package logical
|
|
|
|
|
2017-02-16 18:37:21 +00:00
|
|
|
import (
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
2017-03-16 00:14:48 +00:00
|
|
|
"errors"
|
2020-05-27 18:28:00 +00:00
|
|
|
"fmt"
|
|
|
|
"io"
|
2017-02-16 18:37:21 +00:00
|
|
|
"time"
|
|
|
|
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/consts"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/license"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/pluginutil"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/wrapping"
|
2017-02-16 18:37:21 +00:00
|
|
|
)
|
2015-08-27 15:51:35 +00:00
|
|
|
|
2015-08-27 17:36:44 +00:00
|
|
|
// SystemView exposes system configuration information in a safe way
// for logical backends to consume. Core hands a backend an implementation
// of this interface instead of direct access to its own state, so
// everything here is read-only from the backend's point of view.
type SystemView interface {
	// DefaultLeaseTTL returns the default lease TTL set in Vault
	// configuration; use it when a request does not specify its own TTL.
	DefaultLeaseTTL() time.Duration

	// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
	// authors should take care not to issue credentials that last longer than
	// this value, as Vault will revoke them. Treat it as a hard ceiling when
	// clamping caller-supplied TTLs.
	MaxLeaseTTL() time.Duration

	// Tainted returns true if the mount is tainted. A mount is tainted if it is
	// in the process of being unmounted. This should only be used in special
	// circumstances; a primary use-case is as a guard in revocation functions.
	// If revocation of a backend's leases fails it can keep the unmounting
	// process from being successful. If the reason for this failure is not
	// relevant when the mount is tainted (for instance, saving a CRL to disk
	// when the stored CRL will be removed during the unmounting process
	// anyway), the backend can ignore the errors to allow unmounting to
	// complete. Use it to skip side effects the unmount will discard, not to
	// skip the revocation itself.
	Tainted() bool

	// CachingDisabled returns true if caching is disabled. If true, no caches
	// should be used, despite known slowdowns.
	CachingDisabled() bool

	// LocalMount, when run from a system view attached to a request, indicates
	// whether the request is affecting a local mount or not.
	LocalMount() bool

	// ReplicationState indicates the state of cluster replication for the
	// node serving this view.
	ReplicationState() consts.ReplicationState

	// HasFeature returns true if the feature is currently enabled (licensed)
	// on this Vault instance.
	HasFeature(feature license.Features) bool

	// ResponseWrapData wraps the given data in a cubbyhole and returns the
	// token used to unwrap. ttl bounds the lifetime of that wrapping token;
	// jwt selects the JWT form of the token (the exact encoding is defined by
	// core, not by this interface).
	ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)

	// LookupPlugin looks into the plugin catalog for a plugin with the given
	// name and type. Returns a PluginRunner or an error if a plugin can not be
	// found. Only plugins registered in the catalog can be returned.
	LookupPlugin(context.Context, string, consts.PluginType) (*pluginutil.PluginRunner, error)

	// MlockEnabled returns the configuration setting for enabling mlock on
	// plugins. With mlock the plugin's memory is kept from being swapped to
	// disk, where secrets held in process could otherwise end up.
	MlockEnabled() bool

	// EntityInfo returns a subset of information related to the identity
	// entity for the given entity id.
	EntityInfo(entityID string) (*Entity, error)

	// GroupsForEntity returns the group membership information for the
	// provided entity id.
	GroupsForEntity(entityID string) ([]*Group, error)

	// PluginEnv returns Vault environment information used by plugins.
	PluginEnv(context.Context) (*PluginEnvironment, error)

	// GeneratePasswordFromPolicy generates a password from the policy
	// referenced by name. If the policy does not exist, this will return an
	// error.
	GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)
}
|
|
|
|
|
|
|
|
// PasswordPolicy produces passwords that satisfy a configured policy.
type PasswordPolicy interface {
	// Generate returns a random password, drawing its randomness from the
	// supplied reader. Callers are expected to pass a cryptographically
	// secure source (e.g. crypto/rand.Reader); a predictable reader yields
	// predictable passwords.
	Generate(context.Context, io.Reader) (string, error)
}
|
|
|
|
|
2019-05-22 22:52:53 +00:00
|
|
|
// ExtendedSystemView adds capabilities on top of SystemView that need more
// than static configuration to answer. A backend should type-assert its
// SystemView to this interface and handle the failure case. Note that
// StaticSystemView satisfies it only with stubs: an auditor that discards
// everything and a ForwardGenericRequest that always errors.
type ExtendedSystemView interface {
	// Auditor returns the audit sink for this mount.
	Auditor() Auditor

	// ForwardGenericRequest hands the request off for handling elsewhere
	// (presumably another node in the cluster -- confirm against core) and
	// returns the response it produced.
	ForwardGenericRequest(context.Context, *Request) (*Response, error)
}
|
|
|
|
|
2020-06-17 20:24:38 +00:00
|
|
|
// PasswordGenerator is what StaticSystemView stores per policy name: a
// parameterless function returning a fresh password or an error. Unlike
// PasswordPolicy.Generate it receives no context and no randomness source,
// so the generator itself is responsible for being a secure source.
type PasswordGenerator func() (password string, err error)
|
|
|
|
|
2015-08-27 18:25:07 +00:00
|
|
|
// StaticSystemView is a SystemView (and ExtendedSystemView) whose every
// answer is a fixed value taken from its fields. It exists for tests and for
// running backends outside a Vault core; nothing in it consults live state.
// In particular its Auditor discards every audit event and its SudoPrivilege
// ignores the path and token it is given, so it must not be wired into a
// production request path.
type StaticSystemView struct {
	// DefaultLeaseTTLVal is returned by DefaultLeaseTTL.
	DefaultLeaseTTLVal time.Duration
	// MaxLeaseTTLVal is returned by MaxLeaseTTL.
	MaxLeaseTTLVal time.Duration
	// SudoPrivilegeVal is returned by SudoPrivilege for every path and token.
	SudoPrivilegeVal bool
	// TaintedVal is returned by Tainted.
	TaintedVal bool
	// CachingDisabledVal is returned by CachingDisabled.
	CachingDisabledVal bool
	// Primary is not read by any method in this file.
	Primary bool
	// EnableMlock is returned by MlockEnabled.
	EnableMlock bool
	// LocalMountVal is returned by LocalMount.
	LocalMountVal bool
	// ReplicationStateVal is returned by ReplicationState.
	ReplicationStateVal consts.ReplicationState
	// EntityVal is returned by EntityInfo regardless of the entity id asked for.
	EntityVal *Entity
	// GroupsVal is returned by GroupsForEntity regardless of the entity id asked for.
	GroupsVal []*Group
	// Features backs HasFeature.
	Features license.Features
	// VaultVersion is not read by any method in this file.
	VaultVersion string
	// PluginEnvironment is returned by PluginEnv.
	PluginEnvironment *PluginEnvironment
	// PasswordPolicies maps a policy name to the generator that
	// GeneratePasswordFromPolicy calls. Populate it with SetPasswordPolicy,
	// which allocates the map on first use; a nil map means no policies.
	PasswordPolicies map[string]PasswordGenerator
}
|
|
|
|
|
2019-05-22 22:52:53 +00:00
|
|
|
// noopAuditor implements Auditor by accepting and discarding every request
// and response record. It backs StaticSystemView.Auditor only; never use it
// where an audit trail is a requirement.
type noopAuditor struct{}
|
|
|
|
|
|
|
|
// AuditRequest drops the request record and reports success. Nothing is
// written anywhere; callers get no signal that the event was lost.
func (noopAuditor) AuditRequest(_ context.Context, _ *LogInput) error {
	return nil
}
|
|
|
|
|
|
|
|
// AuditResponse drops the response record and reports success, mirroring
// AuditRequest.
func (noopAuditor) AuditResponse(_ context.Context, _ *LogInput) error {
	return nil
}
|
|
|
|
|
|
|
|
// Auditor satisfies ExtendedSystemView with a sink that records nothing.
// Any audit expectations in code exercised against a StaticSystemView are
// therefore untested by construction.
func (d StaticSystemView) Auditor() Auditor {
	var sink noopAuditor
	return sink
}
|
|
|
|
|
2019-06-11 21:07:04 +00:00
|
|
|
// ForwardGenericRequest satisfies ExtendedSystemView but has nowhere to
// forward to: it never inspects req and always returns a nil response with a
// fixed error.
func (d StaticSystemView) ForwardGenericRequest(ctx context.Context, req *Request) (*Response, error) {
	err := errors.New("ForwardGenericRequest is not implemented in StaticSystemView")
	return nil, err
}
|
|
|
|
|
2015-09-10 19:09:34 +00:00
|
|
|
// DefaultLeaseTTL returns the fixed DefaultLeaseTTLVal; the zero value of
// the struct yields a TTL of 0.
func (d StaticSystemView) DefaultLeaseTTL() time.Duration {
	ttl := d.DefaultLeaseTTLVal
	return ttl
}
|
|
|
|
|
2015-09-10 19:09:34 +00:00
|
|
|
// MaxLeaseTTL returns the fixed MaxLeaseTTLVal. It is not reconciled with
// DefaultLeaseTTLVal, so a test may configure a default above the maximum.
func (d StaticSystemView) MaxLeaseTTL() time.Duration {
	maxTTL := d.MaxLeaseTTLVal
	return maxTTL
}
|
2015-09-18 23:59:06 +00:00
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
// SudoPrivilege reports the fixed SudoPrivilegeVal. The path and token are
// ignored entirely -- no policy is evaluated -- so a view with this set to
// true grants sudo to every caller on every path. Test use only.
func (d StaticSystemView) SudoPrivilege(_ context.Context, path, token string) bool {
	return d.SudoPrivilegeVal
}
|
2016-01-22 22:01:22 +00:00
|
|
|
|
|
|
|
// Tainted returns the fixed TaintedVal; it never changes during an unmount
// because nothing here tracks one.
func (d StaticSystemView) Tainted() bool {
	tainted := d.TaintedVal
	return tainted
}
|
2016-04-21 13:52:42 +00:00
|
|
|
|
2016-04-21 20:32:06 +00:00
|
|
|
// CachingDisabled returns the fixed CachingDisabledVal.
func (d StaticSystemView) CachingDisabled() bool {
	disabled := d.CachingDisabledVal
	return disabled
}
|
2017-01-07 23:18:22 +00:00
|
|
|
|
2018-02-02 23:17:12 +00:00
|
|
|
// LocalMount returns the fixed LocalMountVal; there is no request attached
// to a static view, so this is whatever the test configured.
func (d StaticSystemView) LocalMount() bool {
	local := d.LocalMountVal
	return local
}
|
|
|
|
|
2017-02-16 18:37:21 +00:00
|
|
|
// ReplicationState returns the fixed ReplicationStateVal; a zero-valued
// view reports the zero consts.ReplicationState.
func (d StaticSystemView) ReplicationState() consts.ReplicationState {
	state := d.ReplicationStateVal
	return state
}
|
2017-03-16 00:14:48 +00:00
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
// ResponseWrapData cannot mint wrapping tokens without a core, so it ignores
// its arguments and always fails with a fixed error. Nothing in data is
// retained or logged.
func (d StaticSystemView) ResponseWrapData(_ context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
	err := errors.New("ResponseWrapData is not implemented in StaticSystemView")
	return nil, err
}
|
2017-04-04 00:52:29 +00:00
|
|
|
|
2018-11-07 01:21:24 +00:00
|
|
|
// LookupPlugin has no plugin catalog to consult and always fails with a
// fixed error; no plugin is ever resolved or started from a static view.
func (d StaticSystemView) LookupPlugin(_ context.Context, _ string, _ consts.PluginType) (*pluginutil.PluginRunner, error) {
	err := errors.New("LookupPlugin is not implemented in StaticSystemView")
	return nil, err
}
|
2017-04-11 00:12:52 +00:00
|
|
|
|
2017-04-24 19:21:49 +00:00
|
|
|
// MlockEnabled returns the fixed EnableMlock flag. Note the field name
// differs from the other *Val fields.
func (d StaticSystemView) MlockEnabled() bool {
	enabled := d.EnableMlock
	return enabled
}
|
2018-06-04 00:48:12 +00:00
|
|
|
|
|
|
|
// EntityInfo returns the fixed EntityVal for any entity id, including an
// empty one; the id is never checked against the entity, and the error is
// always nil. EntityVal may be nil if the test did not set it.
func (d StaticSystemView) EntityInfo(entityID string) (*Entity, error) {
	entity := d.EntityVal
	return entity, nil
}
|
2018-08-03 16:32:17 +00:00
|
|
|
|
2020-01-06 18:16:52 +00:00
|
|
|
// GroupsForEntity returns the fixed GroupsVal for any entity id; the id is
// not consulted and the error is always nil. The slice is returned as-is,
// so callers share its backing array with the view.
func (d StaticSystemView) GroupsForEntity(entityID string) ([]*Group, error) {
	groups := d.GroupsVal
	return groups, nil
}
|
|
|
|
|
2018-09-18 03:03:00 +00:00
|
|
|
// HasFeature delegates to the configured Features bit set; with the zero
// value no feature is reported as enabled.
func (d StaticSystemView) HasFeature(feature license.Features) bool {
	features := d.Features
	return features.HasFeature(feature)
}
|
|
|
|
|
2018-08-03 16:32:17 +00:00
|
|
|
// PluginEnv returns the fixed PluginEnvironment pointer (possibly nil) and
// never an error.
func (d StaticSystemView) PluginEnv(_ context.Context) (*PluginEnvironment, error) {
	env := d.PluginEnvironment
	return env, nil
}
|
2020-05-27 18:28:00 +00:00
|
|
|
|
|
|
|
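// GeneratePasswordFromPolicy generates a password from the named policy
// using the generators registered via SetPasswordPolicy.
//
// It returns an error, without calling any generator, when ctx is already
// done (wrapping ctx.Err(), so a cancel is distinguishable from a timeout),
// when no policy with that name is registered (a nil PasswordPolicies map
// counts as having no policies) or when the registered generator is nil,
// which would otherwise panic. Otherwise the result is whatever the
// generator returns; this view adds no randomness or strength checks of its
// own, so the generator must itself be a suitable source.
func (d StaticSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) {
	// ctx.Err() is non-nil exactly when ctx.Done() is closed, and unlike
	// the old fixed "timed out" message it reports the real cause.
	if ctxErr := ctx.Err(); ctxErr != nil {
		return "", fmt.Errorf("context done before generating password: %w", ctxErr)
	}

	// Indexing a nil map is safe and yields exists == false, so a nil
	// PasswordPolicies needs no separate check.
	policy, exists := d.PasswordPolicies[policyName]
	if !exists {
		return "", fmt.Errorf("password policy not found")
	}
	// SetPasswordPolicy does not reject a nil generator; calling one panics.
	if policy == nil {
		return "", fmt.Errorf("password policy %q has no generator", policyName)
	}

	return policy()
}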
|
2020-06-11 22:08:20 +00:00
|
|
|
|
2020-06-17 20:24:38 +00:00
|
|
|
// SetPasswordPolicy registers generator under name so that
// GeneratePasswordFromPolicy can find it, replacing any generator already
// stored under that name. The map is created on first use, which is why this
// method takes a pointer receiver. A nil generator is stored as given.
func (d *StaticSystemView) SetPasswordPolicy(name string, generator PasswordGenerator) {
	policies := d.PasswordPolicies
	if policies == nil {
		policies = make(map[string]PasswordGenerator)
		d.PasswordPolicies = policies
	}
	policies[name] = generator
}
|
|
|
|
|
|
|
|
// DeletePasswordPolicy removes the generator stored under name and reports
// whether one was present. On a nil or empty map it is a no-op that returns
// false.
func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool) {
	if _, existed = d.PasswordPolicies[name]; existed {
		delete(d.PasswordPolicies, name)
	}
	return existed
}
|