open-vault/builtin/logical/ssh/path_lookup.go

package ssh

import (
	"fmt"
	"net"
	"strings"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathLookup(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "lookup",
		Fields: map[string]*framework.FieldSchema{
			"ip": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "IP address of target",
			},
		},
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.WriteOperation: b.pathLookupWrite,
		},
		HelpSynopsis:    pathLookupSyn,
		HelpDescription: pathLookupDesc,
	}
}

func (b *backend) pathLookupWrite(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	ipAddr := d.Get("ip").(string)
	if ipAddr == "" {
		return logical.ErrorResponse("Invalid 'ip'"), nil
	}
	ip := net.ParseIP(ipAddr)
	if ip == nil {
		return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ip.String())), nil
	}

	keys, err := req.Storage.List("policy/")
	if err != nil {
		return nil, err
	}
	if len(keys) == 0 {
		return &logical.Response{
			Data: map[string]interface{}{
				"roles": nil,
			},
		}, nil
	}

	var matchingRoles []string
	for _, item := range keys {
		if contains, _ := containsIP(req.Storage, item, ip.String()); contains {
			matchingRoles = append(matchingRoles, item)
		}
	}
	return &logical.Response{
		Data: map[string]interface{}{
			"roles": matchingRoles,
		},
	}, nil
}

func containsIP(s logical.Storage, roleName string, ip string) (bool, error) {
	if roleName == "" || ip == "" {
		return false, fmt.Errorf("invalid parameters")
	}
	roleEntry, err := s.Get(fmt.Sprintf("policy/%s", roleName))
	if err != nil {
		return false, fmt.Errorf("error retrieving role '%s'", err)
	}
	if roleEntry == nil {
		return false, fmt.Errorf("role '%s' not found", roleName)
	}
	var role sshRole
	if err := roleEntry.DecodeJSON(&role); err != nil {
		return false, fmt.Errorf("error decoding role '%s'", roleName)
	}
	ipMatched := false
	for _, item := range strings.Split(role.CIDR, ",") {
		_, cidrIPNet, err := net.ParseCIDR(item)
		if err != nil {
			return false, fmt.Errorf("invalid cidr entry '%s'", item)
		}
		ipMatched = cidrIPNet.Contains(net.ParseIP(ip))
		if ipMatched {
			break
		}
	}
	return ipMatched, nil
}

const pathLookupSyn = `
Lists 'roles' that can be used to create a dynamic key.
`

const pathLookupDesc = `
The IP address to which the key is requested will be searched in
the CIDR blocks registered with vault using the 'roles' endpoint.
Key can be generated only by specifying the 'role' name. The roles
that can be used to generate the key for a particular IP will be
listed through this endpoint. For example, if this backend is mounted
at "ssh" then "ssh/lookup" lists the roles associated with 
Keys can be generated for a target IP if the CIDR block encompassing
the IP is registered with vault.
`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`package ssh`

			`import (`
			`"fmt"`
			`"net"`
Refactoring changes 2015-06-30 02:00:08 +00:00			`"strings"`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`func pathLookup(b backend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "lookup",`
			`Fields: map[string]*framework.FieldSchema{`
			`"ip": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "IP address of target",`
			`},`
			`},`
			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.WriteOperation: b.pathLookupWrite,`
			`},`
			`HelpSynopsis: pathLookupSyn,`
			`HelpDescription: pathLookupDesc,`
			`}`
			`}`

			`func (b backend) pathLookupWrite(req logical.Request, d framework.FieldData) (logical.Response, error) {`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`ipAddr := d.Get("ip").(string)`
			`if ipAddr == "" {`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`return logical.ErrorResponse("Invalid 'ip'"), nil`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`ip := net.ParseIP(ipAddr)`
			`if ip == nil {`
			`return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ip.String())), nil`
			`}`

			`keys, err := req.Storage.List("policy/")`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(keys) == 0 {`
For SSH backend, allow factory to be provided instead of Backend 2015-07-01 13:37:11 +00:00			`return &logical.Response{`
			`Data: map[string]interface{}{`
Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`"roles": nil,`
For SSH backend, allow factory to be provided instead of Backend 2015-07-01 13:37:11 +00:00			`},`
			`}, nil`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`}`

ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`var matchingRoles []string`
			`for _, item := range keys {`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`if contains, _ := containsIP(req.Storage, item, ip.String()); contains {`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`matchingRoles = append(matchingRoles, item)`
			`}`
			`}`
			`return &logical.Response{`
			`Data: map[string]interface{}{`
			`"roles": matchingRoles,`
			`},`
			`}, nil`
			`}`

			`func containsIP(s logical.Storage, roleName string, ip string) (bool, error) {`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`if roleName == "" \|\| ip == "" {`
			`return false, fmt.Errorf("invalid parameters")`
			`}`
Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`roleEntry, err := s.Get(fmt.Sprintf("policy/%s", roleName))`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`if err != nil {`
			`return false, fmt.Errorf("error retrieving role '%s'", err)`
			`}`
			`if roleEntry == nil {`
			`return false, fmt.Errorf("role '%s' not found", roleName)`
			`}`
			`var role sshRole`
			`if err := roleEntry.DecodeJSON(&role); err != nil {`
			`return false, fmt.Errorf("error decoding role '%s'", roleName)`
			`}`
			`ipMatched := false`
Refactoring changes 2015-06-30 02:00:08 +00:00			`for _, item := range strings.Split(role.CIDR, ",") {`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`_, cidrIPNet, err := net.ParseCIDR(item)`
			`if err != nil {`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`return false, fmt.Errorf("invalid cidr entry '%s'", item)`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`}`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`ipMatched = cidrIPNet.Contains(net.ParseIP(ip))`
			`if ipMatched {`
			`break`
			`}`
			`}`
			`return ipMatched, nil`
			`}`

			const pathLookupSyn = `
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`Lists 'roles' that can be used to create a dynamic key.`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`

			const pathLookupDesc = `
Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`The IP address to which the key is requested will be searched in`
			`the CIDR blocks registered with vault using the 'roles' endpoint.`
			`Key can be generated only by specifying the 'role' name. The roles`
			`that can be used to generate the key for a particular IP will be`
			`listed through this endpoint. For example, if this backend is mounted`
			`at "ssh" then "ssh/lookup" lists the roles associated with`
			`Keys can be generated for a target IP if the CIDR block encompassing`
			`the IP is registered with vault.`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`