2015-03-15 20:52:43 +00:00
|
|
|
package logical
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
|
2018-04-03 00:46:59 +00:00
|
|
|
log "github.com/hashicorp/go-hclog"
|
2018-01-08 18:31:38 +00:00
|
|
|
)
|
2015-04-04 18:39:58 +00:00
|
|
|
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
// BackendType is the type of backend that is being implemented
|
|
|
|
type BackendType uint32
|
|
|
|
|
|
|
|
// The these are the types of backends that can be derived from
|
|
|
|
// logical.Backend
|
|
|
|
const (
|
|
|
|
TypeUnknown BackendType = 0 // This is also the zero-value for BackendType
|
|
|
|
TypeLogical BackendType = 1
|
|
|
|
TypeCredential BackendType = 2
|
|
|
|
)
|
|
|
|
|
|
|
|
// Stringer implementation
|
|
|
|
func (b BackendType) String() string {
|
|
|
|
switch b {
|
|
|
|
case TypeLogical:
|
|
|
|
return "secret"
|
|
|
|
case TypeCredential:
|
|
|
|
return "auth"
|
|
|
|
}
|
|
|
|
|
|
|
|
return "unknown"
|
|
|
|
}
|
|
|
|
|
2015-03-15 20:52:43 +00:00
|
|
|
// Backend interface must be implemented to be "mountable" at
|
|
|
|
// a given path. Requests flow through a router which has various mount
|
|
|
|
// points that flow to a logical backend. The logic of each backend is flexible,
|
|
|
|
// and this is what allows materialized keys to function. There can be specialized
|
|
|
|
// logical backends for various upstreams (Consul, PostgreSQL, MySQL, etc) that can
|
|
|
|
// interact with remote APIs to generate keys dynamically. This interface also
|
|
|
|
// allows for a "procfs" like interaction, as internal state can be exposed by
|
|
|
|
// acting like a logical backend and being mounted.
|
|
|
|
type Backend interface {
|
2019-07-05 23:55:40 +00:00
|
|
|
|
|
|
|
// Initialize is used to initialize a plugin after it has been mounted.
|
|
|
|
Initialize(context.Context, *InitializationRequest) error
|
|
|
|
|
2015-03-15 20:52:43 +00:00
|
|
|
// HandleRequest is used to handle a request and generate a response.
|
|
|
|
// The backends must check the operation type and handle appropriately.
|
2018-01-08 18:31:38 +00:00
|
|
|
HandleRequest(context.Context, *Request) (*Response, error)
|
2015-03-15 20:52:43 +00:00
|
|
|
|
2015-03-31 00:46:18 +00:00
|
|
|
// SpecialPaths is a list of paths that are special in some way.
|
|
|
|
// See PathType for the types of special paths. The key is the type
|
|
|
|
// of the special path, and the value is a list of paths for this type.
|
|
|
|
// This is not a regular expression but is an exact match. If the path
|
|
|
|
// ends in '*' then it is a prefix-based match. The '*' can only appear
|
|
|
|
// at the end.
|
|
|
|
SpecialPaths() *Paths
|
2015-09-02 19:56:58 +00:00
|
|
|
|
|
|
|
// System provides an interface to access certain system configuration
|
|
|
|
// information, such as globally configured default and max lease TTLs.
|
|
|
|
System() SystemView
|
2015-09-10 14:11:37 +00:00
|
|
|
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
// Logger provides an interface to access the underlying logger. This
|
|
|
|
// is useful when a struct embeds a Backend-implemented struct that
|
|
|
|
// contains a private instance of logger.
|
|
|
|
Logger() log.Logger
|
|
|
|
|
2016-01-07 20:10:05 +00:00
|
|
|
// HandleExistenceCheck is used to handle a request and generate a response
|
|
|
|
// indicating whether the given path exists or not; this is used to
|
|
|
|
// understand whether the request must have a Create or Update capability
|
2016-01-12 20:09:16 +00:00
|
|
|
// ACL applied. The first bool indicates whether an existence check
|
|
|
|
// function was found for the backend; the second indicates whether, if an
|
|
|
|
// existence check function was found, the item exists or not.
|
2018-01-08 18:31:38 +00:00
|
|
|
HandleExistenceCheck(context.Context, *Request) (bool, bool, error)
|
2016-01-07 20:10:05 +00:00
|
|
|
|
2017-01-07 23:18:22 +00:00
|
|
|
// Cleanup is invoked during an unmount of a backend to allow it to
|
|
|
|
// handle any cleanup like connection closing or releasing of file handles.
|
2018-01-19 06:44:44 +00:00
|
|
|
Cleanup(context.Context)
|
2017-01-07 23:18:22 +00:00
|
|
|
|
|
|
|
// InvalidateKey may be invoked when an object is modified that belongs
|
|
|
|
// to the backend. The backend can use this to clear any caches or reset
|
|
|
|
// internal state as needed.
|
2018-01-19 06:44:44 +00:00
|
|
|
InvalidateKey(context.Context, string)
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
|
|
|
|
// Setup is used to set up the backend based on the provided backend
|
|
|
|
// configuration.
|
2018-01-19 06:44:44 +00:00
|
|
|
Setup(context.Context, *BackendConfig) error
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
|
|
|
|
// Type returns the BackendType for the particular backend
|
|
|
|
Type() BackendType
|
2015-03-15 20:52:43 +00:00
|
|
|
}
|
|
|
|
|
2015-07-01 00:30:43 +00:00
|
|
|
// BackendConfig is provided to the factory to initialize the backend
|
|
|
|
type BackendConfig struct {
|
|
|
|
// View should not be stored, and should only be used for initialization
|
2015-09-09 19:42:29 +00:00
|
|
|
StorageView Storage
|
2015-07-01 00:30:43 +00:00
|
|
|
|
|
|
|
// The backend should use this logger. The log should not contain any secrets.
|
2016-08-19 20:45:17 +00:00
|
|
|
Logger log.Logger
|
2015-07-01 00:30:43 +00:00
|
|
|
|
2015-08-27 15:51:35 +00:00
|
|
|
// System provides a view into a subset of safe system information that
|
|
|
|
// is useful for backends, such as the default/max lease TTLs
|
2015-08-27 17:36:44 +00:00
|
|
|
System SystemView
|
2015-08-27 15:51:35 +00:00
|
|
|
|
2018-03-21 19:04:27 +00:00
|
|
|
// BackendUUID is a unique identifier provided to this backend. It's useful
|
|
|
|
// when a backend needs a consistent and unique string without using storage.
|
|
|
|
BackendUUID string
|
|
|
|
|
2015-07-01 00:30:43 +00:00
|
|
|
// Config is the opaque user configuration provided when mounting
|
|
|
|
Config map[string]string
|
|
|
|
}
|
|
|
|
|
2015-03-15 20:52:43 +00:00
|
|
|
// Factory is the factory function to create a logical backend.
|
2018-01-19 06:44:44 +00:00
|
|
|
type Factory func(context.Context, *BackendConfig) (Backend, error)
|
2015-03-31 00:46:18 +00:00
|
|
|
|
|
|
|
// Paths is the structure of special paths that is used for SpecialPaths.
|
|
|
|
type Paths struct {
|
|
|
|
// Root are the paths that require a root token to access
|
|
|
|
Root []string
|
|
|
|
|
|
|
|
// Unauthenticated are the paths that can be accessed without any auth.
|
2021-10-13 16:51:20 +00:00
|
|
|
// These can't be regular expressions, it is either exact match, a prefix
|
|
|
|
// match and/or a wildcard match. For prefix match, append '*' as a suffix.
|
|
|
|
// For a wildcard match, use '+' in the segment to match any identifier
|
|
|
|
// (e.g. 'foo/+/bar'). Note that '+' can't be adjacent to a non-slash.
|
2015-03-31 00:46:18 +00:00
|
|
|
Unauthenticated []string
|
2017-01-13 19:51:10 +00:00
|
|
|
|
|
|
|
// LocalStorage are paths (prefixes) that are local to this instance; this
|
|
|
|
// indicates that these paths should not be replicated
|
|
|
|
LocalStorage []string
|
2017-10-23 20:42:56 +00:00
|
|
|
|
|
|
|
// SealWrapStorage are storage paths that, when using a capable seal,
|
|
|
|
// should be seal wrapped with extra encryption. It is exact matching
|
|
|
|
// unless it ends with '/' in which case it will be treated as a prefix.
|
|
|
|
SealWrapStorage []string
|
2017-01-13 19:51:10 +00:00
|
|
|
}
|
2019-05-22 22:52:53 +00:00
|
|
|
|
|
|
|
type Auditor interface {
|
|
|
|
AuditRequest(ctx context.Context, input *LogInput) error
|
|
|
|
AuditResponse(ctx context.Context, input *LogInput) error
|
|
|
|
}
|