2016-05-30 18:30:01 +00:00
package approle
import (
2018-01-08 18:31:38 +00:00
"context"
2018-06-20 02:57:11 +00:00
"errors"
2016-05-30 18:30:01 +00:00
"fmt"
"strings"
"time"
2019-01-09 00:48:57 +00:00
uuid "github.com/hashicorp/go-uuid"
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/framework"
2019-04-12 22:03:59 +00:00
"github.com/hashicorp/vault/sdk/helper/cidrutil"
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/locksutil"
2019-07-01 20:30:08 +00:00
"github.com/hashicorp/vault/sdk/helper/parseutil"
2019-04-12 22:08:46 +00:00
"github.com/hashicorp/vault/sdk/helper/policyutil"
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/strutil"
2019-07-01 20:30:08 +00:00
"github.com/hashicorp/vault/sdk/helper/tokenutil"
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/logical"
2016-05-30 18:30:01 +00:00
)
// roleStorageEntry stores all the options that are set on an role
type roleStorageEntry struct {
2019-07-01 20:30:08 +00:00
tokenutil . TokenParams
2018-06-05 20:12:11 +00:00
// Name of the role. This field is not persisted on disk. After the role is
// read out of disk, the sanitized version of name is set in this field for
// subsequent use of role name elsewhere.
name string
2016-05-30 18:30:01 +00:00
// UUID that uniquely represents this role. This serves as a credential
// to perform login using this role.
2018-06-05 20:12:11 +00:00
RoleID string ` json:"role_id" mapstructure:"role_id" `
2016-05-30 18:30:01 +00:00
// UUID that serves as the HMAC key for the hashing the 'secret_id's
// of the role
2018-06-05 20:12:11 +00:00
HMACKey string ` json:"hmac_key" mapstructure:"hmac_key" `
2016-05-30 18:30:01 +00:00
2019-07-01 20:30:08 +00:00
// Policies that are to be required by the token to access this role. Deprecated.
2018-06-05 20:12:11 +00:00
Policies [ ] string ` json:"policies" mapstructure:"policies" `
2016-05-30 18:30:01 +00:00
// Number of times the SecretID generated against this role can be
// used to perform login operation
2018-06-05 20:12:11 +00:00
SecretIDNumUses int ` json:"secret_id_num_uses" mapstructure:"secret_id_num_uses" `
2016-05-30 18:30:01 +00:00
// Duration (less than the backend mount's max TTL) after which a
// SecretID generated against the role will expire
2018-06-05 20:12:11 +00:00
SecretIDTTL time . Duration ` json:"secret_id_ttl" mapstructure:"secret_id_ttl" `
2016-05-30 18:30:01 +00:00
// A constraint, if set, requires 'secret_id' credential to be presented during login
2018-06-05 20:12:11 +00:00
BindSecretID bool ` json:"bind_secret_id" mapstructure:"bind_secret_id" `
2016-05-30 18:30:01 +00:00
2018-06-20 02:57:11 +00:00
// Deprecated: A constraint, if set, specifies the CIDR blocks from which logins should be allowed,
// please use SecretIDBoundCIDRs instead.
2018-03-08 22:49:08 +00:00
BoundCIDRListOld string ` json:"bound_cidr_list,omitempty" `
2018-06-20 02:57:11 +00:00
// Deprecated: A constraint, if set, specifies the CIDR blocks from which logins should be allowed,
// please use SecretIDBoundCIDRs instead.
2018-06-05 20:12:11 +00:00
BoundCIDRList [ ] string ` json:"bound_cidr_list_list" mapstructure:"bound_cidr_list" `
2016-05-30 18:30:01 +00:00
2018-06-20 02:57:11 +00:00
// A constraint, if set, specifies the CIDR blocks from which logins should be allowed
SecretIDBoundCIDRs [ ] string ` json:"secret_id_bound_cidrs" mapstructure:"secret_id_bound_cidrs" `
2016-05-30 18:30:01 +00:00
// Period, if set, indicates that the token generated using this role
// should never expire. The token should be renewed within the duration
2019-07-01 20:30:08 +00:00
// specified by this value. The renewal duration will be fixed if the value
// is not modified on the role. If the `Period` in the role is modified, a
// token will pick up the new value during its next renewal. Deprecated.
2018-06-05 20:12:11 +00:00
Period time . Duration ` json:"period" mapstructure:"period" `
2017-12-11 21:41:17 +00:00
// LowerCaseRoleName enforces the lower casing of role names for all the
// roles that get created since this field was introduced.
2018-06-05 20:12:11 +00:00
LowerCaseRoleName bool ` json:"lower_case_role_name" mapstructure:"lower_case_role_name" `
2018-04-23 14:51:55 +00:00
2018-04-23 21:05:53 +00:00
// SecretIDPrefix is the storage prefix for persisting secret IDs. This
// differs based on whether the secret IDs are cluster local or not.
2018-06-05 20:12:11 +00:00
SecretIDPrefix string ` json:"secret_id_prefix" mapstructure:"secret_id_prefix" `
2016-05-30 18:30:01 +00:00
}
// roleIDStorageEntry represents the reverse mapping from RoleID to Role
type roleIDStorageEntry struct {
2018-06-05 20:12:11 +00:00
Name string ` json:"name" mapstructure:"name" `
2016-05-30 18:30:01 +00:00
}
// rolePaths creates all the paths that are used to register and manage an role.
//
// Paths returned:
// role/ - For listing all the registered roles
// role/<role_name> - For registering an role
// role/<role_name>/policies - For updating the param
// role/<role_name>/secret-id-num-uses - For updating the param
// role/<role_name>/secret-id-ttl - For updating the param
// role/<role_name>/token-ttl - For updating the param
// role/<role_name>/token-max-ttl - For updating the param
2017-03-03 14:31:20 +00:00
// role/<role_name>/token-num-uses - For updating the param
2016-05-30 18:30:01 +00:00
// role/<role_name>/bind-secret-id - For updating the param
// role/<role_name>/bound-cidr-list - For updating the param
// role/<role_name>/period - For updating the param
// role/<role_name>/role-id - For fetching the role_id of an role
2018-03-20 18:54:10 +00:00
// role/<role_name>/secret-id - For issuing a secret_id against an role, also to list the secret_id_accessors
2016-05-30 18:30:01 +00:00
// role/<role_name>/custom-secret-id - For assigning a custom SecretID against an role
2016-09-29 00:22:37 +00:00
// role/<role_name>/secret-id/lookup - For reading the properties of a secret_id
// role/<role_name>/secret-id/destroy - For deleting a secret_id
2016-09-29 02:11:48 +00:00
// role/<role_name>/secret-id-accessor/lookup - For reading secret_id using accessor
// role/<role_name>/secret-id-accessor/destroy - For deleting secret_id using accessor
2016-05-30 18:30:01 +00:00
func rolePaths ( b * backend ) [ ] * framework . Path {
2019-07-01 20:30:08 +00:00
defTokenFields := tokenutil . TokenFields ( )
p := & framework . Path {
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
2016-05-30 18:30:01 +00:00
} ,
2021-04-08 16:43:39 +00:00
"bind_secret_id" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeBool ,
Default : true ,
Description : "Impose secret_id to be presented when logging in using this role. Defaults to 'true'." ,
} ,
2021-04-08 16:43:39 +00:00
"bound_cidr_list" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : ` Use "secret_id_bound_cidrs" instead. ` ,
Deprecated : true ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id_bound_cidrs" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : ` Comma separated string or list of CIDR blocks . If set , specifies the blocks of
2018-03-08 22:49:08 +00:00
IP addresses which can perform the login operation . ` ,
2019-07-01 20:30:08 +00:00
} ,
2021-04-08 16:43:39 +00:00
"policies" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : tokenutil . DeprecationText ( "token_policies" ) ,
Deprecated : true ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id_num_uses" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeInt ,
Description : ` Number of times a SecretID can access the role , after which the SecretID
2016-05-30 18:30:01 +00:00
will expire . Defaults to 0 meaning that the the secret_id is of unlimited use . ` ,
2019-07-01 20:30:08 +00:00
} ,
2021-04-08 16:43:39 +00:00
"secret_id_ttl" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeDurationSecond ,
Description : ` Duration in seconds after which the issued SecretID should expire . Defaults
2016-11-15 16:50:51 +00:00
to 0 , meaning no expiration . ` ,
2019-07-01 20:30:08 +00:00
} ,
2021-04-08 16:43:39 +00:00
"period" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeDurationSecond ,
Description : tokenutil . DeprecationText ( "token_period" ) ,
Deprecated : true ,
} ,
2021-04-08 16:43:39 +00:00
"role_id" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeString ,
Description : "Identifier of the role. Defaults to a UUID." ,
} ,
2021-04-08 16:43:39 +00:00
"local_secret_ids" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeBool ,
Description : ` If set , the secret IDs generated using this role will be cluster local . This
2018-04-23 21:05:53 +00:00
can only be set during role creation and once set , it can ' t be reset later . ` ,
2016-05-30 18:30:01 +00:00
} ,
2019-07-01 20:30:08 +00:00
} ,
ExistenceCheck : b . pathRoleExistenceCheck ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . CreateOperation : b . pathRoleCreateUpdate ,
logical . UpdateOperation : b . pathRoleCreateUpdate ,
logical . ReadOperation : b . pathRoleRead ,
logical . DeleteOperation : b . pathRoleDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role" ] [ 1 ] ) ,
}
tokenutil . AddTokenFields ( p . Fields )
return [ ] * framework . Path {
p ,
2021-04-08 16:43:39 +00:00
{
2019-07-01 20:30:08 +00:00
Pattern : "role/?" ,
2016-05-30 18:30:01 +00:00
Callbacks : map [ logical . Operation ] framework . OperationFunc {
2019-07-01 20:30:08 +00:00
logical . ListOperation : b . pathRoleList ,
2016-05-30 18:30:01 +00:00
} ,
2019-07-01 20:30:08 +00:00
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-list" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-list" ] [ 1 ] ) ,
2016-05-30 18:30:01 +00:00
} ,
2021-04-08 16:43:39 +00:00
{
2018-04-24 21:52:42 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/local-secret-ids$" ,
2018-04-23 14:51:55 +00:00
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2018-04-23 14:51:55 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
2018-04-24 21:52:42 +00:00
logical . ReadOperation : b . pathRoleLocalSecretIDsRead ,
2018-04-23 14:51:55 +00:00
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-local-secret-ids" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-local-secret-ids" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/policies$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"policies" : {
2017-08-15 00:15:51 +00:00
Type : framework . TypeCommaStringSlice ,
2019-07-01 20:30:08 +00:00
Description : tokenutil . DeprecationText ( "token_policies" ) ,
Deprecated : true ,
} ,
2021-04-08 16:43:39 +00:00
"token_policies" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : defTokenFields [ "token_policies" ] . Description ,
2016-05-30 18:30:01 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRolePoliciesUpdate ,
logical . ReadOperation : b . pathRolePoliciesRead ,
logical . DeleteOperation : b . pathRolePoliciesDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-policies" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-policies" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/bound-cidr-list$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"bound_cidr_list" : {
2018-03-08 22:49:08 +00:00
Type : framework . TypeCommaStringSlice ,
2018-06-20 02:57:11 +00:00
Description : ` Deprecated : Please use "secret_id_bound_cidrs" instead . Comma separated string or list
of CIDR blocks . If set , specifies the blocks of IP addresses which can perform the login operation . ` ,
2016-05-30 18:30:01 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
2018-06-20 02:57:11 +00:00
logical . UpdateOperation : b . pathRoleBoundCIDRUpdate ,
2016-05-30 18:30:01 +00:00
logical . ReadOperation : b . pathRoleBoundCIDRListRead ,
logical . DeleteOperation : b . pathRoleBoundCIDRListDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-bound-cidr-list" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-bound-cidr-list" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2018-06-20 02:57:11 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id-bound-cidrs$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2018-06-20 02:57:11 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id_bound_cidrs" : {
2018-06-20 02:57:11 +00:00
Type : framework . TypeCommaStringSlice ,
Description : ` Comma separated string or list of CIDR blocks . If set , specifies the blocks of
IP addresses which can perform the login operation . ` ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
2019-07-01 20:30:08 +00:00
logical . UpdateOperation : b . pathRoleSecretIDBoundCIDRUpdate ,
2018-06-20 02:57:11 +00:00
logical . ReadOperation : b . pathRoleSecretIDBoundCIDRRead ,
logical . DeleteOperation : b . pathRoleSecretIDBoundCIDRDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "secret-id-bound-cidrs" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "secret-id-bound-cidrs" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2018-06-20 02:57:11 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/token-bound-cidrs$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2018-06-20 02:57:11 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"token_bound_cidrs" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : defTokenFields [ "token_bound_cidrs" ] . Description ,
2018-06-20 02:57:11 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
2019-07-01 20:30:08 +00:00
logical . UpdateOperation : b . pathRoleTokenBoundCIDRUpdate ,
2018-06-20 02:57:11 +00:00
logical . ReadOperation : b . pathRoleTokenBoundCIDRRead ,
logical . DeleteOperation : b . pathRoleTokenBoundCIDRDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "token-bound-cidrs" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "token-bound-cidrs" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/bind-secret-id$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"bind_secret_id" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeBool ,
Default : true ,
Description : "Impose secret_id to be presented when logging in using this role." ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleBindSecretIDUpdate ,
logical . ReadOperation : b . pathRoleBindSecretIDRead ,
logical . DeleteOperation : b . pathRoleBindSecretIDDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-bind-secret-id" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-bind-secret-id" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id-num-uses$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id_num_uses" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeInt ,
Description : "Number of times a SecretID can access the role, after which the SecretID will expire." ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleSecretIDNumUsesUpdate ,
logical . ReadOperation : b . pathRoleSecretIDNumUsesRead ,
logical . DeleteOperation : b . pathRoleSecretIDNumUsesDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-secret-id-num-uses" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-secret-id-num-uses" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id-ttl$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id_ttl" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeDurationSecond ,
Description : ` Duration in seconds after which the issued SecretID should expire . Defaults
2016-11-15 16:50:51 +00:00
to 0 , meaning no expiration . ` ,
2016-05-30 18:30:01 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleSecretIDTTLUpdate ,
logical . ReadOperation : b . pathRoleSecretIDTTLRead ,
logical . DeleteOperation : b . pathRoleSecretIDTTLDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-secret-id-ttl" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-secret-id-ttl" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/period$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"period" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeDurationSecond ,
Description : tokenutil . DeprecationText ( "token_period" ) ,
Deprecated : true ,
} ,
2021-04-08 16:43:39 +00:00
"token_period" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeDurationSecond ,
Description : defTokenFields [ "token_period" ] . Description ,
2016-05-30 18:30:01 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRolePeriodUpdate ,
logical . ReadOperation : b . pathRolePeriodRead ,
logical . DeleteOperation : b . pathRolePeriodDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-period" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-period" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2017-03-03 14:31:20 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/token-num-uses$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2017-03-03 14:31:20 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"token_num_uses" : {
2017-03-03 14:31:20 +00:00
Type : framework . TypeInt ,
2019-07-01 20:30:08 +00:00
Description : defTokenFields [ "token_num_uses" ] . Description ,
2017-03-03 14:31:20 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleTokenNumUsesUpdate ,
logical . ReadOperation : b . pathRoleTokenNumUsesRead ,
logical . DeleteOperation : b . pathRoleTokenNumUsesDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-token-num-uses" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-token-num-uses" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/token-ttl$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"token_ttl" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeDurationSecond ,
Description : defTokenFields [ "token_ttl" ] . Description ,
2016-05-30 18:30:01 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleTokenTTLUpdate ,
logical . ReadOperation : b . pathRoleTokenTTLRead ,
logical . DeleteOperation : b . pathRoleTokenTTLDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-token-ttl" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-token-ttl" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/token-max-ttl$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"token_max_ttl" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeDurationSecond ,
Description : defTokenFields [ "token_max_ttl" ] . Description ,
2016-05-30 18:30:01 +00:00
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleTokenMaxTTLUpdate ,
logical . ReadOperation : b . pathRoleTokenMaxTTLRead ,
logical . DeleteOperation : b . pathRoleTokenMaxTTLDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-token-max-ttl" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-token-max-ttl" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/role-id$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"role_id" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Identifier of the role. Defaults to a UUID." ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . ReadOperation : b . pathRoleRoleIDRead ,
logical . UpdateOperation : b . pathRoleRoleIDUpdate ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-id" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-id" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id/?$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"metadata" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : ` Metadata to be tied to the SecretID . This should be a JSON
formatted string containing the metadata in key value pairs . ` ,
} ,
2021-04-08 16:43:39 +00:00
"cidr_list" : {
2018-03-08 22:49:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : ` Comma separated string or list of CIDR blocks enforcing secret IDs to be used from
2016-09-19 18:40:43 +00:00
specific set of IP addresses . If ' bound_cidr_list ' is set on the role , then the
list of CIDR blocks listed here should be a subset of the CIDR blocks listed on
the role . ` ,
} ,
2021-04-08 16:43:39 +00:00
"token_bound_cidrs" : {
2019-07-01 20:30:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : defTokenFields [ "token_bound_cidrs" ] . Description ,
2018-08-21 15:54:04 +00:00
} ,
2016-05-30 18:30:01 +00:00
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleSecretIDUpdate ,
logical . ListOperation : b . pathRoleSecretIDList ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-secret-id" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-secret-id" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-09-29 00:22:37 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id/lookup/?$" ,
2016-08-21 18:42:49 +00:00
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-08-21 18:42:49 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id" : {
2016-08-21 18:42:49 +00:00
Type : framework . TypeString ,
Description : "SecretID attached to the role." ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
2016-09-29 00:22:37 +00:00
logical . UpdateOperation : b . pathRoleSecretIDLookupUpdate ,
2016-08-21 18:42:49 +00:00
} ,
2016-09-29 00:22:37 +00:00
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-secret-id-lookup" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-secret-id-lookup" ] [ 1 ] ) ,
2016-08-21 18:42:49 +00:00
} ,
2021-04-08 16:43:39 +00:00
{
2016-09-29 00:22:37 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id/destroy/?$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-09-29 00:22:37 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id" : {
2016-09-29 00:22:37 +00:00
Type : framework . TypeString ,
Description : "SecretID attached to the role." ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleSecretIDDestroyUpdateDelete ,
logical . DeleteOperation : b . pathRoleSecretIDDestroyUpdateDelete ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-secret-id-destroy" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-secret-id-destroy" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-09-29 00:22:37 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id-accessor/lookup/?$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-09-29 00:22:37 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id_accessor" : {
2016-09-29 00:22:37 +00:00
Type : framework . TypeString ,
Description : "Accessor of the SecretID" ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleSecretIDAccessorLookupUpdate ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-secret-id-accessor" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-secret-id-accessor" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-09-29 00:22:37 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/secret-id-accessor/destroy/?$" ,
2016-05-30 18:30:01 +00:00
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id_accessor" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Accessor of the SecretID" ,
} ,
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
2016-09-29 00:22:37 +00:00
logical . UpdateOperation : b . pathRoleSecretIDAccessorDestroyUpdateDelete ,
logical . DeleteOperation : b . pathRoleSecretIDAccessorDestroyUpdateDelete ,
2016-05-30 18:30:01 +00:00
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-secret-id-accessor" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-secret-id-accessor" ] [ 1 ] ) ,
} ,
2021-04-08 16:43:39 +00:00
{
2016-05-30 18:30:01 +00:00
Pattern : "role/" + framework . GenericNameRegex ( "role_name" ) + "/custom-secret-id$" ,
Fields : map [ string ] * framework . FieldSchema {
2021-04-08 16:43:39 +00:00
"role_name" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "Name of the role." ,
} ,
2021-04-08 16:43:39 +00:00
"secret_id" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : "SecretID to be attached to the role." ,
} ,
2021-04-08 16:43:39 +00:00
"metadata" : {
2016-05-30 18:30:01 +00:00
Type : framework . TypeString ,
Description : ` Metadata to be tied to the SecretID . This should be a JSON
formatted string containing metadata in key value pairs . ` ,
} ,
2021-04-08 16:43:39 +00:00
"cidr_list" : {
2018-03-08 22:49:08 +00:00
Type : framework . TypeCommaStringSlice ,
Description : ` Comma separated string or list of CIDR blocks enforcing secret IDs to be used from
2016-09-19 18:40:43 +00:00
specific set of IP addresses . If ' bound_cidr_list ' is set on the role , then the
list of CIDR blocks listed here should be a subset of the CIDR blocks listed on
the role . ` ,
} ,
2021-04-08 16:43:39 +00:00
"token_bound_cidrs" : {
2018-08-21 15:54:04 +00:00
Type : framework . TypeCommaStringSlice ,
Description : ` Comma separated string or list of CIDR blocks . If set , specifies the blocks of
IP addresses which can use the returned token . Should be a subset of the token CIDR blocks listed on the role , if any . ` ,
} ,
2016-05-30 18:30:01 +00:00
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . UpdateOperation : b . pathRoleCustomSecretIDUpdate ,
} ,
HelpSynopsis : strings . TrimSpace ( roleHelp [ "role-custom-secret-id" ] [ 0 ] ) ,
HelpDescription : strings . TrimSpace ( roleHelp [ "role-custom-secret-id" ] [ 1 ] ) ,
} ,
}
}
// pathRoleExistenceCheck returns whether the role with the given name exists or not.
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleExistenceCheck ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( bool , error ) {
2017-11-10 16:32:04 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return false , fmt . Errorf ( "missing role_name" )
}
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return false , err
}
2017-11-10 16:32:04 +00:00
2016-05-30 18:30:01 +00:00
return role != nil , nil
}
// pathRoleList is used to list all the Roles registered with the backend.
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleList ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2018-01-19 06:44:44 +00:00
roles , err := req . Storage . List ( ctx , "role/" )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
return logical . ListResponse ( roles ) , nil
}
// pathRoleSecretIDList is used to list all the 'secret_id_accessor's issued against the role.
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDList ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2016-05-30 18:30:01 +00:00
// Get the role entry
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2017-11-10 16:32:04 +00:00
return logical . ErrorResponse ( fmt . Sprintf ( "role %q does not exist" , roleName ) ) , nil
2016-05-30 18:30:01 +00:00
}
2017-02-01 23:13:49 +00:00
// Guard the list operation with an outer lock
b . secretIDListingLock . RLock ( )
defer b . secretIDListingLock . RUnlock ( )
2016-05-30 18:30:01 +00:00
2018-06-05 20:12:11 +00:00
roleNameHMAC , err := createHMAC ( role . HMACKey , role . name )
2016-05-30 18:30:01 +00:00
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create HMAC of role_name: %w" , err )
2016-05-30 18:30:01 +00:00
}
// Listing works one level at a time. Get the first level of data
// which could then be used to get the actual SecretID storage entries.
2018-04-23 14:51:55 +00:00
secretIDHMACs , err := req . Storage . List ( ctx , fmt . Sprintf ( "%s%s/" , role . SecretIDPrefix , roleNameHMAC ) )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
var listItems [ ] string
for _ , secretIDHMAC := range secretIDHMACs {
2017-02-01 23:13:49 +00:00
// For sanity
if secretIDHMAC == "" {
continue
}
2016-05-30 18:30:01 +00:00
// Prepare the full index of the SecretIDs.
2018-04-23 14:51:55 +00:00
entryIndex := fmt . Sprintf ( "%s%s/%s" , role . SecretIDPrefix , roleNameHMAC , secretIDHMAC )
2016-05-30 18:30:01 +00:00
// SecretID locks are not indexed by SecretIDs itself.
// This is because SecretIDs are not stored in plaintext
// form anywhere in the backend, and hence accessing its
// corresponding lock many times using SecretIDs is not
// possible. Also, indexing it everywhere using secretIDHMACs
// makes listing operation easier.
2017-02-01 23:13:49 +00:00
secretIDLock := b . secretIDLock ( secretIDHMAC )
secretIDLock . RLock ( )
2016-05-30 18:30:01 +00:00
result := secretIDStorageEntry { }
2018-01-19 06:44:44 +00:00
if entry , err := req . Storage . Get ( ctx , entryIndex ) ; err != nil {
2017-02-01 23:13:49 +00:00
secretIDLock . RUnlock ( )
2016-05-30 18:30:01 +00:00
return nil , err
} else if entry == nil {
2017-02-01 23:13:49 +00:00
secretIDLock . RUnlock ( )
2016-05-30 18:30:01 +00:00
return nil , fmt . Errorf ( "storage entry for SecretID is present but no content found at the index" )
} else if err := entry . DecodeJSON ( & result ) ; err != nil {
2017-02-01 23:13:49 +00:00
secretIDLock . RUnlock ( )
2016-05-30 18:30:01 +00:00
return nil , err
}
listItems = append ( listItems , result . SecretIDAccessor )
2017-02-01 23:13:49 +00:00
secretIDLock . RUnlock ( )
2016-05-30 18:30:01 +00:00
}
return logical . ListResponse ( listItems ) , nil
}
2016-09-13 22:30:04 +00:00
// validateRoleConstraints checks if the role has at least one constraint
2016-09-15 16:10:40 +00:00
// enabled.
2016-09-13 22:30:04 +00:00
func validateRoleConstraints ( role * roleStorageEntry ) error {
2016-09-15 16:10:40 +00:00
if role == nil {
return fmt . Errorf ( "nil role" )
}
2016-09-13 21:44:07 +00:00
// At least one constraint should be enabled on the role
switch {
case role . BindSecretID :
2018-03-08 22:49:08 +00:00
case len ( role . BoundCIDRList ) != 0 :
2018-06-20 02:57:11 +00:00
case len ( role . SecretIDBoundCIDRs ) != 0 :
case len ( role . TokenBoundCIDRs ) != 0 :
2016-09-13 21:44:07 +00:00
default :
2016-09-13 22:30:04 +00:00
return fmt . Errorf ( "at least one constraint should be enabled on the role" )
2016-09-13 21:44:07 +00:00
}
2016-09-13 22:30:04 +00:00
return nil
2016-09-13 21:44:07 +00:00
}
2017-11-10 16:32:04 +00:00
// setRoleEntry persists the role and creates an index from roleID to role
// name.
2018-01-19 06:44:44 +00:00
func ( b * backend ) setRoleEntry ( ctx context . Context , s logical . Storage , roleName string , role * roleStorageEntry , previousRoleID string ) error {
2016-09-13 20:03:15 +00:00
if roleName == "" {
return fmt . Errorf ( "missing role name" )
}
if role == nil {
return fmt . Errorf ( "nil role" )
}
2016-09-13 21:44:07 +00:00
// Check if role constraints are properly set
2016-09-13 22:30:04 +00:00
if err := validateRoleConstraints ( role ) ; err != nil {
2016-09-13 21:44:07 +00:00
return err
}
2016-09-13 20:03:15 +00:00
2016-05-30 18:30:01 +00:00
// Create a storage entry for the role
entry , err := logical . StorageEntryJSON ( "role/" + strings . ToLower ( roleName ) , role )
if err != nil {
return err
}
if entry == nil {
2017-11-10 16:32:04 +00:00
return fmt . Errorf ( "failed to create storage entry for role %q" , roleName )
2016-05-30 18:30:01 +00:00
}
// Check if the index from the role_id to role already exists
2018-01-19 06:44:44 +00:00
roleIDIndex , err := b . roleIDEntry ( ctx , s , role . RoleID )
2016-05-30 18:30:01 +00:00
if err != nil {
2021-04-22 15:20:59 +00:00
return fmt . Errorf ( "failed to read role_id index: %w" , err )
2016-05-30 18:30:01 +00:00
}
// If the entry exists, make sure that it belongs to the current role
if roleIDIndex != nil && roleIDIndex . Name != roleName {
return fmt . Errorf ( "role_id already in use" )
}
// When role_id is getting updated, delete the old index before
// a new one is created
if previousRoleID != "" && previousRoleID != role . RoleID {
2018-01-19 06:44:44 +00:00
if err = b . roleIDEntryDelete ( ctx , s , previousRoleID ) ; err != nil {
2021-04-22 15:20:59 +00:00
return fmt . Errorf ( "failed to delete previous role ID index: %w" , err )
2016-05-30 18:30:01 +00:00
}
}
// Save the role entry only after all the validations
2018-01-19 06:44:44 +00:00
if err = s . Put ( ctx , entry ) ; err != nil {
2016-05-30 18:30:01 +00:00
return err
}
2016-09-28 16:01:16 +00:00
// If previousRoleID is still intact, don't create another one
2016-10-14 16:56:29 +00:00
if previousRoleID != "" && previousRoleID == role . RoleID {
2016-09-28 16:01:16 +00:00
return nil
}
2016-05-30 18:30:01 +00:00
// Create a storage entry for reverse mapping of RoleID to role.
// Note that secondary index is created when the roleLock is held.
2018-01-19 06:44:44 +00:00
return b . setRoleIDEntry ( ctx , s , role . RoleID , & roleIDStorageEntry {
2016-05-30 18:30:01 +00:00
Name : roleName ,
} )
}
2017-11-10 16:32:04 +00:00
// roleEntry reads the role from storage
2018-01-19 06:44:44 +00:00
func ( b * backend ) roleEntry ( ctx context . Context , s logical . Storage , roleName string ) ( * roleStorageEntry , error ) {
2016-05-30 18:30:01 +00:00
if roleName == "" {
return nil , fmt . Errorf ( "missing role_name" )
}
2016-09-28 16:01:16 +00:00
var role roleStorageEntry
2016-05-30 18:30:01 +00:00
2018-01-19 06:44:44 +00:00
if entry , err := s . Get ( ctx , "role/" + strings . ToLower ( roleName ) ) ; err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
} else if entry == nil {
return nil , nil
2016-09-28 16:01:16 +00:00
} else if err := entry . DecodeJSON ( & role ) ; err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
}
2018-03-08 22:49:08 +00:00
needsUpgrade := false
if role . BoundCIDRListOld != "" {
2018-06-20 02:57:11 +00:00
role . SecretIDBoundCIDRs = strutil . ParseDedupAndSortStrings ( role . BoundCIDRListOld , "," )
2018-03-08 22:49:08 +00:00
role . BoundCIDRListOld = ""
needsUpgrade = true
}
2018-06-20 02:57:11 +00:00
if len ( role . BoundCIDRList ) != 0 {
role . SecretIDBoundCIDRs = role . BoundCIDRList
role . BoundCIDRList = nil
needsUpgrade = true
}
2018-04-23 20:31:47 +00:00
if role . SecretIDPrefix == "" {
role . SecretIDPrefix = secretIDPrefix
needsUpgrade = true
}
2019-07-01 20:30:08 +00:00
if role . TokenPeriod == 0 && role . Period > 0 {
role . TokenPeriod = role . Period
}
if len ( role . TokenPolicies ) == 0 && len ( role . Policies ) > 0 {
role . TokenPolicies = role . Policies
}
2019-02-01 21:56:57 +00:00
if needsUpgrade && ( b . System ( ) . LocalMount ( ) || ! b . System ( ) . ReplicationState ( ) . HasState ( consts . ReplicationPerformanceSecondary | consts . ReplicationPerformanceStandby ) ) {
2018-03-08 22:49:08 +00:00
entry , err := logical . StorageEntryJSON ( "role/" + strings . ToLower ( roleName ) , & role )
if err != nil {
return nil , err
}
if err := s . Put ( ctx , entry ) ; err != nil {
// Only perform upgrades on replication primary
if ! strings . Contains ( err . Error ( ) , logical . ErrReadOnly . Error ( ) ) {
return nil , err
}
}
}
2018-06-05 20:12:11 +00:00
role . name = roleName
if role . LowerCaseRoleName {
role . name = strings . ToLower ( roleName )
}
2016-09-28 16:01:16 +00:00
return & role , nil
2016-05-30 18:30:01 +00:00
}
// pathRoleCreateUpdate registers a new role with the backend or updates the options
// of an existing role
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleCreateUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2016-05-30 18:30:01 +00:00
// Check if the role already exists
2018-01-19 06:44:44 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
// Create a new entry object if this is a CreateOperation
2018-06-05 20:12:11 +00:00
switch {
case role == nil && req . Operation == logical . CreateOperation :
2016-05-30 18:30:01 +00:00
hmacKey , err := uuid . GenerateUUID ( )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create role_id: %w" , err )
2016-05-30 18:30:01 +00:00
}
role = & roleStorageEntry {
2018-06-05 20:12:11 +00:00
name : strings . ToLower ( roleName ) ,
2017-12-11 21:41:17 +00:00
HMACKey : hmacKey ,
LowerCaseRoleName : true ,
2016-05-30 18:30:01 +00:00
}
2018-06-05 20:12:11 +00:00
case role == nil :
2018-06-18 13:29:05 +00:00
return logical . ErrorResponse ( fmt . Sprintf ( "role name %q doesn't exist" , roleName ) ) , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
2019-07-03 03:29:42 +00:00
var resp * logical . Response
// Handle a backwards compat case
if tokenTypeRaw , ok := data . Raw [ "token_type" ] ; ok {
switch tokenTypeRaw . ( string ) {
case "default-service" :
data . Raw [ "token_type" ] = "service"
resp . AddWarning ( "default-service has no useful meaning; adjusting to service" )
case "default-batch" :
data . Raw [ "token_type" ] = "batch"
resp . AddWarning ( "default-batch has no useful meaning; adjusting to batch" )
}
}
2019-07-01 20:30:08 +00:00
if err := role . ParseTokenFields ( req , data ) ; err != nil {
return logical . ErrorResponse ( err . Error ( ) ) , logical . ErrInvalidRequest
}
2018-04-24 21:52:42 +00:00
localSecretIDsRaw , ok := data . GetOk ( "local_secret_ids" )
2018-04-23 21:05:53 +00:00
if ok {
2018-04-24 19:55:40 +00:00
switch {
case req . Operation == logical . CreateOperation :
2018-04-23 21:05:53 +00:00
localSecretIDs := localSecretIDsRaw . ( bool )
if localSecretIDs {
role . SecretIDPrefix = secretIDLocalPrefix
}
2018-04-24 19:55:40 +00:00
default :
2018-04-24 21:52:42 +00:00
return logical . ErrorResponse ( "local_secret_ids can only be modified during role creation" ) , nil
2018-04-23 14:51:55 +00:00
}
}
2016-05-30 18:30:01 +00:00
previousRoleID := role . RoleID
if roleIDRaw , ok := data . GetOk ( "role_id" ) ; ok {
role . RoleID = roleIDRaw . ( string )
} else if req . Operation == logical . CreateOperation {
roleID , err := uuid . GenerateUUID ( )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to generate role_id: %w" , err )
2016-05-30 18:30:01 +00:00
}
role . RoleID = roleID
}
if role . RoleID == "" {
2017-11-10 16:32:04 +00:00
return logical . ErrorResponse ( "invalid role_id supplied, or failed to generate a role_id" ) , nil
2016-05-30 18:30:01 +00:00
}
if bindSecretIDRaw , ok := data . GetOk ( "bind_secret_id" ) ; ok {
role . BindSecretID = bindSecretIDRaw . ( bool )
} else if req . Operation == logical . CreateOperation {
role . BindSecretID = data . Get ( "bind_secret_id" ) . ( bool )
}
2018-06-20 02:57:11 +00:00
if boundCIDRListRaw , ok := data . GetFirst ( "secret_id_bound_cidrs" , "bound_cidr_list" ) ; ok {
role . SecretIDBoundCIDRs = boundCIDRListRaw . ( [ ] string )
2016-05-30 18:30:01 +00:00
}
2016-09-21 19:44:54 +00:00
2018-06-20 02:57:11 +00:00
if len ( role . SecretIDBoundCIDRs ) != 0 {
valid , err := cidrutil . ValidateCIDRListSlice ( role . SecretIDBoundCIDRs )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to validate CIDR blocks: %w" , err )
2018-06-20 02:57:11 +00:00
}
if ! valid {
return logical . ErrorResponse ( "invalid CIDR blocks" ) , nil
}
}
2016-05-30 18:30:01 +00:00
if secretIDNumUsesRaw , ok := data . GetOk ( "secret_id_num_uses" ) ; ok {
role . SecretIDNumUses = secretIDNumUsesRaw . ( int )
} else if req . Operation == logical . CreateOperation {
role . SecretIDNumUses = data . Get ( "secret_id_num_uses" ) . ( int )
}
if role . SecretIDNumUses < 0 {
return logical . ErrorResponse ( "secret_id_num_uses cannot be negative" ) , nil
}
if secretIDTTLRaw , ok := data . GetOk ( "secret_id_ttl" ) ; ok {
role . SecretIDTTL = time . Second * time . Duration ( secretIDTTLRaw . ( int ) )
} else if req . Operation == logical . CreateOperation {
role . SecretIDTTL = time . Second * time . Duration ( data . Get ( "secret_id_ttl" ) . ( int ) )
}
2019-07-01 20:30:08 +00:00
// handle upgrade cases
{
2019-07-02 13:52:05 +00:00
if err := tokenutil . UpgradeValue ( data , "policies" , "token_policies" , & role . Policies , & role . TokenPolicies ) ; err != nil {
return logical . ErrorResponse ( err . Error ( ) ) , nil
2018-10-15 16:56:24 +00:00
}
2019-07-02 13:52:05 +00:00
if err := tokenutil . UpgradeValue ( data , "period" , "token_period" , & role . Period , & role . TokenPeriod ) ; err != nil {
return logical . ErrorResponse ( err . Error ( ) ) , nil
2018-10-15 16:56:24 +00:00
}
}
2019-07-01 20:30:08 +00:00
if role . Period > b . System ( ) . MaxLeaseTTL ( ) {
return logical . ErrorResponse ( fmt . Sprintf ( "period of %q is greater than the backend's maximum lease TTL of %q" , role . Period . String ( ) , b . System ( ) . MaxLeaseTTL ( ) . String ( ) ) ) , nil
2016-05-30 18:30:01 +00:00
}
if role . TokenMaxTTL > b . System ( ) . MaxLeaseTTL ( ) {
resp = & logical . Response { }
resp . AddWarning ( "token_max_ttl is greater than the backend mount's maximum TTL value; issued tokens' max TTL value will be truncated" )
}
// Store the entry.
2018-06-05 20:12:11 +00:00
return resp , b . setRoleEntry ( ctx , req . Storage , role . name , role , previousRoleID )
2016-05-30 18:30:01 +00:00
}
// pathRoleRead grabs a read lock and reads the options set on the role from the storage
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
lockRelease := lock . RUnlock
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2017-11-10 16:32:04 +00:00
if err != nil {
lockRelease ( )
2016-05-30 18:30:01 +00:00
return nil , err
2017-11-10 16:32:04 +00:00
}
if role == nil {
lockRelease ( )
2016-05-30 18:30:01 +00:00
return nil , nil
2017-11-10 16:32:04 +00:00
}
2016-05-30 18:30:01 +00:00
2017-11-10 16:32:04 +00:00
respData := map [ string ] interface { } {
2019-07-01 20:30:08 +00:00
"bind_secret_id" : role . BindSecretID ,
2018-06-20 02:57:11 +00:00
"secret_id_bound_cidrs" : role . SecretIDBoundCIDRs ,
"secret_id_num_uses" : role . SecretIDNumUses ,
"secret_id_ttl" : role . SecretIDTTL / time . Second ,
"local_secret_ids" : false ,
2018-04-24 13:53:36 +00:00
}
2019-07-01 20:30:08 +00:00
role . PopulateTokenData ( respData )
2018-04-24 13:53:36 +00:00
if role . SecretIDPrefix == secretIDLocalPrefix {
2018-04-24 21:52:42 +00:00
respData [ "local_secret_ids" ] = true
2017-11-10 16:32:04 +00:00
}
2016-05-30 18:30:01 +00:00
2019-07-01 20:30:08 +00:00
// Backwards compat data
if role . Period != 0 {
respData [ "period" ] = role . Period / time . Second
}
if len ( role . Policies ) > 0 {
respData [ "policies" ] = role . Policies
}
2017-11-10 16:32:04 +00:00
resp := & logical . Response {
Data : respData ,
}
if err := validateRoleConstraints ( role ) ; err != nil {
resp . AddWarning ( "Role does not have any constraints set on it. Updates to this role will require a constraint to be set" )
}
2016-09-13 21:44:07 +00:00
2017-11-10 16:32:04 +00:00
// For sanity, verify that the index still exists. If the index is missing,
// add one and return a warning so it can be reported.
2018-01-19 06:44:44 +00:00
roleIDIndex , err := b . roleIDEntry ( ctx , req . Storage , role . RoleID )
2017-11-10 16:32:04 +00:00
if err != nil {
lockRelease ( )
return nil , err
}
if roleIDIndex == nil {
// Switch to a write lock
lock . RUnlock ( )
lock . Lock ( )
lockRelease = lock . Unlock
// Check again if the index is missing
2018-01-19 06:44:44 +00:00
roleIDIndex , err = b . roleIDEntry ( ctx , req . Storage , role . RoleID )
2017-11-10 16:32:04 +00:00
if err != nil {
lockRelease ( )
return nil , err
2016-09-13 21:44:07 +00:00
}
2017-11-10 16:32:04 +00:00
if roleIDIndex == nil {
// Create a new index
2018-01-19 06:44:44 +00:00
err = b . setRoleIDEntry ( ctx , req . Storage , role . RoleID , & roleIDStorageEntry {
2018-06-05 20:12:11 +00:00
Name : role . name ,
2017-11-10 16:32:04 +00:00
} )
if err != nil {
lockRelease ( )
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create secondary index for role_id %q: %w" , role . RoleID , err )
2017-11-10 16:32:04 +00:00
}
resp . AddWarning ( "Role identifier was missing an index back to role name. A new index has been added. Please report this observation." )
}
2016-05-30 18:30:01 +00:00
}
2017-11-10 16:32:04 +00:00
lockRelease ( )
return resp , nil
2016-05-30 18:30:01 +00:00
}
// pathRoleDelete removes the role from the storage
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
2016-09-26 13:55:08 +00:00
if role == nil {
return nil , nil
}
2016-05-30 18:30:01 +00:00
// Just before the role is deleted, remove all the SecretIDs issued as part of the role.
2018-06-05 20:12:11 +00:00
if err = b . flushRoleSecrets ( ctx , req . Storage , role . name , role . HMACKey , role . SecretIDPrefix ) ; err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to invalidate the secrets belonging to role %q: %w" , role . name , err )
2016-05-30 18:30:01 +00:00
}
// Delete the reverse mapping from RoleID to the role
2018-01-19 06:44:44 +00:00
if err = b . roleIDEntryDelete ( ctx , req . Storage , role . RoleID ) ; err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to delete the mapping from RoleID to role %q: %w" , role . name , err )
2016-05-30 18:30:01 +00:00
}
// After deleting the SecretIDs and the RoleID, delete the role itself
2018-06-05 20:12:11 +00:00
if err = req . Storage . Delete ( ctx , "role/" + strings . ToLower ( role . name ) ) ; err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
}
return nil , nil
}
2016-08-21 18:42:49 +00:00
// Returns the properties of the SecretID
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDLookupUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-08-21 18:42:49 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
secretID := data . Get ( "secret_id" ) . ( string )
if secretID == "" {
return logical . ErrorResponse ( "missing secret_id" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2016-08-21 18:42:49 +00:00
// Fetch the role
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-08-21 18:42:49 +00:00
if err != nil {
return nil , err
}
if role == nil {
2017-11-10 16:32:04 +00:00
return nil , fmt . Errorf ( "role %q does not exist" , roleName )
2016-08-21 18:42:49 +00:00
}
// Create the HMAC of the secret ID using the per-role HMAC key
secretIDHMAC , err := createHMAC ( role . HMACKey , secretID )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create HMAC of secret_id: %w" , err )
2016-08-21 18:42:49 +00:00
}
// Create the HMAC of the roleName using the per-role HMAC key
2018-06-05 20:12:11 +00:00
roleNameHMAC , err := createHMAC ( role . HMACKey , role . name )
2016-08-21 18:42:49 +00:00
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create HMAC of role_name: %w" , err )
2016-08-21 18:42:49 +00:00
}
// Create the index at which the secret_id would've been stored
2018-04-23 14:51:55 +00:00
entryIndex := fmt . Sprintf ( "%s%s/%s" , role . SecretIDPrefix , roleNameHMAC , secretIDHMAC )
2016-08-21 18:42:49 +00:00
2018-06-05 20:12:11 +00:00
secretLock := b . secretIDLock ( secretIDHMAC )
secretLock . Lock ( )
defer secretLock . Unlock ( )
2016-08-21 19:46:11 +00:00
2018-06-05 20:12:11 +00:00
secretIDEntry , err := b . nonLockedSecretIDStorageEntry ( ctx , req . Storage , role . SecretIDPrefix , roleNameHMAC , secretIDHMAC )
if err != nil {
2016-08-21 18:42:49 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if secretIDEntry == nil {
2016-08-21 18:42:49 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
// If a secret ID entry does not have a corresponding accessor
// entry, revoke the secret ID immediately
accessorEntry , err := b . secretIDAccessorEntry ( ctx , req . Storage , secretIDEntry . SecretIDAccessor , role . SecretIDPrefix )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to read secret ID accessor entry: %w" , err )
2016-09-28 18:20:03 +00:00
}
2018-06-05 20:12:11 +00:00
if accessorEntry == nil {
if err := req . Storage . Delete ( ctx , entryIndex ) ; err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "error deleting secret ID %q from storage: %w" , secretIDHMAC , err )
2018-06-05 20:12:11 +00:00
}
return logical . ErrorResponse ( "invalid secret id" ) , nil
2016-09-28 18:20:03 +00:00
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : secretIDEntry . ToResponseData ( ) ,
} , nil
}
func ( entry * secretIDStorageEntry ) ToResponseData ( ) map [ string ] interface { } {
2019-07-01 20:30:08 +00:00
ret := map [ string ] interface { } {
2018-06-05 20:12:11 +00:00
"secret_id_accessor" : entry . SecretIDAccessor ,
"secret_id_num_uses" : entry . SecretIDNumUses ,
"secret_id_ttl" : entry . SecretIDTTL / time . Second ,
"creation_time" : entry . CreationTime ,
"expiration_time" : entry . ExpirationTime ,
"last_updated_time" : entry . LastUpdatedTime ,
"metadata" : entry . Metadata ,
"cidr_list" : entry . CIDRList ,
2018-08-21 15:54:04 +00:00
"token_bound_cidrs" : entry . TokenBoundCIDRs ,
2018-06-05 20:12:11 +00:00
}
2019-07-01 20:30:08 +00:00
if len ( entry . TokenBoundCIDRs ) == 0 {
ret [ "token_bound_cidrs" ] = [ ] string { }
}
return ret
2016-08-21 18:42:49 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDDestroyUpdateDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-08-21 18:42:49 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
secretID := data . Get ( "secret_id" ) . ( string )
if secretID == "" {
return logical . ErrorResponse ( "missing secret_id" ) , nil
}
2017-11-10 16:32:04 +00:00
roleLock := b . roleLock ( roleName )
roleLock . RLock ( )
defer roleLock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-08-21 18:42:49 +00:00
if err != nil {
return nil , err
}
if role == nil {
2017-11-10 16:32:04 +00:00
return nil , fmt . Errorf ( "role %q does not exist" , roleName )
2016-08-21 18:42:49 +00:00
}
secretIDHMAC , err := createHMAC ( role . HMACKey , secretID )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create HMAC of secret_id: %w" , err )
2016-08-21 18:42:49 +00:00
}
2018-06-05 20:12:11 +00:00
roleNameHMAC , err := createHMAC ( role . HMACKey , role . name )
2016-08-21 18:42:49 +00:00
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create HMAC of role_name: %w" , err )
2016-08-21 18:42:49 +00:00
}
2018-04-23 14:51:55 +00:00
entryIndex := fmt . Sprintf ( "%s%s/%s" , role . SecretIDPrefix , roleNameHMAC , secretIDHMAC )
2016-08-21 18:42:49 +00:00
lock := b . secretIDLock ( secretIDHMAC )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
entry , err := b . nonLockedSecretIDStorageEntry ( ctx , req . Storage , role . SecretIDPrefix , roleNameHMAC , secretIDHMAC )
if err != nil {
2016-08-21 18:42:49 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if entry == nil {
2016-08-21 18:42:49 +00:00
return nil , nil
}
// Delete the accessor of the SecretID first
2018-06-05 20:12:11 +00:00
if err := b . deleteSecretIDAccessorEntry ( ctx , req . Storage , entry . SecretIDAccessor , role . SecretIDPrefix ) ; err != nil {
2016-09-15 21:49:14 +00:00
return nil , err
2016-08-21 18:42:49 +00:00
}
// Delete the storage entry that corresponds to the SecretID
2018-01-19 06:44:44 +00:00
if err := req . Storage . Delete ( ctx , entryIndex ) ; err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to delete secret_id: %w" , err )
2016-08-21 18:42:49 +00:00
}
return nil , nil
}
2016-09-29 00:22:37 +00:00
// pathRoleSecretIDAccessorLookupUpdate returns the properties of the SecretID
// given its accessor
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDAccessorLookupUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
secretIDAccessor := data . Get ( "secret_id_accessor" ) . ( string )
if secretIDAccessor == "" {
return logical . ErrorResponse ( "missing secret_id_accessor" ) , nil
}
// SecretID is indexed based on HMACed roleName and HMACed SecretID.
// Get the role details to fetch the RoleID and accessor to get
// the HMACed SecretID.
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2017-11-10 16:32:04 +00:00
return nil , fmt . Errorf ( "role %q does not exist" , roleName )
2016-05-30 18:30:01 +00:00
}
2018-04-23 20:19:05 +00:00
accessorEntry , err := b . secretIDAccessorEntry ( ctx , req . Storage , secretIDAccessor , role . SecretIDPrefix )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if accessorEntry == nil {
2018-04-05 15:49:21 +00:00
return nil , fmt . Errorf ( "failed to find accessor entry for secret_id_accessor: %q" , secretIDAccessor )
2016-05-30 18:30:01 +00:00
}
2018-06-05 20:12:11 +00:00
roleNameHMAC , err := createHMAC ( role . HMACKey , role . name )
2016-05-30 18:30:01 +00:00
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create HMAC of role_name: %w" , err )
2016-05-30 18:30:01 +00:00
}
2018-06-05 20:12:11 +00:00
secretLock := b . secretIDLock ( accessorEntry . SecretIDHMAC )
secretLock . RLock ( )
defer secretLock . RUnlock ( )
secretIDEntry , err := b . nonLockedSecretIDStorageEntry ( ctx , req . Storage , role . SecretIDPrefix , roleNameHMAC , accessorEntry . SecretIDHMAC )
if err != nil {
return nil , err
}
if secretIDEntry == nil {
return nil , nil
}
2016-05-30 18:30:01 +00:00
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : secretIDEntry . ToResponseData ( ) ,
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDAccessorDestroyUpdateDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
secretIDAccessor := data . Get ( "secret_id_accessor" ) . ( string )
if secretIDAccessor == "" {
return logical . ErrorResponse ( "missing secret_id_accessor" ) , nil
}
// SecretID is indexed based on HMACed roleName and HMACed SecretID.
// Get the role details to fetch the RoleID and accessor to get
// the HMACed SecretID.
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2017-11-10 16:32:04 +00:00
return nil , fmt . Errorf ( "role %q does not exist" , roleName )
2016-05-30 18:30:01 +00:00
}
2018-04-23 20:19:05 +00:00
accessorEntry , err := b . secretIDAccessorEntry ( ctx , req . Storage , secretIDAccessor , role . SecretIDPrefix )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if accessorEntry == nil {
2018-04-05 15:49:21 +00:00
return nil , fmt . Errorf ( "failed to find accessor entry for secret_id_accessor: %q" , secretIDAccessor )
2016-05-30 18:30:01 +00:00
}
2018-06-05 20:12:11 +00:00
roleNameHMAC , err := createHMAC ( role . HMACKey , role . name )
2016-05-30 18:30:01 +00:00
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to create HMAC of role_name: %w" , err )
2016-05-30 18:30:01 +00:00
}
2018-04-23 14:51:55 +00:00
entryIndex := fmt . Sprintf ( "%s%s/%s" , role . SecretIDPrefix , roleNameHMAC , accessorEntry . SecretIDHMAC )
2016-05-30 18:30:01 +00:00
lock := b . secretIDLock ( accessorEntry . SecretIDHMAC )
lock . Lock ( )
defer lock . Unlock ( )
// Delete the accessor of the SecretID first
2018-04-23 20:19:05 +00:00
if err := b . deleteSecretIDAccessorEntry ( ctx , req . Storage , secretIDAccessor , role . SecretIDPrefix ) ; err != nil {
2016-09-15 21:49:14 +00:00
return nil , err
2016-05-30 18:30:01 +00:00
}
// Delete the storage entry that corresponds to the SecretID
2018-01-19 06:44:44 +00:00
if err := req . Storage . Delete ( ctx , entryIndex ) ; err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to delete secret_id: %w" , err )
2016-05-30 18:30:01 +00:00
}
return nil , nil
}
2018-06-20 02:57:11 +00:00
func ( b * backend ) pathRoleBoundCIDRUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2019-07-01 20:30:08 +00:00
delete ( data . Raw , "token_bound_cidrs" )
delete ( data . Raw , "secret_id_bound_cidrs" )
return b . pathRoleBoundCIDRUpdateCommon ( ctx , req , data )
}
func ( b * backend ) pathRoleSecretIDBoundCIDRUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
delete ( data . Raw , "bound_cidr_list" )
delete ( data . Raw , "token_bound_cidrs" )
return b . pathRoleBoundCIDRUpdateCommon ( ctx , req , data )
}
func ( b * backend ) pathRoleTokenBoundCIDRUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
delete ( data . Raw , "bound_cidr_list" )
delete ( data . Raw , "secret_id_bound_cidrs" )
return b . pathRoleBoundCIDRUpdateCommon ( ctx , req , data )
}
func ( b * backend ) pathRoleBoundCIDRUpdateCommon ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
// Re-read the role after grabbing the lock
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
2018-06-20 02:57:11 +00:00
if cidrsIfc , ok := data . GetFirst ( "secret_id_bound_cidrs" , "bound_cidr_list" ) ; ok {
2019-07-01 20:30:08 +00:00
cidrs := cidrsIfc . ( [ ] string )
if len ( cidrs ) == 0 {
return logical . ErrorResponse ( "missing bound_cidr_list" ) , nil
}
valid , err := cidrutil . ValidateCIDRListSlice ( cidrs )
if err != nil {
2021-04-22 15:20:59 +00:00
return logical . ErrorResponse ( fmt . Errorf ( "failed to validate CIDR blocks: %w" , err ) . Error ( ) ) , nil
2019-07-01 20:30:08 +00:00
}
if ! valid {
return logical . ErrorResponse ( "failed to validate CIDR blocks" ) , nil
}
2018-06-20 02:57:11 +00:00
role . SecretIDBoundCIDRs = cidrs
2019-07-01 20:30:08 +00:00
2018-06-20 02:57:11 +00:00
} else if cidrsIfc , ok := data . GetOk ( "token_bound_cidrs" ) ; ok {
2019-07-01 20:30:08 +00:00
cidrs , err := parseutil . ParseAddrs ( cidrsIfc . ( [ ] string ) )
if err != nil {
2021-04-22 15:20:59 +00:00
return logical . ErrorResponse ( fmt . Errorf ( "failed to parse token_bound_cidrs: %w" , err ) . Error ( ) ) , nil
2019-07-01 20:30:08 +00:00
}
2018-06-20 02:57:11 +00:00
role . TokenBoundCIDRs = cidrs
}
2016-05-30 18:30:01 +00:00
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-06-20 02:57:11 +00:00
func ( b * backend ) pathRoleSecretIDBoundCIDRRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
return b . pathRoleFieldRead ( ctx , req , data , "secret_id_bound_cidrs" )
}
func ( b * backend ) pathRoleTokenBoundCIDRRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
return b . pathRoleFieldRead ( ctx , req , data , "token_bound_cidrs" )
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleBoundCIDRListRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2018-06-20 02:57:11 +00:00
return b . pathRoleFieldRead ( ctx , req , data , "bound_cidr_list" )
}
func ( b * backend ) pathRoleFieldRead ( ctx context . Context , req * logical . Request , data * framework . FieldData , fieldName string ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
2018-06-20 02:57:11 +00:00
} else {
switch fieldName {
case "secret_id_bound_cidrs" :
return & logical . Response {
Data : map [ string ] interface { } {
"secret_id_bound_cidrs" : role . SecretIDBoundCIDRs ,
} ,
} , nil
case "token_bound_cidrs" :
return & logical . Response {
Data : map [ string ] interface { } {
"token_bound_cidrs" : role . TokenBoundCIDRs ,
} ,
} , nil
case "bound_cidr_list" :
resp := & logical . Response {
Data : map [ string ] interface { } {
"bound_cidr_list" : role . BoundCIDRList ,
} ,
}
resp . AddWarning ( ` The "bound_cidr_list" parameter is deprecated and will be removed. Please use "secret_id_bound_cidrs" instead. ` )
return resp , nil
default :
// shouldn't occur IRL
return nil , errors . New ( "unrecognized field provided: " + fieldName )
}
2016-05-30 18:30:01 +00:00
}
}
2018-06-20 02:57:11 +00:00
func ( b * backend ) pathRoleBoundCIDRDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData , fieldName string ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
2018-06-20 02:57:11 +00:00
switch fieldName {
case "bound_cidr_list" :
2019-07-01 20:30:08 +00:00
role . BoundCIDRList = nil
2018-06-20 02:57:11 +00:00
case "secret_id_bound_cidrs" :
2019-07-01 20:30:08 +00:00
role . SecretIDBoundCIDRs = nil
2018-06-20 02:57:11 +00:00
case "token_bound_cidrs" :
2019-07-01 20:30:08 +00:00
role . TokenBoundCIDRs = nil
2018-06-20 02:57:11 +00:00
}
2019-07-01 20:30:08 +00:00
2018-06-20 02:57:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , roleName , role , "" )
}
2016-05-30 18:30:01 +00:00
2018-06-20 02:57:11 +00:00
func ( b * backend ) pathRoleBoundCIDRListDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
return b . pathRoleBoundCIDRDelete ( ctx , req , data , "bound_cidr_list" )
}
func ( b * backend ) pathRoleSecretIDBoundCIDRDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
return b . pathRoleBoundCIDRDelete ( ctx , req , data , "secret_id_bound_cidrs" )
}
func ( b * backend ) pathRoleTokenBoundCIDRDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
return b . pathRoleBoundCIDRDelete ( ctx , req , data , "token_bound_cidrs" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleBindSecretIDUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
if bindSecretIDRaw , ok := data . GetOk ( "bind_secret_id" ) ; ok {
role . BindSecretID = bindSecretIDRaw . ( bool )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
} else {
return logical . ErrorResponse ( "missing bind_secret_id" ) , nil
}
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleBindSecretIDRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : map [ string ] interface { } {
"bind_secret_id" : role . BindSecretID ,
} ,
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleBindSecretIDDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
// Deleting a field implies setting the value to it's default value.
role . BindSecretID = data . GetDefaultOrZero ( "bind_secret_id" ) . ( bool )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-04-24 21:52:42 +00:00
func ( b * backend ) pathRoleLocalSecretIDsRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2018-04-23 14:51:55 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2018-04-23 14:51:55 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2018-04-23 14:51:55 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
localSecretIDs := false
if role . SecretIDPrefix == secretIDLocalPrefix {
localSecretIDs = true
}
return & logical . Response {
Data : map [ string ] interface { } {
"local_secret_ids" : localSecretIDs ,
} ,
} , nil
2018-04-23 14:51:55 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRolePoliciesUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
2019-07-01 20:30:08 +00:00
policiesRaw , ok := data . GetOk ( "token_policies" )
2017-08-15 00:15:51 +00:00
if ! ok {
2019-07-01 20:30:08 +00:00
policiesRaw , ok = data . GetOk ( "policies" )
if ok {
role . Policies = policyutil . ParsePolicies ( policiesRaw )
role . TokenPolicies = role . Policies
} else {
return logical . ErrorResponse ( "missing token_policies" ) , nil
}
} else {
role . TokenPolicies = policyutil . ParsePolicies ( policiesRaw )
_ , ok = data . GetOk ( "policies" )
if ok {
role . Policies = role . TokenPolicies
} else {
role . Policies = nil
}
2016-05-30 18:30:01 +00:00
}
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRolePoliciesRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
2019-07-01 20:30:08 +00:00
p := role . TokenPolicies
if p == nil {
p = [ ] string { }
}
d := map [ string ] interface { } {
"token_policies" : p ,
}
if len ( role . Policies ) > 0 {
d [ "policies" ] = role . Policies
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
2019-07-01 20:30:08 +00:00
Data : d ,
2018-06-05 20:12:11 +00:00
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRolePoliciesDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
2019-07-01 20:30:08 +00:00
role . TokenPolicies = nil
role . Policies = nil
2016-05-30 18:30:01 +00:00
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDNumUsesUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
if numUsesRaw , ok := data . GetOk ( "secret_id_num_uses" ) ; ok {
role . SecretIDNumUses = numUsesRaw . ( int )
if role . SecretIDNumUses < 0 {
return logical . ErrorResponse ( "secret_id_num_uses cannot be negative" ) , nil
}
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
} else {
return logical . ErrorResponse ( "missing secret_id_num_uses" ) , nil
}
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleRoleIDUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
previousRoleID := role . RoleID
role . RoleID = data . Get ( "role_id" ) . ( string )
if role . RoleID == "" {
return logical . ErrorResponse ( "missing role_id" ) , nil
}
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , previousRoleID )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleRoleIDRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : map [ string ] interface { } {
"role_id" : role . RoleID ,
} ,
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDNumUsesRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : map [ string ] interface { } {
"secret_id_num_uses" : role . SecretIDNumUses ,
} ,
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDNumUsesDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
role . SecretIDNumUses = data . GetDefaultOrZero ( "secret_id_num_uses" ) . ( int )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDTTLUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
if secretIDTTLRaw , ok := data . GetOk ( "secret_id_ttl" ) ; ok {
role . SecretIDTTL = time . Second * time . Duration ( secretIDTTLRaw . ( int ) )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
} else {
return logical . ErrorResponse ( "missing secret_id_ttl" ) , nil
}
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDTTLRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : map [ string ] interface { } {
"secret_id_ttl" : role . SecretIDTTL / time . Second ,
} ,
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDTTLDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
role . SecretIDTTL = time . Second * time . Duration ( data . GetDefaultOrZero ( "secret_id_ttl" ) . ( int ) )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRolePeriodUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
2019-07-01 20:30:08 +00:00
periodRaw , ok := data . GetOk ( "token_period" )
if ! ok {
periodRaw , ok = data . GetOk ( "period" )
if ok {
role . Period = time . Second * time . Duration ( periodRaw . ( int ) )
role . TokenPeriod = role . Period
} else {
return logical . ErrorResponse ( "missing period" ) , nil
2016-05-30 18:30:01 +00:00
}
} else {
2019-07-01 20:30:08 +00:00
role . TokenPeriod = time . Second * time . Duration ( periodRaw . ( int ) )
_ , ok = data . GetOk ( "period" )
if ok {
role . Period = role . TokenPeriod
} else {
role . Period = 0
}
2016-05-30 18:30:01 +00:00
}
2019-07-01 20:30:08 +00:00
if role . TokenPeriod > b . System ( ) . MaxLeaseTTL ( ) {
return logical . ErrorResponse ( fmt . Sprintf ( "period of %q is greater than the backend's maximum lease TTL of %q" , role . Period . String ( ) , b . System ( ) . MaxLeaseTTL ( ) . String ( ) ) ) , nil
}
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRolePeriodRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
2019-07-01 20:30:08 +00:00
d := map [ string ] interface { } {
"token_period" : role . TokenPeriod / time . Second ,
}
if role . Period > 0 {
d [ "period" ] = role . Period / time . Second
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
2019-07-01 20:30:08 +00:00
Data : d ,
2018-06-05 20:12:11 +00:00
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRolePeriodDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
2019-07-01 20:30:08 +00:00
role . TokenPeriod = 0
role . Period = 0
2016-05-30 18:30:01 +00:00
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenNumUsesUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2017-03-03 14:31:20 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2017-03-03 14:31:20 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2017-03-03 14:31:20 +00:00
}
if tokenNumUsesRaw , ok := data . GetOk ( "token_num_uses" ) ; ok {
role . TokenNumUses = tokenNumUsesRaw . ( int )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2017-03-03 14:31:20 +00:00
} else {
return logical . ErrorResponse ( "missing token_num_uses" ) , nil
}
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenNumUsesRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2017-03-03 14:31:20 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2017-03-03 14:31:20 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2017-03-03 14:31:20 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : map [ string ] interface { } {
"token_num_uses" : role . TokenNumUses ,
} ,
} , nil
2017-03-03 14:31:20 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenNumUsesDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2017-03-03 14:31:20 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2017-03-03 14:31:20 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
role . TokenNumUses = data . GetDefaultOrZero ( "token_num_uses" ) . ( int )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2017-03-03 14:31:20 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenTTLUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
if tokenTTLRaw , ok := data . GetOk ( "token_ttl" ) ; ok {
role . TokenTTL = time . Second * time . Duration ( tokenTTLRaw . ( int ) )
if role . TokenMaxTTL > time . Duration ( 0 ) && role . TokenTTL > role . TokenMaxTTL {
return logical . ErrorResponse ( "token_ttl should not be greater than token_max_ttl" ) , nil
}
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
} else {
return logical . ErrorResponse ( "missing token_ttl" ) , nil
}
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenTTLRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : map [ string ] interface { } {
"token_ttl" : role . TokenTTL / time . Second ,
} ,
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenTTLDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
role . TokenTTL = time . Second * time . Duration ( data . GetDefaultOrZero ( "token_ttl" ) . ( int ) )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenMaxTTLUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return nil , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
if tokenMaxTTLRaw , ok := data . GetOk ( "token_max_ttl" ) ; ok {
role . TokenMaxTTL = time . Second * time . Duration ( tokenMaxTTLRaw . ( int ) )
if role . TokenMaxTTL > time . Duration ( 0 ) && role . TokenTTL > role . TokenMaxTTL {
return logical . ErrorResponse ( "token_max_ttl should be greater than or equal to token_ttl" ) , nil
}
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
} else {
return logical . ErrorResponse ( "missing token_max_ttl" ) , nil
}
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenMaxTTLRead ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
if err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
2018-06-05 20:12:11 +00:00
}
if role == nil {
2016-05-30 18:30:01 +00:00
return nil , nil
}
2018-06-05 20:12:11 +00:00
return & logical . Response {
Data : map [ string ] interface { } {
"token_max_ttl" : role . TokenMaxTTL / time . Second ,
} ,
} , nil
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleTokenMaxTTLDelete ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . Lock ( )
defer lock . Unlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
return nil , nil
}
role . TokenMaxTTL = time . Second * time . Duration ( data . GetDefaultOrZero ( "token_max_ttl" ) . ( int ) )
2018-06-05 20:12:11 +00:00
return nil , b . setRoleEntry ( ctx , req . Storage , role . name , role , "" )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleSecretIDUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
secretID , err := uuid . GenerateUUID ( )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to generate secret_id: %w" , err )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
return b . handleRoleSecretIDCommon ( ctx , req , data , secretID )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathRoleCustomSecretIDUpdate ( ctx context . Context , req * logical . Request , data * framework . FieldData ) ( * logical . Response , error ) {
return b . handleRoleSecretIDCommon ( ctx , req , data , data . Get ( "secret_id" ) . ( string ) )
2016-05-30 18:30:01 +00:00
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) handleRoleSecretIDCommon ( ctx context . Context , req * logical . Request , data * framework . FieldData , secretID string ) ( * logical . Response , error ) {
2016-05-30 18:30:01 +00:00
roleName := data . Get ( "role_name" ) . ( string )
if roleName == "" {
return logical . ErrorResponse ( "missing role_name" ) , nil
}
if secretID == "" {
return logical . ErrorResponse ( "missing secret_id" ) , nil
}
2017-11-10 16:32:04 +00:00
lock := b . roleLock ( roleName )
lock . RLock ( )
defer lock . RUnlock ( )
2018-06-05 20:12:11 +00:00
role , err := b . roleEntry ( ctx , req . Storage , roleName )
2016-05-30 18:30:01 +00:00
if err != nil {
return nil , err
}
if role == nil {
2018-06-18 13:29:05 +00:00
return logical . ErrorResponse ( fmt . Sprintf ( "role %q does not exist" , roleName ) ) , logical . ErrUnsupportedPath
2016-05-30 18:30:01 +00:00
}
if ! role . BindSecretID {
return logical . ErrorResponse ( "bind_secret_id is not set on the role" ) , nil
}
2018-03-08 22:49:08 +00:00
secretIDCIDRs := data . Get ( "cidr_list" ) . ( [ ] string )
2016-09-19 18:40:43 +00:00
// Validate the list of CIDR blocks
2018-03-08 22:49:08 +00:00
if len ( secretIDCIDRs ) != 0 {
valid , err := cidrutil . ValidateCIDRListSlice ( secretIDCIDRs )
2016-09-21 19:44:54 +00:00
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to validate CIDR blocks: %w" , err )
2016-09-21 19:44:54 +00:00
}
if ! valid {
return logical . ErrorResponse ( "failed to validate CIDR blocks" ) , nil
}
2016-09-19 18:40:43 +00:00
}
2016-09-21 23:41:08 +00:00
// Ensure that the CIDRs on the secret ID are a subset of that of role's
2018-06-20 02:57:11 +00:00
if err := verifyCIDRRoleSecretIDSubset ( secretIDCIDRs , role . SecretIDBoundCIDRs ) ; err != nil {
2016-09-21 23:41:08 +00:00
return nil , err
2016-09-19 18:40:43 +00:00
}
2018-08-21 15:54:04 +00:00
secretIDTokenCIDRs := data . Get ( "token_bound_cidrs" ) . ( [ ] string )
if len ( secretIDTokenCIDRs ) != 0 {
valid , err := cidrutil . ValidateCIDRListSlice ( secretIDTokenCIDRs )
if err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to validate token CIDR blocks: %w" , err )
2018-08-21 15:54:04 +00:00
}
if ! valid {
return logical . ErrorResponse ( "failed to validate token CIDR blocks" ) , nil
}
}
// Ensure that the token CIDRs on the secret ID are a subset of that of role's
2019-07-01 20:30:08 +00:00
var roleCIDRs [ ] string
for _ , v := range role . TokenBoundCIDRs {
roleCIDRs = append ( roleCIDRs , v . String ( ) )
}
if err := verifyCIDRRoleSecretIDSubset ( secretIDTokenCIDRs , roleCIDRs ) ; err != nil {
2018-08-21 15:54:04 +00:00
return nil , err
}
2016-05-30 18:30:01 +00:00
secretIDStorage := & secretIDStorageEntry {
SecretIDNumUses : role . SecretIDNumUses ,
SecretIDTTL : role . SecretIDTTL ,
Metadata : make ( map [ string ] string ) ,
2016-09-21 23:41:08 +00:00
CIDRList : secretIDCIDRs ,
2018-08-21 15:54:04 +00:00
TokenBoundCIDRs : secretIDTokenCIDRs ,
2016-05-30 18:30:01 +00:00
}
2016-08-03 18:18:22 +00:00
if err = strutil . ParseArbitraryKeyValues ( data . Get ( "metadata" ) . ( string ) , secretIDStorage . Metadata , "," ) ; err != nil {
2016-05-30 18:30:01 +00:00
return logical . ErrorResponse ( fmt . Sprintf ( "failed to parse metadata: %v" , err ) ) , nil
}
2018-06-05 20:12:11 +00:00
if secretIDStorage , err = b . registerSecretIDEntry ( ctx , req . Storage , role . name , secretID , role . HMACKey , role . SecretIDPrefix , secretIDStorage ) ; err != nil {
2021-04-22 15:20:59 +00:00
return nil , fmt . Errorf ( "failed to store secret_id: %w" , err )
2016-05-30 18:30:01 +00:00
}
2021-02-04 00:32:16 +00:00
resp := & logical . Response {
2016-05-30 18:30:01 +00:00
Data : map [ string ] interface { } {
"secret_id" : secretID ,
"secret_id_accessor" : secretIDStorage . SecretIDAccessor ,
2021-02-04 00:32:16 +00:00
"secret_id_ttl" : int64 ( b . deriveSecretIDTTL ( secretIDStorage . SecretIDTTL ) . Seconds ( ) ) ,
2016-05-30 18:30:01 +00:00
} ,
2021-02-04 00:32:16 +00:00
}
return resp , nil
2016-05-30 18:30:01 +00:00
}
2017-03-07 16:21:32 +00:00
func ( b * backend ) roleIDLock ( roleID string ) * locksutil . LockEntry {
return locksutil . LockForKey ( b . roleIDLocks , roleID )
2016-05-30 18:30:01 +00:00
}
2017-03-07 16:21:32 +00:00
func ( b * backend ) roleLock ( roleName string ) * locksutil . LockEntry {
2018-06-05 20:12:11 +00:00
return locksutil . LockForKey ( b . roleLocks , strings . ToLower ( roleName ) )
2016-08-26 23:34:32 +00:00
}
2016-05-30 18:30:01 +00:00
// setRoleIDEntry creates a storage entry that maps RoleID to Role
2018-01-19 06:44:44 +00:00
func ( b * backend ) setRoleIDEntry ( ctx context . Context , s logical . Storage , roleID string , roleIDEntry * roleIDStorageEntry ) error {
2016-05-30 18:30:01 +00:00
lock := b . roleIDLock ( roleID )
lock . Lock ( )
defer lock . Unlock ( )
2018-03-08 19:21:11 +00:00
salt , err := b . Salt ( ctx )
2017-05-09 21:51:09 +00:00
if err != nil {
return err
}
entryIndex := "role_id/" + salt . SaltID ( roleID )
2016-05-30 18:30:01 +00:00
entry , err := logical . StorageEntryJSON ( entryIndex , roleIDEntry )
if err != nil {
return err
}
2018-01-19 06:44:44 +00:00
if err = s . Put ( ctx , entry ) ; err != nil {
2016-05-30 18:30:01 +00:00
return err
}
return nil
}
// roleIDEntry is used to read the storage entry that maps RoleID to Role
2018-01-19 06:44:44 +00:00
func ( b * backend ) roleIDEntry ( ctx context . Context , s logical . Storage , roleID string ) ( * roleIDStorageEntry , error ) {
2016-05-30 18:30:01 +00:00
if roleID == "" {
2018-04-05 15:49:21 +00:00
return nil , fmt . Errorf ( "missing role id" )
2016-05-30 18:30:01 +00:00
}
lock := b . roleIDLock ( roleID )
lock . RLock ( )
defer lock . RUnlock ( )
var result roleIDStorageEntry
2018-03-08 19:21:11 +00:00
salt , err := b . Salt ( ctx )
2017-05-09 21:51:09 +00:00
if err != nil {
return nil , err
}
entryIndex := "role_id/" + salt . SaltID ( roleID )
2016-05-30 18:30:01 +00:00
2018-01-19 06:44:44 +00:00
if entry , err := s . Get ( ctx , entryIndex ) ; err != nil {
2016-05-30 18:30:01 +00:00
return nil , err
} else if entry == nil {
return nil , nil
} else if err := entry . DecodeJSON ( & result ) ; err != nil {
return nil , err
}
return & result , nil
}
// roleIDEntryDelete is used to remove the secondary index that maps the
// RoleID to the Role itself.
2018-01-19 06:44:44 +00:00
func ( b * backend ) roleIDEntryDelete ( ctx context . Context , s logical . Storage , roleID string ) error {
2016-05-30 18:30:01 +00:00
if roleID == "" {
2018-04-05 15:49:21 +00:00
return fmt . Errorf ( "missing role id" )
2016-05-30 18:30:01 +00:00
}
lock := b . roleIDLock ( roleID )
lock . Lock ( )
defer lock . Unlock ( )
2018-03-08 19:21:11 +00:00
salt , err := b . Salt ( ctx )
2017-05-09 21:51:09 +00:00
if err != nil {
return err
}
entryIndex := "role_id/" + salt . SaltID ( roleID )
2016-05-30 18:30:01 +00:00
2018-01-19 06:44:44 +00:00
return s . Delete ( ctx , entryIndex )
2016-05-30 18:30:01 +00:00
}
var roleHelp = map [ string ] [ 2 ] string {
"role-list" : {
"Lists all the roles registered with the backend." ,
"The list will contain the names of the roles." ,
} ,
"role" : {
"Register an role with the backend." ,
` A role can represent a service , a machine or anything that can be IDed .
The set of policies on the role defines access to the role , meaning , any
Vault token with a policy set that is a superset of the policies on the
role registered here will have access to the role . If a SecretID is desired
to be generated against only this specific role , it can be done via
' role / < role_name > / secret - id ' and ' role / < role_name > / custom - secret - id ' endpoints .
The properties of the SecretID created against the role and the properties
2018-01-03 18:56:14 +00:00
of the token issued with the SecretID generated against the role , can be
2016-05-30 18:30:01 +00:00
configured using the parameters of this endpoint . ` ,
} ,
"role-bind-secret-id" : {
"Impose secret_id to be presented during login using this role." ,
` By setting this to ' true ' , during login the parameter ' secret_id ' becomes a mandatory argument .
The value of ' secret_id ' can be retrieved using ' role / < role_name > / secret - id ' endpoint . ` ,
} ,
"role-bound-cidr-list" : {
2018-06-20 02:57:11 +00:00
` Deprecated : Comma separated list of CIDR blocks , if set , specifies blocks of IP
addresses which can perform the login operation ` ,
` During login , the IP address of the client will be checked to see if it
belongs to the CIDR blocks specified . If CIDR blocks were set and if the
IP is not encompassed by it , login fails ` ,
} ,
"secret-id-bound-cidrs" : {
2016-05-30 18:30:01 +00:00
` Comma separated list of CIDR blocks , if set , specifies blocks of IP
addresses which can perform the login operation ` ,
` During login , the IP address of the client will be checked to see if it
belongs to the CIDR blocks specified . If CIDR blocks were set and if the
IP is not encompassed by it , login fails ` ,
2018-06-20 02:57:11 +00:00
} ,
"token-bound-cidrs" : {
` Comma separated string or list of CIDR blocks . If set , specifies the blocks of
IP addresses which can use the returned token . ` ,
` During use of the returned token , the IP address of the client will be checked to see if it
belongs to the CIDR blocks specified . If CIDR blocks were set and if the
IP is not encompassed by it , token use fails ` ,
2016-05-30 18:30:01 +00:00
} ,
"role-policies" : {
"Policies of the role." ,
` A comma - delimited set of Vault policies that defines access to the role .
All the Vault tokens with policies that encompass the policy set
defined on the role , can access the role . ` ,
} ,
"role-secret-id-num-uses" : {
"Use limit of the SecretID generated against the role." ,
` If the SecretIDs are generated / assigned against the role using the
' role / < role_name > / secret - id ' or ' role / < role_name > / custom - secret - id ' endpoints ,
then the number of times that SecretID can access the role is defined by
this option . ` ,
} ,
"role-secret-id-ttl" : {
` Duration in seconds , representing the lifetime of the SecretIDs
that are generated against the role using ' role / < role_name > / secret - id ' or
' role / < role_name > / custom - secret - id ' endpoints . ` ,
` ` ,
} ,
2016-09-29 00:22:37 +00:00
"role-secret-id-lookup" : {
"Read the properties of an issued secret_id" ,
` This endpoint is used to read the properties of a secret_id associated to a
2021-04-08 16:43:39 +00:00
role . ` ,
} ,
2016-09-29 00:22:37 +00:00
"role-secret-id-destroy" : {
"Invalidate an issued secret_id" ,
` This endpoint is used to delete the properties of a secret_id associated to a
2021-04-08 16:43:39 +00:00
role . ` ,
} ,
2016-09-29 00:22:37 +00:00
"role-secret-id-accessor-lookup" : {
"Read an issued secret_id, using its accessor" ,
` This is particularly useful to lookup the non - expiring ' secret_id ' s .
The list operation on the ' role / < role_name > / secret - id ' endpoint will return
the ' secret_id_accessor ' s . This endpoint can be used to read the properties
of the secret . If the ' secret_id_num_uses ' field in the response is 0 , it
represents a non - expiring ' secret_id ' . ` ,
2016-08-21 18:42:49 +00:00
} ,
2016-09-29 00:22:37 +00:00
"role-secret-id-accessor-destroy" : {
"Delete an issued secret_id, using its accessor" ,
2016-05-30 18:30:01 +00:00
` This is particularly useful to clean - up the non - expiring ' secret_id ' s .
The list operation on the ' role / < role_name > / secret - id ' endpoint will return
the ' secret_id_accessor ' s . This endpoint can be used to read the properties
of the secret . If the ' secret_id_num_uses ' field in the response is 0 , it
2016-09-29 00:22:37 +00:00
represents a non - expiring ' secret_id ' . ` ,
2017-03-03 14:31:20 +00:00
} ,
"role-token-num-uses" : {
"Number of times issued tokens can be used" ,
` By default , this will be set to zero , indicating that the issued
tokens can be used any number of times . ` ,
2016-05-30 18:30:01 +00:00
} ,
"role-token-ttl" : {
` Duration in seconds , the lifetime of the token issued by using the SecretID that
is generated against this role , before which the token needs to be renewed . ` ,
` If SecretIDs are generated against the role , using ' role / < role_name > / secret - id ' or the
' role / < role_name > / custom - secret - id ' endpoints , and if those SecretIDs are used
to perform the login operation , then the value of ' token - ttl ' defines the
lifetime of the token issued , before which the token needs to be renewed . ` ,
} ,
"role-token-max-ttl" : {
` Duration in seconds , the maximum lifetime of the tokens issued by using
the SecretIDs that were generated against this role , after which the
tokens are not allowed to be renewed . ` ,
` If SecretIDs are generated against the role using ' role / < role_name > / secret - id '
or the ' role / < role_name > / custom - secret - id ' endpoints , and if those SecretIDs
are used to perform the login operation , then the value of ' token - max - ttl '
defines the maximum lifetime of the tokens issued , after which the tokens
cannot be renewed . A reauthentication is required after this duration .
2017-04-04 16:29:18 +00:00
This value will be capped by the backend mount ' s maximum TTL value . ` ,
2016-05-30 18:30:01 +00:00
} ,
"role-id" : {
"Returns the 'role_id' of the role." ,
` If login is performed from an role , then its ' role_id ' should be presented
as a credential during the login . This ' role_id ' can be retrieved using
this endpoint . ` ,
} ,
"role-secret-id" : {
"Generate a SecretID against this role." ,
` The SecretID generated using this endpoint will be scoped to access
just this role and none else . The properties of this SecretID will be
based on the options set on the role . It will expire after a period
defined by the ' secret_id_ttl ' option on the role and / or the backend
mount ' s maximum TTL value . ` ,
} ,
"role-custom-secret-id" : {
"Assign a SecretID of choice against the role." ,
` This option is not recommended unless there is a specific need
to do so . This will assign a client supplied SecretID to be used to access
the role . This SecretID will behave similarly to the SecretIDs generated by
the backend . The properties of this SecretID will be based on the options
set on the role . It will expire after a period defined by the ' secret_id_ttl '
option on the role and / or the backend mount ' s maximum TTL value . ` ,
} ,
"role-period" : {
"Updates the value of 'period' on the role" ,
` If set , indicates that the token generated using this role
should never expire . The token should be renewed within the
duration specified by this value . The renewal duration will
be fixed . If the Period in the role is modified , the token
will pick up the new value during its next renewal . ` ,
} ,
2018-04-23 14:51:55 +00:00
"role-local-secret-ids" : {
2018-04-23 20:52:09 +00:00
"Enables cluster local secret IDs" ,
2018-04-24 19:55:40 +00:00
` If set , the secret IDs generated using this role will be cluster local .
This can only be set during role creation and once set , it can ' t be
reset later . ` ,
2018-04-23 14:51:55 +00:00
} ,
2016-05-30 18:30:01 +00:00
}