open-vault/api/secret.go

package api

import (
	"encoding/json"
	"io"
	"strconv"
	"time"

	"github.com/hashicorp/vault/helper/jsonutil"
)

// Secret is the structure returned for every secret within Vault.
type Secret struct {
	// The request ID that generated this response
	RequestID string `json:"request_id"`

	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`

	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data map[string]interface{} `json:"data"`

	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`

	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`

	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

// TokenID returns the standardized token ID (token) for the given secret.
func (s *Secret) TokenID() string {
	if s == nil {
		return ""
	}

	if s.Auth != nil && len(s.Auth.ClientToken) > 0 {
		return s.Auth.ClientToken
	}

	if s.Data == nil || s.Data["id"] == nil {
		return ""
	}

	id, ok := s.Data["id"].(string)
	if !ok {
		return ""
	}

	return id
}

// TokenAccessor returns the standardized token accessor for the given secret.
// If the secret is nil or does not contain an accessor, this returns the empty
// string.
func (s *Secret) TokenAccessor() string {
	if s == nil {
		return ""
	}

	if s.Auth != nil && len(s.Auth.Accessor) > 0 {
		return s.Auth.Accessor
	}

	if s.Data == nil || s.Data["accessor"] == nil {
		return ""
	}

	accessor, ok := s.Data["accessor"].(string)
	if !ok {
		return ""
	}

	return accessor
}

// TokenMeta returns the standardized token metadata for the given secret.
// If the secret is nil or does not contain an accessor, this returns the empty
// string. Metadata is usually modeled as an map[string]interface{}, but token
// metdata is always a map[string]string. This function handles the coercion.
func (s *Secret) TokenMeta() map[string]string {
	if s == nil {
		return nil
	}

	if s.Auth != nil && len(s.Auth.Metadata) > 0 {
		return s.Auth.Metadata
	}

	if s.Data == nil || s.Data["meta"] == nil {
		return nil
	}

	metaRaw, ok := s.Data["meta"].(map[string]interface{})
	if !ok {
		return nil
	}

	meta := make(map[string]string, len(metaRaw))
	for k, v := range metaRaw {
		m, ok := v.(string)
		if !ok {
			return nil
		}
		meta[k] = m
	}

	return meta
}

// TokenRemainingUses returns the standardized remaining uses for the given
// secret. If the secret is nil or does not contain the "num_uses", this returns
// 0..
func (s *Secret) TokenRemainingUses() int {
	if s == nil || s.Data == nil || s.Data["num_uses"] == nil {
		return 0
	}

	usesStr, ok := s.Data["num_uses"].(json.Number)
	if !ok {
		return 0
	}

	if string(usesStr) == "" {
		return 0
	}

	uses, err := strconv.ParseInt(string(usesStr), 10, 64)
	if err != nil {
		return 0
	}

	return int(uses)
}

// TokenPolicies returns the standardized list of policies for the given secret.
// If the secret is nil or does not contain any policies, this returns nil.
// Policies are usually returned as []interface{}, but this function ensures
// they are []string.
func (s *Secret) TokenPolicies() []string {
	if s == nil {
		return nil
	}

	if s.Auth != nil && len(s.Auth.Policies) > 0 {
		return s.Auth.Policies
	}

	if s.Data == nil || s.Data["policies"] == nil {
		return nil
	}

	list, ok := s.Data["policies"].([]interface{})
	if !ok {
		return nil
	}

	policies := make([]string, len(list))
	for i := range list {
		p, ok := list[i].(string)
		if !ok {
			return nil
		}
		policies[i] = p
	}

	return policies
}

// TokenIsRenewable returns the standardized token renewability for the given
// secret. If the secret is nil or does not contain the "renewable" key, this
// returns false.
func (s *Secret) TokenIsRenewable() bool {
	if s == nil {
		return false
	}

	if s.Auth != nil && s.Auth.Renewable {
		return s.Auth.Renewable
	}

	if s.Data == nil || s.Data["renewable"] == nil {
		return false
	}

	renewable, ok := s.Data["renewable"].(bool)
	if !ok {
		return false
	}

	return renewable
}

// TokenTTL returns the standardized remaining token TTL for the given secret.
// If the secret is nil or does not contain a TTL, this returns the 0.
func (s *Secret) TokenTTL() time.Duration {
	if s == nil {
		return 0
	}

	if s.Auth != nil && s.Auth.LeaseDuration > 0 {
		return time.Duration(s.Auth.LeaseDuration) * time.Second
	}

	if s.Data == nil || s.Data["ttl"] == nil {
		return 0
	}

	ttlStr, ok := s.Data["ttl"].(json.Number)
	if !ok {
		return 0
	}

	if string(ttlStr) == "" {
		return 0
	}

	ttl, err := time.ParseDuration(string(ttlStr) + "s")
	if err != nil {
		return 0
	}

	return ttl
}

// SecretWrapInfo contains wrapping information if we have it. If what is
// contained is an authentication token, the accessor for the token will be
// available in WrappedAccessor.
type SecretWrapInfo struct {
	Token           string    `json:"token"`
	TTL             int       `json:"ttl"`
	CreationTime    time.Time `json:"creation_time"`
	CreationPath    string    `json:"creation_path"`
	WrappedAccessor string    `json:"wrapped_accessor"`
}

// SecretAuth is the structure containing auth information if we have it.
type SecretAuth struct {
	ClientToken string            `json:"client_token"`
	Accessor    string            `json:"accessor"`
	Policies    []string          `json:"policies"`
	Metadata    map[string]string `json:"metadata"`

	LeaseDuration int  `json:"lease_duration"`
	Renewable     bool `json:"renewable"`
}

// ParseSecret is used to parse a secret value from JSON from an io.Reader.
func ParseSecret(r io.Reader) (*Secret, error) {
	// First decode the JSON into a map[string]interface{}
	var secret Secret
	if err := jsonutil.DecodeJSONFromReader(r, &secret); err != nil {
		return nil, err
	}

	return &secret, nil
}
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`package api`

			`import (`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`"encoding/json"`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`"io"`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`"strconv"`
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 20:01:09 +00:00			`"time"`
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests. 2016-07-06 16:25:40 +00:00
			`"github.com/hashicorp/vault/helper/jsonutil"`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`)`

			`// Secret is the structure returned for every secret within Vault.`
			`type Secret struct {`
Plumb request UUID through the API 2016-07-27 13:25:04 +00:00			`// The request ID that generated this response`
			RequestID string `json:"request_id"`

api: update docs 2015-04-14 00:40:05 +00:00			LeaseID string `json:"lease_id"`
			LeaseDuration int `json:"lease_duration"`
			Renewable bool `json:"renewable"`

			`// Data is the actual contents of the secret. The format of the data`
			`// is arbitrary and up to the secret backend.`
			Data map[string]interface{} `json:"data"`

Add the ability for warnings to be added to responses. These are marshalled into JSON or displayed from the CLI depending on the output mode. This allows conferring information such as "no such policy exists" when creating a token -- not an error, but something the user should be aware of. Fixes #676 2015-10-07 19:30:54 +00:00			`// Warnings contains any warnings related to the operation. These`
			`// are not issues that caused the command to fail, but that the`
			`// client should be aware of.`
			Warnings []string `json:"warnings"`

api: update docs 2015-04-14 00:40:05 +00:00			`// Auth, if non-nil, means that there was authentication information`
			`// attached to this response.`
			Auth *SecretAuth `json:"auth,omitempty"`
Add wrap support to API/CLI 2016-05-02 05:58:58 +00:00
			`// WrapInfo, if non-nil, means that the initial response was wrapped in the`
			`// cubbyhole of the given token (which has a TTL of the given number of`
			`// seconds)`
			WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
			`}`

Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`// TokenID returns the standardized token ID (token) for the given secret.`
			`func (s *Secret) TokenID() string {`
			`if s == nil {`
			`return ""`
			`}`

			`if s.Auth != nil && len(s.Auth.ClientToken) > 0 {`
			`return s.Auth.ClientToken`
			`}`

			`if s.Data == nil \|\| s.Data["id"] == nil {`
			`return ""`
			`}`

			`id, ok := s.Data["id"].(string)`
			`if !ok {`
			`return ""`
			`}`

			`return id`
			`}`

			`// TokenAccessor returns the standardized token accessor for the given secret.`
			`// If the secret is nil or does not contain an accessor, this returns the empty`
			`// string.`
			`func (s *Secret) TokenAccessor() string {`
			`if s == nil {`
			`return ""`
			`}`

			`if s.Auth != nil && len(s.Auth.Accessor) > 0 {`
			`return s.Auth.Accessor`
			`}`

			`if s.Data == nil \|\| s.Data["accessor"] == nil {`
			`return ""`
			`}`

			`accessor, ok := s.Data["accessor"].(string)`
			`if !ok {`
			`return ""`
			`}`

			`return accessor`
			`}`

			`// TokenMeta returns the standardized token metadata for the given secret.`
			`// If the secret is nil or does not contain an accessor, this returns the empty`
			`// string. Metadata is usually modeled as an map[string]interface{}, but token`
			`// metdata is always a map[string]string. This function handles the coercion.`
			`func (s *Secret) TokenMeta() map[string]string {`
			`if s == nil {`
			`return nil`
			`}`

			`if s.Auth != nil && len(s.Auth.Metadata) > 0 {`
			`return s.Auth.Metadata`
			`}`

			`if s.Data == nil \|\| s.Data["meta"] == nil {`
			`return nil`
			`}`

			`metaRaw, ok := s.Data["meta"].(map[string]interface{})`
			`if !ok {`
			`return nil`
			`}`

			`meta := make(map[string]string, len(metaRaw))`
			`for k, v := range metaRaw {`
			`m, ok := v.(string)`
			`if !ok {`
			`return nil`
			`}`
			`meta[k] = m`
			`}`

			`return meta`
			`}`

			`// TokenRemainingUses returns the standardized remaining uses for the given`
			`// secret. If the secret is nil or does not contain the "num_uses", this returns`
			`// 0..`
			`func (s *Secret) TokenRemainingUses() int {`
			`if s == nil \|\| s.Data == nil \|\| s.Data["num_uses"] == nil {`
			`return 0`
			`}`

			`usesStr, ok := s.Data["num_uses"].(json.Number)`
			`if !ok {`
			`return 0`
			`}`

			`if string(usesStr) == "" {`
			`return 0`
			`}`

			`uses, err := strconv.ParseInt(string(usesStr), 10, 64)`
			`if err != nil {`
			`return 0`
			`}`

			`return int(uses)`
			`}`

			`// TokenPolicies returns the standardized list of policies for the given secret.`
			`// If the secret is nil or does not contain any policies, this returns nil.`
			`// Policies are usually returned as []interface{}, but this function ensures`
			`// they are []string.`
			`func (s *Secret) TokenPolicies() []string {`
			`if s == nil {`
			`return nil`
			`}`

			`if s.Auth != nil && len(s.Auth.Policies) > 0 {`
			`return s.Auth.Policies`
			`}`

			`if s.Data == nil \|\| s.Data["policies"] == nil {`
			`return nil`
			`}`

			`list, ok := s.Data["policies"].([]interface{})`
			`if !ok {`
			`return nil`
			`}`

			`policies := make([]string, len(list))`
			`for i := range list {`
			`p, ok := list[i].(string)`
			`if !ok {`
			`return nil`
			`}`
			`policies[i] = p`
			`}`

			`return policies`
			`}`

			`// TokenIsRenewable returns the standardized token renewability for the given`
			`// secret. If the secret is nil or does not contain the "renewable" key, this`
			`// returns false.`
			`func (s *Secret) TokenIsRenewable() bool {`
			`if s == nil {`
			`return false`
			`}`

			`if s.Auth != nil && s.Auth.Renewable {`
			`return s.Auth.Renewable`
			`}`

			`if s.Data == nil \|\| s.Data["renewable"] == nil {`
			`return false`
			`}`

			`renewable, ok := s.Data["renewable"].(bool)`
			`if !ok {`
			`return false`
			`}`

			`return renewable`
			`}`

			`// TokenTTL returns the standardized remaining token TTL for the given secret.`
			`// If the secret is nil or does not contain a TTL, this returns the 0.`
			`func (s *Secret) TokenTTL() time.Duration {`
			`if s == nil {`
			`return 0`
			`}`

			`if s.Auth != nil && s.Auth.LeaseDuration > 0 {`
			`return time.Duration(s.Auth.LeaseDuration) * time.Second`
			`}`

			`if s.Data == nil \|\| s.Data["ttl"] == nil {`
			`return 0`
			`}`

			`ttlStr, ok := s.Data["ttl"].(json.Number)`
			`if !ok {`
			`return 0`
			`}`

			`if string(ttlStr) == "" {`
			`return 0`
			`}`

			`ttl, err := time.ParseDuration(string(ttlStr) + "s")`
			`if err != nil {`
			`return 0`
			`}`

			`return ttl`
			`}`

Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			`// SecretWrapInfo contains wrapping information if we have it. If what is`
			`// contained is an authentication token, the accessor for the token will be`
			`// available in WrappedAccessor.`
Add wrap support to API/CLI 2016-05-02 05:58:58 +00:00			`type SecretWrapInfo struct {`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			Token string `json:"token"`
			TTL int `json:"ttl"`
			CreationTime time.Time `json:"creation_time"`
Store original request path in WrapInfo (#3100) * Store original request path in WrapInfo as CreationPath * Add wrapping_token_creation_path to CLI output * Add CreationPath to AuditResponseWrapInfo * Fix tests * Add and fix tests, update API docs with new sample responses 2017-08-02 22:28:58 +00:00			CreationPath string `json:"creation_path"`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			WrappedAccessor string `json:"wrapped_accessor"`
api: add auth information to results 2015-04-04 22:40:41 +00:00			`}`

Fix some lint warnings. 2015-09-29 07:35:16 +00:00			`// SecretAuth is the structure containing auth information if we have it.`
api: add auth information to results 2015-04-04 22:40:41 +00:00			`type SecretAuth struct {`
Use lowercase JSON keys for client_token 2015-04-24 16:00:00 +00:00			ClientToken string `json:"client_token"`
AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 11:23:31 +00:00			Accessor string `json:"accessor"`
api: add auth information to results 2015-04-04 22:40:41 +00:00			Policies []string `json:"policies"`
			Metadata map[string]string `json:"metadata"`

			LeaseDuration int `json:"lease_duration"`
			Renewable bool `json:"renewable"`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`}`

			`// ParseSecret is used to parse a secret value from JSON from an io.Reader.`
			`func ParseSecret(r io.Reader) (*Secret, error) {`
			`// First decode the JSON into a map[string]interface{}`
command/write 2015-03-16 03:35:33 +00:00			`var secret Secret`
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests. 2016-07-06 16:25:40 +00:00			`if err := jsonutil.DecodeJSONFromReader(r, &secret); err != nil {`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`return nil, err`
			`}`

command/write 2015-03-16 03:35:33 +00:00			`return &secret, nil`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`}`