// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package vault
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/vault/helper/identity"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
// lookupPaths returns the "lookup/entity" and "lookup/group" paths of the
// identity store. Both are served on UpdateOperation, accept the same five
// string parameters ('id', 'name', 'alias_id', 'alias_name',
// 'alias_mount_accessor') and differ only in the wording of the 'id'/'name'
// descriptions, the handler, and the help text taken from lookupHelp.
func lookupPaths(i *IdentityStore) []*framework.Path {
	// lookupFields builds the field schema shared by both paths; only the
	// descriptions of 'name' and 'id' vary between entity and group.
	lookupFields := func(nameDesc, idDesc string) map[string]*framework.FieldSchema {
		return map[string]*framework.FieldSchema{
			"name": {
				Type:        framework.TypeString,
				Description: nameDesc,
			},
			"id": {
				Type:        framework.TypeString,
				Description: idDesc,
			},
			"alias_id": {
				Type:        framework.TypeString,
				Description: "ID of the alias.",
			},
			"alias_name": {
				Type:        framework.TypeString,
				Description: "Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.",
			},
			"alias_mount_accessor": {
				Type:        framework.TypeString,
				Description: "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'.",
			},
		}
	}

	// Help text is stored as [synopsis, description]; surrounding whitespace
	// is trimmed here so the raw strings in lookupHelp may end in a newline.
	entityHelp := lookupHelp["lookup-entity"]
	groupHelp := lookupHelp["lookup-group"]

	entityPath := &framework.Path{
		Pattern: "lookup/entity$",
		Fields:  lookupFields("Name of the entity.", "ID of the entity."),
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: i.pathLookupEntityUpdate(),
		},
		HelpSynopsis:    strings.TrimSpace(entityHelp[0]),
		HelpDescription: strings.TrimSpace(entityHelp[1]),
	}

	groupPath := &framework.Path{
		Pattern: "lookup/group$",
		Fields:  lookupFields("Name of the group.", "ID of the group."),
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: i.pathLookupGroupUpdate(),
		},
		HelpSynopsis:    strings.TrimSpace(groupHelp[0]),
		HelpDescription: strings.TrimSpace(groupHelp[1]),
	}

	return []*framework.Path{entityPath, groupPath}
}
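// pathLookupEntityUpdate returns the handler registered for UpdateOperation
// on "lookup/entity" (see lookupPaths). The caller must identify the entity
// in exactly one way: 'id', 'name', 'alias_id', or the pair 'alias_name' +
// 'alias_mount_accessor'. Any other combination is rejected with a client
// error response before the store is consulted. A lookup that matches
// nothing returns (nil, nil); a match is rendered by handleEntityReadCommon.
func (i *IdentityStore) pathLookupEntityUpdate() framework.OperationFunc {
	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
		// inputCount counts how many of the five parameters the client
		// supplied (set, not necessarily non-empty) so the allowed
		// combinations can be validated up front.
		inputCount := 0
		stringField := func(key string) string {
			raw, ok := d.GetOk(key)
			if !ok {
				return ""
			}
			inputCount++
			return raw.(string)
		}

		id := stringField("id")
		name := stringField("name")
		aliasID := stringField("alias_id")
		aliasName := stringField("alias_name")
		aliasMountAccessor := stringField("alias_mount_accessor")

		// The fmt.Sprintf wrappers around constant messages are no-ops
		// (staticcheck S1039); they are kept so the file's fmt import stays
		// in use and the messages stay byte-identical. Drop them together
		// with the import.
		switch {
		case inputCount == 0:
			return logical.ErrorResponse(fmt.Sprintf("query parameter not supplied")), nil
		case inputCount == 1:
			// A lone alias_name or alias_mount_accessor is incomplete: an
			// alias is identified by the (mount accessor, name) pair.
			if aliasName != "" || aliasMountAccessor != "" {
				return logical.ErrorResponse(fmt.Sprintf("both 'alias_name' and 'alias_mount_accessor' needs to be set")), nil
			}
		default:
			// More than one parameter is only allowed for the alias pair.
			if inputCount != 2 || aliasName == "" || aliasMountAccessor == "" {
				return logical.ErrorResponse(fmt.Sprintf("query parameter conflict; please supply distinct set of query parameters")), nil
			}
		}

		// Resolve the entity by whichever selector was given. The bool
		// arguments are passed through unchanged from the original code.
		var entity *identity.Entity
		var err error
		switch {
		case id != "":
			entity, err = i.MemDBEntityByID(id, false)
		case name != "":
			entity, err = i.MemDBEntityByName(ctx, name, false)
		case aliasID != "":
			// An unknown alias is a miss (empty response), not an error.
			alias, lookupErr := i.MemDBAliasByID(aliasID, false, false)
			if lookupErr != nil {
				return nil, lookupErr
			}
			if alias != nil {
				entity, err = i.MemDBEntityByAliasID(alias.ID, false)
			}
		case aliasName != "" && aliasMountAccessor != "":
			alias, lookupErr := i.MemDBAliasByFactors(aliasMountAccessor, aliasName, false, false)
			if lookupErr != nil {
				return nil, lookupErr
			}
			if alias != nil {
				entity, err = i.MemDBEntityByAliasID(alias.ID, false)
			}
		}
		if err != nil {
			return nil, err
		}

		// Not found is reported as an empty response rather than an error.
		if entity == nil {
			return nil, nil
		}

		return i.handleEntityReadCommon(ctx, entity)
	}
}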
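// pathLookupGroupUpdate returns the handler registered for UpdateOperation
// on "lookup/group" (see lookupPaths). The caller must identify the group in
// exactly one way: 'id', 'name', 'alias_id', or the pair 'alias_name' +
// 'alias_mount_accessor'. Any other combination is rejected with a client
// error response before the store is consulted. A lookup that matches
// nothing returns (nil, nil); a match is rendered by handleGroupReadCommon.
func (i *IdentityStore) pathLookupGroupUpdate() framework.OperationFunc {
	return func(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
		// inputCount counts how many of the five parameters the client
		// supplied (set, not necessarily non-empty) so the allowed
		// combinations can be validated up front.
		inputCount := 0
		stringField := func(key string) string {
			raw, ok := d.GetOk(key)
			if !ok {
				return ""
			}
			inputCount++
			return raw.(string)
		}

		id := stringField("id")
		name := stringField("name")
		aliasID := stringField("alias_id")
		aliasName := stringField("alias_name")
		aliasMountAccessor := stringField("alias_mount_accessor")

		// The fmt.Sprintf wrappers around constant messages are no-ops
		// (staticcheck S1039); they are kept so the file's fmt import stays
		// in use and the messages stay byte-identical. Drop them together
		// with the import.
		switch {
		case inputCount == 0:
			return logical.ErrorResponse(fmt.Sprintf("query parameter not supplied")), nil
		case inputCount == 1:
			// A lone alias_name or alias_mount_accessor is incomplete: an
			// alias is identified by the (mount accessor, name) pair.
			if aliasName != "" || aliasMountAccessor != "" {
				return logical.ErrorResponse(fmt.Sprintf("both 'alias_name' and 'alias_mount_accessor' needs to be set")), nil
			}
		default:
			// More than one parameter is only allowed for the alias pair.
			if inputCount != 2 || aliasName == "" || aliasMountAccessor == "" {
				return logical.ErrorResponse(fmt.Sprintf("query parameter conflict; please supply distinct set of query parameters")), nil
			}
		}

		// Resolve the group by whichever selector was given. The bool
		// arguments are passed through unchanged from the original code;
		// the last argument of the alias lookups is true here and false in
		// the entity handler — presumably it selects group aliases, confirm
		// against MemDBAliasByID / MemDBAliasByFactors.
		var group *identity.Group
		var err error
		switch {
		case id != "":
			group, err = i.MemDBGroupByID(id, false)
		case name != "":
			group, err = i.MemDBGroupByName(ctx, name, false)
		case aliasID != "":
			// An unknown alias is a miss (empty response), not an error.
			alias, lookupErr := i.MemDBAliasByID(aliasID, false, true)
			if lookupErr != nil {
				return nil, lookupErr
			}
			if alias != nil {
				group, err = i.MemDBGroupByAliasID(alias.ID, false)
			}
		case aliasName != "" && aliasMountAccessor != "":
			alias, lookupErr := i.MemDBAliasByFactors(aliasMountAccessor, aliasName, false, true)
			if lookupErr != nil {
				return nil, lookupErr
			}
			if alias != nil {
				group, err = i.MemDBGroupByAliasID(alias.ID, false)
			}
		}
		if err != nil {
			return nil, err
		}

		// Not found is reported as an empty response rather than an error.
		if group == nil {
			return nil, nil
		}

		return i.handleGroupReadCommon(ctx, group)
	}
}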
// lookupHelp holds the help text for each lookup path, keyed by the names
// used in lookupPaths ("lookup-entity", "lookup-group"). Index 0 is the
// synopsis and index 1 the description; lookupPaths trims surrounding
// whitespace before registering them, so the trailing newline inside the
// raw strings is harmless. The description lists the mutually exclusive
// parameter sets that the corresponding handler accepts.
var lookupHelp = map[string][2]string{
	"lookup-entity": {
		"Query entities based on various properties.",
		`Distinct query parameters to be set:
- 'id'
To query the entity by its ID.
- 'name'
To query the entity by its name.
- 'alias_id'
To query the entity by the ID of any of its aliases.
- 'alias_name' and 'alias_mount_accessor'
To query the entity by the unique factors that represent an alias; the name and the mount accessor.
`,
	},
	"lookup-group": {
		"Query groups based on various properties.",
		`Distinct query parameters to be set:
- 'id'
To query the group by its ID.
- 'name'
To query the group by its name.
- 'alias_id'
To query the group by the ID of any of its aliases.
- 'alias_name' and 'alias_mount_accessor'
To query the group by the unique factors that represent an alias; the name and the mount accessor.
`,
	},
}