2017-09-20 20:59:35 +00:00
|
|
|
package nomad
|
|
|
|
|
|
|
|
import (
|
2018-01-08 18:31:38 +00:00
|
|
|
"context"
|
2017-12-16 00:50:20 +00:00
|
|
|
"errors"
|
|
|
|
|
2017-12-15 22:06:56 +00:00
|
|
|
"github.com/hashicorp/errwrap"
|
2017-09-20 20:59:35 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
)
|
|
|
|
|
|
|
|
func pathListRoles(b *backend) *framework.Path {
|
|
|
|
return &framework.Path{
|
2017-10-31 20:56:56 +00:00
|
|
|
Pattern: "role/?$",
|
2017-09-20 20:59:35 +00:00
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
|
|
logical.ListOperation: b.pathRoleList,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-11-06 21:34:20 +00:00
|
|
|
func pathRoles(b *backend) *framework.Path {
|
2017-09-20 20:59:35 +00:00
|
|
|
return &framework.Path{
|
2017-10-31 20:56:56 +00:00
|
|
|
Pattern: "role/" + framework.GenericNameRegex("name"),
|
2017-09-20 20:59:35 +00:00
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
|
|
"name": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: "Name of the role",
|
|
|
|
},
|
|
|
|
|
2017-11-29 16:31:17 +00:00
|
|
|
"policies": &framework.FieldSchema{
|
2017-09-20 22:14:35 +00:00
|
|
|
Type: framework.TypeCommaStringSlice,
|
2017-12-15 22:06:56 +00:00
|
|
|
Description: "Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.",
|
2017-09-20 20:59:35 +00:00
|
|
|
},
|
|
|
|
|
2017-09-28 22:57:48 +00:00
|
|
|
"global": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeBool,
|
2017-12-15 22:06:56 +00:00
|
|
|
Description: "Boolean value describing if the token should be global or not. Defaults to false.",
|
2017-09-28 22:57:48 +00:00
|
|
|
},
|
|
|
|
|
2017-11-06 21:34:20 +00:00
|
|
|
"type": &framework.FieldSchema{
|
2017-09-20 20:59:35 +00:00
|
|
|
Type: framework.TypeString,
|
|
|
|
Default: "client",
|
|
|
|
Description: `Which type of token to create: 'client'
|
|
|
|
or 'management'. If a 'management' token,
|
2017-11-29 16:31:17 +00:00
|
|
|
the "policies" parameter is not required.
|
2017-09-20 20:59:35 +00:00
|
|
|
Defaults to 'client'.`,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2017-11-06 21:34:20 +00:00
|
|
|
logical.ReadOperation: b.pathRolesRead,
|
2017-12-16 00:50:20 +00:00
|
|
|
logical.CreateOperation: b.pathRolesWrite,
|
2017-11-06 21:34:20 +00:00
|
|
|
logical.UpdateOperation: b.pathRolesWrite,
|
|
|
|
logical.DeleteOperation: b.pathRolesDelete,
|
2017-09-20 20:59:35 +00:00
|
|
|
},
|
2017-12-16 00:50:20 +00:00
|
|
|
|
|
|
|
ExistenceCheck: b.rolesExistenceCheck,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
|
|
|
|
// Returning 'true' forces an UpdateOperation, CreateOperation otherwise.
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) rolesExistenceCheck(ctx context.Context, req *logical.Request, d *framework.FieldData) (bool, error) {
|
2017-12-16 00:50:20 +00:00
|
|
|
name := d.Get("name").(string)
|
|
|
|
entry, err := b.Role(req.Storage, name)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
2017-09-20 20:59:35 +00:00
|
|
|
}
|
2017-12-16 00:50:20 +00:00
|
|
|
return entry != nil, nil
|
2017-09-20 20:59:35 +00:00
|
|
|
}
|
|
|
|
|
2017-11-07 14:58:19 +00:00
|
|
|
func (b *backend) Role(storage logical.Storage, name string) (*roleConfig, error) {
|
2017-12-16 00:50:20 +00:00
|
|
|
if name == "" {
|
|
|
|
return nil, errors.New("invalid role name")
|
|
|
|
}
|
|
|
|
|
2017-11-07 14:58:19 +00:00
|
|
|
entry, err := storage.Get("role/" + name)
|
|
|
|
if err != nil {
|
2017-12-15 22:06:56 +00:00
|
|
|
return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
|
2017-11-07 14:58:19 +00:00
|
|
|
}
|
|
|
|
if entry == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
var result roleConfig
|
|
|
|
if err := entry.DecodeJSON(&result); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &result, nil
|
|
|
|
}
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2017-10-31 20:56:56 +00:00
|
|
|
entries, err := req.Storage.List("role/")
|
2017-09-20 20:59:35 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return logical.ListResponse(entries), nil
|
|
|
|
}
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathRolesRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2017-09-20 20:59:35 +00:00
|
|
|
name := d.Get("name").(string)
|
|
|
|
|
2017-11-07 14:58:19 +00:00
|
|
|
role, err := b.Role(req.Storage, name)
|
2017-09-20 20:59:35 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-11-07 14:58:19 +00:00
|
|
|
if role == nil {
|
2017-09-20 20:59:35 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate the response
|
|
|
|
resp := &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
2017-11-29 16:31:17 +00:00
|
|
|
"type": role.TokenType,
|
|
|
|
"global": role.Global,
|
|
|
|
"policies": role.Policies,
|
2017-09-20 20:59:35 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
return resp, nil
|
|
|
|
}
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2017-09-20 20:59:35 +00:00
|
|
|
name := d.Get("name").(string)
|
2017-11-06 21:34:20 +00:00
|
|
|
|
2017-12-16 00:50:20 +00:00
|
|
|
role, err := b.Role(req.Storage, name)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if role == nil {
|
|
|
|
role = new(roleConfig)
|
|
|
|
}
|
|
|
|
|
|
|
|
policies, ok := d.GetOk("policies")
|
|
|
|
if ok {
|
|
|
|
role.Policies = policies.([]string)
|
|
|
|
}
|
|
|
|
|
|
|
|
role.TokenType = d.Get("type").(string)
|
|
|
|
switch role.TokenType {
|
2017-11-06 21:34:20 +00:00
|
|
|
case "client":
|
2017-12-16 00:50:20 +00:00
|
|
|
if len(role.Policies) == 0 {
|
2017-09-20 20:59:35 +00:00
|
|
|
return logical.ErrorResponse(
|
2017-11-29 16:31:17 +00:00
|
|
|
"policies cannot be empty when using client tokens"), nil
|
2017-09-20 20:59:35 +00:00
|
|
|
}
|
2017-11-06 21:34:20 +00:00
|
|
|
case "management":
|
2017-12-16 00:50:20 +00:00
|
|
|
if len(role.Policies) != 0 {
|
2017-10-31 21:12:14 +00:00
|
|
|
return logical.ErrorResponse(
|
2017-11-29 16:31:17 +00:00
|
|
|
"policies should be empty when using management tokens"), nil
|
2017-10-31 21:12:14 +00:00
|
|
|
}
|
2017-11-06 21:34:20 +00:00
|
|
|
default:
|
|
|
|
return logical.ErrorResponse(
|
2017-12-15 22:06:56 +00:00
|
|
|
`type must be "client" or "management"`), nil
|
2017-09-20 20:59:35 +00:00
|
|
|
}
|
|
|
|
|
2017-12-16 00:50:20 +00:00
|
|
|
global, ok := d.GetOk("global")
|
|
|
|
if ok {
|
|
|
|
role.Global = global.(bool)
|
|
|
|
}
|
|
|
|
|
|
|
|
entry, err := logical.StorageEntryJSON("role/"+name, role)
|
2017-09-20 20:59:35 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := req.Storage.Put(entry); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2018-01-08 18:31:38 +00:00
|
|
|
func (b *backend) pathRolesDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2017-09-20 20:59:35 +00:00
|
|
|
name := d.Get("name").(string)
|
2017-10-31 20:56:56 +00:00
|
|
|
if err := req.Storage.Delete("role/" + name); err != nil {
|
2017-09-20 20:59:35 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type roleConfig struct {
|
2017-11-29 16:31:17 +00:00
|
|
|
Policies []string `json:"policies"`
|
2017-11-06 21:34:20 +00:00
|
|
|
TokenType string `json:"type"`
|
2017-11-06 15:09:56 +00:00
|
|
|
Global bool `json:"global"`
|
2017-09-20 20:59:35 +00:00
|
|
|
}
|