open-vault/builtin/logical/rabbitmq/path_role_create.go

package rabbitmq

import (
	"context"
	"fmt"

	"github.com/hashicorp/errwrap"
	multierror "github.com/hashicorp/go-multierror"
	uuid "github.com/hashicorp/go-uuid"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
	rabbithole "github.com/michaelklishin/rabbit-hole"
)

func pathCreds(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "creds/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the role.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation: b.pathCredsRead,
		},

		HelpSynopsis:    pathRoleCreateReadHelpSyn,
		HelpDescription: pathRoleCreateReadHelpDesc,
	}
}

// Issues the credential based on the role name
func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	name := d.Get("name").(string)
	if name == "" {
		return logical.ErrorResponse("missing name"), nil
	}

	// Get the role
	role, err := b.Role(ctx, req.Storage, name)
	if err != nil {
		return nil, err
	}
	if role == nil {
		return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil
	}

	// Ensure username is unique
	uuidVal, err := uuid.GenerateUUID()
	if err != nil {
		return nil, err
	}
	username := fmt.Sprintf("%s-%s", req.DisplayName, uuidVal)

	password, err := uuid.GenerateUUID()
	if err != nil {
		return nil, err
	}

	// Get the client configuration
	client, err := b.Client(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if client == nil {
		return logical.ErrorResponse("failed to get the client"), nil
	}

	// Register the generated credentials in the backend, with the RabbitMQ server
	if _, err = client.PutUser(username, rabbithole.UserSettings{
		Password: password,
		Tags:     role.Tags,
	}); err != nil {
		return nil, fmt.Errorf("failed to create a new user with the generated credentials")
	}

	// If the role had vhost permissions specified, assign those permissions
	// to the created username for respective vhosts.
	for vhost, permission := range role.VHosts {
		if _, err := client.UpdatePermissionsIn(vhost, username, rabbithole.Permissions{
			Configure: permission.Configure,
			Write:     permission.Write,
			Read:      permission.Read,
		}); err != nil {
			outerErr := errwrap.Wrapf(fmt.Sprintf("failed to update permissions to the %q user: {{err}}", username), err)
			// Delete the user because it's in an unknown state
			if _, rmErr := client.DeleteUser(username); rmErr != nil {
				return nil, multierror.Append(errwrap.Wrapf("failed to delete user: {{err}}", rmErr), outerErr)
			}
			return nil, outerErr
		}
	}

	// Return the secret
	resp := b.Secret(SecretCredsType).Response(map[string]interface{}{
		"username": username,
		"password": password,
	}, map[string]interface{}{
		"username": username,
	})

	// Determine if we have a lease
	lease, err := b.Lease(ctx, req.Storage)
	if err != nil {
		return nil, err
	}

	if lease != nil {
		resp.Secret.TTL = lease.TTL
		resp.Secret.MaxTTL = lease.MaxTTL
	}

	return resp, nil
}

const pathRoleCreateReadHelpSyn = `
Request RabbitMQ credentials for a certain role.
`

const pathRoleCreateReadHelpDesc = `
This path reads RabbitMQ credentials for a certain role. The
RabbitMQ credentials will be generated on demand and will be automatically
revoked when the lease is up.
`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`package rabbitmq`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`"fmt"`

Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`"github.com/hashicorp/errwrap"`
			`multierror "github.com/hashicorp/go-multierror"`
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing. 2019-01-09 00:48:57 +00:00			`uuid "github.com/hashicorp/go-uuid"`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing. 2019-01-09 00:48:57 +00:00			`rabbithole "github.com/michaelklishin/rabbit-hole"`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`)`

Polish the code 2016-06-08 07:18:26 +00:00			`func pathCreds(b backend) framework.Path {`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`return &framework.Path{`
			`Pattern: "creds/" + framework.GenericNameRegex("name"),`
			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the role.",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Polish the code 2016-06-08 07:18:26 +00:00			`logical.ReadOperation: b.pathCredsRead,`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`},`

			`HelpSynopsis: pathRoleCreateReadHelpSyn,`
			`HelpDescription: pathRoleCreateReadHelpDesc,`
			`}`
			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Issues the credential based on the role name`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathCredsRead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Polish the code 2016-06-08 07:18:26 +00:00			`name := d.Get("name").(string)`
			`if name == "" {`
			`return logical.ErrorResponse("missing name"), nil`
Address feedback 2016-05-21 05:51:09 +00:00			`}`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00
			`// Get the role`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`role, err := b.Role(ctx, req.Storage, name)`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if role == nil {`
			`return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil`
			`}`

Address feedback 2016-05-21 05:51:09 +00:00			`// Ensure username is unique`
Migrate to go-uuid 2016-06-08 14:36:16 +00:00			`uuidVal, err := uuid.GenerateUUID()`
			`if err != nil {`
			`return nil, err`
			`}`
			`username := fmt.Sprintf("%s-%s", req.DisplayName, uuidVal)`

			`password, err := uuid.GenerateUUID()`
			`if err != nil {`
			`return nil, err`
			`}`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00
Polish the code 2016-06-08 07:18:26 +00:00			`// Get the client configuration`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`client, err := b.Client(ctx, req.Storage)`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Address feedback 2016-05-21 05:51:09 +00:00			`if client == nil {`
Polish the code 2016-06-08 07:18:26 +00:00			`return logical.ErrorResponse("failed to get the client"), nil`
Address feedback 2016-05-21 05:51:09 +00:00			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// Register the generated credentials in the backend, with the RabbitMQ server`
			`if _, err = client.PutUser(username, rabbithole.UserSettings{`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`Password: password,`
			`Tags: role.Tags,`
Polish the code 2016-06-08 07:18:26 +00:00			`}); err != nil {`
			`return nil, fmt.Errorf("failed to create a new user with the generated credentials")`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`}`

Polish the code 2016-06-08 07:18:26 +00:00			`// If the role had vhost permissions specified, assign those permissions`
			`// to the created username for respective vhosts.`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`for vhost, permission := range role.VHosts {`
Polish the code 2016-06-08 07:18:26 +00:00			`if _, err := client.UpdatePermissionsIn(vhost, username, rabbithole.Permissions{`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`Configure: permission.Configure,`
			`Write: permission.Write,`
			`Read: permission.Read,`
Polish the code 2016-06-08 07:18:26 +00:00			`}); err != nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`outerErr := errwrap.Wrapf(fmt.Sprintf("failed to update permissions to the %q user: {{err}}", username), err)`
Address feedback 2016-05-21 05:51:09 +00:00			`// Delete the user because it's in an unknown state`
Polish the code 2016-06-08 07:18:26 +00:00			`if _, rmErr := client.DeleteUser(username); rmErr != nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, multierror.Append(errwrap.Wrapf("failed to delete user: {{err}}", rmErr), outerErr)`
Address feedback 2016-05-21 05:51:09 +00:00			`}`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, outerErr`
Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`}`
			`}`

			`// Return the secret`
			`resp := b.Secret(SecretCredsType).Response(map[string]interface{}{`
			`"username": username,`
			`"password": password,`
			`}, map[string]interface{}{`
			`"username": username,`
			`})`
Polish the code 2016-06-08 07:18:26 +00:00
			`// Determine if we have a lease`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`lease, err := b.Lease(ctx, req.Storage)`
Polish the code 2016-06-08 07:18:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Fix max_ttl not being honored in database backend when default_ttl is zero (#3814) Fixes #3812 2018-01-18 06:43:38 +00:00
Polish the code 2016-06-08 07:18:26 +00:00			`if lease != nil {`
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback 2018-04-03 16:20:20 +00:00			`resp.Secret.TTL = lease.TTL`
			`resp.Secret.MaxTTL = lease.MaxTTL`
Polish the code 2016-06-08 07:18:26 +00:00			`}`

Add RabbitMQ secret backend 2015-11-18 16:25:42 +00:00			`return resp, nil`
			`}`

			const pathRoleCreateReadHelpSyn = `
			`Request RabbitMQ credentials for a certain role.`
			`

			const pathRoleCreateReadHelpDesc = `
			`This path reads RabbitMQ credentials for a certain role. The`
			`RabbitMQ credentials will be generated on demand and will be automatically`
			`revoked when the lease is up.`
			`