open-vault/builtin/logical/consul/path_config.go

package consul

import (
	"context"
	"fmt"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

func pathConfigAccess(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "config/access",
		Fields: map[string]*framework.FieldSchema{
			"address": {
				Type:        framework.TypeString,
				Description: "Consul server address",
			},

			"scheme": {
				Type:        framework.TypeString,
				Description: "URI scheme for the Consul address",

				// https would be a better default but Consul on its own
				// defaults to HTTP access, and when HTTPS is enabled it
				// disables HTTP, so there isn't really any harm done here.
				Default: "http",
			},

			"token": {
				Type:        framework.TypeString,
				Description: "Token for API calls",
			},

			"ca_cert": {
				Type: framework.TypeString,
				Description: `CA certificate to use when verifying Consul server certificate,
must be x509 PEM encoded.`,
			},

			"client_cert": {
				Type: framework.TypeString,
				Description: `Client certificate used for Consul's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_key.`,
			},

			"client_key": {
				Type: framework.TypeString,
				Description: `Client key used for Consul's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_cert.`,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation:   b.pathConfigAccessRead,
			logical.UpdateOperation: b.pathConfigAccessWrite,
		},
	}
}

func (b *backend) readConfigAccess(ctx context.Context, storage logical.Storage) (*accessConfig, error, error) {
	entry, err := storage.Get(ctx, "config/access")
	if err != nil {
		return nil, nil, err
	}
	if entry == nil {
		return nil, fmt.Errorf("access credentials for the backend itself haven't been configured; please configure them at the '/config/access' endpoint"), nil
	}

	conf := &accessConfig{}
	if err := entry.DecodeJSON(conf); err != nil {
		return nil, nil, fmt.Errorf("error reading consul access configuration: %w", err)
	}

	return conf, nil, nil
}

func (b *backend) pathConfigAccessRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	conf, userErr, intErr := b.readConfigAccess(ctx, req.Storage)
	if intErr != nil {
		return nil, intErr
	}
	if userErr != nil {
		return logical.ErrorResponse(userErr.Error()), nil
	}
	if conf == nil {
		return nil, fmt.Errorf("no user error reported but consul access configuration not found")
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"address": conf.Address,
			"scheme":  conf.Scheme,
		},
	}, nil
}

func (b *backend) pathConfigAccessWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	entry, err := logical.StorageEntryJSON("config/access", accessConfig{
		Address:    data.Get("address").(string),
		Scheme:     data.Get("scheme").(string),
		Token:      data.Get("token").(string),
		CACert:     data.Get("ca_cert").(string),
		ClientCert: data.Get("client_cert").(string),
		ClientKey:  data.Get("client_key").(string),
	})
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

type accessConfig struct {
	Address    string `json:"address"`
	Scheme     string `json:"scheme"`
	Token      string `json:"token"`
	CACert     string `json:"ca_cert"`
	ClientCert string `json:"client_cert"`
	ClientKey  string `json:"client_key"`
}
logical/consul 2015-03-21 16:19:37 +00:00			`package consul`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`"fmt"`

Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
logical/consul 2015-03-21 16:19:37 +00:00			`)`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`func pathConfigAccess(b backend) framework.Path {`
logical/consul 2015-03-21 16:19:37 +00:00			`return &framework.Path{`
logical/consul: config/access is the new path for config 2015-04-19 05:28:53 +00:00			`Pattern: "config/access",`
logical/consul 2015-03-21 16:19:37 +00:00			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"address": {`
logical/consul 2015-03-21 16:19:37 +00:00			`Type: framework.TypeString,`
			`Description: "Consul server address",`
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"scheme": {`
logical/consul 2015-03-21 16:19:37 +00:00			`Type: framework.TypeString,`
			`Description: "URI scheme for the Consul address",`

			`// https would be a better default but Consul on its own`
			`// defaults to HTTP access, and when HTTPS is enabled it`
			`// disables HTTP, so there isn't really any harm done here.`
			`Default: "http",`
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"token": {`
logical/consul 2015-03-21 16:19:37 +00:00			`Type: framework.TypeString,`
			`Description: "Token for API calls",`
			`},`
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 08:44:35 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"ca_cert": {`
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 08:44:35 +00:00			`Type: framework.TypeString,`
			Description: `CA certificate to use when verifying Consul server certificate,
			must be x509 PEM encoded.`,
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"client_cert": {`
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 08:44:35 +00:00			`Type: framework.TypeString,`
			Description: `Client certificate used for Consul's TLS communication,
			must be x509 PEM encoded and if this is set you need to also set client_key.`,
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"client_key": {`
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 08:44:35 +00:00			`Type: framework.TypeString,`
			Description: `Client key used for Consul's TLS communication,
			must be x509 PEM encoded and if this is set you need to also set client_cert.`,
			`},`
logical/consul 2015-03-21 16:19:37 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`logical.ReadOperation: b.pathConfigAccessRead,`
			`logical.UpdateOperation: b.pathConfigAccessWrite,`
logical/consul 2015-03-21 16:19:37 +00:00			`},`
			`}`
			`}`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`func (b backend) readConfigAccess(ctx context.Context, storage logical.Storage) (accessConfig, error, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entry, err := storage.Get(ctx, "config/access")`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`
			`if entry == nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, fmt.Errorf("access credentials for the backend itself haven't been configured; please configure them at the '/config/access' endpoint"), nil`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`}`

			`conf := &accessConfig{}`
			`if err := entry.DecodeJSON(conf); err != nil {`
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf() 2021-04-22 15:20:59 +00:00			`return nil, nil, fmt.Errorf("error reading consul access configuration: %w", err)`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`}`

			`return conf, nil, nil`
			`}`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`func (b backend) pathConfigAccessRead(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
			`conf, userErr, intErr := b.readConfigAccess(ctx, req.Storage)`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`if intErr != nil {`
			`return nil, intErr`
			`}`
			`if userErr != nil {`
			`return logical.ErrorResponse(userErr.Error()), nil`
			`}`
			`if conf == nil {`
Add tests around writing and reading consul access configuration 2016-05-24 21:28:19 +00:00			`return nil, fmt.Errorf("no user error reported but consul access configuration not found")`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`}`

Add tests around writing and reading consul access configuration 2016-05-24 21:28:19 +00:00			`return &logical.Response{`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`Data: map[string]interface{}{`
			`"address": conf.Address,`
			`"scheme": conf.Scheme,`
			`},`
Add tests around writing and reading consul access configuration 2016-05-24 21:28:19 +00:00			`}, nil`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`}`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`func (b backend) pathConfigAccessWrite(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
logical/consul: config/access is the new path for config 2015-04-19 05:28:53 +00:00			`entry, err := logical.StorageEntryJSON("config/access", accessConfig{`
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 08:44:35 +00:00			`Address: data.Get("address").(string),`
			`Scheme: data.Get("scheme").(string),`
			`Token: data.Get("token").(string),`
			`CACert: data.Get("ca_cert").(string),`
			`ClientCert: data.Get("client_cert").(string),`
			`ClientKey: data.Get("client_key").(string),`
logical/consul 2015-03-21 16:19:37 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
logical/consul 2015-03-21 16:19:37 +00:00			`return nil, err`
			`}`

			`return nil, nil`
			`}`

logical/consul: config/access is the new path for config 2015-04-19 05:28:53 +00:00			`type accessConfig struct {`
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 08:44:35 +00:00			Address string `json:"address"`
			Scheme string `json:"scheme"`
			Token string `json:"token"`
			CACert string `json:"ca_cert"`
			ClientCert string `json:"client_cert"`
			ClientKey string `json:"client_key"`
logical/consul 2015-03-21 16:19:37 +00:00			`}`