open-vault/vault/dynamic_system_view.go

package vault

import (
	"fmt"
	"time"

	"github.com/hashicorp/vault/helper/consts"
	"github.com/hashicorp/vault/helper/pluginutil"
	"github.com/hashicorp/vault/helper/wrapping"
	"github.com/hashicorp/vault/logical"
)

type dynamicSystemView struct {
	core       *Core
	mountEntry *MountEntry
}

func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
	def, _ := d.fetchTTLs()
	return def
}

func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
	_, max := d.fetchTTLs()
	return max
}

func (d dynamicSystemView) SudoPrivilege(path string, token string) bool {
	// Resolve the token policy
	te, err := d.core.tokenStore.Lookup(token)
	if err != nil {
		d.core.logger.Error("core: failed to lookup token", "error", err)
		return false
	}

	// Ensure the token is valid
	if te == nil {
		d.core.logger.Error("entry not found for given token")
		return false
	}

	// Construct the corresponding ACL object
	acl, err := d.core.policyStore.ACL(te.Policies...)
	if err != nil {
		d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
		return false
	}

	// The operation type isn't important here as this is run from a path the
	// user has already been given access to; we only care about whether they
	// have sudo
	req := new(logical.Request)
	req.Operation = logical.ReadOperation
	req.Path = path
	_, rootPrivs := acl.AllowOperation(req)
	return rootPrivs
}

// TTLsByPath returns the default and max TTLs corresponding to a particular
// mount point, or the system default
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
	def = d.core.defaultLeaseTTL
	max = d.core.maxLeaseTTL

	if d.mountEntry.Config.DefaultLeaseTTL != 0 {
		def = d.mountEntry.Config.DefaultLeaseTTL
	}
	if d.mountEntry.Config.MaxLeaseTTL != 0 {
		max = d.mountEntry.Config.MaxLeaseTTL
	}

	return
}

// Tainted indicates that the mount is in the process of being removed
func (d dynamicSystemView) Tainted() bool {
	return d.mountEntry.Tainted
}

// CachingDisabled indicates whether to use caching behavior
func (d dynamicSystemView) CachingDisabled() bool {
	return d.core.cachingDisabled || (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)
}

// Checks if this is a primary Vault instance.
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
	var state consts.ReplicationState
	d.core.clusterParamsLock.RLock()
	state = d.core.replicationState
	d.core.clusterParamsLock.RUnlock()
	return state
}

// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
func (d dynamicSystemView) ResponseWrapData(data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
	req := &logical.Request{
		Operation: logical.CreateOperation,
		Path:      "sys/wrapping/wrap",
	}

	resp := &logical.Response{
		WrapInfo: &wrapping.ResponseWrapInfo{
			TTL: ttl,
		},
		Data: data,
	}

	if jwt {
		resp.WrapInfo.Format = "jwt"
	}

	_, err := d.core.wrapInCubbyhole(req, resp)
	if err != nil {
		return nil, err
	}

	return resp.WrapInfo, nil
}

// LookupPlugin looks for a plugin with the given name in the plugin catalog. It
// returns a PluginRunner or an error if no plugin was found.
func (d dynamicSystemView) LookupPlugin(name string) (*pluginutil.PluginRunner, error) {
	r, err := d.core.pluginCatalog.Get(name)
	if err != nil {
		return nil, err
	}
	if r == nil {
		return nil, fmt.Errorf("no plugin found with name: %s", name)
	}

	return r, nil
}

// MlockEnabled returns the configuration setting for enabling mlock on plugins.
func (d dynamicSystemView) MlockEnabled() bool {
	return d.core.enableMlock
}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`package vault`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`import (`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`"fmt"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`"time"`

Move ReplicationState to consts 2017-02-16 18:37:21 +00:00			`"github.com/hashicorp/vault/helper/consts"`
Plugin catalog 2017-04-04 00:52:29 +00:00			`"github.com/hashicorp/vault/helper/pluginutil"`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`"github.com/hashicorp/vault/helper/wrapping"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`"github.com/hashicorp/vault/logical"`
			`)`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00
			`type dynamicSystemView struct {`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`core *Core`
			`mountEntry *MountEntry`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {`
			`def, _ := d.fetchTTLs()`
			`return def`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) MaxLeaseTTL() time.Duration {`
			`_, max := d.fetchTTLs()`
			`return max`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`func (d dynamicSystemView) SudoPrivilege(path string, token string) bool {`
			`// Resolve the token policy`
			`te, err := d.core.tokenStore.Lookup(token)`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`if err != nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("core: failed to lookup token", "error", err)`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`return false`
			`}`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00
			`// Ensure the token is valid`
			`if te == nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("entry not found for given token")`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`return false`
			`}`

			`// Construct the corresponding ACL object`
Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 16:52:26 +00:00			`acl, err := d.core.policyStore.ACL(te.Policies...)`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`if err != nil {`
Convert to logxi 2016-08-19 20:45:17 +00:00			`d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)`
Take ClientToken instead of Policies 2015-09-21 14:04:03 +00:00			`return false`
			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`// The operation type isn't important here as this is run from a path the`
			`// user has already been given access to; we only care about whether they`
			`// have sudo`
Format dynamic_system_view.go 2017-01-20 00:54:08 +00:00			`req := new(logical.Request)`
			`req.Operation = logical.ReadOperation`
			`req.Path = path`
Changed AllowOperation to take logical.Request 2016-10-16 23:29:52 +00:00			`_, rootPrivs := acl.AllowOperation(req)`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`return rootPrivs`
TokenStore: Provide access based on sudo permissions and not policy name 2015-09-18 23:59:06 +00:00			`}`

Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`// TTLsByPath returns the default and max TTLs corresponding to a particular`
			`// mount point, or the system default`
Remove error returns from sysview TTL calls 2015-09-10 19:09:34 +00:00			`func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`def = d.core.defaultLeaseTTL`
			`max = d.core.maxLeaseTTL`

Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`if d.mountEntry.Config.DefaultLeaseTTL != 0 {`
			`def = d.mountEntry.Config.DefaultLeaseTTL`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`if d.mountEntry.Config.MaxLeaseTTL != 0 {`
			`max = d.mountEntry.Config.MaxLeaseTTL`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`}`

			`return`
			`}`
Allow backends to see taint status. This can be seen via System(). In the PKI backend, if the CA is reconfigured but not fully (e.g. an intermediate CSR is generated but no corresponding cert set) and there are already leases (issued certs), the CRL is unable to be built. As a result revocation fails. But in this case we don't actually need revocation to be successful since the CRL is useless after unmounting. By checking taint status we know if we can simply fast-path out of revocation with a success in this case. Fixes #946 2016-01-22 22:01:22 +00:00
			`// Tainted indicates that the mount is in the process of being removed`
			`func (d dynamicSystemView) Tainted() bool {`
			`return d.mountEntry.Tainted`
			`}`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`// CachingDisabled indicates whether to use caching behavior`
			`func (d dynamicSystemView) CachingDisabled() bool {`
Add option to disable caching per-backend. (#2455) 2017-03-08 14:20:09 +00:00			`return d.core.cachingDisabled \|\| (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`}`
Rejig dynamic system view to build without tags 2017-01-12 20:13:47 +00:00
			`// Checks if this is a primary Vault instance.`
Move ReplicationState to consts 2017-02-16 18:37:21 +00:00			`func (d dynamicSystemView) ReplicationState() consts.ReplicationState {`
			`var state consts.ReplicationState`
Port over some work to make the system views a bit nicer 2017-01-13 19:51:10 +00:00			`d.core.clusterParamsLock.RLock()`
			`state = d.core.replicationState`
			`d.core.clusterParamsLock.RUnlock()`
			`return state`
Rejig dynamic system view to build without tags 2017-01-12 20:13:47 +00:00			`}`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00
			`// ResponseWrapData wraps the given data in a cubbyhole and returns the`
			`// token used to unwrap.`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`func (d dynamicSystemView) ResponseWrapData(data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`req := &logical.Request{`
			`Operation: logical.CreateOperation,`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`Path: "sys/wrapping/wrap",`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`

			`resp := &logical.Response{`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`WrapInfo: &wrapping.ResponseWrapInfo{`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`TTL: ttl,`
			`},`
			`Data: data,`
			`}`

			`if jwt {`
			`resp.WrapInfo.Format = "jwt"`
			`}`

			`_, err := d.core.wrapInCubbyhole(req, resp)`
			`if err != nil {`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`return nil, err`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`

Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`return resp.WrapInfo, nil`
Work on TLS communication over plugins 2017-03-16 00:14:48 +00:00			`}`
Plugin catalog 2017-04-04 00:52:29 +00:00
Mlock the plugin process 2017-04-11 00:12:52 +00:00			`// LookupPlugin looks for a plugin with the given name in the plugin catalog. It`
			`// returns a PluginRunner or an error if no plugin was found.`
Plugin catalog 2017-04-04 00:52:29 +00:00			`func (d dynamicSystemView) LookupPlugin(name string) (*pluginutil.PluginRunner, error) {`
return a 404 when no plugin is found 2017-04-25 01:31:27 +00:00			`r, err := d.core.pluginCatalog.Get(name)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if r == nil {`
			`return nil, fmt.Errorf("no plugin found with name: %s", name)`
			`}`

			`return r, nil`
Plugin catalog 2017-04-04 00:52:29 +00:00			`}`
Mlock the plugin process 2017-04-11 00:12:52 +00:00
Change MlockDisabled to MlockEnabled 2017-04-24 19:21:49 +00:00			`// MlockEnabled returns the configuration setting for enabling mlock on plugins.`
			`func (d dynamicSystemView) MlockEnabled() bool {`
			`return d.core.enableMlock`
Mlock the plugin process 2017-04-11 00:12:52 +00:00			`}`