2015-03-15 20:52:43 +00:00
|
|
|
package logical
|
|
|
|
|
2015-03-15 21:53:41 +00:00
|
|
|
import (
|
|
|
|
"errors"
|
2015-03-31 03:55:01 +00:00
|
|
|
"fmt"
|
2016-05-02 02:39:45 +00:00
|
|
|
"time"
|
2015-03-15 21:53:41 +00:00
|
|
|
)
|
|
|
|
|
2017-01-04 21:44:03 +00:00
|
|
|
// RequestWrapInfo is a struct that stores information about desired response
|
|
|
|
// wrapping behavior
|
|
|
|
type RequestWrapInfo struct {
|
|
|
|
// Setting to non-zero specifies that the response should be wrapped.
|
|
|
|
// Specifies the desired TTL of the wrapping token.
|
|
|
|
TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl"`
|
|
|
|
|
|
|
|
// The format to use for the wrapped response; if not specified it's a bare
|
|
|
|
// token
|
|
|
|
Format string `json:"format" structs:"format" mapstructure:"format"`
|
|
|
|
}
|
|
|
|
|
2015-03-15 20:52:43 +00:00
|
|
|
// Request is a struct that stores the parameters and context
|
|
|
|
// of a request being made to Vault. It is used to abstract
|
|
|
|
// the details of the higher level request protocol from the handlers.
|
|
|
|
type Request struct {
|
2016-07-24 01:46:28 +00:00
|
|
|
// Id is the uuid associated with each request
|
|
|
|
ID string `json:"id" structs:"id" mapstructure:"id"`
|
|
|
|
|
2017-02-16 18:09:53 +00:00
|
|
|
// If set, the name given to the replication secondary where this request
|
|
|
|
// originated
|
|
|
|
ReplicationCluster string `json:"replication_cluster" structs:"replication_cluster", mapstructure:"replication_cluster"`
|
|
|
|
|
2015-03-15 20:52:43 +00:00
|
|
|
// Operation is the requested operation type
|
2016-07-24 01:46:28 +00:00
|
|
|
Operation Operation `json:"operation" structs:"operation" mapstructure:"operation"`
|
2015-03-15 20:52:43 +00:00
|
|
|
|
|
|
|
// Path is the part of the request path not consumed by the
|
|
|
|
// routing. As an example, if the original request path is "prod/aws/foo"
|
|
|
|
// and the AWS logical backend is mounted at "prod/aws/", then the
|
|
|
|
// final path is "foo" since the mount prefix is trimmed.
|
2016-07-24 01:46:28 +00:00
|
|
|
Path string `json:"path" structs:"path" mapstructure:"path"`
|
2015-03-15 20:52:43 +00:00
|
|
|
|
|
|
|
// Request data is an opaque map that must have string keys.
|
2016-07-24 01:46:28 +00:00
|
|
|
Data map[string]interface{} `json:"map" structs:"data" mapstructure:"data"`
|
2015-03-15 20:52:43 +00:00
|
|
|
|
|
|
|
// Storage can be used to durably store and retrieve state.
|
2017-02-16 18:09:53 +00:00
|
|
|
Storage Storage `json:"-"`
|
2015-03-19 22:11:42 +00:00
|
|
|
|
|
|
|
// Secret will be non-nil only for Revoke and Renew operations
|
|
|
|
// to represent the secret that was returned prior.
|
2016-07-24 01:46:28 +00:00
|
|
|
Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret"`
|
2015-03-24 18:09:25 +00:00
|
|
|
|
2015-04-09 21:21:06 +00:00
|
|
|
// Auth will be non-nil only for Renew operations
|
|
|
|
// to represent the auth that was returned prior.
|
2016-07-24 01:46:28 +00:00
|
|
|
Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth"`
|
2015-04-09 21:21:06 +00:00
|
|
|
|
2017-02-02 19:49:20 +00:00
|
|
|
// Headers will contain the http headers from the request. This value will
|
|
|
|
// be used in the audit broker to ensure we are auditing only the allowed
|
|
|
|
// headers.
|
|
|
|
Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers"`
|
|
|
|
|
2015-03-30 21:23:32 +00:00
|
|
|
// Connection will be non-nil only for credential providers to
|
|
|
|
// inspect the connection information and potentially use it for
|
|
|
|
// authentication/protection.
|
2016-07-24 01:46:28 +00:00
|
|
|
Connection *Connection `json:"connection" structs:"connection" mapstructure:"connection"`
|
2015-03-30 21:23:32 +00:00
|
|
|
|
2015-03-24 18:09:25 +00:00
|
|
|
// ClientToken is provided to the core so that the identity
|
2015-04-15 20:56:42 +00:00
|
|
|
// can be verified and ACLs applied. This value is passed
|
|
|
|
// through to the logical backends but after being salted and
|
|
|
|
// hashed.
|
2016-07-24 01:46:28 +00:00
|
|
|
ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token"`
|
2015-04-15 20:56:42 +00:00
|
|
|
|
2016-10-29 21:01:49 +00:00
|
|
|
// ClientTokenAccessor is provided to the core so that the it can get
|
|
|
|
// logged as part of request audit logging.
|
|
|
|
ClientTokenAccessor string `json:"client_token_accessor" structs:"client_token_accessor" mapstructure:"client_token_accessor"`
|
|
|
|
|
2015-04-15 20:56:42 +00:00
|
|
|
// DisplayName is provided to the logical backend to help associate
|
|
|
|
// dynamic secrets with the source entity. This is not a sensitive
|
|
|
|
// name, but is useful for operators.
|
2016-07-24 01:46:28 +00:00
|
|
|
DisplayName string `json:"display_name" structs:"display_name" mapstructure:"display_name"`
|
2015-05-27 18:46:42 +00:00
|
|
|
|
|
|
|
// MountPoint is provided so that a logical backend can generate
|
|
|
|
// paths relative to itself. The `Path` is effectively the client
|
|
|
|
// request path with the MountPoint trimmed off.
|
2016-07-24 01:46:28 +00:00
|
|
|
MountPoint string `json:"mount_point" structs:"mount_point" mapstructure:"mount_point"`
|
2016-05-02 02:39:45 +00:00
|
|
|
|
2017-04-24 19:15:50 +00:00
|
|
|
// MountType is provided so that a logical backend can make decisions
|
|
|
|
// based on the specific mount type (e.g., if a mount type has different
|
|
|
|
// aliases, generating different defaults depending on the alias)
|
|
|
|
MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type"`
|
|
|
|
|
2017-01-04 21:44:03 +00:00
|
|
|
// WrapInfo contains requested response wrapping parameters
|
|
|
|
WrapInfo *RequestWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info"`
|
2017-03-01 17:39:42 +00:00
|
|
|
|
2017-03-09 01:05:23 +00:00
|
|
|
// ClientTokenRemainingUses represents the allowed number of uses left on the
|
2017-03-08 22:36:50 +00:00
|
|
|
// token supplied
|
|
|
|
ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`
|
|
|
|
|
2017-03-01 17:39:42 +00:00
|
|
|
// For replication, contains the last WAL on the remote side after handling
|
|
|
|
// the request, used for best-effort avoidance of stale read-after-write
|
|
|
|
lastRemoteWAL uint64
|
2015-03-15 20:52:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Get returns a data field and guards for nil Data
|
|
|
|
func (r *Request) Get(key string) interface{} {
|
|
|
|
if r.Data == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return r.Data[key]
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetString returns a data field as a string
|
|
|
|
func (r *Request) GetString(key string) string {
|
|
|
|
raw := r.Get(key)
|
|
|
|
s, _ := raw.(string)
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2015-03-31 03:55:01 +00:00
|
|
|
func (r *Request) GoString() string {
|
|
|
|
return fmt.Sprintf("*%#v", *r)
|
|
|
|
}
|
|
|
|
|
2017-03-01 17:39:42 +00:00
|
|
|
func (r *Request) LastRemoteWAL() uint64 {
|
|
|
|
return r.lastRemoteWAL
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *Request) SetLastRemoteWAL(last uint64) {
|
|
|
|
r.lastRemoteWAL = last
|
|
|
|
}
|
|
|
|
|
2015-03-19 19:20:25 +00:00
|
|
|
// RenewRequest creates the structure of the renew request.
|
|
|
|
func RenewRequest(
|
2015-03-19 22:11:42 +00:00
|
|
|
path string, secret *Secret, data map[string]interface{}) *Request {
|
2015-03-19 19:20:25 +00:00
|
|
|
return &Request{
|
|
|
|
Operation: RenewOperation,
|
|
|
|
Path: path,
|
2015-03-19 22:11:42 +00:00
|
|
|
Data: data,
|
|
|
|
Secret: secret,
|
2015-03-19 19:20:25 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-11 21:46:09 +00:00
|
|
|
// RenewAuthRequest creates the structure of the renew request for an auth.
|
|
|
|
func RenewAuthRequest(
|
|
|
|
path string, auth *Auth, data map[string]interface{}) *Request {
|
|
|
|
return &Request{
|
|
|
|
Operation: RenewOperation,
|
|
|
|
Path: path,
|
|
|
|
Data: data,
|
|
|
|
Auth: auth,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-19 19:20:25 +00:00
|
|
|
// RevokeRequest creates the structure of the revoke request.
|
|
|
|
func RevokeRequest(
|
2015-03-19 22:11:42 +00:00
|
|
|
path string, secret *Secret, data map[string]interface{}) *Request {
|
2015-03-19 19:20:25 +00:00
|
|
|
return &Request{
|
|
|
|
Operation: RevokeOperation,
|
|
|
|
Path: path,
|
2015-03-19 22:11:42 +00:00
|
|
|
Data: data,
|
|
|
|
Secret: secret,
|
2015-03-19 19:20:25 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-20 16:20:55 +00:00
|
|
|
// RollbackRequest creates the structure of the revoke request.
|
|
|
|
func RollbackRequest(path string) *Request {
|
|
|
|
return &Request{
|
|
|
|
Operation: RollbackOperation,
|
|
|
|
Path: path,
|
2015-03-21 10:18:33 +00:00
|
|
|
Data: make(map[string]interface{}),
|
2015-03-20 16:20:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-15 20:52:43 +00:00
|
|
|
// Operation is an enum that is used to specify the type
|
|
|
|
// of request being made
|
|
|
|
type Operation string
|
|
|
|
|
|
|
|
const (
|
2015-03-19 18:41:41 +00:00
|
|
|
// The operations below are called per path
|
2016-01-07 20:10:05 +00:00
|
|
|
CreateOperation Operation = "create"
|
|
|
|
ReadOperation = "read"
|
|
|
|
UpdateOperation = "update"
|
2015-03-19 18:41:41 +00:00
|
|
|
DeleteOperation = "delete"
|
|
|
|
ListOperation = "list"
|
|
|
|
HelpOperation = "help"
|
|
|
|
|
|
|
|
// The operations below are called globally, the path is less relevant.
|
|
|
|
RevokeOperation Operation = "revoke"
|
2015-03-17 23:16:04 +00:00
|
|
|
RenewOperation = "renew"
|
|
|
|
RollbackOperation = "rollback"
|
2015-03-15 20:52:43 +00:00
|
|
|
)
|
2015-03-15 21:53:41 +00:00
|
|
|
|
|
|
|
var (
|
|
|
|
// ErrUnsupportedOperation is returned if the operation is not supported
|
|
|
|
// by the logical backend.
|
|
|
|
ErrUnsupportedOperation = errors.New("unsupported operation")
|
|
|
|
|
|
|
|
// ErrUnsupportedPath is returned if the path is not supported
|
|
|
|
// by the logical backend.
|
|
|
|
ErrUnsupportedPath = errors.New("unsupported path")
|
|
|
|
|
|
|
|
// ErrInvalidRequest is returned if the request is invalid
|
|
|
|
ErrInvalidRequest = errors.New("invalid request")
|
2015-03-24 18:23:59 +00:00
|
|
|
|
2015-08-09 19:20:06 +00:00
|
|
|
// ErrPermissionDenied is returned if the client is not authorized
|
2015-03-24 18:23:59 +00:00
|
|
|
ErrPermissionDenied = errors.New("permission denied")
|
2015-03-15 21:53:41 +00:00
|
|
|
)
|