17 +00:00
"type": role.TokenType,
"global": role.Global,
"policies": role.Policies,
2017-09-20 20:59:35 +00:00
},
}
return resp, nil
}
func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
2017-09-20 20:59:35 +00:00
name := d.Get("name").(string)
2017-11-06 21:34:20 +00:00
role, err := b.Role(ctx, req.Storage, name)
2017-12-16 00:50:20 +00:00
if err != nil {
return nil, err
}
if role == nil {
role = new(roleConfig)
}
policies, ok := d.GetOk("policies")
if ok {
role.Policies = policies.([]string)
}
role.TokenType = d.Get("type").(string)
switch role.TokenType {
2017-11-06 21:34:20 +00:00
case "client":
2017-12-16 00:50:20 +00:00
if len(role.Policies) == 0 {
2017-09-20 20:59:35 +00:00
return logical.ErrorResponse(
2017-11-29 16:31:17 +00:00
"policies cannot be empty when using client tokens"), nil
2017-09-20 20:59:35 +00:00
}
2017-11-06 21:34:20 +00:00
case "management":
2017-12-16 00:50:20 +00:00
if len(role.Policies) != 0 {
return logical.ErrorResponse(
2017-11-29 16:31:17 +00:00
"policies should be empty when using management tokens"), nil
}
2017-11-06 21:34:20 +00:00
default:
return logical.ErrorResponse(
2017-12-15 22:06:56 +00:00
`type must be "client" or "management"`), nil
2017-09-20 20:59:35 +00:00
}
2017-12-16 00:50:20 +00:00
global, ok := d.GetOk("global")
if ok {
role.Global = global.(bool)
}
entry, err := logical.StorageEntryJSON("role/"+name, role)
2017-09-20 20:59:35 +00:00
if err != nil {
return nil, err
}
if err := req.Storage.Put(ctx, entry); err != nil {
2017-09-20 20:59:35 +00:00
return nil, err
}
return nil, nil
}
func (b *backend) pathRolesDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
2017-09-20 20:59:35 +00:00
name := d.Get("name").(string)
if err := req.Storage.Delete(ctx, "role/"+name); err != nil {
2017-09-20 20:59:35 +00:00
return nil, err
}
return nil, nil
}
type roleConfig struct {
2017-11-29 16:31:17 +00:00
Policies []string `json:"policies"`
2017-11-06 21:34:20 +00:00
TokenType string `json:"type"`
Global bool `json:"global"`
2017-09-20 20:59:35 +00:00
}