2016-12-19 18:15:58 +00:00
|
|
|
package database
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const SecretCredsType = "creds"
|
|
|
|
|
|
|
|
|
|
func secretCreds(b *databaseBackend) *framework.Secret {
|
|
|
|
|
return &framework.Secret{
|
2017-03-08 22:46:53 +00:00
|
|
|
Type: SecretCredsType,
|
|
|
|
|
Fields: map[string]*framework.FieldSchema{},
|
2016-12-19 18:15:58 +00:00
|
|
|
|
|
|
|
|
Renew: b.secretCredsRenew,
|
|
|
|
|
Revoke: b.secretCredsRevoke,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (b *databaseBackend) secretCredsRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
|
// Get the username from the internal data
|
|
|
|
|
usernameRaw, ok := req.Secret.InternalData["username"]
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, fmt.Errorf("secret is missing username internal data")
|
|
|
|
|
}
|
|
|
|
|
username, ok := usernameRaw.(string)
|
|
|
|
|
|
2016-12-20 19:46:20 +00:00
|
|
|
roleNameRaw, ok := req.Secret.InternalData["role"]
|
2016-12-19 18:15:58 +00:00
|
|
|
if !ok {
|
2017-03-28 18:30:45 +00:00
|
|
|
return nil, fmt.Errorf("could not find role with name: %s", req.Secret.InternalData["role"])
|
2016-12-19 18:15:58 +00:00
|
|
|
}
|
|
|
|
|
|
2016-12-20 19:46:20 +00:00
|
|
|
role, err := b.Role(req.Storage, roleNameRaw.(string))
|
2016-12-19 18:15:58 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2016-12-20 19:46:20 +00:00
|
|
|
if role == nil {
|
2017-03-28 18:30:45 +00:00
|
|
|
return nil, fmt.Errorf("could not find role with name: %s", req.Secret.InternalData["role"])
|
2016-12-19 18:15:58 +00:00
|
|
|
}
|
|
|
|
|
|
2016-12-20 19:46:20 +00:00
|
|
|
f := framework.LeaseExtend(role.DefaultTTL, role.MaxTTL, b.System())
|
2016-12-19 18:15:58 +00:00
|
|
|
resp, err := f(req, d)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-20 19:46:20 +00:00
|
|
|
// Grab the read lock
|
2017-03-28 18:30:45 +00:00
|
|
|
b.Lock()
|
|
|
|
|
defer b.Unlock()
|
2016-12-20 19:46:20 +00:00
|
|
|
|
|
|
|
|
// Get our connection
|
2017-03-28 18:30:45 +00:00
|
|
|
db, err := b.getOrCreateDBObj(req.Storage, role.DBName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not find connection with name %s, got err: %s", role.DBName, err)
|
2016-12-20 19:46:20 +00:00
|
|
|
}
|
|
|
|
|
|
2016-12-19 18:15:58 +00:00
|
|
|
// Make sure we increase the VALID UNTIL endpoint for this user.
|
|
|
|
|
if expireTime := resp.Secret.ExpirationTime(); !expireTime.IsZero() {
|
2017-04-10 19:24:16 +00:00
|
|
|
err := db.RenewUser(role.Statements, username, expireTime)
|
2016-12-19 18:15:58 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return resp, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (b *databaseBackend) secretCredsRevoke(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
|
// Get the username from the internal data
|
|
|
|
|
usernameRaw, ok := req.Secret.InternalData["username"]
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, fmt.Errorf("secret is missing username internal data")
|
|
|
|
|
}
|
|
|
|
|
username, ok := usernameRaw.(string)
|
|
|
|
|
|
|
|
|
|
var resp *logical.Response
|
|
|
|
|
|
|
|
|
|
roleNameRaw, ok := req.Secret.InternalData["role"]
|
|
|
|
|
if !ok {
|
2017-04-07 22:50:03 +00:00
|
|
|
return nil, fmt.Errorf("no role name was provided")
|
2016-12-19 18:15:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
role, err := b.Role(req.Storage, roleNameRaw.(string))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if role == nil {
|
2017-03-28 18:30:45 +00:00
|
|
|
return nil, fmt.Errorf("could not find role with name: %s", req.Secret.InternalData["role"])
|
2016-12-19 18:15:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* TODO: think about how to handle this case.
|
|
|
|
|
if !ok {
|
|
|
|
|
role, err := b.Role(req.Storage, roleNameRaw.(string))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if role == nil {
|
|
|
|
|
if resp == nil {
|
|
|
|
|
resp = &logical.Response{}
|
|
|
|
|
}
|
|
|
|
|
resp.AddWarning(fmt.Sprintf("Role %q cannot be found. Using default revocation SQL.", roleNameRaw.(string)))
|
|
|
|
|
} else {
|
|
|
|
|
revocationSQL = role.RevocationStatement
|
|
|
|
|
}
|
|
|
|
|
}*/
|
|
|
|
|
|
|
|
|
|
// Grab the read lock
|
2017-03-28 18:30:45 +00:00
|
|
|
b.Lock()
|
|
|
|
|
defer b.Unlock()
|
2016-12-19 18:15:58 +00:00
|
|
|
|
|
|
|
|
// Get our connection
|
2017-03-28 18:30:45 +00:00
|
|
|
db, err := b.getOrCreateDBObj(req.Storage, role.DBName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not find database with name: %s, got error: %s", role.DBName, err)
|
2016-12-19 18:15:58 +00:00
|
|
|
}
|
|
|
|
|
|
2017-03-08 01:21:44 +00:00
|
|
|
err = db.RevokeUser(role.Statements, username)
|
2016-12-20 19:46:20 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2016-12-19 18:15:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return resp, nil
|
|
|
|
|
}
|
