open-vault/builtin/logical/consul/path_token.go

package consul

import (
	"context"
	"fmt"
	"strings"
	"time"

	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

const (
	tokenPolicyType = "token"
)

func pathToken(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "creds/" + framework.GenericNameRegex("role"),
		Fields: map[string]*framework.FieldSchema{
			"role": {
				Type:        framework.TypeString,
				Description: "Name of the role.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation: b.pathTokenRead,
		},
	}
}

func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	role := d.Get("role").(string)
	entry, err := req.Storage.Get(ctx, "policy/"+role)
	if err != nil {
		return nil, fmt.Errorf("error retrieving role: %w", err)
	}
	if entry == nil {
		return logical.ErrorResponse(fmt.Sprintf("role %q not found", role)), nil
	}

	var roleConfigData roleConfig
	if err := entry.DecodeJSON(&roleConfigData); err != nil {
		return nil, err
	}

	if roleConfigData.TokenType == "" {
		roleConfigData.TokenType = "client"
	}

	// Get the consul client
	c, userErr, intErr := b.client(ctx, req.Storage)
	if intErr != nil {
		return nil, intErr
	}
	if userErr != nil {
		return logical.ErrorResponse(userErr.Error()), nil
	}

	// Generate a name for the token
	tokenName := fmt.Sprintf("Vault %s %s %d", role, req.DisplayName, time.Now().UnixNano())

	writeOpts := &api.WriteOptions{}
	writeOpts = writeOpts.WithContext(ctx)

	// Create an ACLEntry for Consul pre 1.4
	if (roleConfigData.Policy != "" && roleConfigData.TokenType == "client") ||
		(roleConfigData.Policy == "" && roleConfigData.TokenType == "management") {
		token, _, err := c.ACL().Create(&api.ACLEntry{
			Name:  tokenName,
			Type:  roleConfigData.TokenType,
			Rules: roleConfigData.Policy,
		}, writeOpts)
		if err != nil {
			return logical.ErrorResponse(err.Error()), nil
		}

		// Use the helper to create the secret
		s := b.Secret(SecretTokenType).Response(map[string]interface{}{
			"token": token,
		}, map[string]interface{}{
			"token": token,
			"role":  role,
		})
		s.Secret.TTL = roleConfigData.TTL
		s.Secret.MaxTTL = roleConfigData.MaxTTL
		return s, nil
	}

	// Create an ACLToken for Consul 1.4 and above
	policyLinks := []*api.ACLTokenPolicyLink{}
	for _, policyName := range roleConfigData.Policies {
		policyLinks = append(policyLinks, &api.ACLTokenPolicyLink{
			Name: policyName,
		})
	}

	roleLinks := []*api.ACLTokenRoleLink{}
	for _, roleName := range roleConfigData.ConsulRoles {
		roleLinks = append(roleLinks, &api.ACLTokenRoleLink{
			Name: roleName,
		})
	}

	aclServiceIdentities := parseServiceIdentities(roleConfigData.ServiceIdentities)
	aclNodeIdentities := parseNodeIdentities(roleConfigData.NodeIdentities)

	token, _, err := c.ACL().TokenCreate(&api.ACLToken{
		Description:       tokenName,
		Policies:          policyLinks,
		Roles:             roleLinks,
		ServiceIdentities: aclServiceIdentities,
		NodeIdentities:    aclNodeIdentities,
		Local:             roleConfigData.Local,
		Namespace:         roleConfigData.ConsulNamespace,
		Partition:         roleConfigData.Partition,
	}, writeOpts)
	if err != nil {
		return logical.ErrorResponse(err.Error()), nil
	}

	// Use the helper to create the secret
	s := b.Secret(SecretTokenType).Response(map[string]interface{}{
		"token":            token.SecretID,
		"accessor":         token.AccessorID,
		"local":            token.Local,
		"consul_namespace": token.Namespace,
		"partition":        token.Partition,
	}, map[string]interface{}{
		"token":   token.AccessorID,
		"role":    role,
		"version": tokenPolicyType,
	})
	s.Secret.TTL = roleConfigData.TTL
	s.Secret.MaxTTL = roleConfigData.MaxTTL

	return s, nil
}

func parseServiceIdentities(data []string) []*api.ACLServiceIdentity {
	aclServiceIdentities := []*api.ACLServiceIdentity{}

	for _, serviceIdentity := range data {
		entry := &api.ACLServiceIdentity{}
		components := strings.Split(serviceIdentity, ":")
		entry.ServiceName = components[0]
		if len(components) == 2 {
			entry.Datacenters = strings.Split(components[1], ",")
		}
		aclServiceIdentities = append(aclServiceIdentities, entry)
	}

	return aclServiceIdentities
}

func parseNodeIdentities(data []string) []*api.ACLNodeIdentity {
	aclNodeIdentities := []*api.ACLNodeIdentity{}

	for _, nodeIdentity := range data {
		entry := &api.ACLNodeIdentity{}
		components := strings.Split(nodeIdentity, ":")
		entry.NodeName = components[0]
		if len(components) > 1 {
			entry.Datacenter = components[1]
		}
		aclNodeIdentities = append(aclNodeIdentities, entry)
	}

	return aclNodeIdentities
}
logical/consul 2015-03-21 16:19:37 +00:00			`package consul`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
logical/consul 2015-03-21 16:19:37 +00:00			`"fmt"`
secrets/consul: Add support for generating tokens with service and node identities (#15295) Co-authored-by: Thomas L. Kula <kula@tproa.net> 2022-05-10 01:07:35 +00:00			`"strings"`
logical/consul 2015-03-21 16:19:37 +00:00			`"time"`

			`"github.com/hashicorp/consul/api"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
logical/consul 2015-03-21 16:19:37 +00:00			`)`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`const (`
			`tokenPolicyType = "token"`
			`)`

logical/consul 2015-03-21 16:19:37 +00:00			`func pathToken(b backend) framework.Path {`
			`return &framework.Path{`
Update Consul to use the role's configured lease on renew. (#3684) 2017-12-14 18:28:19 +00:00			`Pattern: "creds/" + framework.GenericNameRegex("role"),`
logical/consul 2015-03-21 16:19:37 +00:00			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"role": {`
logical/consul 2015-03-21 16:19:37 +00:00			`Type: framework.TypeString,`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`Description: "Name of the role.",`
			`},`
logical/consul 2015-03-21 16:19:37 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ReadOperation: b.pathTokenRead,`
			`},`
			`}`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathTokenRead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Update Consul to use the role's configured lease on renew. (#3684) 2017-12-14 18:28:19 +00:00			`role := d.Get("role").(string)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entry, err := req.Storage.Get(ctx, "policy/"+role)`
logical/consul 2015-03-21 16:19:37 +00:00			`if err != nil {`
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf() 2021-04-22 15:20:59 +00:00			`return nil, fmt.Errorf("error retrieving role: %w", err)`
logical/consul 2015-03-21 16:19:37 +00:00			`}`
logical/consul: Combine policy and lease into single storage struct 2015-05-27 23:36:23 +00:00			`if entry == nil {`
Update Consul to use the role's configured lease on renew. (#3684) 2017-12-14 18:28:19 +00:00			`return logical.ErrorResponse(fmt.Sprintf("role %q not found", role)), nil`
logical/consul: custom lease time for roles 2015-05-26 00:33:31 +00:00			`}`
logical/consul: Combine policy and lease into single storage struct 2015-05-27 23:36:23 +00:00
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`var roleConfigData roleConfig`
			`if err := entry.DecodeJSON(&roleConfigData); err != nil {`
logical/consul: Combine policy and lease into single storage struct 2015-05-27 23:36:23 +00:00			`return nil, err`
logical/consul 2015-03-21 16:19:37 +00:00			`}`

secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`if roleConfigData.TokenType == "" {`
			`roleConfigData.TokenType = "client"`
Allow creating Consul management tokens Fixes #714 2015-11-02 21:16:51 +00:00			`}`

logical/consul 2015-03-21 16:19:37 +00:00			`// Get the consul client`
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`c, userErr, intErr := b.client(ctx, req.Storage)`
Add reading to consul config, and some better error handling. 2016-05-24 18:23:27 +00:00			`if intErr != nil {`
			`return nil, intErr`
			`}`
			`if userErr != nil {`
Fix nil value panic when Consul returns a user error (#2145) 2016-12-01 18:22:32 +00:00			`return logical.ErrorResponse(userErr.Error()), nil`
logical/consul 2015-03-21 16:19:37 +00:00			`}`

Add listing to Consul secret roles (#2065) 2016-11-04 16:35:16 +00:00			`// Generate a name for the token`
Update Consul to use the role's configured lease on renew. (#3684) 2017-12-14 18:28:19 +00:00			`tokenName := fmt.Sprintf("Vault %s %s %d", role, req.DisplayName, time.Now().UnixNano())`
Add listing to Consul secret roles (#2065) 2016-11-04 16:35:16 +00:00
Fix build 2018-06-11 15:21:37 +00:00			`writeOpts := &api.WriteOptions{}`
Add context handling to Consul operations (#4739) 2018-06-11 15:03:00 +00:00			`writeOpts = writeOpts.WithContext(ctx)`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`// Create an ACLEntry for Consul pre 1.4`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`if (roleConfigData.Policy != "" && roleConfigData.TokenType == "client") \|\|`
			`(roleConfigData.Policy == "" && roleConfigData.TokenType == "management") {`
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`token, _, err := c.ACL().Create(&api.ACLEntry{`
			`Name: tokenName,`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`Type: roleConfigData.TokenType,`
			`Rules: roleConfigData.Policy,`
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`}, writeOpts)`
			`if err != nil {`
			`return logical.ErrorResponse(err.Error()), nil`
			`}`

			`// Use the helper to create the secret`
			`s := b.Secret(SecretTokenType).Response(map[string]interface{}{`
			`"token": token,`
			`}, map[string]interface{}{`
			`"token": token,`
			`"role": role,`
			`})`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`s.Secret.TTL = roleConfigData.TTL`
			`s.Secret.MaxTTL = roleConfigData.MaxTTL`
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`return s, nil`
			`}`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`// Create an ACLToken for Consul 1.4 and above`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`policyLinks := []*api.ACLTokenPolicyLink{}`
			`for _, policyName := range roleConfigData.Policies {`
			`policyLinks = append(policyLinks, &api.ACLTokenPolicyLink{`
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`Name: policyName,`
			`})`
			`}`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00
secret/consul: Add Consul ACL roles support (#14014) Co-authored-by: Brandon Ingalls <brandon@ingalls.io> 2022-02-17 01:31:08 +00:00			`roleLinks := []*api.ACLTokenRoleLink{}`
			`for _, roleName := range roleConfigData.ConsulRoles {`
			`roleLinks = append(roleLinks, &api.ACLTokenRoleLink{`
			`Name: roleName,`
			`})`
			`}`

secrets/consul: Add support for generating tokens with service and node identities (#15295) Co-authored-by: Thomas L. Kula <kula@tproa.net> 2022-05-10 01:07:35 +00:00			`aclServiceIdentities := parseServiceIdentities(roleConfigData.ServiceIdentities)`
			`aclNodeIdentities := parseNodeIdentities(roleConfigData.NodeIdentities)`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`token, _, err := c.ACL().TokenCreate(&api.ACLToken{`
secrets/consul: Add support for generating tokens with service and node identities (#15295) Co-authored-by: Thomas L. Kula <kula@tproa.net> 2022-05-10 01:07:35 +00:00			`Description: tokenName,`
			`Policies: policyLinks,`
			`Roles: roleLinks,`
			`ServiceIdentities: aclServiceIdentities,`
			`NodeIdentities: aclNodeIdentities,`
			`Local: roleConfigData.Local,`
			`Namespace: roleConfigData.ConsulNamespace,`
			`Partition: roleConfigData.Partition,`
Add context handling to Consul operations (#4739) 2018-06-11 15:03:00 +00:00			`}, writeOpts)`
logical/consul 2015-03-21 16:19:37 +00:00			`if err != nil {`
			`return logical.ErrorResponse(err.Error()), nil`
			`}`

			`// Use the helper to create the secret`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`s := b.Secret(SecretTokenType).Response(map[string]interface{}{`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`"token": token.SecretID,`
			`"accessor": token.AccessorID,`
			`"local": token.Local,`
			`"consul_namespace": token.Namespace,`
			`"partition": token.Partition,`
Fix the consul secret backends renewal revocation problem 2016-05-26 03:24:10 +00:00			`}, map[string]interface{}{`
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`"token": token.AccessorID,`
			`"role": role,`
			`"version": tokenPolicyType,`
Fix the consul secret backends renewal revocation problem 2016-05-26 03:24:10 +00:00			`})`
secret/consul: Add support for consul namespaces and admin partitions (#13850) * Add support for consul namespaces and admin partitions 2022-02-09 21:44:00 +00:00			`s.Secret.TTL = roleConfigData.TTL`
			`s.Secret.MaxTTL = roleConfigData.MaxTTL`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00
			`return s, nil`
logical/consul 2015-03-21 16:19:37 +00:00			`}`
secrets/consul: Add support for generating tokens with service and node identities (#15295) Co-authored-by: Thomas L. Kula <kula@tproa.net> 2022-05-10 01:07:35 +00:00
			`func parseServiceIdentities(data []string) []*api.ACLServiceIdentity {`
			`aclServiceIdentities := []*api.ACLServiceIdentity{}`

			`for _, serviceIdentity := range data {`
			`entry := &api.ACLServiceIdentity{}`
			`components := strings.Split(serviceIdentity, ":")`
			`entry.ServiceName = components[0]`
			`if len(components) == 2 {`
			`entry.Datacenters = strings.Split(components[1], ",")`
			`}`
			`aclServiceIdentities = append(aclServiceIdentities, entry)`
			`}`

			`return aclServiceIdentities`
			`}`

			`func parseNodeIdentities(data []string) []*api.ACLNodeIdentity {`
			`aclNodeIdentities := []*api.ACLNodeIdentity{}`

			`for _, nodeIdentity := range data {`
			`entry := &api.ACLNodeIdentity{}`
			`components := strings.Split(nodeIdentity, ":")`
			`entry.NodeName = components[0]`
			`if len(components) > 1 {`
			`entry.Datacenter = components[1]`
			`}`
			`aclNodeIdentities = append(aclNodeIdentities, entry)`
			`}`

			`return aclNodeIdentities`
			`}`