open-vault/builtin/credential/ldap/path_groups.go

package ldap

import (
	"context"

	"github.com/hashicorp/vault/helper/policyutil"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathGroupsList(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "groups/?$",

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ListOperation: b.pathGroupList,
		},

		HelpSynopsis:    pathGroupHelpSyn,
		HelpDescription: pathGroupHelpDesc,
	}
}

func pathGroups(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: `groups/(?P<name>.+)`,
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Name of the LDAP group.",
			},

			"policies": &framework.FieldSchema{
				Type:        framework.TypeCommaStringSlice,
				Description: "Comma-separated list of policies associated to the group.",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.DeleteOperation: b.pathGroupDelete,
			logical.ReadOperation:   b.pathGroupRead,
			logical.UpdateOperation: b.pathGroupWrite,
		},

		HelpSynopsis:    pathGroupHelpSyn,
		HelpDescription: pathGroupHelpDesc,
	}
}

func (b *backend) Group(s logical.Storage, n string) (*GroupEntry, error) {
	entry, err := s.Get("group/" + n)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var result GroupEntry
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}

	return &result, nil
}

func (b *backend) pathGroupDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	err := req.Storage.Delete("group/" + d.Get("name").(string))
	if err != nil {
		return nil, err
	}

	return nil, nil
}

func (b *backend) pathGroupRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	group, err := b.Group(req.Storage, d.Get("name").(string))
	if err != nil {
		return nil, err
	}
	if group == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"policies": group.Policies,
		},
	}, nil
}

func (b *backend) pathGroupWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// Store it
	entry, err := logical.StorageEntryJSON("group/"+d.Get("name").(string), &GroupEntry{
		Policies: policyutil.ParsePolicies(d.Get("policies")),
	})
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(entry); err != nil {
		return nil, err
	}

	return nil, nil
}

func (b *backend) pathGroupList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	groups, err := req.Storage.List("group/")
	if err != nil {
		return nil, err
	}
	return logical.ListResponse(groups), nil
}

type GroupEntry struct {
	Policies []string
}

const pathGroupHelpSyn = `
Manage users allowed to authenticate.
`

const pathGroupHelpDesc = `
This endpoint allows you to create, read, update, and delete configuration
for LDAP groups that are allowed to authenticate, and associate policies to
them.

Deleting a group will not revoke auth for prior authenticated users in that
group. To do this, do a revoke on "login/<username>" for
the usernames you want revoked.
`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`package ldap`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`

Utility Enhancements 2016-04-06 00:30:38 +00:00			`"github.com/hashicorp/vault/helper/policyutil"`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 23:56:49 +00:00			`func pathGroupsList(b backend) framework.Path {`
			`return &framework.Path{`
			`Pattern: "groups/?$",`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ListOperation: b.pathGroupList,`
			`},`

			`HelpSynopsis: pathGroupHelpSyn,`
			`HelpDescription: pathGroupHelpDesc,`
			`}`
			`}`

auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`func pathGroups(b backend) framework.Path {`
			`return &framework.Path{`
Fixing merge conflict 2015-06-29 21:50:55 +00:00			Pattern: `groups/(?P<name>.+)`,
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Name of the LDAP group.",`
			`},`

			`"policies": &framework.FieldSchema{`
Sanitize policy behavior across backends (#3324) Fixes #3323 Fixes #3318 * Fix tests * Fix tests 2017-09-13 15:36:52 +00:00			`Type: framework.TypeCommaStringSlice,`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`Description: "Comma-separated list of policies associated to the group.",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.DeleteOperation: b.pathGroupDelete,`
			`logical.ReadOperation: b.pathGroupRead,`
Utility Enhancements 2016-04-06 00:30:38 +00:00			`logical.UpdateOperation: b.pathGroupWrite,`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`},`

			`HelpSynopsis: pathGroupHelpSyn,`
			`HelpDescription: pathGroupHelpDesc,`
			`}`
			`}`

			`func (b backend) Group(s logical.Storage, n string) (GroupEntry, error) {`
			`entry, err := s.Get("group/" + n)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

			`var result GroupEntry`
			`if err := entry.DecodeJSON(&result); err != nil {`
			`return nil, err`
			`}`

			`return &result, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathGroupDelete(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`err := req.Storage.Delete("group/" + d.Get("name").(string))`
			`if err != nil {`
			`return nil, err`
			`}`

			`return nil, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathGroupRead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`group, err := b.Group(req.Storage, d.Get("name").(string))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if group == nil {`
			`return nil, nil`
			`}`

			`return &logical.Response{`
			`Data: map[string]interface{}{`
Sanitize policy behavior across backends (#3324) Fixes #3323 Fixes #3318 * Fix tests * Fix tests 2017-09-13 15:36:52 +00:00			`"policies": group.Policies,`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`},`
			`}, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathGroupWrite(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`// Store it`
Utility Enhancements 2016-04-06 00:30:38 +00:00			`entry, err := logical.StorageEntryJSON("group/"+d.Get("name").(string), &GroupEntry{`
Sanitize policy behavior across backends (#3324) Fixes #3323 Fixes #3318 * Fix tests * Fix tests 2017-09-13 15:36:52 +00:00			`Policies: policyutil.ParsePolicies(d.Get("policies")),`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err := req.Storage.Put(entry); err != nil {`
			`return nil, err`
			`}`

			`return nil, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathGroupList(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {`
Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 23:56:49 +00:00			`groups, err := req.Storage.List("group/")`
			`if err != nil {`
			`return nil, err`
			`}`
			`return logical.ListResponse(groups), nil`
			`}`

auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`type GroupEntry struct {`
			`Policies []string`
			`}`

			const pathGroupHelpSyn = `
			`Manage users allowed to authenticate.`
			`

			const pathGroupHelpDesc = `
			`This endpoint allows you to create, read, update, and delete configuration`
			`for LDAP groups that are allowed to authenticate, and associate policies to`
			`them.`

			`Deleting a group will not revoke auth for prior authenticated users in that`
			`group. To do this, do a revoke on "login/<username>" for`
			`the usernames you want revoked.`
			`