open-vault/builtin/logical/aws/path_config_root.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package aws

import (
	"context"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

// A single default template that supports both the different credential types (IAM/STS) that are capped at differing length limits (64 chars/32 chars respectively)
const defaultUserNameTemplate = `{{ if (eq .Type "STS") }}{{ printf "vault-%s-%s"  (unix_time) (random 20) | truncate 32 }}{{ else }}{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}{{ end }}`

func pathConfigRoot(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "config/root",

		DisplayAttrs: &framework.DisplayAttributes{
			OperationPrefix: operationPrefixAWS,
		},

		Fields: map[string]*framework.FieldSchema{
			"access_key": {
				Type:        framework.TypeString,
				Description: "Access key with permission to create new keys.",
			},

			"secret_key": {
				Type:        framework.TypeString,
				Description: "Secret key with permission to create new keys.",
			},

			"region": {
				Type:        framework.TypeString,
				Description: "Region for API calls.",
			},
			"iam_endpoint": {
				Type:        framework.TypeString,
				Description: "Endpoint to custom IAM server URL",
			},
			"sts_endpoint": {
				Type:        framework.TypeString,
				Description: "Endpoint to custom STS server URL",
			},
			"max_retries": {
				Type:        framework.TypeInt,
				Default:     aws.UseServiceDefaultRetries,
				Description: "Maximum number of retries for recoverable exceptions of AWS APIs",
			},
			"username_template": {
				Type:        framework.TypeString,
				Description: "Template to generate custom IAM usernames",
			},
		},

		Operations: map[logical.Operation]framework.OperationHandler{
			logical.ReadOperation: &framework.PathOperation{
				Callback: b.pathConfigRootRead,
				DisplayAttrs: &framework.DisplayAttributes{
					OperationSuffix: "root-iam-credentials-configuration",
				},
			},
			logical.UpdateOperation: &framework.PathOperation{
				Callback: b.pathConfigRootWrite,
				DisplayAttrs: &framework.DisplayAttributes{
					OperationVerb:   "configure",
					OperationSuffix: "root-iam-credentials",
				},
			},
		},

		HelpSynopsis:    pathConfigRootHelpSyn,
		HelpDescription: pathConfigRootHelpDesc,
	}
}

func (b *backend) pathConfigRootRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	b.clientMutex.RLock()
	defer b.clientMutex.RUnlock()

	entry, err := req.Storage.Get(ctx, "config/root")
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var config rootConfig

	if err := entry.DecodeJSON(&config); err != nil {
		return nil, err
	}

	configData := map[string]interface{}{
		"access_key":        config.AccessKey,
		"region":            config.Region,
		"iam_endpoint":      config.IAMEndpoint,
		"sts_endpoint":      config.STSEndpoint,
		"max_retries":       config.MaxRetries,
		"username_template": config.UsernameTemplate,
	}
	return &logical.Response{
		Data: configData,
	}, nil
}

func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	region := data.Get("region").(string)
	iamendpoint := data.Get("iam_endpoint").(string)
	stsendpoint := data.Get("sts_endpoint").(string)
	maxretries := data.Get("max_retries").(int)
	usernameTemplate := data.Get("username_template").(string)
	if usernameTemplate == "" {
		usernameTemplate = defaultUserNameTemplate
	}

	b.clientMutex.Lock()
	defer b.clientMutex.Unlock()

	entry, err := logical.StorageEntryJSON("config/root", rootConfig{
		AccessKey:        data.Get("access_key").(string),
		SecretKey:        data.Get("secret_key").(string),
		IAMEndpoint:      iamendpoint,
		STSEndpoint:      stsendpoint,
		Region:           region,
		MaxRetries:       maxretries,
		UsernameTemplate: usernameTemplate,
	})
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	// clear possible cached IAM / STS clients after successfully updating
	// config/root
	b.iamClient = nil
	b.stsClient = nil

	return nil, nil
}

type rootConfig struct {
	AccessKey        string `json:"access_key"`
	SecretKey        string `json:"secret_key"`
	IAMEndpoint      string `json:"iam_endpoint"`
	STSEndpoint      string `json:"sts_endpoint"`
	Region           string `json:"region"`
	MaxRetries       int    `json:"max_retries"`
	UsernameTemplate string `json:"username_template"`
}

const pathConfigRootHelpSyn = `
Configure the root credentials that are used to manage IAM.
`

const pathConfigRootHelpDesc = `
Before doing anything, the AWS backend needs credentials that are able
to manage IAM policies, users, access keys, etc. This endpoint is used
to configure those credentials. They don't necessarily need to be root
keys as long as they have permission to manage IAM.
`
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

logical/aws 2015-03-20 16:59:48 +00:00			`package aws`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`

Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`"github.com/aws/aws-sdk-go/aws"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
logical/aws 2015-03-20 16:59:48 +00:00			`)`

Update genUsername to cap STS usernames at 32 chars (#12185) * update genUsername to cap STS usernames at 64 chars * add changelog * refactor tests into t.Run block * patch: remove warningExpected bool and include expected string * patch: revert sts to cap at 32 chars and add assume_role case in genUsername * update changelog * update genUsername to return error if username generated exceeds length limits * update changelog * add conditional default username template to provide custom STS usernames * update changelog * include test for failing STS length case * update comments for more clarity 2021-08-09 16:40:47 +00:00			`// A single default template that supports both the different credential types (IAM/STS) that are capped at differing length limits (64 chars/32 chars respectively)`
			const defaultUserNameTemplate = `{{ if (eq .Type "STS") }}{{ printf "vault-%s-%s" (unix_time) (random 20) \| truncate 32 }}{{ else }}{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) \| truncate 42) (unix_time) (random 20) \| truncate 64 }}{{ end }}`
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066) * add ability to customize IAM usernames based on templates * add changelog * remove unnecessary logs * patch: add test for readConfig * patch: add default STS Template * patch: remove unnecessary if cases * patch: add regex checks in username test * patch: update genUsername to return an error instead of warnings * patch: separate tests for default and custom templates * patch: return truncate warning from genUsername and trigger a 400 response on errors * patch: truncate midString to 42 chars in default template * docs: add new username_template field to aws docs 2021-07-20 16:48:29 +00:00
Translate AWS Rate limiting errors to 502 errors (#5270) * Initial implemntation of returning 529 for rate limits - bump aws iam and sts packages to v1.14.31 to get mocking interface - promote the iam and sts clients to the aws backend struct, for mocking in tests - this also promotes some functions to methods on the Backend struct, so that we can use the injected client Generating creds requires reading config/root for credentials to contact IAM. Here we make pathConfigRoot a method on aws/backend so we can clear the clients on successful update of config/root path. Adds a mutex to safely clear the clients * refactor locking and unlocking into methods on backend refactor/simply the locking * check client after grabbing lock 2018-09-18 20:26:06 +00:00			`func pathConfigRoot(b backend) framework.Path {`
logical/aws 2015-03-20 16:59:48 +00:00			`return &framework.Path{`
logical/aws: move root creds config to config/root 2015-04-19 05:21:31 +00:00			`Pattern: "config/root",`
openapi: Add display attributes for AWS (#19366) 2023-04-06 15:08:30 +00:00
			`DisplayAttrs: &framework.DisplayAttributes{`
			`OperationPrefix: operationPrefixAWS,`
			`},`

logical/aws 2015-03-20 16:59:48 +00:00			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"access_key": {`
logical/aws 2015-03-20 16:59:48 +00:00			`Type: framework.TypeString,`
			`Description: "Access key with permission to create new keys.",`
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"secret_key": {`
logical/aws 2015-03-20 16:59:48 +00:00			`Type: framework.TypeString,`
			`Description: "Secret key with permission to create new keys.",`
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"region": {`
logical/aws 2015-03-20 16:59:48 +00:00			`Type: framework.TypeString,`
			`Description: "Region for API calls.",`
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"iam_endpoint": {`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`Type: framework.TypeString,`
			`Description: "Endpoint to custom IAM server URL",`
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"sts_endpoint": {`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`Type: framework.TypeString,`
			`Description: "Endpoint to custom STS server URL",`
			`},`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"max_retries": {`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`Type: framework.TypeInt,`
			`Default: aws.UseServiceDefaultRetries,`
			`Description: "Maximum number of retries for recoverable exceptions of AWS APIs",`
			`},`
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066) * add ability to customize IAM usernames based on templates * add changelog * remove unnecessary logs * patch: add test for readConfig * patch: add default STS Template * patch: remove unnecessary if cases * patch: add regex checks in username test * patch: update genUsername to return an error instead of warnings * patch: separate tests for default and custom templates * patch: return truncate warning from genUsername and trigger a 400 response on errors * patch: truncate midString to 42 chars in default template * docs: add new username_template field to aws docs 2021-07-20 16:48:29 +00:00			`"username_template": {`
			`Type: framework.TypeString,`
			`Description: "Template to generate custom IAM usernames",`
			`},`
logical/aws 2015-03-20 16:59:48 +00:00			`},`

openapi: Add display attributes for AWS (#19366) 2023-04-06 15:08:30 +00:00			`Operations: map[logical.Operation]framework.OperationHandler{`
			`logical.ReadOperation: &framework.PathOperation{`
			`Callback: b.pathConfigRootRead,`
			`DisplayAttrs: &framework.DisplayAttributes{`
			`OperationSuffix: "root-iam-credentials-configuration",`
			`},`
			`},`
			`logical.UpdateOperation: &framework.PathOperation{`
			`Callback: b.pathConfigRootWrite,`
			`DisplayAttrs: &framework.DisplayAttributes{`
			`OperationVerb: "configure",`
			`OperationSuffix: "root-iam-credentials",`
			`},`
			`},`
logical/aws 2015-03-20 16:59:48 +00:00			`},`
logical/aws: help 2015-04-04 04:10:54 +00:00
logical/aws: fix build 2015-04-19 05:22:35 +00:00			`HelpSynopsis: pathConfigRootHelpSyn,`
			`HelpDescription: pathConfigRootHelpDesc,`
logical/aws 2015-03-20 16:59:48 +00:00			`}`
			`}`

Add reading AWS root/config endpoint (#7245) 2019-09-13 17:07:04 +00:00			`func (b backend) pathConfigRootRead(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
			`b.clientMutex.RLock()`
			`defer b.clientMutex.RUnlock()`

			`entry, err := req.Storage.Get(ctx, "config/root")`
			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

			`var config rootConfig`

			`if err := entry.DecodeJSON(&config); err != nil {`
			`return nil, err`
			`}`

			`configData := map[string]interface{}{`
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066) * add ability to customize IAM usernames based on templates * add changelog * remove unnecessary logs * patch: add test for readConfig * patch: add default STS Template * patch: remove unnecessary if cases * patch: add regex checks in username test * patch: update genUsername to return an error instead of warnings * patch: separate tests for default and custom templates * patch: return truncate warning from genUsername and trigger a 400 response on errors * patch: truncate midString to 42 chars in default template * docs: add new username_template field to aws docs 2021-07-20 16:48:29 +00:00			`"access_key": config.AccessKey,`
			`"region": config.Region,`
			`"iam_endpoint": config.IAMEndpoint,`
			`"sts_endpoint": config.STSEndpoint,`
			`"max_retries": config.MaxRetries,`
			`"username_template": config.UsernameTemplate,`
Add reading AWS root/config endpoint (#7245) 2019-09-13 17:07:04 +00:00			`}`
			`return &logical.Response{`
			`Data: configData,`
			`}, nil`
			`}`

Translate AWS Rate limiting errors to 502 errors (#5270) * Initial implemntation of returning 529 for rate limits - bump aws iam and sts packages to v1.14.31 to get mocking interface - promote the iam and sts clients to the aws backend struct, for mocking in tests - this also promotes some functions to methods on the Backend struct, so that we can use the injected client Generating creds requires reading config/root for credentials to contact IAM. Here we make pathConfigRoot a method on aws/backend so we can clear the clients on successful update of config/root path. Adds a mutex to safely clear the clients * refactor locking and unlocking into methods on backend refactor/simply the locking * check client after grabbing lock 2018-09-18 20:26:06 +00:00			`func (b backend) pathConfigRootWrite(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
logical/aws: move root creds config to config/root 2015-04-19 05:21:31 +00:00			`region := data.Get("region").(string)`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`iamendpoint := data.Get("iam_endpoint").(string)`
			`stsendpoint := data.Get("sts_endpoint").(string)`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`maxretries := data.Get("max_retries").(int)`
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066) * add ability to customize IAM usernames based on templates * add changelog * remove unnecessary logs * patch: add test for readConfig * patch: add default STS Template * patch: remove unnecessary if cases * patch: add regex checks in username test * patch: update genUsername to return an error instead of warnings * patch: separate tests for default and custom templates * patch: return truncate warning from genUsername and trigger a 400 response on errors * patch: truncate midString to 42 chars in default template * docs: add new username_template field to aws docs 2021-07-20 16:48:29 +00:00			`usernameTemplate := data.Get("username_template").(string)`
			`if usernameTemplate == "" {`
			`usernameTemplate = defaultUserNameTemplate`
			`}`
logical/aws: move root creds config to config/root 2015-04-19 05:21:31 +00:00
Add AWS Secret Engine Root Credential Rotation (#5140) * Add AWS Secret Engine Root Credential Rotation This allows the AWS Secret Engine to rotate its credentials used to access AWS. This will only work when the AWS Secret Engine has been provided explicit IAM credentials via the config/root endpoint, and further, when the IAM credentials provided are the only access key on the IAM user associated wtih the access key (because AWS allows a maximum of 2 access keys per user). Fixes #4385 * Add test for AWS root credential rotation Also fix a typo in the root credential rotation code * Add docs for AWS root rotation * Add locks around reading and writing config/root And wire the backend up in a bunch of places so the config can get the lock * Respond to PR feedback * Fix casing in error messages * Fix merge errors * Fix locking bugs 2018-09-26 14:10:00 +00:00			`b.clientMutex.Lock()`
			`defer b.clientMutex.Unlock()`

logical/aws: move root creds config to config/root 2015-04-19 05:21:31 +00:00			`entry, err := logical.StorageEntryJSON("config/root", rootConfig{`
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066) * add ability to customize IAM usernames based on templates * add changelog * remove unnecessary logs * patch: add test for readConfig * patch: add default STS Template * patch: remove unnecessary if cases * patch: add regex checks in username test * patch: update genUsername to return an error instead of warnings * patch: separate tests for default and custom templates * patch: return truncate warning from genUsername and trigger a 400 response on errors * patch: truncate midString to 42 chars in default template * docs: add new username_template field to aws docs 2021-07-20 16:48:29 +00:00			`AccessKey: data.Get("access_key").(string),`
			`SecretKey: data.Get("secret_key").(string),`
			`IAMEndpoint: iamendpoint,`
			`STSEndpoint: stsendpoint,`
			`Region: region,`
			`MaxRetries: maxretries,`
			`UsernameTemplate: usernameTemplate,`
logical/aws 2015-03-20 16:59:48 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
logical/aws 2015-03-20 16:59:48 +00:00			`return nil, err`
			`}`

Translate AWS Rate limiting errors to 502 errors (#5270) * Initial implemntation of returning 529 for rate limits - bump aws iam and sts packages to v1.14.31 to get mocking interface - promote the iam and sts clients to the aws backend struct, for mocking in tests - this also promotes some functions to methods on the Backend struct, so that we can use the injected client Generating creds requires reading config/root for credentials to contact IAM. Here we make pathConfigRoot a method on aws/backend so we can clear the clients on successful update of config/root path. Adds a mutex to safely clear the clients * refactor locking and unlocking into methods on backend refactor/simply the locking * check client after grabbing lock 2018-09-18 20:26:06 +00:00			`// clear possible cached IAM / STS clients after successfully updating`
			`// config/root`
			`b.iamClient = nil`
			`b.stsClient = nil`

logical/aws 2015-03-20 16:59:48 +00:00			`return nil, nil`
			`}`

			`type rootConfig struct {`
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066) * add ability to customize IAM usernames based on templates * add changelog * remove unnecessary logs * patch: add test for readConfig * patch: add default STS Template * patch: remove unnecessary if cases * patch: add regex checks in username test * patch: update genUsername to return an error instead of warnings * patch: separate tests for default and custom templates * patch: return truncate warning from genUsername and trigger a 400 response on errors * patch: truncate midString to 42 chars in default template * docs: add new username_template field to aws docs 2021-07-20 16:48:29 +00:00			AccessKey string `json:"access_key"`
			SecretKey string `json:"secret_key"`
			IAMEndpoint string `json:"iam_endpoint"`
			STSEndpoint string `json:"sts_endpoint"`
			Region string `json:"region"`
			MaxRetries int `json:"max_retries"`
			UsernameTemplate string `json:"username_template"`
logical/aws 2015-03-20 16:59:48 +00:00			`}`
logical/aws: help 2015-04-04 04:10:54 +00:00
logical/aws: fix build 2015-04-19 05:22:35 +00:00			const pathConfigRootHelpSyn = `
logical/aws: help 2015-04-04 04:10:54 +00:00			`Configure the root credentials that are used to manage IAM.`
			`

logical/aws: fix build 2015-04-19 05:22:35 +00:00			const pathConfigRootHelpDesc = `
logical/aws: help 2015-04-04 04:10:54 +00:00			`Before doing anything, the AWS backend needs credentials that are able`
			`to manage IAM policies, users, access keys, etc. This endpoint is used`
Spelling (#4119) 2018-03-20 18:54:10 +00:00			`to configure those credentials. They don't necessarily need to be root`
logical/aws: help 2015-04-04 04:10:54 +00:00			`keys as long as they have permission to manage IAM.`
			`