open-vault/builtin/logical/ssh/backend.go

package ssh

import (
	"strings"
	"sync"

	"github.com/hashicorp/vault/helper/salt"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

type backend struct {
	*framework.Backend
	view      logical.Storage
	salt      *salt.Salt
	saltMutex sync.RWMutex
}

func Factory(conf *logical.BackendConfig) (logical.Backend, error) {
	b, err := Backend(conf)
	if err != nil {
		return nil, err
	}
	return b.Setup(conf)
}

func Backend(conf *logical.BackendConfig) (*backend, error) {
	var b backend
	b.view = conf.StorageView
	b.Backend = &framework.Backend{
		Help: strings.TrimSpace(backendHelp),

		PathsSpecial: &logical.Paths{
			Unauthenticated: []string{
				"verify",
				"public_key",
			},

			LocalStorage: []string{
				"otp/",
			},
		},

		Paths: []*framework.Path{
			pathConfigZeroAddress(&b),
			pathKeys(&b),
			pathListRoles(&b),
			pathRoles(&b),
			pathCredsCreate(&b),
			pathLookup(&b),
			pathVerify(&b),
			pathConfigCA(&b),
			pathSign(&b),
			pathFetchPublicKey(&b),
		},

		Secrets: []*framework.Secret{
			secretDynamicKey(&b),
			secretOTP(&b),
		},

		Invalidate: b.invalidate,
	}
	return &b, nil
}

func (b *backend) Salt() (*salt.Salt, error) {
	b.saltMutex.RLock()
	if b.salt != nil {
		defer b.saltMutex.RUnlock()
		return b.salt, nil
	}
	b.saltMutex.RUnlock()
	b.saltMutex.Lock()
	defer b.saltMutex.Unlock()
	if b.salt != nil {
		return b.salt, nil
	}
	salt, err := salt.NewSalt(b.view, &salt.Config{
		HashFunc: salt.SHA256Hash,
		Location: salt.DefaultLocation,
	})
	if err != nil {
		return nil, err
	}
	b.salt = salt
	return salt, nil
}

func (b *backend) invalidate(key string) {
	switch key {
	case salt.DefaultLocation:
		b.saltMutex.Lock()
		defer b.saltMutex.Unlock()
		b.salt = nil
	}
}

const backendHelp = `
The SSH backend generates credentials allowing clients to establish SSH
connections to remote hosts.

There are three variants of the backend, which generate different types of
credentials: dynamic keys, One-Time Passwords (OTPs) and certificate authority. The desired behavior
is role-specific and chosen at role creation time with the 'key_type'
parameter.

Please see the backend documentation for a thorough description of both
types. The Vault team strongly recommends the OTP type.

After mounting this backend, before generating credentials, configure the
backend's lease behavior using the 'config/lease' endpoint and create roles
using the 'roles/' endpoint.
`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`package ssh`

			`import (`
			`"strings"`
Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 19:01:52 +00:00			`"sync"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00
Vault SSH: Vault agent support 2015-07-22 18:15:19 +00:00			`"github.com/hashicorp/vault/helper/salt"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`type backend struct {`
			`*framework.Backend`
Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 19:01:52 +00:00			`view logical.Storage`
			`salt *salt.Salt`
			`saltMutex sync.RWMutex`
Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`}`

For SSH backend, allow factory to be provided instead of Backend 2015-07-01 13:37:11 +00:00			`func Factory(conf *logical.BackendConfig) (logical.Backend, error) {`
Vault SSH: Vault agent support 2015-07-22 18:15:19 +00:00			`b, err := Backend(conf)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return b.Setup(conf)`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`}`

Change AWS/SSH to reuse backend creation code for test functions 2016-06-01 16:17:47 +00:00			`func Backend(conf logical.BackendConfig) (backend, error) {`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`var b backend`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`b.view = conf.StorageView`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`b.Backend = &framework.Backend{`
			`Help: strings.TrimSpace(backendHelp),`

			`PathsSpecial: &logical.Paths{`
Vault SSH: keys/ designated special path 2015-07-23 22:12:13 +00:00			`Unauthenticated: []string{`
			`"verify",`
Add ability to create SSH certificates 2016-12-26 14:03:27 +00:00			`"public_key",`
Vault SSH: keys/ designated special path 2015-07-23 22:12:13 +00:00			`},`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00
			`LocalStorage: []string{`
			`"otp/",`
			`},`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`},`

			`Paths: []*framework.Path{`
Vault SSH: Zeroaddress roles and CIDR overlap check 2015-08-29 19:24:15 +00:00			`pathConfigZeroAddress(&b),`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`pathKeys(&b),`
Add listing of roles to ssh backend 2016-01-28 17:48:00 +00:00			`pathListRoles(&b),`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`pathRoles(&b),`
Vault SSH: Dynamic Key test case fix 2015-07-24 16:13:26 +00:00			`pathCredsCreate(&b),`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`pathLookup(&b),`
Vault SSH: Vault agent support 2015-07-22 18:15:19 +00:00			`pathVerify(&b),`
Add ability to create SSH certificates 2016-12-26 14:03:27 +00:00			`pathConfigCA(&b),`
			`pathSign(&b),`
			`pathFetchPublicKey(&b),`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`},`

			`Secrets: []*framework.Secret{`
Vault SSH: keys/ designated special path 2015-07-23 22:12:13 +00:00			`secretDynamicKey(&b),`
Vault SSH: Vault agent support 2015-07-22 18:15:19 +00:00			`secretOTP(&b),`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`},`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00
Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 19:01:52 +00:00			`Invalidate: b.invalidate,`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`}`
Change AWS/SSH to reuse backend creation code for test functions 2016-06-01 16:17:47 +00:00			`return &b, nil`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`}`

Don't write salts in initialization, look up on demand (#2702) 2017-05-09 21:51:09 +00:00			`func (b backend) Salt() (salt.Salt, error) {`
			`b.saltMutex.RLock()`
			`if b.salt != nil {`
			`defer b.saltMutex.RUnlock()`
			`return b.salt, nil`
			`}`
			`b.saltMutex.RUnlock()`
Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 19:01:52 +00:00			`b.saltMutex.Lock()`
			`defer b.saltMutex.Unlock()`
Don't write salts in initialization, look up on demand (#2702) 2017-05-09 21:51:09 +00:00			`if b.salt != nil {`
			`return b.salt, nil`
			`}`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`salt, err := salt.NewSalt(b.view, &salt.Config{`
			`HashFunc: salt.SHA256Hash,`
Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 19:01:52 +00:00			`Location: salt.DefaultLocation,`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`})`
			`if err != nil {`
Don't write salts in initialization, look up on demand (#2702) 2017-05-09 21:51:09 +00:00			`return nil, err`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`}`
			`b.salt = salt`
Don't write salts in initialization, look up on demand (#2702) 2017-05-09 21:51:09 +00:00			`return salt, nil`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`}`

Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 19:01:52 +00:00			`func (b *backend) invalidate(key string) {`
			`switch key {`
			`case salt.DefaultLocation:`
Don't write salts in initialization, look up on demand (#2702) 2017-05-09 21:51:09 +00:00			`b.saltMutex.Lock()`
			`defer b.saltMutex.Unlock()`
			`b.salt = nil`
Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 19:01:52 +00:00			`}`
			`}`

Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			const backendHelp = `
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 20:12:38 +00:00			`The SSH backend generates credentials allowing clients to establish SSH`
			`connections to remote hosts.`
Vault SSH: review rework: formatted and moved code 2015-07-02 01:26:42 +00:00
Add ability to create SSH certificates 2016-12-26 14:03:27 +00:00			`There are three variants of the backend, which generate different types of`
			`credentials: dynamic keys, One-Time Passwords (OTPs) and certificate authority. The desired behavior`
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 20:12:38 +00:00			`is role-specific and chosen at role creation time with the 'key_type'`
			`parameter.`
Vault SSH: Refactoring 2015-07-27 17:02:31 +00:00
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 20:12:38 +00:00			`Please see the backend documentation for a thorough description of both`
			`types. The Vault team strongly recommends the OTP type.`
Vault SSH: Refactoring 2015-07-27 17:02:31 +00:00
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 20:12:38 +00:00			`After mounting this backend, before generating credentials, configure the`
			`backend's lease behavior using the 'config/lease' endpoint and create roles`
			`using the 'roles/' endpoint.`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`