2015-06-26 01:47:32 +00:00
|
|
|
package ssh
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"net"
|
|
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func pathLookup(b *backend) *framework.Path {
|
|
|
|
|
return &framework.Path{
|
|
|
|
|
Pattern: "lookup",
|
|
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
|
|
|
"ip": &framework.FieldSchema{
|
|
|
|
|
Type: framework.TypeString,
|
2015-08-14 19:41:26 +00:00
|
|
|
Description: "[Required] IP address of remote host",
|
2015-06-26 01:47:32 +00:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
|
|
|
logical.WriteOperation: b.pathLookupWrite,
|
|
|
|
|
},
|
|
|
|
|
HelpSynopsis: pathLookupSyn,
|
|
|
|
|
HelpDescription: pathLookupDesc,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (b *backend) pathLookupWrite(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2015-06-30 20:30:13 +00:00
|
|
|
ipAddr := d.Get("ip").(string)
|
|
|
|
|
if ipAddr == "" {
|
2015-07-02 01:26:42 +00:00
|
|
|
return logical.ErrorResponse("Missing ip"), nil
|
2015-06-26 01:47:32 +00:00
|
|
|
}
|
2015-06-30 20:30:13 +00:00
|
|
|
ip := net.ParseIP(ipAddr)
|
|
|
|
|
if ip == nil {
|
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ip.String())), nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-08-13 00:36:27 +00:00
|
|
|
keys, err := req.Storage.List("roles/")
|
2015-06-30 20:30:13 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-26 01:47:32 +00:00
|
|
|
var matchingRoles []string
|
2015-07-02 21:23:09 +00:00
|
|
|
for _, role := range keys {
|
|
|
|
|
if contains, _ := roleContainsIP(req.Storage, role, ip.String()); contains {
|
|
|
|
|
matchingRoles = append(matchingRoles, role)
|
2015-06-26 01:47:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
2015-08-13 21:18:30 +00:00
|
|
|
|
|
|
|
|
// This result may potentially reveal more information than it is supposed to.
|
|
|
|
|
// The roles for which the client is not authorized to will also be displayed.
|
|
|
|
|
// However, if the client tries to use the role for which the client is not
|
|
|
|
|
// authenticated, it will fail. There are no problems there. In a way this can
|
|
|
|
|
// be viewed as a feature. The client can ask for permissions to be given for
|
|
|
|
|
// a specific role if things are not working!
|
|
|
|
|
// Going forward, the role names should be filtered and only the roles which
|
|
|
|
|
// the client is authorized to see, should be returned.
|
2015-06-26 01:47:32 +00:00
|
|
|
return &logical.Response{
|
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
|
"roles": matchingRoles,
|
|
|
|
|
},
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const pathLookupSyn = `
|
2015-06-30 20:30:13 +00:00
|
|
|
Lists 'roles' that can be used to create a dynamic key.
|
2015-06-26 01:47:32 +00:00
|
|
|
`
|
|
|
|
|
|
|
|
|
|
const pathLookupDesc = `
|
2015-07-27 17:02:31 +00:00
|
|
|
The IP address for which the key is requested, is searched in the
|
|
|
|
|
CIDR blocks registered with vault using the 'roles' endpoint. Keys
|
|
|
|
|
can be generated only by specifying the 'role' name. The roles that
|
|
|
|
|
can be used to generate the key for a particular IP, are listed via
|
|
|
|
|
this endpoint. For example, if this backend is mounted at "ssh", then
|
|
|
|
|
"ssh/lookup" lists the roles associated with keys can be generated
|
|
|
|
|
for a target IP, if the CIDR block encompassing the IP, is registered
|
|
|
|
|
with vault.
|
2015-06-26 01:47:32 +00:00
|
|
|
`
|
