2015-06-17 16:39:49 +00:00
|
|
|
package ssh
|
|
|
|
|
|
|
|
|
|
import (
|
2015-06-18 00:33:03 +00:00
|
|
|
"bytes"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
2015-06-26 01:47:32 +00:00
|
|
|
"net"
|
2015-06-19 00:48:41 +00:00
|
|
|
"strings"
|
2015-06-17 16:39:49 +00:00
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
|
)
|
|
|
|
|
|
2015-06-24 22:13:12 +00:00
|
|
|
func pathRoleCreate(b *backend) *framework.Path {
|
2015-06-17 16:39:49 +00:00
|
|
|
return &framework.Path{
|
2015-06-24 22:13:12 +00:00
|
|
|
Pattern: "creds/(?P<name>\\w+)",
|
2015-06-17 16:39:49 +00:00
|
|
|
Fields: map[string]*framework.FieldSchema{
|
2015-06-24 22:13:12 +00:00
|
|
|
"name": &framework.FieldSchema{
|
|
|
|
|
Type: framework.TypeString,
|
|
|
|
|
Description: "name of the policy",
|
|
|
|
|
},
|
2015-06-17 16:39:49 +00:00
|
|
|
"username": &framework.FieldSchema{
|
|
|
|
|
Type: framework.TypeString,
|
2015-06-24 22:13:12 +00:00
|
|
|
Description: "username in target",
|
2015-06-17 16:39:49 +00:00
|
|
|
},
|
2015-06-24 22:13:12 +00:00
|
|
|
"ip": &framework.FieldSchema{
|
2015-06-17 16:39:49 +00:00
|
|
|
Type: framework.TypeString,
|
2015-06-24 22:13:12 +00:00
|
|
|
Description: "IP of the target machine",
|
2015-06-17 16:39:49 +00:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2015-06-24 22:13:12 +00:00
|
|
|
logical.WriteOperation: b.pathRoleCreateWrite,
|
2015-06-17 16:39:49 +00:00
|
|
|
},
|
2015-06-30 20:30:13 +00:00
|
|
|
HelpSynopsis: pathRoleCreateHelpSyn,
|
|
|
|
|
HelpDescription: pathRoleCreateHelpDesc,
|
2015-06-17 16:39:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-24 22:13:12 +00:00
|
|
|
func (b *backend) pathRoleCreateWrite(
|
2015-06-17 16:39:49 +00:00
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
2015-06-24 22:13:12 +00:00
|
|
|
roleName := d.Get("name").(string)
|
2015-06-19 00:48:41 +00:00
|
|
|
username := d.Get("username").(string)
|
2015-06-26 01:47:32 +00:00
|
|
|
ipRaw := d.Get("ip").(string)
|
2015-06-30 20:30:13 +00:00
|
|
|
if roleName == "" {
|
|
|
|
|
return logical.ErrorResponse("Invalid 'name'"), nil
|
|
|
|
|
}
|
|
|
|
|
if ipRaw == "" {
|
|
|
|
|
return logical.ErrorResponse("Invalid 'ip'"), nil
|
|
|
|
|
}
|
2015-06-18 00:33:03 +00:00
|
|
|
|
2015-06-26 01:47:32 +00:00
|
|
|
//find the role to be used for installing dynamic key
|
2015-06-24 22:13:12 +00:00
|
|
|
rolePath := "policy/" + roleName
|
|
|
|
|
roleEntry, err := req.Storage.Get(rolePath)
|
2015-06-19 00:48:41 +00:00
|
|
|
if err != nil {
|
2015-06-24 22:13:12 +00:00
|
|
|
return nil, fmt.Errorf("error retrieving role: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if roleEntry == nil {
|
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("Role '%s' not found", roleName)), nil
|
|
|
|
|
}
|
|
|
|
|
var role sshRole
|
|
|
|
|
if err := roleEntry.DecodeJSON(&role); err != nil {
|
2015-06-19 00:48:41 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-30 20:30:13 +00:00
|
|
|
if username == "" {
|
|
|
|
|
username = role.DefaultUser
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-26 01:47:32 +00:00
|
|
|
//validate the IP address
|
|
|
|
|
ipAddr := net.ParseIP(ipRaw)
|
|
|
|
|
if ipAddr == nil {
|
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ipRaw)), nil
|
|
|
|
|
}
|
|
|
|
|
ip := ipAddr.String()
|
|
|
|
|
|
|
|
|
|
ipMatched := false
|
2015-06-30 02:00:08 +00:00
|
|
|
for _, item := range strings.Split(role.CIDR, ",") {
|
2015-06-30 20:30:13 +00:00
|
|
|
_, cidrIPNet, err := net.ParseCIDR(item)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("Invalid cidr entry '%s'", item)), nil
|
|
|
|
|
}
|
2015-06-26 01:47:32 +00:00
|
|
|
ipMatched = cidrIPNet.Contains(ipAddr)
|
|
|
|
|
if ipMatched {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !ipMatched {
|
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf("IP[%s] does not belong to role[%s]", ip, roleName)), nil
|
|
|
|
|
}
|
2015-06-24 22:13:12 +00:00
|
|
|
|
2015-06-26 01:47:32 +00:00
|
|
|
//fetch the host key to be used for installation
|
2015-06-24 22:13:12 +00:00
|
|
|
keyPath := "keys/" + role.KeyName
|
|
|
|
|
keyEntry, err := req.Storage.Get(keyPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Key '%s' not found error:%s", role.KeyName, err)
|
2015-06-19 00:48:41 +00:00
|
|
|
}
|
|
|
|
|
var hostKey sshHostKey
|
2015-06-24 22:13:12 +00:00
|
|
|
if err := keyEntry.DecodeJSON(&hostKey); err != nil {
|
2015-06-19 00:48:41 +00:00
|
|
|
return nil, fmt.Errorf("Error reading the host key: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-26 01:47:32 +00:00
|
|
|
//store the host key to file. Use it as parameter for scp command
|
|
|
|
|
hostKeyFileName := "./vault_ssh_" + username + "_" + ip + "_shared.pem"
|
2015-06-29 15:49:34 +00:00
|
|
|
err = ioutil.WriteFile(hostKeyFileName, []byte(hostKey.Key), 0600)
|
2015-06-19 00:48:41 +00:00
|
|
|
|
2015-06-30 20:30:13 +00:00
|
|
|
dynamicPrivateKeyFileName := "vault_ssh_" + username + "_" + ip + "_otk.pem"
|
|
|
|
|
dynamicPublicKeyFileName := dynamicPrivateKeyFileName + ".pub"
|
|
|
|
|
|
|
|
|
|
//delete the temporary files if they are already present
|
|
|
|
|
err = removeFile(dynamicPrivateKeyFileName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf(fmt.Sprintf("Error removing dynamic private key file: '%s'", err))
|
|
|
|
|
}
|
|
|
|
|
err = removeFile(dynamicPublicKeyFileName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf(fmt.Sprintf("Error removing dynamic private key file: '%s'", err))
|
|
|
|
|
}
|
2015-06-26 01:47:32 +00:00
|
|
|
|
2015-06-30 20:30:13 +00:00
|
|
|
//generate RSA key pair
|
2015-06-26 18:08:03 +00:00
|
|
|
dynamicPublicKey, dynamicPrivateKey, _ := generateRSAKeys()
|
2015-06-30 20:30:13 +00:00
|
|
|
|
|
|
|
|
//save the public key pair to a file
|
|
|
|
|
ioutil.WriteFile(dynamicPublicKeyFileName, []byte(dynamicPublicKey), 0644)
|
|
|
|
|
|
|
|
|
|
//send the public key to target machine
|
|
|
|
|
err = uploadFileScp(dynamicPublicKeyFileName, username, ip, hostKey.Key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2015-06-29 15:49:34 +00:00
|
|
|
|
2015-06-30 02:00:08 +00:00
|
|
|
//connect to target machine
|
|
|
|
|
session, err := createSSHPublicKeysSession(username, ip, hostKey.Key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Unable to create SSH Session using public keys: %s", err)
|
2015-06-18 00:33:03 +00:00
|
|
|
}
|
2015-06-30 02:00:08 +00:00
|
|
|
if session == nil {
|
|
|
|
|
return nil, fmt.Errorf("Invalid session object")
|
2015-06-29 15:49:34 +00:00
|
|
|
}
|
2015-06-18 00:33:03 +00:00
|
|
|
var buf bytes.Buffer
|
|
|
|
|
session.Stdout = &buf
|
2015-06-26 01:47:32 +00:00
|
|
|
|
2015-06-30 20:30:13 +00:00
|
|
|
authKeysFileName := "/home/" + username + "/.ssh/authorized_keys"
|
|
|
|
|
tempKeysFileName := "/home/" + username + "/temp_authorized_keys"
|
2015-06-26 01:47:32 +00:00
|
|
|
|
|
|
|
|
//commands to be run on target machine
|
2015-06-30 20:30:13 +00:00
|
|
|
grepCmd := "grep -vFf " + dynamicPublicKeyFileName + " " + authKeysFileName + " > " + tempKeysFileName + ";"
|
2015-06-26 01:47:32 +00:00
|
|
|
catCmdRemoveDuplicate := "cat " + tempKeysFileName + " > " + authKeysFileName + ";"
|
2015-06-30 20:30:13 +00:00
|
|
|
catCmdAppendNew := "cat " + dynamicPublicKeyFileName + " >> " + authKeysFileName + ";"
|
|
|
|
|
removeCmd := "rm -f " + tempKeysFileName + " " + dynamicPublicKeyFileName + ";"
|
2015-06-26 01:47:32 +00:00
|
|
|
remoteCmdString := strings.Join([]string{
|
|
|
|
|
grepCmd,
|
|
|
|
|
catCmdRemoveDuplicate,
|
|
|
|
|
catCmdAppendNew,
|
|
|
|
|
removeCmd,
|
|
|
|
|
}, "")
|
|
|
|
|
|
|
|
|
|
//run the commands on target machine
|
|
|
|
|
if err := session.Run(remoteCmdString); err != nil {
|
|
|
|
|
return nil, err
|
2015-06-18 00:33:03 +00:00
|
|
|
}
|
|
|
|
|
session.Close()
|
|
|
|
|
fmt.Println(buf.String())
|
2015-06-26 01:47:32 +00:00
|
|
|
|
2015-07-01 00:21:41 +00:00
|
|
|
result := b.Secret(SecretOneTimeKeyType).Response(map[string]interface{}{
|
2015-06-26 01:47:32 +00:00
|
|
|
"key": dynamicPrivateKey,
|
|
|
|
|
}, map[string]interface{}{
|
|
|
|
|
"username": username,
|
|
|
|
|
"ip": ip,
|
|
|
|
|
"host_key_name": role.KeyName,
|
|
|
|
|
"dynamic_public_key": dynamicPublicKey,
|
2015-07-01 00:21:41 +00:00
|
|
|
})
|
|
|
|
|
lease, _ := b.Lease(req.Storage)
|
|
|
|
|
if lease != nil {
|
|
|
|
|
result.Secret.Lease = lease.Lease
|
|
|
|
|
result.Secret.LeaseGracePeriod = lease.LeaseMax
|
|
|
|
|
}
|
|
|
|
|
return result, nil
|
2015-06-26 01:47:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type sshCIDR struct {
|
|
|
|
|
CIDR []string
|
2015-06-17 16:39:49 +00:00
|
|
|
}
|
|
|
|
|
|
2015-06-30 20:30:13 +00:00
|
|
|
const pathRoleCreateHelpSyn = `
|
|
|
|
|
Creates a dynamic key for the target machine.
|
2015-06-17 16:39:49 +00:00
|
|
|
`
|
|
|
|
|
|
2015-06-30 20:30:13 +00:00
|
|
|
const pathRoleCreateHelpDesc = `
|
|
|
|
|
This path will generates a new key for establishing SSH session with
|
|
|
|
|
target host. Previously registered shared key belonging to target
|
|
|
|
|
infrastructure will be used to install the new key at the target. If
|
|
|
|
|
this backend is mounted at 'ssh', then "ssh/creds/role" would generate
|
|
|
|
|
a dynamic key for 'web' role.
|
|
|
|
|
|
|
|
|
|
The dynamic keys will have a lease associated with them. The access
|
|
|
|
|
keys can be revoked by using the lease ID.
|
2015-06-17 16:39:49 +00:00
|
|
|
`
|
