open-vault/builtin/logical/rabbitmq/path_roles.go

package rabbitmq

import (
	"context"
	"fmt"

	"github.com/fatih/structs"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/jsonutil"
	"github.com/hashicorp/vault/sdk/logical"
)

func pathListRoles(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "roles/?$",
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ListOperation: b.pathRoleList,
		},
		HelpSynopsis:    pathRoleHelpSyn,
		HelpDescription: pathRoleHelpDesc,
	}
}

func pathRoles(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "roles/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": {
				Type:        framework.TypeString,
				Description: "Name of the role.",
			},
			"tags": {
				Type:        framework.TypeString,
				Description: "Comma-separated list of tags for this role.",
			},
			"vhosts": {
				Type:        framework.TypeString,
				Description: "A map of virtual hosts to permissions.",
			},
			"vhost_topics": {
				Type:        framework.TypeString,
				Description: "A nested map of virtual hosts and exchanges to topic permissions.",
			},
		},
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation:   b.pathRoleRead,
			logical.UpdateOperation: b.pathRoleUpdate,
			logical.DeleteOperation: b.pathRoleDelete,
		},
		HelpSynopsis:    pathRoleHelpSyn,
		HelpDescription: pathRoleHelpDesc,
	}
}

// Reads the role configuration from the storage
func (b *backend) Role(ctx context.Context, s logical.Storage, n string) (*roleEntry, error) {
	entry, err := s.Get(ctx, "role/"+n)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var result roleEntry
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}

	return &result, nil
}

// Deletes an existing role
func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	if name == "" {
		return logical.ErrorResponse("missing name"), nil
	}

	return nil, req.Storage.Delete(ctx, "role/"+name)
}

// Reads an existing role
func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	if name == "" {
		return logical.ErrorResponse("missing name"), nil
	}

	role, err := b.Role(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if role == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: structs.New(role).Map(),
	}, nil
}

// Lists all the roles registered with the backend
func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	roles, err := req.Storage.List(ctx, "role/")
	if err != nil {
		return nil, err
	}

	return logical.ListResponse(roles), nil
}

// Registers a new role with the backend
func (b *backend) pathRoleUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	if name == "" {
		return logical.ErrorResponse("missing name"), nil
	}

	tags := d.Get("tags").(string)
	rawVHosts := d.Get("vhosts").(string)
	rawVHostTopics := d.Get("vhost_topics").(string)

	// Either tags or VHost permissions are always required, but topic permissions are always optional.
	if tags == "" && rawVHosts == "" {
		return logical.ErrorResponse("both tags and vhosts not specified"), nil
	}

	var vhosts map[string]vhostPermission
	if len(rawVHosts) > 0 {
		if err := jsonutil.DecodeJSON([]byte(rawVHosts), &vhosts); err != nil {
			return logical.ErrorResponse(fmt.Sprintf("failed to unmarshal vhosts: %s", err)), nil
		}
	}

	var vhostTopics map[string]map[string]vhostTopicPermission
	if len(rawVHostTopics) > 0 {
		if err := jsonutil.DecodeJSON([]byte(rawVHostTopics), &vhostTopics); err != nil {
			return logical.ErrorResponse(fmt.Sprintf("failed to unmarshal vhost_topics: %s", err)), nil
		}
	}

	// Store it
	entry, err := logical.StorageEntryJSON("role/"+name, &roleEntry{
		Tags:        tags,
		VHosts:      vhosts,
		VHostTopics: vhostTopics,
	})
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

// Role that defines the capabilities of the credentials issued against it.
// Maps are used because the names of vhosts and exchanges will vary widely.
// VHosts is a map with a vhost name as key and the permissions as value.
// VHostTopics is a nested map with vhost name and exchange name as keys and
// the topic permissions as value.
type roleEntry struct {
	Tags        string                                     `json:"tags" structs:"tags" mapstructure:"tags"`
	VHosts      map[string]vhostPermission                 `json:"vhosts" structs:"vhosts" mapstructure:"vhosts"`
	VHostTopics map[string]map[string]vhostTopicPermission `json:"vhost_topics" structs:"vhost_topics" mapstructure:"vhost_topics"`
}

// Structure representing the permissions of a vhost
type vhostPermission struct {
	Configure string `json:"configure" structs:"configure" mapstructure:"configure"`
	Write     string `json:"write" structs:"write" mapstructure:"write"`
	Read      string `json:"read" structs:"read" mapstructure:"read"`
}

// Structure representing the topic permissions of an exchange
type vhostTopicPermission struct {
	Write string `json:"write" structs:"write" mapstructure:"write"`
	Read  string `json:"read" structs:"read" mapstructure:"read"`
}

const pathRoleHelpSyn = `
Manage the roles that can be created with this backend.
`

const pathRoleHelpDesc = `
This path lets you manage the roles that can be created with this backend.

The "tags" parameter customizes the tags used to create the role.
This is a comma separated list of strings. The "vhosts" parameter customizes
the virtual hosts that this user will be associated with. This is a JSON object
passed as a string in the form:
{
	"vhostOne": {
		"configure": ".*",
		"write": ".*",
		"read": ".*"
	},
	"vhostTwo": {
		"configure": ".*",
		"write": ".*",
		"read": ".*"
	}
}
The "vhost_topics" parameter customizes the topic permissions that this user
will be granted. This is a JSON object passed as a string in the form:
{
	"vhostOne": {
		"exchangeOneOne": {
			"write": ".*",
			"read": ".*"
		},
		"exchangeOneTwo": {
			"write": ".*",
			"read": ".*"
		}
	},
	"vhostTwo": {
		"exchangeTwoOne": {
			"write": ".*",
			"read": ".*"
		}
	}
}
`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`package rabbitmq`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`"fmt"`

Polish the code 2016-06-08 07:18:26 +00:00			`"github.com/fatih/structs"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/helper/jsonutil"`
			`"github.com/hashicorp/vault/sdk/logical"`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`)`

List roles 2016-04-08 16:46:25 +00:00			`func pathListRoles(b backend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "roles/?$",`
			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ListOperation: b.pathRoleList,`
			`},`
			`HelpSynopsis: pathRoleHelpSyn,`
			`HelpDescription: pathRoleHelpDesc,`
			`}`
			`}`

Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`func pathRoles(b backend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "roles/" + framework.GenericNameRegex("name"),`
Polish the code 2016-06-08 07:18:26 +00:00			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"name": {`
Polish the code 2016-06-08 07:18:26 +00:00			`Type: framework.TypeString,`
			`Description: "Name of the role.",`
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"tags": {`
Polish the code 2016-06-08 07:18:26 +00:00			`Type: framework.TypeString,`
			`Description: "Comma-separated list of tags for this role.",`
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"vhosts": {`
Polish the code 2016-06-08 07:18:26 +00:00			`Type: framework.TypeString,`
			`Description: "A map of virtual hosts to permissions.",`
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"vhost_topics": {`
Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`Type: framework.TypeString,`
			`Description: "A nested map of virtual hosts and exchanges to topic permissions.",`
			`},`
Polish the code 2016-06-08 07:18:26 +00:00			`},`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ReadOperation: b.pathRoleRead,`
Merge remote-tracking branch 'origin/master' into rabbitmq 2016-05-21 06:27:22 +00:00			`logical.UpdateOperation: b.pathRoleUpdate,`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`logical.DeleteOperation: b.pathRoleDelete,`
			`},`
			`HelpSynopsis: pathRoleHelpSyn,`
			`HelpDescription: pathRoleHelpDesc,`
			`}`
			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Reads the role configuration from the storage`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b backend) Role(ctx context.Context, s logical.Storage, n string) (roleEntry, error) {`
			`entry, err := s.Get(ctx, "role/"+n)`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

			`var result roleEntry`
			`if err := entry.DecodeJSON(&result); err != nil {`
			`return nil, err`
			`}`

			`return &result, nil`
			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Deletes an existing role`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRoleDelete(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Polish the code 2016-06-08 07:18:26 +00:00			`name := d.Get("name").(string)`
			`if name == "" {`
			`return logical.ErrorResponse("missing name"), nil`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`return nil, req.Storage.Delete(ctx, "role/"+name)`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Reads an existing role`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRoleRead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Polish the code 2016-06-08 07:18:26 +00:00			`name := d.Get("name").(string)`
			`if name == "" {`
			`return logical.ErrorResponse("missing name"), nil`
Address feedback 2016-05-21 05:51:09 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`role, err := b.Role(ctx, req.Storage, name)`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if role == nil {`
			`return nil, nil`
			`}`

			`return &logical.Response{`
Polish the code 2016-06-08 07:18:26 +00:00			`Data: structs.New(role).Map(),`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`}, nil`
			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Lists all the roles registered with the backend`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRoleList(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`roles, err := req.Storage.List(ctx, "role/")`
List roles 2016-04-08 16:46:25 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`return logical.ListResponse(roles), nil`
List roles 2016-04-08 16:46:25 +00:00			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Registers a new role with the backend`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathRoleUpdate(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Polish the code 2016-06-08 07:18:26 +00:00			`name := d.Get("name").(string)`
			`if name == "" {`
			`return logical.ErrorResponse("missing name"), nil`
			`}`

			`tags := d.Get("tags").(string)`
			`rawVHosts := d.Get("vhosts").(string)`
Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`rawVHostTopics := d.Get("vhost_topics").(string)`
Polish the code 2016-06-08 07:18:26 +00:00
Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`// Either tags or VHost permissions are always required, but topic permissions are always optional.`
Polish the code 2016-06-08 07:18:26 +00:00			`if tags == "" && rawVHosts == "" {`
			`return logical.ErrorResponse("both tags and vhosts not specified"), nil`
Address feedback 2016-05-21 05:51:09 +00:00			`}`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00
			`var vhosts map[string]vhostPermission`
			`if len(rawVHosts) > 0 {`
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests. 2016-07-06 16:25:40 +00:00			`if err := jsonutil.DecodeJSON([]byte(rawVHosts), &vhosts); err != nil {`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`return logical.ErrorResponse(fmt.Sprintf("failed to unmarshal vhosts: %s", err)), nil`
			`}`
			`}`

Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`var vhostTopics map[string]map[string]vhostTopicPermission`
			`if len(rawVHostTopics) > 0 {`
			`if err := jsonutil.DecodeJSON([]byte(rawVHostTopics), &vhostTopics); err != nil {`
			`return logical.ErrorResponse(fmt.Sprintf("failed to unmarshal vhost_topics: %s", err)), nil`
			`}`
			`}`

Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`// Store it`
			`entry, err := logical.StorageEntryJSON("role/"+name, &roleEntry{`
Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`Tags: tags,`
			`VHosts: vhosts,`
			`VHostTopics: vhostTopics,`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`return nil, err`
			`}`

			`return nil, nil`
			`}`

Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`// Role that defines the capabilities of the credentials issued against it.`
			`// Maps are used because the names of vhosts and exchanges will vary widely.`
			`// VHosts is a map with a vhost name as key and the permissions as value.`
			`// VHostTopics is a nested map with vhost name and exchange name as keys and`
			`// the topic permissions as value.`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`type roleEntry struct {`
Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			Tags string `json:"tags" structs:"tags" mapstructure:"tags"`
			VHosts map[string]vhostPermission `json:"vhosts" structs:"vhosts" mapstructure:"vhosts"`
			VHostTopics map[string]map[string]vhostTopicPermission `json:"vhost_topics" structs:"vhost_topics" mapstructure:"vhost_topics"`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Structure representing the permissions of a vhost`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`type vhostPermission struct {`
Polish the code 2016-06-08 07:18:26 +00:00			Configure string `json:"configure" structs:"configure" mapstructure:"configure"`
			Write string `json:"write" structs:"write" mapstructure:"write"`
Fix some typos in rmq text and structure 2016-06-08 15:31:57 +00:00			Read string `json:"read" structs:"read" mapstructure:"read"`
Address feedback 2016-05-21 05:51:09 +00:00			`}`

Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`// Structure representing the topic permissions of an exchange`
			`type vhostTopicPermission struct {`
			Write string `json:"write" structs:"write" mapstructure:"write"`
			Read string `json:"read" structs:"read" mapstructure:"read"`
			`}`

Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			const pathRoleHelpSyn = `
			`Manage the roles that can be created with this backend.`
			`

			const pathRoleHelpDesc = `
			`This path lets you manage the roles that can be created with this backend.`

			`The "tags" parameter customizes the tags used to create the role.`
			`This is a comma separated list of strings. The "vhosts" parameter customizes`
			`the virtual hosts that this user will be associated with. This is a JSON object`
			`passed as a string in the form:`
			`{`
			`"vhostOne": {`
			`"configure": ".*",`
			`"write": ".*",`
			`"read": ".*"`
			`},`
			`"vhostTwo": {`
			`"configure": ".*",`
			`"write": ".*",`
			`"read": ".*"`
			`}`
			`}`
Rabbitmq topic permissions (#7751) * Upgraded rabbit hole library to 2.0 * Added RabbitMQ topic permission support. * Updated docs to cover RabbitMQ topic permissions. * Improved comments and docs as suggested. 2019-10-30 21:19:49 +00:00			`The "vhost_topics" parameter customizes the topic permissions that this user`
			`will be granted. This is a JSON object passed as a string in the form:`
			`{`
			`"vhostOne": {`
			`"exchangeOneOne": {`
			`"write": ".*",`
			`"read": ".*"`
			`},`
			`"exchangeOneTwo": {`
			`"write": ".*",`
			`"read": ".*"`
			`}`
			`},`
			`"vhostTwo": {`
			`"exchangeTwoOne": {`
			`"write": ".*",`
			`"read": ".*"`
			`}`
			`}`
			`}`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`