open-vault/builtin/logical/nomad/path_config_access.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package nomad

import (
	"context"
	"fmt"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

const configAccessKey = "config/access"

func pathConfigAccess(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "config/access",
		Fields: map[string]*framework.FieldSchema{
			"address": {
				Type:        framework.TypeString,
				Description: "Nomad server address",
			},

			"token": {
				Type:        framework.TypeString,
				Description: "Token for API calls",
			},

			"max_token_name_length": {
				Type:        framework.TypeInt,
				Description: "Max length for name of generated Nomad tokens",
			},
			"ca_cert": {
				Type: framework.TypeString,
				Description: `CA certificate to use when verifying Nomad server certificate,
must be x509 PEM encoded.`,
			},
			"client_cert": {
				Type: framework.TypeString,
				Description: `Client certificate used for Nomad's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_key.`,
			},
			"client_key": {
				Type: framework.TypeString,
				Description: `Client key used for Nomad's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_cert.`,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation:   b.pathConfigAccessRead,
			logical.CreateOperation: b.pathConfigAccessWrite,
			logical.UpdateOperation: b.pathConfigAccessWrite,
			logical.DeleteOperation: b.pathConfigAccessDelete,
		},

		ExistenceCheck: b.configExistenceCheck,
	}
}

func (b *backend) configExistenceCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (bool, error) {
	entry, err := b.readConfigAccess(ctx, req.Storage)
	if err != nil {
		return false, err
	}

	return entry != nil, nil
}

func (b *backend) readConfigAccess(ctx context.Context, storage logical.Storage) (*accessConfig, error) {
	entry, err := storage.Get(ctx, configAccessKey)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	conf := &accessConfig{}
	if err := entry.DecodeJSON(conf); err != nil {
		return nil, fmt.Errorf("error reading nomad access configuration: %w", err)
	}

	return conf, nil
}

func (b *backend) pathConfigAccessRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	conf, err := b.readConfigAccess(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if conf == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"address":               conf.Address,
			"max_token_name_length": conf.MaxTokenNameLength,
			"ca_cert":               conf.CACert,
			"client_cert":           conf.ClientCert,
		},
	}, nil
}

func (b *backend) pathConfigAccessWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	conf, err := b.readConfigAccess(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if conf == nil {
		conf = &accessConfig{}
	}

	address, ok := data.GetOk("address")
	if ok {
		conf.Address = address.(string)
	}
	token, ok := data.GetOk("token")
	if ok {
		conf.Token = token.(string)
	}
	caCert, ok := data.GetOk("ca_cert")
	if ok {
		conf.CACert = caCert.(string)
	}
	clientCert, ok := data.GetOk("client_cert")
	if ok {
		conf.ClientCert = clientCert.(string)
	}
	clientKey, ok := data.GetOk("client_key")
	if ok {
		conf.ClientKey = clientKey.(string)
	}

	if conf.Token == "" {
		client, err := clientFromConfig(conf)
		if err != nil {
			return logical.ErrorResponse("Token not provided and failed to constuct client"), err
		}
		token, _, err := client.ACLTokens().Bootstrap(nil)
		if err != nil {
			return logical.ErrorResponse("Token not provided and failed to bootstrap ACLs"), err
		}
		conf.Token = token.SecretID
	}

	conf.MaxTokenNameLength = data.Get("max_token_name_length").(int)

	entry, err := logical.StorageEntryJSON("config/access", conf)
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

func (b *backend) pathConfigAccessDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	if err := req.Storage.Delete(ctx, configAccessKey); err != nil {
		return nil, err
	}
	return nil, nil
}

type accessConfig struct {
	Address            string `json:"address"`
	Token              string `json:"token"`
	MaxTokenNameLength int    `json:"max_token_name_length"`
	CACert             string `json:"ca_cert"`
	ClientCert         string `json:"client_cert"`
	ClientKey          string `json:"client_key"`
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`package nomad`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf() 2021-04-22 15:20:59 +00:00			`"fmt"`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`)`

adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`const configAccessKey = "config/access"`

minor cleanup 2017-11-06 21:34:20 +00:00			`func pathConfigAccess(b backend) framework.Path {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`return &framework.Path{`
			`Pattern: "config/access",`
			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"address": {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`Type: framework.TypeString,`
			`Description: "Nomad server address",`
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"token": {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`Type: framework.TypeString,`
			`Description: "Token for API calls",`
			`},`
[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117) * Nomad: updating max token length to 256 * Initial support for supporting custom max token name length for Nomad * simplify/correct tests * document nomad max_token_name_length * removed support for max token length env var. Rename field for clarity * cleanups after removing env var support * move RandomWithPrefix to testhelpers * fix spelling * Remove default 256 value. Use zero as a sentinel value and ignore it * update docs 2018-08-16 19:48:23 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"max_token_name_length": {`
[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117) * Nomad: updating max token length to 256 * Initial support for supporting custom max token name length for Nomad * simplify/correct tests * document nomad max_token_name_length * removed support for max token length env var. Rename field for clarity * cleanups after removing env var support * move RandomWithPrefix to testhelpers * fix spelling * Remove default 256 value. Use zero as a sentinel value and ignore it * update docs 2018-08-16 19:48:23 +00:00			`Type: framework.TypeInt,`
			`Description: "Max length for name of generated Nomad tokens",`
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"ca_cert": {`
Add TLS options per Nomad backend (#8083) 2020-01-15 10:03:38 +00:00			`Type: framework.TypeString,`
			Description: `CA certificate to use when verifying Nomad server certificate,
			must be x509 PEM encoded.`,
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"client_cert": {`
Add TLS options per Nomad backend (#8083) 2020-01-15 10:03:38 +00:00			`Type: framework.TypeString,`
			Description: `Client certificate used for Nomad's TLS communication,
			must be x509 PEM encoded and if this is set you need to also set client_key.`,
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"client_key": {`
Add TLS options per Nomad backend (#8083) 2020-01-15 10:03:38 +00:00			`Type: framework.TypeString,`
			Description: `Client key used for Nomad's TLS communication,
			must be x509 PEM encoded and if this is set you need to also set client_cert.`,
			`},`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
minor cleanup 2017-11-06 21:34:20 +00:00			`logical.ReadOperation: b.pathConfigAccessRead,`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`logical.CreateOperation: b.pathConfigAccessWrite,`
minor cleanup 2017-11-06 21:34:20 +00:00			`logical.UpdateOperation: b.pathConfigAccessWrite,`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`logical.DeleteOperation: b.pathConfigAccessDelete,`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`},`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00
			`ExistenceCheck: b.configExistenceCheck,`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) configExistenceCheck(ctx context.Context, req logical.Request, data *framework.FieldData) (bool, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entry, err := b.readConfigAccess(ctx, req.Storage)`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`if err != nil {`
			`return false, err`
			`}`

			`return entry != nil, nil`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b backend) readConfigAccess(ctx context.Context, storage logical.Storage) (accessConfig, error) {`
			`entry, err := storage.Get(ctx, configAccessKey)`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`if err != nil {`
Refactoring readAcessConfig to return a single type of error instead of two 2017-11-01 08:49:31 +00:00			`return nil, err`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`
			`if entry == nil {`
Returning nil config if is actually nil, and catching the error before creating the client in backend.go Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com> 2017-11-29 11:15:54 +00:00			`return nil, nil`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`

			`conf := &accessConfig{}`
			`if err := entry.DecodeJSON(conf); err != nil {`
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf() 2021-04-22 15:20:59 +00:00			`return nil, fmt.Errorf("error reading nomad access configuration: %w", err)`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`

Refactoring readAcessConfig to return a single type of error instead of two 2017-11-01 08:49:31 +00:00			`return conf, nil`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathConfigAccessRead(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`conf, err := b.readConfigAccess(ctx, req.Storage)`
minor cleanup 2017-11-06 21:36:37 +00:00			`if err != nil {`
			`return nil, err`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`
			`if conf == nil {`
Returning nil config if is actually nil, and catching the error before creating the client in backend.go Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com> 2017-11-29 11:15:54 +00:00			`return nil, nil`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`

			`return &logical.Response{`
			`Data: map[string]interface{}{`
[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117) * Nomad: updating max token length to 256 * Initial support for supporting custom max token name length for Nomad * simplify/correct tests * document nomad max_token_name_length * removed support for max token length env var. Rename field for clarity * cleanups after removing env var support * move RandomWithPrefix to testhelpers * fix spelling * Remove default 256 value. Use zero as a sentinel value and ignore it * update docs 2018-08-16 19:48:23 +00:00			`"address": conf.Address,`
			`"max_token_name_length": conf.MaxTokenNameLength,`
Allow reading Nomad CA/Client cert configuration (#15809) * Allow reading Nomad CA/Client cert configuration In the Nomad secret engine, writing to /nomad/config/access allows users to specify a CA certificate and client credential pair. However, these values are not in the read of the endpoint, making it hard for operators to see if these values were specified and if they need to be rotated. Add `ca_cert` and `client_cert` parameters to the response, eliding the `client_key` parameter as it is more sensitive (and should most likely be replaced at the same time as `client_cert`). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix tests to expect additional fields Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test with existing CA/client cert+key Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-06-10 14:09:54 +00:00			`"ca_cert": conf.CACert,`
			`"client_cert": conf.ClientCert,`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`},`
			`}, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathConfigAccessWrite(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`conf, err := b.readConfigAccess(ctx, req.Storage)`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if conf == nil {`
			`conf = &accessConfig{}`
			`}`

			`address, ok := data.GetOk("address")`
			`if ok {`
			`conf.Address = address.(string)`
Validating that Address and Token are provided in path_config_access.go 2017-11-29 10:36:34 +00:00			`}`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`token, ok := data.GetOk("token")`
			`if ok {`
			`conf.Token = token.(string)`
Validating that Address and Token are provided in path_config_access.go 2017-11-29 10:36:34 +00:00			`}`
Add TLS options per Nomad backend (#8083) 2020-01-15 10:03:38 +00:00			`caCert, ok := data.GetOk("ca_cert")`
			`if ok {`
			`conf.CACert = caCert.(string)`
			`}`
			`clientCert, ok := data.GetOk("client_cert")`
			`if ok {`
			`conf.ClientCert = clientCert.(string)`
			`}`
			`clientKey, ok := data.GetOk("client_key")`
			`if ok {`
			`conf.ClientKey = clientKey.(string)`
			`}`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00
Bootstrap Nomad ACL system if no token is given (#12451) * Bootstrap Nomad ACL system if no token is given Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul] it would be very useful to bootstrap Nomads ACL system and manage it in Vault. [boostrap-consul]:https://github.com/hashicorp/vault/pull/10751 * Add changelog entry * Remove debug log line * Remove redundant else * Rename Nomad acl bootstrap param * Replace sleep with attempt to list nomad leader, setup will retry until successful * fmt 2022-04-20 18:06:25 +00:00			`if conf.Token == "" {`
			`client, err := clientFromConfig(conf)`
			`if err != nil {`
			`return logical.ErrorResponse("Token not provided and failed to constuct client"), err`
			`}`
			`token, _, err := client.ACLTokens().Bootstrap(nil)`
			`if err != nil {`
			`return logical.ErrorResponse("Token not provided and failed to bootstrap ACLs"), err`
			`}`
			`conf.Token = token.SecretID`
			`}`

[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117) * Nomad: updating max token length to 256 * Initial support for supporting custom max token name length for Nomad * simplify/correct tests * document nomad max_token_name_length * removed support for max token length env var. Rename field for clarity * cleanups after removing env var support * move RandomWithPrefix to testhelpers * fix spelling * Remove default 256 value. Use zero as a sentinel value and ignore it * update docs 2018-08-16 19:48:23 +00:00			`conf.MaxTokenNameLength = data.Get("max_token_name_length").(int)`

adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`entry, err := logical.StorageEntryJSON("config/access", conf)`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`return nil, err`
			`}`

			`return nil, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathConfigAccessDelete(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Delete(ctx, configAccessKey); err != nil {`
adding access config existence check and delete endpoint 2017-12-16 00:18:32 +00:00			`return nil, err`
			`}`
			`return nil, nil`
			`}`

MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`type accessConfig struct {`
[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117) * Nomad: updating max token length to 256 * Initial support for supporting custom max token name length for Nomad * simplify/correct tests * document nomad max_token_name_length * removed support for max token length env var. Rename field for clarity * cleanups after removing env var support * move RandomWithPrefix to testhelpers * fix spelling * Remove default 256 value. Use zero as a sentinel value and ignore it * update docs 2018-08-16 19:48:23 +00:00			Address string `json:"address"`
			Token string `json:"token"`
			MaxTokenNameLength int `json:"max_token_name_length"`
Add TLS options per Nomad backend (#8083) 2020-01-15 10:03:38 +00:00			CACert string `json:"ca_cert"`
			ClientCert string `json:"client_cert"`
			ClientKey string `json:"client_key"`
MVP of working Nomad Secret Backend 2017-09-20 20:59:35 +00:00			`}`