2015-04-24 17:31:57 +00:00
package cert
import (
2018-01-08 18:31:38 +00:00
"context"
2016-02-29 15:40:15 +00:00
"crypto/x509"
2015-10-06 01:10:20 +00:00
"fmt"
2019-02-01 16:23:40 +00:00
"strings"
2015-04-24 19:58:39 +00:00
"time"
2015-04-24 17:31:57 +00:00
2019-01-09 00:48:57 +00:00
sockaddr "github.com/hashicorp/go-sockaddr"
2019-02-01 16:23:40 +00:00
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/policyutil"
2015-04-24 17:31:57 +00:00
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
2016-03-15 18:07:40 +00:00
func pathListCerts ( b * backend ) * framework . Path {
return & framework . Path {
Pattern : "certs/?" ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . ListOperation : b . pathCertList ,
} ,
HelpSynopsis : pathCertHelpSyn ,
HelpDescription : pathCertHelpDesc ,
}
}
2015-04-24 17:31:57 +00:00
func pathCerts ( b * backend ) * framework . Path {
2019-02-01 16:23:40 +00:00
return & framework . Path {
2015-08-21 07:56:13 +00:00
Pattern : "certs/" + framework . GenericNameRegex ( "name" ) ,
2015-04-24 17:31:57 +00:00
Fields : map [ string ] * framework . FieldSchema {
"name" : & framework . FieldSchema {
2019-02-01 16:23:40 +00:00
Type : framework . TypeString ,
2015-04-24 17:31:57 +00:00
Description : "The name of the certificate" ,
} ,
"certificate" : & framework . FieldSchema {
2015-09-18 18:01:28 +00:00
Type : framework . TypeString ,
Description : ` The public certificate that should be trusted .
Must be x509 PEM encoded . ` ,
2015-04-24 17:31:57 +00:00
} ,
2017-04-30 15:37:10 +00:00
"allowed_names" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated list of names .
2018-05-25 14:34:46 +00:00
At least one must exist in either the Common Name or SANs . Supports globbing .
This parameter is deprecated , please use allowed_common_names , allowed_dns_sans ,
allowed_email_sans , allowed_uri_sans . ` ,
} ,
"allowed_common_names" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated list of names .
At least one must exist in the Common Name . Supports globbing . ` ,
} ,
"allowed_dns_sans" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated list of DNS names .
At least one must exist in the SANs . Supports globbing . ` ,
} ,
"allowed_email_sans" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated list of Email Addresses .
At least one must exist in the SANs . Supports globbing . ` ,
} ,
"allowed_uri_sans" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated list of URIs .
At least one must exist in the SANs . Supports globbing . ` ,
2017-04-30 15:37:10 +00:00
} ,
2018-09-28 00:04:55 +00:00
"allowed_organizational_units" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated list of Organizational Units names .
At least one must exist in the OU field . ` ,
} ,
2017-12-18 17:53:44 +00:00
"required_extensions" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated string or array of extensions
formatted as "oid:value" . Expects the extension value to be some type of ASN1 encoded string .
All values much match . Supports globbing on "value" . ` ,
} ,
2015-04-24 17:31:57 +00:00
"display_name" : & framework . FieldSchema {
2015-09-18 18:01:28 +00:00
Type : framework . TypeString ,
Description : ` The display name to use for clients using this
certificate . ` ,
2015-04-24 17:31:57 +00:00
} ,
2019-02-01 16:23:40 +00:00
"policies" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : "Comma-separated list of policies." ,
} ,
2015-04-24 19:58:39 +00:00
"lease" : & framework . FieldSchema {
2015-09-18 18:01:28 +00:00
Type : framework . TypeInt ,
Description : ` Deprecated : use "ttl" instead . TTL time in
seconds . Defaults to system / backend default TTL . ` ,
} ,
2019-02-01 16:23:40 +00:00
"ttl" : & framework . FieldSchema {
Type : framework . TypeDurationSecond ,
Description : ` TTL for tokens issued by this backend .
Defaults to system / backend default TTL time . ` ,
} ,
"max_ttl" : & framework . FieldSchema {
Type : framework . TypeDurationSecond ,
Description : ` Duration in either an integer number of seconds ( 3600 ) or
an integer time unit ( 60 m ) after which the
issued token can no longer be renewed . ` ,
} ,
"period" : & framework . FieldSchema {
Type : framework . TypeDurationSecond ,
Description : ` If set , indicates that the token generated using this role
should never expire . The token should be renewed within the
duration specified by this value . At each renewal , the token ' s
TTL will be set to the value of this parameter . ` ,
} ,
"bound_cidrs" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` Comma separated string or list of CIDR blocks . If set , specifies the blocks of
IP addresses which can perform the login operation . ` ,
} ,
2015-04-24 17:31:57 +00:00
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . DeleteOperation : b . pathCertDelete ,
logical . ReadOperation : b . pathCertRead ,
2016-02-29 15:40:15 +00:00
logical . UpdateOperation : b . pathCertWrite ,
2015-04-24 17:31:57 +00:00
} ,
HelpSynopsis : pathCertHelpSyn ,
HelpDescription : pathCertHelpDesc ,
}
}
2018-01-19 06:44:44 +00:00
func ( b * backend ) Cert ( ctx context . Context , s logical . Storage , n string ) ( * CertEntry , error ) {
2019-02-01 16:23:40 +00:00
entry , err := s . Get ( ctx , "cert/" + strings . ToLower ( n ) )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
if entry == nil {
return nil , nil
}
var result CertEntry
if err := entry . DecodeJSON ( & result ) ; err != nil {
return nil , err
}
return & result , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertDelete ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2019-02-01 16:23:40 +00:00
err := req . Storage . Delete ( ctx , "cert/" + strings . ToLower ( d . Get ( "name" ) . ( string ) ) )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
return nil , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertList ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2018-01-19 06:44:44 +00:00
certs , err := req . Storage . List ( ctx , "cert/" )
2016-03-15 18:07:40 +00:00
if err != nil {
return nil , err
}
return logical . ListResponse ( certs ) , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertRead ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2019-02-01 16:23:40 +00:00
cert , err := b . Cert ( ctx , req . Storage , strings . ToLower ( d . Get ( "name" ) . ( string ) ) )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
if cert == nil {
return nil , nil
}
return & logical . Response {
2019-02-01 16:23:40 +00:00
Data : map [ string ] interface { } {
"certificate" : cert . Certificate ,
"display_name" : cert . DisplayName ,
"policies" : cert . Policies ,
"ttl" : cert . TTL / time . Second ,
"max_ttl" : cert . MaxTTL / time . Second ,
"period" : cert . Period / time . Second ,
"allowed_names" : cert . AllowedNames ,
"allowed_common_names" : cert . AllowedCommonNames ,
"allowed_dns_sans" : cert . AllowedDNSSANs ,
"allowed_email_sans" : cert . AllowedEmailSANs ,
"allowed_uri_sans" : cert . AllowedURISANs ,
"allowed_organizational_units" : cert . AllowedOrganizationalUnits ,
"required_extensions" : cert . RequiredExtensions ,
2019-02-08 14:12:55 +00:00
"bound_cidrs" : cert . BoundCIDRs ,
2019-02-01 16:23:40 +00:00
} ,
2015-04-24 17:31:57 +00:00
} , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertWrite ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2019-02-01 16:23:40 +00:00
name := strings . ToLower ( d . Get ( "name" ) . ( string ) )
2015-04-24 17:31:57 +00:00
certificate := d . Get ( "certificate" ) . ( string )
displayName := d . Get ( "display_name" ) . ( string )
2019-02-01 16:23:40 +00:00
policies := policyutil . ParsePolicies ( d . Get ( "policies" ) )
2017-04-30 15:37:10 +00:00
allowedNames := d . Get ( "allowed_names" ) . ( [ ] string )
2018-05-25 14:34:46 +00:00
allowedCommonNames := d . Get ( "allowed_common_names" ) . ( [ ] string )
allowedDNSSANs := d . Get ( "allowed_dns_sans" ) . ( [ ] string )
allowedEmailSANs := d . Get ( "allowed_email_sans" ) . ( [ ] string )
allowedURISANs := d . Get ( "allowed_uri_sans" ) . ( [ ] string )
2018-09-28 00:04:55 +00:00
allowedOrganizationalUnits := d . Get ( "allowed_organizational_units" ) . ( [ ] string )
2017-12-18 17:53:44 +00:00
requiredExtensions := d . Get ( "required_extensions" ) . ( [ ] string )
2015-04-24 17:31:57 +00:00
2017-12-18 20:29:45 +00:00
var resp logical . Response
2019-01-30 21:23:28 +00:00
// Parse the ttl (or lease duration)
systemDefaultTTL := b . System ( ) . DefaultLeaseTTL ( )
2019-02-01 16:23:40 +00:00
ttl := time . Duration ( d . Get ( "ttl" ) . ( int ) ) * time . Second
if ttl == 0 {
ttl = time . Duration ( d . Get ( "lease" ) . ( int ) ) * time . Second
}
if ttl > systemDefaultTTL {
resp . AddWarning ( fmt . Sprintf ( "Given ttl of %d seconds is greater than current mount/system default of %d seconds" , ttl / time . Second , systemDefaultTTL / time . Second ) )
}
if ttl < time . Duration ( 0 ) {
return logical . ErrorResponse ( "ttl cannot be negative" ) , nil
2017-12-18 20:29:45 +00:00
}
// Parse max_ttl
systemMaxTTL := b . System ( ) . MaxLeaseTTL ( )
2019-02-01 16:23:40 +00:00
maxTTL := time . Duration ( d . Get ( "max_ttl" ) . ( int ) ) * time . Second
if maxTTL > systemMaxTTL {
resp . AddWarning ( fmt . Sprintf ( "Given max_ttl of %d seconds is greater than current mount/system default of %d seconds" , maxTTL / time . Second , systemMaxTTL / time . Second ) )
2017-12-18 20:29:45 +00:00
}
2019-02-01 16:23:40 +00:00
if maxTTL < time . Duration ( 0 ) {
return logical . ErrorResponse ( "max_ttl cannot be negative" ) , nil
}
if maxTTL != 0 && ttl > maxTTL {
2017-12-18 20:29:45 +00:00
return logical . ErrorResponse ( "ttl should be shorter than max_ttl" ) , nil
}
// Parse period
2019-02-01 16:23:40 +00:00
period := time . Duration ( d . Get ( "period" ) . ( int ) ) * time . Second
if period > systemMaxTTL {
resp . AddWarning ( fmt . Sprintf ( "Given period of %d seconds is greater than the backend's maximum TTL of %d seconds" , period / time . Second , systemMaxTTL / time . Second ) )
}
if period < time . Duration ( 0 ) {
return logical . ErrorResponse ( "period cannot be negative" ) , nil
2017-12-18 20:29:45 +00:00
}
2015-04-24 17:52:17 +00:00
// Default the display name to the certificate name if not given
if displayName == "" {
displayName = name
}
2015-04-24 17:39:44 +00:00
parsed := parsePEM ( [ ] byte ( certificate ) )
if len ( parsed ) == 0 {
return logical . ErrorResponse ( "failed to parse certificate" ) , nil
}
2016-02-29 15:40:15 +00:00
// If the certificate is not a CA cert, then ensure that x509.ExtKeyUsageClientAuth is set
2016-02-29 23:29:41 +00:00
if ! parsed [ 0 ] . IsCA && parsed [ 0 ] . ExtKeyUsage != nil {
2016-02-29 21:02:19 +00:00
var clientAuth bool
2016-02-29 15:40:15 +00:00
for _ , usage := range parsed [ 0 ] . ExtKeyUsage {
2016-03-01 15:24:22 +00:00
if usage == x509 . ExtKeyUsageClientAuth || usage == x509 . ExtKeyUsageAny {
2016-02-29 15:40:15 +00:00
clientAuth = true
2016-03-01 15:24:22 +00:00
break
2016-02-29 15:40:15 +00:00
}
}
if ! clientAuth {
2016-02-29 23:29:41 +00:00
return logical . ErrorResponse ( "non-CA certificates should have TLS client authentication set as an extended key usage" ) , nil
2016-02-29 15:40:15 +00:00
}
}
2019-02-01 16:23:40 +00:00
parsedCIDRs , err := parseutil . ParseAddrs ( d . Get ( "bound_cidrs" ) )
if err != nil {
return logical . ErrorResponse ( err . Error ( ) ) , logical . ErrInvalidRequest
}
certEntry := & CertEntry {
Name : name ,
Certificate : certificate ,
DisplayName : displayName ,
Policies : policies ,
AllowedNames : allowedNames ,
AllowedCommonNames : allowedCommonNames ,
AllowedDNSSANs : allowedDNSSANs ,
AllowedEmailSANs : allowedEmailSANs ,
AllowedURISANs : allowedURISANs ,
AllowedOrganizationalUnits : allowedOrganizationalUnits ,
RequiredExtensions : requiredExtensions ,
TTL : ttl ,
MaxTTL : maxTTL ,
Period : period ,
BoundCIDRs : parsedCIDRs ,
}
2015-04-24 19:58:39 +00:00
2015-04-24 17:31:57 +00:00
// Store it
2015-10-06 01:10:20 +00:00
entry , err := logical . StorageEntryJSON ( "cert/" + name , certEntry )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
2018-01-19 06:44:44 +00:00
if err := req . Storage . Put ( ctx , entry ) ; err != nil {
2015-04-24 17:31:57 +00:00
return nil , err
}
2017-12-18 20:29:45 +00:00
if len ( resp . Warnings ) == 0 {
return nil , nil
}
return & resp , nil
2015-04-24 17:31:57 +00:00
}
type CertEntry struct {
2018-09-28 00:04:55 +00:00
Name string
Certificate string
DisplayName string
2019-02-01 16:23:40 +00:00
Policies [ ] string
TTL time . Duration
MaxTTL time . Duration
Period time . Duration
2018-09-28 00:04:55 +00:00
AllowedNames [ ] string
AllowedCommonNames [ ] string
AllowedDNSSANs [ ] string
AllowedEmailSANs [ ] string
AllowedURISANs [ ] string
AllowedOrganizationalUnits [ ] string
RequiredExtensions [ ] string
2019-02-01 16:23:40 +00:00
BoundCIDRs [ ] * sockaddr . SockAddrMarshaler
2015-04-24 17:31:57 +00:00
}
const pathCertHelpSyn = `
Manage trusted certificates used for authentication .
`
const pathCertHelpDesc = `
This endpoint allows you to create , read , update , and delete trusted certificates
that are allowed to authenticate .
Deleting a certificate will not revoke auth for prior authenticated connections .
To do this , do a revoke on "login" . If you don ' t need to revoke login immediately ,
then the next renew will cause the lease to expire .
`