open-vault/builtin/logical/ssh/path_role_create.go

package ssh

import (
	"fmt"
	"net"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathRoleCreate(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "creds/(?P<name>[-\\w]+)",
		Fields: map[string]*framework.FieldSchema{
			"name": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "name of the policy",
			},
			"username": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "username in target",
			},
			"ip": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "IP of the target machine",
			},
		},
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.WriteOperation: b.pathRoleCreateWrite,
		},
		HelpSynopsis:    pathRoleCreateHelpSyn,
		HelpDescription: pathRoleCreateHelpDesc,
	}
}

func (b *backend) pathRoleCreateWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	roleName := d.Get("name").(string)
	username := d.Get("username").(string)
	ipRaw := d.Get("ip").(string)
	if roleName == "" {
		return logical.ErrorResponse("Missing name"), nil
	}
	if ipRaw == "" {
		return logical.ErrorResponse("Missing ip"), nil
	}

	// Find the role to be used for installing dynamic key
	roleEntry, err := req.Storage.Get(fmt.Sprintf("policy/%s", roleName))
	if err != nil {
		return nil, fmt.Errorf("error retrieving role: %s", err)
	}
	if roleEntry == nil {
		return logical.ErrorResponse(fmt.Sprintf("Role '%s' not found", roleName)), nil
	}
	var role sshRole
	if err := roleEntry.DecodeJSON(&role); err != nil {
		return nil, err
	}

	// Set the default username
	if username == "" {
		username = role.DefaultUser
	}

	// Validate the IP address
	ipAddr := net.ParseIP(ipRaw)
	if ipAddr == nil {
		return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ipRaw)), nil
	}
	ip := ipAddr.String()
	ipMatched, err := cidrContainsIP(ip, role.CIDR)
	if err != nil {
		return logical.ErrorResponse(fmt.Sprintf("Error validating IP: %s", err)), nil
	}
	if !ipMatched {
		return logical.ErrorResponse(fmt.Sprintf("IP[%s] does not belong to role[%s]", ip, roleName)), nil
	}

	// Fetch the host key to be used for dynamic key installation
	keyEntry, err := req.Storage.Get(fmt.Sprintf("keys/%s", role.KeyName))
	if err != nil {
		return nil, fmt.Errorf("key '%s' not found error:%s", role.KeyName, err)
	}
	var hostKey sshHostKey
	if err := keyEntry.DecodeJSON(&hostKey); err != nil {
		return nil, fmt.Errorf("error reading the host key: %s", err)
	}

	// Generate RSA key pair
	dynamicPublicKey, dynamicPrivateKey, _ := generateRSAKeys()

	// Transfer the public key to target machine
	err = uploadPublicKeyScp(dynamicPublicKey, username, ip, hostKey.Key)
	if err != nil {
		return nil, err
	}

	// Add the public key to authorized_keys file in target machine
	err = installPublicKeyInTarget(username, ip, hostKey.Key)
	if err != nil {
		return nil, fmt.Errorf("error adding public key to authorized_keys file in target")
	}

	result := b.Secret(SecretOneTimeKeyType).Response(map[string]interface{}{
		"key": dynamicPrivateKey,
	}, map[string]interface{}{
		"username":           username,
		"ip":                 ip,
		"host_key_name":      role.KeyName,
		"dynamic_public_key": dynamicPublicKey,
	})

	// Change the lease information to reflect user's choice
	lease, _ := b.Lease(req.Storage)
	if lease != nil {
		result.Secret.Lease = lease.Lease
		result.Secret.LeaseGracePeriod = lease.LeaseMax
	}
	return result, nil
}

type sshCIDR struct {
	CIDR []string
}

const pathRoleCreateHelpSyn = `
Creates a dynamic key for the target machine.
`

const pathRoleCreateHelpDesc = `
This path will generates a new key for establishing SSH session with
target host. Previously registered shared key belonging to target
infrastructure will be used to install the new key at the target. If
this backend is mounted at 'ssh', then "ssh/creds/role" would generate
a dynamic key for 'web' role.

The dynamic keys will have a lease associated with them. The access
keys can be revoked by using the lease ID.
`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`package ssh`

			`import (`
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH. 2015-06-18 00:33:03 +00:00			`"fmt"`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`"net"`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`func pathRoleCreate(b backend) framework.Path {`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`return &framework.Path{`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`Pattern: "creds/(?P<name>[-\\w]+)",`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`Fields: map[string]*framework.FieldSchema{`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`"name": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "name of the policy",`
			`},`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`"username": &framework.FieldSchema{`
			`Type: framework.TypeString,`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`Description: "username in target",`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`},`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`"ip": &framework.FieldSchema{`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`Type: framework.TypeString,`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`Description: "IP of the target machine",`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`},`
			`},`
			`Callbacks: map[logical.Operation]framework.OperationFunc{`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`logical.WriteOperation: b.pathRoleCreateWrite,`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`},`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`HelpSynopsis: pathRoleCreateHelpSyn,`
			`HelpDescription: pathRoleCreateHelpDesc,`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`}`
			`}`

POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`func (b *backend) pathRoleCreateWrite(`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`roleName := d.Get("name").(string)`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`username := d.Get("username").(string)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`ipRaw := d.Get("ip").(string)`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`if roleName == "" {`
Vault SSH: review rework: formatted and moved code 2015-07-02 01:26:42 +00:00			`return logical.ErrorResponse("Missing name"), nil`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`}`
			`if ipRaw == "" {`
Vault SSH: review rework: formatted and moved code 2015-07-02 01:26:42 +00:00			`return logical.ErrorResponse("Missing ip"), nil`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`}`
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH. 2015-06-18 00:33:03 +00:00
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Find the role to be used for installing dynamic key`
Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`roleEntry, err := req.Storage.Get(fmt.Sprintf("policy/%s", roleName))`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`if err != nil {`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`return nil, fmt.Errorf("error retrieving role: %s", err)`
			`}`
			`if roleEntry == nil {`
			`return logical.ErrorResponse(fmt.Sprintf("Role '%s' not found", roleName)), nil`
			`}`
			`var role sshRole`
			`if err := roleEntry.DecodeJSON(&role); err != nil {`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`return nil, err`
			`}`

Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Set the default username`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`if username == "" {`
			`username = role.DefaultUser`
			`}`

Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Validate the IP address`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`ipAddr := net.ParseIP(ipRaw)`
			`if ipAddr == nil {`
			`return logical.ErrorResponse(fmt.Sprintf("Invalid IP '%s'", ipRaw)), nil`
			`}`
			`ip := ipAddr.String()`
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`ipMatched, err := cidrContainsIP(ip, role.CIDR)`
			`if err != nil {`
			`return logical.ErrorResponse(fmt.Sprintf("Error validating IP: %s", err)), nil`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
			`if !ipMatched {`
			`return logical.ErrorResponse(fmt.Sprintf("IP[%s] does not belong to role[%s]", ip, roleName)), nil`
			`}`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Fetch the host key to be used for dynamic key installation`
Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`keyEntry, err := req.Storage.Get(fmt.Sprintf("keys/%s", role.KeyName))`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`if err != nil {`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`return nil, fmt.Errorf("key '%s' not found error:%s", role.KeyName, err)`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`}`
			`var hostKey sshHostKey`
POC: Rework. Doing away with policy file. 2015-06-24 22:13:12 +00:00			`if err := keyEntry.DecodeJSON(&hostKey); err != nil {`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`return nil, fmt.Errorf("error reading the host key: %s", err)`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`}`

Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Generate RSA key pair`
Creating SSH keys and removal of files in pure 'go' 2015-06-26 18:08:03 +00:00			`dynamicPublicKey, dynamicPrivateKey, _ := generateRSAKeys()`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Transfer the public key to target machine`
			`err = uploadPublicKeyScp(dynamicPublicKey, username, ip, hostKey.Key)`
Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			`if err != nil {`
			`return nil, err`
			`}`
SCP in pure GO and CIDR parsing fix 2015-06-29 15:49:34 +00:00
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Add the public key to authorized_keys file in target machine`
			`err = installPublicKeyInTarget(username, ip, hostKey.Key)`
Refactoring changes 2015-06-30 02:00:08 +00:00			`if err != nil {`
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`return nil, fmt.Errorf("error adding public key to authorized_keys file in target")`
SCP in pure GO and CIDR parsing fix 2015-06-29 15:49:34 +00:00			`}`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00
lease handling fix 2015-07-01 00:21:41 +00:00			`result := b.Secret(SecretOneTimeKeyType).Response(map[string]interface{}{`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`"key": dynamicPrivateKey,`
			`}, map[string]interface{}{`
			`"username": username,`
			`"ip": ip,`
			`"host_key_name": role.KeyName,`
			`"dynamic_public_key": dynamicPublicKey,`
lease handling fix 2015-07-01 00:21:41 +00:00			`})`
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00
			`// Change the lease information to reflect user's choice`
lease handling fix 2015-07-01 00:21:41 +00:00			`lease, _ := b.Lease(req.Storage)`
			`if lease != nil {`
			`result.Secret.Lease = lease.Lease`
			`result.Secret.LeaseGracePeriod = lease.LeaseMax`
			`}`
			`return result, nil`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`

			`type sshCIDR struct {`
			`CIDR []string`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`}`

Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			const pathRoleCreateHelpSyn = `
			`Creates a dynamic key for the target machine.`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`

Input validations, help strings, default_user support 2015-06-30 20:30:13 +00:00			const pathRoleCreateHelpDesc = `
			`This path will generates a new key for establishing SSH session with`
			`target host. Previously registered shared key belonging to target`
			`infrastructure will be used to install the new key at the target. If`
			`this backend is mounted at 'ssh', then "ssh/creds/role" would generate`
			`a dynamic key for 'web' role.`

			`The dynamic keys will have a lease associated with them. The access`
			`keys can be revoked by using the lease ID.`
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 16:39:49 +00:00			`