open-vault/builtin/credential/ldap/path_users.go

package ldap

import (
	"context"
	"strings"

	"github.com/hashicorp/go-secure-stdlib/strutil"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/policyutil"
	"github.com/hashicorp/vault/sdk/logical"
)

func pathUsersList(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "users/?$",

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ListOperation: b.pathUserList,
		},

		HelpSynopsis:    pathUserHelpSyn,
		HelpDescription: pathUserHelpDesc,
		DisplayAttrs: &framework.DisplayAttributes{
			Navigation: true,
			ItemType:   "User",
		},
	}
}

func pathUsers(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: `users/(?P<name>.+)`,
		Fields: map[string]*framework.FieldSchema{
			"name": {
				Type:        framework.TypeString,
				Description: "Name of the LDAP user.",
			},

			"groups": {
				Type:        framework.TypeCommaStringSlice,
				Description: "Comma-separated list of additional groups associated with the user.",
			},

			"policies": {
				Type:        framework.TypeCommaStringSlice,
				Description: "Comma-separated list of policies associated with the user.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.DeleteOperation: b.pathUserDelete,
			logical.ReadOperation:   b.pathUserRead,
			logical.UpdateOperation: b.pathUserWrite,
		},

		HelpSynopsis:    pathUserHelpSyn,
		HelpDescription: pathUserHelpDesc,
		DisplayAttrs: &framework.DisplayAttributes{
			Action:   "Create",
			ItemType: "User",
		},
	}
}

func (b *backend) User(ctx context.Context, s logical.Storage, n string) (*UserEntry, error) {
	entry, err := s.Get(ctx, "user/"+n)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var result UserEntry
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}

	return &result, nil
}

func (b *backend) pathUserDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	err := req.Storage.Delete(ctx, "user/"+d.Get("name").(string))
	if err != nil {
		return nil, err
	}

	return nil, nil
}

func (b *backend) pathUserRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	username := d.Get("name").(string)

	cfg, err := b.Config(ctx, req)
	if err != nil {
		return nil, err
	}
	if cfg == nil {
		return logical.ErrorResponse("ldap backend not configured"), nil
	}
	if !*cfg.CaseSensitiveNames {
		username = strings.ToLower(username)
	}

	user, err := b.User(ctx, req.Storage, username)
	if err != nil {
		return nil, err
	}
	if user == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"groups":   strings.Join(user.Groups, ","),
			"policies": user.Policies,
		},
	}, nil
}

func (b *backend) pathUserWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	lowercaseGroups := false
	username := d.Get("name").(string)

	cfg, err := b.Config(ctx, req)
	if err != nil {
		return nil, err
	}
	if cfg == nil {
		return logical.ErrorResponse("ldap backend not configured"), nil
	}
	if !*cfg.CaseSensitiveNames {
		username = strings.ToLower(username)
		lowercaseGroups = true
	}

	groups := strutil.RemoveDuplicates(d.Get("groups").([]string), lowercaseGroups)
	policies := policyutil.ParsePolicies(d.Get("policies"))
	for i, g := range groups {
		groups[i] = strings.TrimSpace(g)
	}

	// Store it
	entry, err := logical.StorageEntryJSON("user/"+username, &UserEntry{
		Groups:   groups,
		Policies: policies,
	})
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

func (b *backend) pathUserList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	keys, err := logical.CollectKeysWithPrefix(ctx, req.Storage, "user/")
	if err != nil {
		return nil, err
	}
	for i := range keys {
		keys[i] = strings.TrimPrefix(keys[i], "user/")
	}
	return logical.ListResponse(keys), nil
}

type UserEntry struct {
	Groups   []string
	Policies []string
}

const pathUserHelpSyn = `
Manage users allowed to authenticate.
`

const pathUserHelpDesc = `
This endpoint allows you to create, read, update, and delete configuration
for LDAP users that are allowed to authenticate, in particular associating
additional groups to them.

Deleting a user will not revoke their auth. To do this, do a revoke on "login/<username>" for
the usernames you want revoked.
`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`package ldap`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`"strings"`

Migrate to sdk/internalshared libs in go-secure-stdlib (#12090) * Swap sdk/helper libs to go-secure-stdlib * Migrate to go-secure-stdlib reloadutil * Migrate to go-secure-stdlib kv-builder * Migrate to go-secure-stdlib gatedwriter 2021-07-16 00:17:31 +00:00			`"github.com/hashicorp/go-secure-stdlib/strutil"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Move policyutil to sdk 2019-04-12 22:08:46 +00:00			`"github.com/hashicorp/vault/sdk/helper/policyutil"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`)`

Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 23:56:49 +00:00			`func pathUsersList(b backend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "users/?$",`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ListOperation: b.pathUserList,`
			`},`

			`HelpSynopsis: pathUserHelpSyn,`
			`HelpDescription: pathUserHelpDesc,`
update OpenAPI output to use DisplayAttributes struct (#6928) 2019-06-21 15:08:08 +00:00			`DisplayAttrs: &framework.DisplayAttributes{`
			`Navigation: true,`
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow 2019-10-17 23:19:14 +00:00			`ItemType: "User",`
update OpenAPI output to use DisplayAttributes struct (#6928) 2019-06-21 15:08:08 +00:00			`},`
Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 23:56:49 +00:00			`}`
			`}`

ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`func pathUsers(b backend) framework.Path {`
			`return &framework.Path{`
			Pattern: `users/(?P<name>.+)`,
			`Fields: map[string]*framework.FieldSchema{`
Update LDAP "groups" parameter to use TypeCommaStringSlice (#6942) No functional change, but the updated type plays nicer with the OpenAPI-driven UI. 2019-06-20 22:36:54 +00:00			`"name": {`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`Type: framework.TypeString,`
			`Description: "Name of the LDAP user.",`
			`},`

Update LDAP "groups" parameter to use TypeCommaStringSlice (#6942) No functional change, but the updated type plays nicer with the OpenAPI-driven UI. 2019-06-20 22:36:54 +00:00			`"groups": {`
			`Type: framework.TypeCommaStringSlice,`
ldap: change setting user policies to setting user groups 2015-07-17 21:40:06 +00:00			`Description: "Comma-separated list of additional groups associated with the user.",`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`},`
add support per user acl for ldap users 2016-11-29 10:32:59 +00:00
Update LDAP "groups" parameter to use TypeCommaStringSlice (#6942) No functional change, but the updated type plays nicer with the OpenAPI-driven UI. 2019-06-20 22:36:54 +00:00			`"policies": {`
Sanitize policy behavior across backends (#3324) Fixes #3323 Fixes #3318 * Fix tests * Fix tests 2017-09-13 15:36:52 +00:00			`Type: framework.TypeCommaStringSlice,`
ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 15:56:43 +00:00			`Description: "Comma-separated list of policies associated with the user.",`
add support per user acl for ldap users 2016-11-29 10:32:59 +00:00			`},`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.DeleteOperation: b.pathUserDelete,`
			`logical.ReadOperation: b.pathUserRead,`
Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 23:56:49 +00:00			`logical.UpdateOperation: b.pathUserWrite,`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`},`

			`HelpSynopsis: pathUserHelpSyn,`
			`HelpDescription: pathUserHelpDesc,`
UI: Clean up Dynamic UI for CRUD (#6994) 2019-07-01 20:35:18 +00:00			`DisplayAttrs: &framework.DisplayAttributes{`
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow 2019-10-17 23:19:14 +00:00			`Action: "Create",`
			`ItemType: "User",`
UI: Clean up Dynamic UI for CRUD (#6994) 2019-07-01 20:35:18 +00:00			`},`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`}`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b backend) User(ctx context.Context, s logical.Storage, n string) (UserEntry, error) {`
			`entry, err := s.Get(ctx, "user/"+n)`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

			`var result UserEntry`
			`if err := entry.DecodeJSON(&result); err != nil {`
			`return nil, err`
			`}`

			`return &result, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathUserDelete(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`err := req.Storage.Delete(ctx, "user/"+d.Get("name").(string))`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`return nil, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathUserRead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Case insensitive behavior for LDAP (#4238) 2018-04-03 13:52:43 +00:00			`username := d.Get("name").(string)`

			`cfg, err := b.Config(ctx, req)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if cfg == nil {`
			`return logical.ErrorResponse("ldap backend not configured"), nil`
			`}`
			`if !*cfg.CaseSensitiveNames {`
			`username = strings.ToLower(username)`
			`}`

			`user, err := b.User(ctx, req.Storage, username)`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if user == nil {`
			`return nil, nil`
			`}`

			`return &logical.Response{`
			`Data: map[string]interface{}{`
ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 15:56:43 +00:00			`"groups": strings.Join(user.Groups, ","),`
Sanitize policy behavior across backends (#3324) Fixes #3323 Fixes #3318 * Fix tests * Fix tests 2017-09-13 15:36:52 +00:00			`"policies": user.Policies,`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`},`
			`}, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathUserWrite(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Case insensitive behavior for LDAP (#4238) 2018-04-03 13:52:43 +00:00			`lowercaseGroups := false`
			`username := d.Get("name").(string)`

			`cfg, err := b.Config(ctx, req)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if cfg == nil {`
			`return logical.ErrorResponse("ldap backend not configured"), nil`
			`}`
			`if !*cfg.CaseSensitiveNames {`
			`username = strings.ToLower(username)`
			`lowercaseGroups = true`
			`}`

Update LDAP "groups" parameter to use TypeCommaStringSlice (#6942) No functional change, but the updated type plays nicer with the OpenAPI-driven UI. 2019-06-20 22:36:54 +00:00			`groups := strutil.RemoveDuplicates(d.Get("groups").([]string), lowercaseGroups)`
Sanitize policy behavior across backends (#3324) Fixes #3323 Fixes #3318 * Fix tests * Fix tests 2017-09-13 15:36:52 +00:00			`policies := policyutil.ParsePolicies(d.Get("policies"))`
ldap: change setting user policies to setting user groups 2015-07-17 21:40:06 +00:00			`for i, g := range groups {`
			`groups[i] = strings.TrimSpace(g)`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`}`

			`// Store it`
Case insensitive behavior for LDAP (#4238) 2018-04-03 13:52:43 +00:00			`entry, err := logical.StorageEntryJSON("user/"+username, &UserEntry{`
ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 15:56:43 +00:00			`Groups: groups,`
add support per user acl for ldap users 2016-11-29 10:32:59 +00:00			`Policies: policies,`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`return nil, err`
			`}`

			`return nil, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathUserList(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Fix Okta auth to allow group names containing slashes (#6665) This PR also adds CollectKeysPrefix which allows a more memory efficient key scan for those cases where the result is immediately filtered by prefix. 2019-05-01 21:56:18 +00:00			`keys, err := logical.CollectKeysWithPrefix(ctx, req.Storage, "user/")`
Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 23:56:49 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Fix Okta auth to allow group names containing slashes (#6665) This PR also adds CollectKeysPrefix which allows a more memory efficient key scan for those cases where the result is immediately filtered by prefix. 2019-05-01 21:56:18 +00:00			`for i := range keys {`
			`keys[i] = strings.TrimPrefix(keys[i], "user/")`
Return absolute paths while listing in LDAP backend (#5537) 2018-10-17 21:56:51 +00:00			`}`
Fix Okta auth to allow group names containing slashes (#6665) This PR also adds CollectKeysPrefix which allows a more memory efficient key scan for those cases where the result is immediately filtered by prefix. 2019-05-01 21:56:18 +00:00			`return logical.ListResponse(keys), nil`
Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 23:56:49 +00:00			`}`

ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`type UserEntry struct {`
ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 15:56:43 +00:00			`Groups []string`
add support per user acl for ldap users 2016-11-29 10:32:59 +00:00			`Policies []string`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`}`

			const pathUserHelpSyn = `
Fix inverted description for ldap/users$ and ldap/groups$ endpoints (#6406) 2019-03-13 18:02:45 +00:00			`Manage users allowed to authenticate.`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`

			const pathUserHelpDesc = `
			`This endpoint allows you to create, read, update, and delete configuration`
ldap: change setting user policies to setting user groups 2015-07-17 21:40:06 +00:00			`for LDAP users that are allowed to authenticate, in particular associating`
			`additional groups to them.`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00
ldap: change setting user policies to setting user groups 2015-07-17 21:40:06 +00:00			`Deleting a user will not revoke their auth. To do this, do a revoke on "login/<username>" for`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`the usernames you want revoked.`
			`