open-vault/vault/identity_store_structs.go

package vault

import (
	"context"
	"regexp"
	"sync"

	log "github.com/hashicorp/go-hclog"
	"github.com/hashicorp/go-memdb"
	"github.com/hashicorp/vault/helper/identity"
	"github.com/hashicorp/vault/helper/metricsutil"
	"github.com/hashicorp/vault/helper/namespace"
	"github.com/hashicorp/vault/helper/storagepacker"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/consts"
	"github.com/hashicorp/vault/sdk/logical"
)

const (
	// Storage prefixes
	entityPrefix = "entity/"
)

// metaKeyFormatRegEx checks if a metadata key string is valid
var metaKeyFormatRegEx = regexp.MustCompile(`^[a-zA-Z0-9=/+_-]+$`).MatchString

const (
	// The meta key prefix reserved for Vault's internal use
	metaKeyReservedPrefix = "vault-"

	// The maximum number of metadata key pairs allowed to be registered
	metaMaxKeyPairs = 64

	// The maximum allowed length of a metadata key
	metaKeyMaxLength = 128

	// The maximum allowed length of a metadata value
	metaValueMaxLength = 512
)

// IdentityStore is composed of its own storage view and a MemDB which
// maintains active in-memory replicas of the storage contents indexed by
// multiple fields.
type IdentityStore struct {
	// IdentityStore is a secret backend in Vault
	*framework.Backend

	// view is the storage sub-view where all the artifacts of identity store
	// gets persisted
	view logical.Storage

	// db is the in-memory database where the storage artifacts gets replicated
	// to enable richer queries based on multiple indexes.
	db *memdb.MemDB

	// locks to make sure things are consistent
	lock     sync.RWMutex
	oidcLock sync.RWMutex

	// groupLock is used to protect modifications to group entries
	groupLock sync.RWMutex

	// oidcCache stores common response data as well as when the periodic func needs
	// to run. This is conservatively managed, and most writes to the OIDC endpoints
	// will invalidate the cache.
	oidcCache *oidcCache

	// logger is the server logger copied over from core
	logger log.Logger

	// entityPacker is used to pack multiple entity storage entries into 256
	// buckets
	entityPacker *storagepacker.StoragePacker

	// groupPacker is used to pack multiple group storage entries into 256
	// buckets
	groupPacker *storagepacker.StoragePacker

	// disableLowerCaseNames indicates whether or not identity artifacts are
	// operated case insensitively
	disableLowerCasedNames bool

	router        *Router
	redirectAddr  string
	localNode     LocalNode
	namespacer    Namespacer
	metrics       metricsutil.Metrics
	totpPersister TOTPPersister
	groupUpdater  GroupUpdater
}

type groupDiff struct {
	New        []*identity.Group
	Deleted    []*identity.Group
	Unmodified []*identity.Group
}

type casesensitivity struct {
	DisableLowerCasedNames bool `json:"disable_lower_cased_names"`
}

type LocalNode interface {
	ReplicationState() consts.ReplicationState
	HAState() consts.HAState
}

var _ LocalNode = &Core{}

type Namespacer interface {
	NamespaceByID(context.Context, string) (*namespace.Namespace, error)
	ListNamespaces() []*namespace.Namespace
}

var _ Namespacer = &Core{}

type TOTPPersister interface {
	PersistTOTPKey(ctx context.Context, configID string, entityID string, key string) error
}

var _ TOTPPersister = &Core{}

type GroupUpdater interface {
	SendGroupUpdate(ctx context.Context, group *identity.Group) (bool, error)
}

var _ GroupUpdater = &Core{}
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00			`package vault`

			`import (`
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 19:31:11 +00:00			`"context"`
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00			`"regexp"`
			`"sync"`

Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go 2018-04-03 00:46:59 +00:00			`log "github.com/hashicorp/go-hclog"`
Namespace support for identity tokens (#7045) 2019-07-03 03:15:43 +00:00			`"github.com/hashicorp/go-memdb"`
External identity groups (#3447) * external identity groups * add local LDAP groups as well to group aliases * add group aliases for okta credential backend * Fix panic in tests * fix build failure * remove duplicated struct tag * add test steps to test out removal of group member during renewals * Add comment for having a prefix check in router * fix tests * s/parent_id/canonical_id * s/parent/canonical in comments and errors 2017-11-02 20:05:48 +00:00			`"github.com/hashicorp/vault/helper/identity"`
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 19:31:11 +00:00			`"github.com/hashicorp/vault/helper/metricsutil"`
			`"github.com/hashicorp/vault/helper/namespace"`
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00			`"github.com/hashicorp/vault/helper/storagepacker"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 19:31:11 +00:00			`"github.com/hashicorp/vault/sdk/helper/consts"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00			`)`

			`const (`
			`// Storage prefixes`
			`entityPrefix = "entity/"`
			`)`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`// metaKeyFormatRegEx checks if a metadata key string is valid`
			var metaKeyFormatRegEx = regexp.MustCompile(`^[a-zA-Z0-9=/+_-]+$`).MatchString
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00
			`const (`
			`// The meta key prefix reserved for Vault's internal use`
			`metaKeyReservedPrefix = "vault-"`

			`// The maximum number of metadata key pairs allowed to be registered`
			`metaMaxKeyPairs = 64`

			`// The maximum allowed length of a metadata key`
			`metaKeyMaxLength = 128`

			`// The maximum allowed length of a metadata value`
			`metaValueMaxLength = 512`
			`)`

			`// IdentityStore is composed of its own storage view and a MemDB which`
			`// maintains active in-memory replicas of the storage contents indexed by`
			`// multiple fields.`
			`type IdentityStore struct {`
			`// IdentityStore is a secret backend in Vault`
			`*framework.Backend`

			`// view is the storage sub-view where all the artifacts of identity store`
			`// gets persisted`
			`view logical.Storage`

			`// db is the in-memory database where the storage artifacts gets replicated`
			`// to enable richer queries based on multiple indexes.`
			`db *memdb.MemDB`

Namespace support for identity tokens (#7045) 2019-07-03 03:15:43 +00:00			`// locks to make sure things are consistent`
			`lock sync.RWMutex`
			`oidcLock sync.RWMutex`
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00
			`// groupLock is used to protect modifications to group entries`
			`groupLock sync.RWMutex`

Add OIDC token generation to Identity (#6900) * Add OIDC token generation to Identity There are a few open TODOs and some remaining cleanup, but this is functionally complete and ready for review. (Tests will being added soon.) * Simplified key update endpoint * Cache the config * Fix Issuer handling * Suppose base64-encoded templates (#6919) * Cache JWKS and switch to go-cache (#6918) * Address review comments * Add warning if neither Issue nor api_addr are set * adds tests (#6937) * adds help synopsis and descriptions to the framework path for the oid… (#6930) * adds help synopsis and descriptions to the framework path for the oidc backend * Update vault/identity_store_oidc.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * Add Now parameter to PopulateStringInput * Addressing review comments * Refactor template processing to improve mode-specific handling * adds a test for the periodic func (#6943) * adds a test for the periodic func * removes commented out code * adds a comment * Add comments 2019-06-21 17:23:39 +00:00			`// oidcCache stores common response data as well as when the periodic func needs`
			`// to run. This is conservatively managed, and most writes to the OIDC endpoints`
			`// will invalidate the cache.`
Namespace support for identity tokens (#7045) 2019-07-03 03:15:43 +00:00			`oidcCache *oidcCache`
Add OIDC token generation to Identity (#6900) * Add OIDC token generation to Identity There are a few open TODOs and some remaining cleanup, but this is functionally complete and ready for review. (Tests will being added soon.) * Simplified key update endpoint * Cache the config * Fix Issuer handling * Suppose base64-encoded templates (#6919) * Cache JWKS and switch to go-cache (#6918) * Address review comments * Add warning if neither Issue nor api_addr are set * adds tests (#6937) * adds help synopsis and descriptions to the framework path for the oid… (#6930) * adds help synopsis and descriptions to the framework path for the oidc backend * Update vault/identity_store_oidc.go Co-Authored-By: Jim Kalafut <jim@kalafut.net> * Add Now parameter to PopulateStringInput * Addressing review comments * Refactor template processing to improve mode-specific handling * adds a test for the periodic func (#6943) * adds a test for the periodic func * removes commented out code * adds a comment * Add comments 2019-06-21 17:23:39 +00:00
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00			`// logger is the server logger copied over from core`
			`logger log.Logger`

			`// entityPacker is used to pack multiple entity storage entries into 256`
			`// buckets`
			`entityPacker *storagepacker.StoragePacker`

			`// groupPacker is used to pack multiple group storage entries into 256`
			`// buckets`
			`groupPacker *storagepacker.StoragePacker`
port missed items from identity store to oss (#4242) 2018-04-03 02:17:33 +00:00
Case insensitive identity names (#5404) * case insensitive identity names * TestIdentityStore_GroupHierarchyCases * address review feedback * Use errwrap.Contains instead of errwrap.ContainsType * Warn about duplicate names all the time to help fix them * Address review feedback 2018-10-19 19:47:26 +00:00			`// disableLowerCaseNames indicates whether or not identity artifacts are`
			`// operated case insensitively`
			`disableLowerCasedNames bool`
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 19:31:11 +00:00
			`router *Router`
			`redirectAddr string`
			`localNode LocalNode`
			`namespacer Namespacer`
			`metrics metricsutil.Metrics`
			`totpPersister TOTPPersister`
			`groupUpdater GroupUpdater`
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor 2017-10-11 17:21:20 +00:00			`}`
External identity groups (#3447) * external identity groups * add local LDAP groups as well to group aliases * add group aliases for okta credential backend * Fix panic in tests * fix build failure * remove duplicated struct tag * add test steps to test out removal of group member during renewals * Add comment for having a prefix check in router * fix tests * s/parent_id/canonical_id * s/parent/canonical in comments and errors 2017-11-02 20:05:48 +00:00
			`type groupDiff struct {`
			`New []*identity.Group`
			`Deleted []*identity.Group`
			`Unmodified []*identity.Group`
			`}`
Fix identity case sensitivity loading in secondary cluster (#7327) * Fix identity case sensitivity loading in secondary cluster * Add nil check 2019-09-30 14:27:25 +00:00
			`type casesensitivity struct {`
			DisableLowerCasedNames bool `json:"disable_lower_cased_names"`
			`}`
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 19:31:11 +00:00
			`type LocalNode interface {`
			`ReplicationState() consts.ReplicationState`
			`HAState() consts.HAState`
			`}`

			`var _ LocalNode = &Core{}`

			`type Namespacer interface {`
			`NamespaceByID(context.Context, string) (*namespace.Namespace, error)`
			`ListNamespaces() []*namespace.Namespace`
			`}`

			`var _ Namespacer = &Core{}`

			`type TOTPPersister interface {`
			`PersistTOTPKey(ctx context.Context, configID string, entityID string, key string) error`
			`}`

			`var _ TOTPPersister = &Core{}`

			`type GroupUpdater interface {`
			`SendGroupUpdate(ctx context.Context, group *identity.Group) (bool, error)`
			`}`

			`var _ GroupUpdater = &Core{}`