open-vault/builtin/logical/database/path_creds_create.go

package database

import (
	"context"
	"fmt"
	"time"

	"github.com/hashicorp/vault/builtin/logical/database/dbplugin"
	"github.com/hashicorp/vault/helper/strutil"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathCredsCreate(b *databaseBackend) *framework.Path {
	return &framework.Path{
		Pattern: "creds/" + framework.GenericNameRegex("name"),
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the role.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation: b.pathCredsCreateRead(),
		},

		HelpSynopsis:    pathCredsCreateReadHelpSyn,
		HelpDescription: pathCredsCreateReadHelpDesc,
	}
}

func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
		name := data.Get("name").(string)

		// Get the role
		role, err := b.Role(ctx, req.Storage, name)
		if err != nil {
			return nil, err
		}
		if role == nil {
			return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil
		}

		dbConfig, err := b.DatabaseConfig(ctx, req.Storage, role.DBName)
		if err != nil {
			return nil, err
		}

		// If role name isn't in the database's allowed roles, send back a
		// permission denied.
		if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContainsGlob(dbConfig.AllowedRoles, name) {
			return nil, fmt.Errorf("%q is not an allowed role", name)
		}

		// Get the Database object
		db, err := b.GetConnection(ctx, req.Storage, role.DBName)
		if err != nil {
			return nil, err
		}

		db.RLock()
		defer db.RUnlock()

		ttl, _, err := framework.CalculateTTL(b.System(), 0, role.DefaultTTL, 0, role.MaxTTL, 0, time.Time{})
		if err != nil {
			return nil, err
		}
		expiration := time.Now().Add(ttl)
		// Adding a small buffer since the TTL will be calculated again after this call
		// to ensure the database credential does not expire before the lease
		expiration = expiration.Add(5 * time.Second)

		usernameConfig := dbplugin.UsernameConfig{
			DisplayName: req.DisplayName,
			RoleName:    name,
		}

		// Create the user
		username, password, err := db.CreateUser(ctx, role.Statements, usernameConfig, expiration)
		if err != nil {
			b.CloseIfShutdown(db, err)
			return nil, err
		}

		resp := b.Secret(SecretCredsType).Response(map[string]interface{}{
			"username": username,
			"password": password,
		}, map[string]interface{}{
			"username":              username,
			"role":                  name,
			"db_name":               role.DBName,
			"revocation_statements": role.Statements.Revocation,
		})
		resp.Secret.TTL = role.DefaultTTL
		resp.Secret.MaxTTL = role.MaxTTL
		return resp, nil
	}
}

const pathCredsCreateReadHelpSyn = `
Request database credentials for a certain role.
`

const pathCredsCreateReadHelpDesc = `
This path reads database credentials for a certain role. The
database credentials will be generated on demand and will be automatically
revoked when the lease is up.
`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`package database`

			`import (`
Database gRPC plugins (#3666) * Start work on context aware backends * Start work on moving the database plugins to gRPC in order to pass context * Add context to builtin database plugins * use byte slice instead of string * Context all the things * Move proto messages to the dbplugin package * Add a grpc mechanism for running backend plugins * Serve the GRPC plugin * Add backwards compatibility to the database plugins * Remove backend plugin changes * Remove backend plugin changes * Cleanup the transport implementations * If grpc connection is in an unexpected state restart the plugin * Fix tests * Fix tests * Remove context from the request object, replace it with context.TODO * Add a test to verify netRPC plugins still work * Remove unused mapstructure call * Code review fixes * Code review fixes * Code review fixes 2017-12-14 22:03:11 +00:00			`"context"`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`"fmt"`
Update the interface for plugins removing functions for creating creds 2017-04-10 19:24:16 +00:00			`"time"`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`"github.com/hashicorp/vault/builtin/logical/database/dbplugin"`
Add allowed_roles parameter and checks 2017-04-13 17:33:34 +00:00			`"github.com/hashicorp/vault/helper/strutil"`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`func pathCredsCreate(b databaseBackend) framework.Path {`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`return &framework.Path{`
			`Pattern: "creds/" + framework.GenericNameRegex("name"),`
			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the role.",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`logical.ReadOperation: b.pathCredsCreateRead(),`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`},`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`HelpSynopsis: pathCredsCreateReadHelpSyn,`
			`HelpDescription: pathCredsCreateReadHelpDesc,`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`}`
			`}`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			`func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`return func(ctx context.Context, req logical.Request, data framework.FieldData) (*logical.Response, error) {`
Update help text and comments 2017-04-11 18:50:34 +00:00			`name := data.Get("name").(string)`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Update help text and comments 2017-04-11 18:50:34 +00:00			`// Get the role`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`role, err := b.Role(ctx, req.Storage, name)`
Update help text and comments 2017-04-11 18:50:34 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if role == nil {`
Don't uppercase ErrorResponses 2017-04-24 21:03:48 +00:00			`return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", name)), nil`
Update help text and comments 2017-04-11 18:50:34 +00:00			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`dbConfig, err := b.DatabaseConfig(ctx, req.Storage, role.DBName)`
Add allowed_roles parameter and checks 2017-04-13 17:33:34 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`// If role name isn't in the database's allowed roles, send back a`
			`// permission denied.`
Add the ability to glob allowed roles in the Database Backend (#3387) * Add the ability to glob allowed roles in the Database Backend * Make the error messages better * Switch to the go-glob repo 2017-10-30 20:24:25 +00:00			`if !strutil.StrListContains(dbConfig.AllowedRoles, "*") && !strutil.StrListContainsGlob(dbConfig.AllowedRoles, name) {`
Return a more helpful error message for unknown db roles (#6157) * return a more helpful err msg * update test, print fmt * fix other test failure 2019-02-07 19:16:23 +00:00			`return nil, fmt.Errorf("%q is not an allowed role", name)`
Add allowed_roles parameter and checks 2017-04-13 17:33:34 +00:00			`}`

Update help text and comments 2017-04-11 18:50:34 +00:00			`// Get the Database object`
Database Root Credential Rotation (#3976) * redoing connection handling * a little more cleanup * empty implementation of rotation * updating rotate signature * signature update * updating interfaces again :( * changing back to interface * adding templated url support and rotation for postgres * adding correct username * return updates * updating statements to be a list * adding error sanitizing middleware * fixing log sanitizier * adding postgres rotate test * removing conf from rotate * adding rotate command * adding mysql rotate * finishing up the endpoint in the db backend for rotate * no more structs, just store raw config * fixing tests * adding db instance lock * adding support for statement list in cassandra * wip redoing interface to support BC * adding falllback for Initialize implementation * adding backwards compat for statements * fix tests * fix more tests * fixing up tests, switching to new fields in statements * fixing more tests * adding mssql and mysql * wrapping all the things in middleware, implementing templating for mongodb * wrapping all db servers with error santizer * fixing test * store the name with the db instance * adding rotate to cassandra * adding compatibility translation to both server and plugin * reordering a few things * store the name with the db instance * reordering * adding a few more tests * switch secret values from slice to map * addressing some feedback * reinstate execute plugin after resetting connection * set database connection to closed * switching secret values func to map[string]interface for potential future uses * addressing feedback 2018-03-21 19:05:56 +00:00			`db, err := b.GetConnection(ctx, req.Storage, role.DBName)`
			`if err != nil {`
			`return nil, err`
Update help text and comments 2017-04-11 18:50:34 +00:00			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Database Root Credential Rotation (#3976) * redoing connection handling * a little more cleanup * empty implementation of rotation * updating rotate signature * signature update * updating interfaces again :( * changing back to interface * adding templated url support and rotation for postgres * adding correct username * return updates * updating statements to be a list * adding error sanitizing middleware * fixing log sanitizier * adding postgres rotate test * removing conf from rotate * adding rotate command * adding mysql rotate * finishing up the endpoint in the db backend for rotate * no more structs, just store raw config * fixing tests * adding db instance lock * adding support for statement list in cassandra * wip redoing interface to support BC * adding falllback for Initialize implementation * adding backwards compat for statements * fix tests * fix more tests * fixing up tests, switching to new fields in statements * fixing more tests * adding mssql and mysql * wrapping all the things in middleware, implementing templating for mongodb * wrapping all db servers with error santizer * fixing test * store the name with the db instance * adding rotate to cassandra * adding compatibility translation to both server and plugin * reordering a few things * store the name with the db instance * reordering * adding a few more tests * switch secret values from slice to map * addressing some feedback * reinstate execute plugin after resetting connection * set database connection to closed * switching secret values func to map[string]interface for potential future uses * addressing feedback 2018-03-21 19:05:56 +00:00			`db.RLock()`
			`defer db.RUnlock()`

Fix a few missing TTL core changes (#4265) * Fix missing ttl handling in backends * fix test 2018-04-04 10:43:21 +00:00			`ttl, _, err := framework.CalculateTTL(b.System(), 0, role.DefaultTTL, 0, role.MaxTTL, 0, time.Time{})`
			`if err != nil {`
			`return nil, err`
Fix max_ttl not being honored in database backend when default_ttl is zero (#3814) Fixes #3812 2018-01-18 06:43:38 +00:00			`}`
			`expiration := time.Now().Add(ttl)`
Fix a few missing TTL core changes (#4265) * Fix missing ttl handling in backends * fix test 2018-04-04 10:43:21 +00:00			`// Adding a small buffer since the TTL will be calculated again after this call`
			`// to ensure the database credential does not expire before the lease`
			`expiration = expiration.Add(5 * time.Second)`
More work on refactor and cassandra database 2016-12-20 19:46:20 +00:00
Use the role name in the db username (#2812) 2017-06-06 13:49:49 +00:00			`usernameConfig := dbplugin.UsernameConfig{`
			`DisplayName: req.DisplayName,`
			`RoleName: name,`
			`}`

Update help text and comments 2017-04-11 18:50:34 +00:00			`// Create the user`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`username, password, err := db.CreateUser(ctx, role.Statements, usernameConfig, expiration)`
Update help text and comments 2017-04-11 18:50:34 +00:00			`if err != nil {`
Database Root Credential Rotation (#3976) * redoing connection handling * a little more cleanup * empty implementation of rotation * updating rotate signature * signature update * updating interfaces again :( * changing back to interface * adding templated url support and rotation for postgres * adding correct username * return updates * updating statements to be a list * adding error sanitizing middleware * fixing log sanitizier * adding postgres rotate test * removing conf from rotate * adding rotate command * adding mysql rotate * finishing up the endpoint in the db backend for rotate * no more structs, just store raw config * fixing tests * adding db instance lock * adding support for statement list in cassandra * wip redoing interface to support BC * adding falllback for Initialize implementation * adding backwards compat for statements * fix tests * fix more tests * fixing up tests, switching to new fields in statements * fixing more tests * adding mssql and mysql * wrapping all the things in middleware, implementing templating for mongodb * wrapping all db servers with error santizer * fixing test * store the name with the db instance * adding rotate to cassandra * adding compatibility translation to both server and plugin * reordering a few things * store the name with the db instance * reordering * adding a few more tests * switch secret values from slice to map * addressing some feedback * reinstate execute plugin after resetting connection * set database connection to closed * switching secret values func to map[string]interface for potential future uses * addressing feedback 2018-03-21 19:05:56 +00:00			`b.CloseIfShutdown(db, err)`
Update help text and comments 2017-04-11 18:50:34 +00:00			`return nil, err`
			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00
Update help text and comments 2017-04-11 18:50:34 +00:00			`resp := b.Secret(SecretCredsType).Response(map[string]interface{}{`
			`"username": username,`
			`"password": password,`
			`}, map[string]interface{}{`
Database updates (#4787) * Database updates * Add create/update distinction for connection config * Add create/update distinction for role config * Add db name and revocation statements to leases to give revocation a shot at working if the role has been deleted Fixes #3544 Fixes #4782 * Add create/update info to docs 2018-06-19 15:24:28 +00:00			`"username": username,`
			`"role": name,`
			`"db_name": role.DBName,`
			`"revocation_statements": role.Statements.Revocation,`
Update help text and comments 2017-04-11 18:50:34 +00:00			`})`
Fix a few missing TTL core changes (#4265) * Fix missing ttl handling in backends * fix test 2018-04-04 10:43:21 +00:00			`resp.Secret.TTL = role.DefaultTTL`
			`resp.Secret.MaxTTL = role.MaxTTL`
Update help text and comments 2017-04-11 18:50:34 +00:00			`return resp, nil`
			`}`
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`}`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			const pathCredsCreateReadHelpSyn = `
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`Request database credentials for a certain role.`
			`

Rename path_role_create to path_creds_create 2017-04-25 17:39:17 +00:00			const pathCredsCreateReadHelpDesc = `
Begin work on database refactor 2016-12-19 18:15:58 +00:00			`This path reads database credentials for a certain role. The`
			`database credentials will be generated on demand and will be automatically`
			`revoked when the lease is up.`
			`