open-vault/builtin/logical/ssh/secret_dynamic_key.go

package ssh

import (
	"fmt"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
	"github.com/mitchellh/mapstructure"
)

const SecretDynamicKeyType = "secret_dynamic_key_type"

func secretDynamicKey(b *backend) *framework.Secret {
	return &framework.Secret{
		Type: SecretDynamicKeyType,
		Fields: map[string]*framework.FieldSchema{
			"username": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Username in host",
			},
			"ip": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "IP address of host",
			},
		},

		Renew:  b.secretDynamicKeyRenew,
		Revoke: b.secretDynamicKeyRevoke,
	}
}

func (b *backend) secretDynamicKeyRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	f := framework.LeaseExtend(0, 0, b.System())
	return f(req, d)
}

func (b *backend) secretDynamicKeyRevoke(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	type sec struct {
		AdminUser        string `mapstructure:"admin_user"`
		Username         string `mapstructure:"username"`
		IP               string `mapstructure:"ip"`
		HostKeyName      string `mapstructure:"host_key_name"`
		DynamicPublicKey string `mapstructure:"dynamic_public_key"`
		InstallScript    string `mapstructure:"install_script"`
		Port             int    `mapstructure:"port"`
	}

	intSec := &sec{}
	err := mapstructure.Decode(req.Secret.InternalData, intSec)
	if err != nil {
		return nil, errwrap.Wrapf("secret internal data could not be decoded: {{err}}", err)
	}

	// Fetch the host key using the key name
	hostKey, err := b.getKey(req.Storage, intSec.HostKeyName)
	if err != nil {
		return nil, fmt.Errorf("key %q not found error: %v", intSec.HostKeyName, err)
	}
	if hostKey == nil {
		return nil, fmt.Errorf("key %q not found", intSec.HostKeyName)
	}

	// Remove the public key from authorized_keys file in target machine
	// The last param 'false' indicates that the key should be uninstalled.
	err = b.installPublicKeyInTarget(intSec.AdminUser, intSec.Username, intSec.IP, intSec.Port, hostKey.Key, intSec.DynamicPublicKey, intSec.InstallScript, false)
	if err != nil {
		return nil, fmt.Errorf("error removing public key from authorized_keys file in target")
	}
	return nil, nil
}
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`package ssh`

			`import (`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`"fmt"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00
Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 19:04:04 +00:00			`"github.com/hashicorp/errwrap"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 19:04:04 +00:00			`"github.com/mitchellh/mapstructure"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`)`

Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 23:00:14 +00:00			`const SecretDynamicKeyType = "secret_dynamic_key_type"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00
Vault SSH: keys/ designated special path 2015-07-23 22:12:13 +00:00			`func secretDynamicKey(b backend) framework.Secret {`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`return &framework.Secret{`
Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 23:00:14 +00:00			`Type: SecretDynamicKeyType,`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"username": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Username in host",`
			`},`
			`"ip": &framework.FieldSchema{`
			`Type: framework.TypeString,`
Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`Description: "IP address of host",`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`},`
			`},`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00
			`Renew: b.secretDynamicKeyRenew,`
			`Revoke: b.secretDynamicKeyRevoke,`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`}`
			`}`

Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`func (b backend) secretDynamicKeyRenew(req logical.Request, d framework.FieldData) (logical.Response, error) {`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`f := framework.LeaseExtend(0, 0, b.System())`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`return f(req, d)`
			`}`

Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`func (b backend) secretDynamicKeyRevoke(req logical.Request, d framework.FieldData) (logical.Response, error) {`
Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 19:04:04 +00:00			`type sec struct {`
			AdminUser string `mapstructure:"admin_user"`
			Username string `mapstructure:"username"`
			IP string `mapstructure:"ip"`
			HostKeyName string `mapstructure:"host_key_name"`
			DynamicPublicKey string `mapstructure:"dynamic_public_key"`
			InstallScript string `mapstructure:"install_script"`
			Port int `mapstructure:"port"`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00			`}`

Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 19:04:04 +00:00			`intSec := &sec{}`
			`err := mapstructure.Decode(req.Secret.InternalData, intSec)`
			`if err != nil {`
			`return nil, errwrap.Wrapf("secret internal data could not be decoded: {{err}}", err)`
Vault SSH: Made port number configurable 2015-07-06 20:56:45 +00:00			`}`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Fetch the host key using the key name`
Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 19:04:04 +00:00			`hostKey, err := b.getKey(req.Storage, intSec.HostKeyName)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`if err != nil {`
ssh: Use temporary file to store the identity file 2016-10-18 16:46:54 +00:00			`return nil, fmt.Errorf("key %q not found error: %v", intSec.HostKeyName, err)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP 2015-08-13 21:18:30 +00:00			`if hostKey == nil {`
ssh: Use temporary file to store the identity file 2016-10-18 16:46:54 +00:00			`return nil, fmt.Errorf("key %q not found", intSec.HostKeyName)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`

Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Remove the public key from authorized_keys file in target machine`
Vault SSH: Mandate default_user. Other refactoring 2015-08-13 17:36:31 +00:00			`// The last param 'false' indicates that the key should be uninstalled.`
Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 19:04:04 +00:00			`err = b.installPublicKeyInTarget(intSec.AdminUser, intSec.Username, intSec.IP, intSec.Port, hostKey.Key, intSec.DynamicPublicKey, intSec.InstallScript, false)`
Refactoring changes 2015-06-30 02:00:08 +00:00			`if err != nil {`
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`return nil, fmt.Errorf("error removing public key from authorized_keys file in target")`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`return nil, nil`
			`}`