open-vault/builtin/credential/cert/path_certs.go

package cert

import (
	"crypto/x509"
	"fmt"
	"strings"
	"time"

	"github.com/hashicorp/vault/helper/policyutil"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathListCerts(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "certs/?",

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ListOperation: b.pathCertList,
		},

		HelpSynopsis:    pathCertHelpSyn,
		HelpDescription: pathCertHelpDesc,
	}
}

func pathCerts(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "certs/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "The name of the certificate",
			},

			"certificate": &framework.FieldSchema{
				Type: framework.TypeString,
				Description: `The public certificate that should be trusted.
Must be x509 PEM encoded.`,
			},

			"allowed_names": &framework.FieldSchema{
				Type: framework.TypeCommaStringSlice,
				Description: `A comma-separated list of names.
At least one must exist in either the Common Name or SANs. Supports globbing.`,
			},

			"display_name": &framework.FieldSchema{
				Type: framework.TypeString,
				Description: `The display name to use for clients using this
certificate.`,
			},

			"policies": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Comma-seperated list of policies.",
			},

			"lease": &framework.FieldSchema{
				Type: framework.TypeInt,
				Description: `Deprecated: use "ttl" instead. TTL time in
seconds. Defaults to system/backend default TTL.`,
			},

			"ttl": &framework.FieldSchema{
				Type: framework.TypeDurationSecond,
				Description: `TTL for tokens issued by this backend.
Defaults to system/backend default TTL time.`,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.DeleteOperation: b.pathCertDelete,
			logical.ReadOperation:   b.pathCertRead,
			logical.UpdateOperation: b.pathCertWrite,
		},

		HelpSynopsis:    pathCertHelpSyn,
		HelpDescription: pathCertHelpDesc,
	}
}

func (b *backend) Cert(s logical.Storage, n string) (*CertEntry, error) {
	entry, err := s.Get("cert/" + strings.ToLower(n))
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var result CertEntry
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}
	return &result, nil
}

func (b *backend) pathCertDelete(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	err := req.Storage.Delete("cert/" + strings.ToLower(d.Get("name").(string)))
	if err != nil {
		return nil, err
	}
	return nil, nil
}

func (b *backend) pathCertList(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	certs, err := req.Storage.List("cert/")
	if err != nil {
		return nil, err
	}
	return logical.ListResponse(certs), nil
}

func (b *backend) pathCertRead(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	cert, err := b.Cert(req.Storage, strings.ToLower(d.Get("name").(string)))
	if err != nil {
		return nil, err
	}
	if cert == nil {
		return nil, nil
	}

	duration := cert.TTL
	if duration == 0 {
		duration = b.System().DefaultLeaseTTL()
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"certificate":  cert.Certificate,
			"display_name": cert.DisplayName,
			"policies":     strings.Join(cert.Policies, ","),
			"ttl":          duration / time.Second,
		},
	}, nil
}

func (b *backend) pathCertWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := strings.ToLower(d.Get("name").(string))
	certificate := d.Get("certificate").(string)
	displayName := d.Get("display_name").(string)
	policies := policyutil.ParsePolicies(d.Get("policies").(string))
	allowedNames := d.Get("allowed_names").([]string)

	// Default the display name to the certificate name if not given
	if displayName == "" {
		displayName = name
	}

	parsed := parsePEM([]byte(certificate))
	if len(parsed) == 0 {
		return logical.ErrorResponse("failed to parse certificate"), nil
	}

	// If the certificate is not a CA cert, then ensure that x509.ExtKeyUsageClientAuth is set
	if !parsed[0].IsCA && parsed[0].ExtKeyUsage != nil {
		var clientAuth bool
		for _, usage := range parsed[0].ExtKeyUsage {
			if usage == x509.ExtKeyUsageClientAuth || usage == x509.ExtKeyUsageAny {
				clientAuth = true
				break
			}
		}
		if !clientAuth {
			return logical.ErrorResponse("non-CA certificates should have TLS client authentication set as an extended key usage"), nil
		}
	}

	certEntry := &CertEntry{
		Name:         name,
		Certificate:  certificate,
		DisplayName:  displayName,
		Policies:     policies,
		AllowedNames: allowedNames,
	}

	// Parse the lease duration or default to backend/system default
	maxTTL := b.System().MaxLeaseTTL()
	ttl := time.Duration(d.Get("ttl").(int)) * time.Second
	if ttl == time.Duration(0) {
		ttl = time.Second * time.Duration(d.Get("lease").(int))
	}
	if ttl > maxTTL {
		return logical.ErrorResponse(fmt.Sprintf("Given TTL of %d seconds greater than current mount/system default of %d seconds", ttl/time.Second, maxTTL/time.Second)), nil
	}
	if ttl > time.Duration(0) {
		certEntry.TTL = ttl
	}

	// Store it
	entry, err := logical.StorageEntryJSON("cert/"+name, certEntry)
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(entry); err != nil {
		return nil, err
	}
	return nil, nil
}

type CertEntry struct {
	Name         string
	Certificate  string
	DisplayName  string
	Policies     []string
	TTL          time.Duration
	AllowedNames []string
}

const pathCertHelpSyn = `
Manage trusted certificates used for authentication.
`

const pathCertHelpDesc = `
This endpoint allows you to create, read, update, and delete trusted certificates
that are allowed to authenticate.

Deleting a certificate will not revoke auth for prior authenticated connections.
To do this, do a revoke on "login". If you don't need to revoke login immediately,
then the next renew will cause the lease to expire.
`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`package cert`

			`import (`
supporting non-ca certs for verification 2016-02-29 15:40:15 +00:00			`"crypto/x509"`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`"fmt"`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`"strings"`
credential/cert: support leasing and renewal 2015-04-24 19:58:39 +00:00			`"time"`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00
Utility Enhancements 2016-04-06 00:30:38 +00:00			`"github.com/hashicorp/vault/helper/policyutil"`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Add list support to certs in cert auth backend. Fixes #1212 2016-03-15 18:07:40 +00:00			`func pathListCerts(b backend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "certs/?",`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ListOperation: b.pathCertList,`
			`},`

			`HelpSynopsis: pathCertHelpSyn,`
			`HelpDescription: pathCertHelpDesc,`
			`}`
			`}`

credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`func pathCerts(b backend) framework.Path {`
			`return &framework.Path{`
Vault: Fix wild card paths for all backends 2015-08-21 07:56:13 +00:00			`Pattern: "certs/" + framework.GenericNameRegex("name"),`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "The name of the certificate",`
			`},`

			`"certificate": &framework.FieldSchema{`
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 18:01:28 +00:00			`Type: framework.TypeString,`
			Description: `The public certificate that should be trusted.
			Must be x509 PEM encoded.`,
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`},`

Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`"allowed_names": &framework.FieldSchema{`
			`Type: framework.TypeCommaStringSlice,`
			Description: `A comma-separated list of names.
			At least one must exist in either the Common Name or SANs. Supports globbing.`,
			`},`

credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`"display_name": &framework.FieldSchema{`
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 18:01:28 +00:00			`Type: framework.TypeString,`
			Description: `The display name to use for clients using this
			certificate.`,
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`},`

			`"policies": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Comma-seperated list of policies.",`
			`},`
credential/cert: support leasing and renewal 2015-04-24 19:58:39 +00:00
			`"lease": &framework.FieldSchema{`
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 18:01:28 +00:00			`Type: framework.TypeInt,`
			Description: `Deprecated: use "ttl" instead. TTL time in
			seconds. Defaults to system/backend default TTL.`,
			`},`

			`"ttl": &framework.FieldSchema{`
Use TypeDurationSecond instead of TypeString 2015-10-30 21:45:01 +00:00			`Type: framework.TypeDurationSecond,`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			Description: `TTL for tokens issued by this backend.
			Defaults to system/backend default TTL time.`,
credential/cert: support leasing and renewal 2015-04-24 19:58:39 +00:00			`},`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.DeleteOperation: b.pathCertDelete,`
			`logical.ReadOperation: b.pathCertRead,`
supporting non-ca certs for verification 2016-02-29 15:40:15 +00:00			`logical.UpdateOperation: b.pathCertWrite,`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`},`

			`HelpSynopsis: pathCertHelpSyn,`
			`HelpDescription: pathCertHelpDesc,`
			`}`
			`}`

			`func (b backend) Cert(s logical.Storage, n string) (CertEntry, error) {`
			`entry, err := s.Get("cert/" + strings.ToLower(n))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

			`var result CertEntry`
			`if err := entry.DecodeJSON(&result); err != nil {`
			`return nil, err`
			`}`
			`return &result, nil`
			`}`

			`func (b *backend) pathCertDelete(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`err := req.Storage.Delete("cert/" + strings.ToLower(d.Get("name").(string)))`
			`if err != nil {`
			`return nil, err`
			`}`
			`return nil, nil`
			`}`

Add list support to certs in cert auth backend. Fixes #1212 2016-03-15 18:07:40 +00:00			`func (b *backend) pathCertList(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`certs, err := req.Storage.List("cert/")`
			`if err != nil {`
			`return nil, err`
			`}`
			`return logical.ListResponse(certs), nil`
			`}`

credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`func (b *backend) pathCertRead(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`cert, err := b.Cert(req.Storage, strings.ToLower(d.Get("name").(string)))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if cert == nil {`
			`return nil, nil`
			`}`

Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 18:01:28 +00:00			`duration := cert.TTL`
			`if duration == 0 {`
			`duration = b.System().DefaultLeaseTTL()`
			`}`

credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`return &logical.Response{`
			`Data: map[string]interface{}{`
			`"certificate": cert.Certificate,`
			`"display_name": cert.DisplayName,`
			`"policies": strings.Join(cert.Policies, ","),`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`"ttl": duration / time.Second,`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`},`
			`}, nil`
			`}`

			`func (b *backend) pathCertWrite(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`name := strings.ToLower(d.Get("name").(string))`
			`certificate := d.Get("certificate").(string)`
			`displayName := d.Get("display_name").(string)`
Utility Enhancements 2016-04-06 00:30:38 +00:00			`policies := policyutil.ParsePolicies(d.Get("policies").(string))`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`allowedNames := d.Get("allowed_names").([]string)`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00
credential/cert: default display name 2015-04-24 17:52:17 +00:00			`// Default the display name to the certificate name if not given`
			`if displayName == "" {`
			`displayName = name`
			`}`

credential/cert: more validation on cert setup 2015-04-24 17:39:44 +00:00			`parsed := parsePEM([]byte(certificate))`
			`if len(parsed) == 0 {`
			`return logical.ErrorResponse("failed to parse certificate"), nil`
			`}`

supporting non-ca certs for verification 2016-02-29 15:40:15 +00:00			`// If the certificate is not a CA cert, then ensure that x509.ExtKeyUsageClientAuth is set`
corrections, policy matching changes and test cert changes 2016-02-29 23:29:41 +00:00			`if !parsed[0].IsCA && parsed[0].ExtKeyUsage != nil {`
Added testcase for cert writes 2016-02-29 21:02:19 +00:00			`var clientAuth bool`
supporting non-ca certs for verification 2016-02-29 15:40:15 +00:00			`for _, usage := range parsed[0].ExtKeyUsage {`
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow 2016-03-01 15:24:22 +00:00			`if usage == x509.ExtKeyUsageClientAuth \|\| usage == x509.ExtKeyUsageAny {`
supporting non-ca certs for verification 2016-02-29 15:40:15 +00:00			`clientAuth = true`
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow 2016-03-01 15:24:22 +00:00			`break`
supporting non-ca certs for verification 2016-02-29 15:40:15 +00:00			`}`
			`}`
			`if !clientAuth {`
corrections, policy matching changes and test cert changes 2016-02-29 23:29:41 +00:00			`return logical.ErrorResponse("non-CA certificates should have TLS client authentication set as an extended key usage"), nil`
supporting non-ca certs for verification 2016-02-29 15:40:15 +00:00			`}`
			`}`

Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`certEntry := &CertEntry{`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`Name: name,`
			`Certificate: certificate,`
			`DisplayName: displayName,`
			`Policies: policies,`
			`AllowedNames: allowedNames,`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`}`

Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 18:01:28 +00:00			`// Parse the lease duration or default to backend/system default`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`maxTTL := b.System().MaxLeaseTTL()`
Use TypeDurationSecond instead of TypeString 2015-10-30 21:45:01 +00:00			`ttl := time.Duration(d.Get("ttl").(int)) * time.Second`
			`if ttl == time.Duration(0) {`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`ttl = time.Second * time.Duration(d.Get("lease").(int))`
			`}`
			`if ttl > maxTTL {`
			`return logical.ErrorResponse(fmt.Sprintf("Given TTL of %d seconds greater than current mount/system default of %d seconds", ttl/time.Second, maxTTL/time.Second)), nil`
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 18:01:28 +00:00			`}`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`if ttl > time.Duration(0) {`
			`certEntry.TTL = ttl`
credential/cert: support leasing and renewal 2015-04-24 19:58:39 +00:00			`}`

credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`// Store it`
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior. 2015-10-06 01:10:20 +00:00			`entry, err := logical.StorageEntryJSON("cert/"+name, certEntry)`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if err := req.Storage.Put(entry); err != nil {`
			`return nil, err`
			`}`
			`return nil, nil`
			`}`

			`type CertEntry struct {`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`Name string`
			`Certificate string`
			`DisplayName string`
			`Policies []string`
			`TTL time.Duration`
			`AllowedNames []string`
credential/cert: major refactor 2015-04-24 17:31:57 +00:00			`}`

			const pathCertHelpSyn = `
			`Manage trusted certificates used for authentication.`
			`

			const pathCertHelpDesc = `
			`This endpoint allows you to create, read, update, and delete trusted certificates`
			`that are allowed to authenticate.`

			`Deleting a certificate will not revoke auth for prior authenticated connections.`
			`To do this, do a revoke on "login". If you don't need to revoke login immediately,`
			`then the next renew will cause the lease to expire.`
			`