open-vault/builtin/logical/ssh/path_roles.go

822 lines
31 KiB
Go
Raw Normal View History

package ssh
import (
"context"
"fmt"
"strings"
"time"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/sdk/framework"
2019-04-12 22:03:59 +00:00
"github.com/hashicorp/vault/sdk/helper/cidrutil"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
"golang.org/x/crypto/ssh"
)
const (
// KeyTypeOTP is an key of type OTP
KeyTypeOTP = "otp"
// KeyTypeDynamic is dynamic key type
KeyTypeDynamic = "dynamic"
// KeyTypeCA is an key of type CA
KeyTypeCA = "ca"
// Present version of the sshRole struct; when adding a new field or are
// needing to perform a migration, increment this struct and read the note
// in checkUpgrade(...).
roleEntryVersion = 1
)
// Structure that represents a role in SSH backend. This is a common role structure
// for both OTP and Dynamic roles. Not all the fields are mandatory for both type.
// Some are applicable for one and not for other. It doesn't matter.
type sshRole struct {
KeyType string `mapstructure:"key_type" json:"key_type"`
KeyName string `mapstructure:"key" json:"key"`
KeyBits int `mapstructure:"key_bits" json:"key_bits"`
AdminUser string `mapstructure:"admin_user" json:"admin_user"`
DefaultUser string `mapstructure:"default_user" json:"default_user"`
CIDRList string `mapstructure:"cidr_list" json:"cidr_list"`
ExcludeCIDRList string `mapstructure:"exclude_cidr_list" json:"exclude_cidr_list"`
Port int `mapstructure:"port" json:"port"`
InstallScript string `mapstructure:"install_script" json:"install_script"`
AllowedUsers string `mapstructure:"allowed_users" json:"allowed_users"`
AllowedUsersTemplate bool `mapstructure:"allowed_users_template" json:"allowed_users_template"`
AllowedDomains string `mapstructure:"allowed_domains" json:"allowed_domains"`
KeyOptionSpecs string `mapstructure:"key_option_specs" json:"key_option_specs"`
MaxTTL string `mapstructure:"max_ttl" json:"max_ttl"`
TTL string `mapstructure:"ttl" json:"ttl"`
DefaultCriticalOptions map[string]string `mapstructure:"default_critical_options" json:"default_critical_options"`
DefaultExtensions map[string]string `mapstructure:"default_extensions" json:"default_extensions"`
DefaultExtensionsTemplate bool `mapstructure:"default_extensions_template" json:"default_extensions_template"`
AllowedCriticalOptions string `mapstructure:"allowed_critical_options" json:"allowed_critical_options"`
AllowedExtensions string `mapstructure:"allowed_extensions" json:"allowed_extensions"`
AllowUserCertificates bool `mapstructure:"allow_user_certificates" json:"allow_user_certificates"`
AllowHostCertificates bool `mapstructure:"allow_host_certificates" json:"allow_host_certificates"`
AllowBareDomains bool `mapstructure:"allow_bare_domains" json:"allow_bare_domains"`
AllowSubdomains bool `mapstructure:"allow_subdomains" json:"allow_subdomains"`
AllowUserKeyIDs bool `mapstructure:"allow_user_key_ids" json:"allow_user_key_ids"`
KeyIDFormat string `mapstructure:"key_id_format" json:"key_id_format"`
OldAllowedUserKeyLengths map[string]int `mapstructure:"allowed_user_key_lengths" json:"allowed_user_key_lengths,omitempty"`
AllowedUserKeyTypesLengths map[string][]int `mapstructure:"allowed_user_key_types_lengths" json:"allowed_user_key_types_lengths"`
AlgorithmSigner string `mapstructure:"algorithm_signer" json:"algorithm_signer"`
Version int `mapstructure:"role_version" json:"role_version"`
}
2015-07-29 18:21:36 +00:00
2016-01-28 17:48:00 +00:00
func pathListRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/?$",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathRoleList,
},
HelpSynopsis: pathRoleHelpSyn,
HelpDescription: pathRoleHelpDesc,
}
}
func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/" + framework.GenericNameWithAtRegex("role"),
Fields: map[string]*framework.FieldSchema{
"role": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Required for all types]
Name of the role being created.`,
},
"key": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type]
Name of the registered key in Vault. Before creating the role, use the
'keys/' endpoint to create a named key.`,
},
"admin_user": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Required for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type]
Admin user at remote host. The shared key being registered should be
for this user and should have root privileges. Everytime a dynamic
credential is being generated for other users, Vault uses this admin
username to login to remote host and install the generated credential
for the other user.`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "Admin Username",
},
},
"default_user": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Required for Dynamic type] [Required for OTP type] [Optional for CA type]
Default username for which a credential will be generated.
When the endpoint 'creds/' is used without a username, this
value will be used as default username.`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "Default Username",
},
},
"cidr_list": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type]
Comma separated list of CIDR blocks for which the role is applicable for.
CIDR blocks can belong to more than one role.`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "CIDR List",
},
},
"exclude_cidr_list": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type]
Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not
accepted by the role. This is particularly useful when big CIDR blocks are being used
by the role and certain parts of it needs to be kept out.`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "Exclude CIDR List",
},
},
"port": {
Type: framework.TypeInt,
Description: `
2016-12-26 14:03:27 +00:00
[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type]
2015-08-13 23:55:47 +00:00
Port number for SSH connection. Default is '22'. Port number does not
play any role in creation of OTP. For 'otp' type, this is just a way
to inform client about the port number to use. Port number will be
returned to client by Vault server along with OTP.`,
DisplayAttrs: &framework.DisplayAttributes{
Value: 22,
},
},
"key_type": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Required for all types]
Type of key used to login to hosts. It can be either 'otp', 'dynamic' or 'ca'.
'otp' type requires agent to be installed in remote hosts.`,
2019-02-20 20:12:21 +00:00
AllowedValues: []interface{}{"otp", "dynamic", "ca"},
DisplayAttrs: &framework.DisplayAttributes{
Value: "ca",
},
2015-07-22 18:15:19 +00:00
},
"key_bits": {
Type: framework.TypeInt,
Description: `
2016-12-26 14:03:27 +00:00
[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type]
Length of the RSA dynamic key in bits. It is 1024 by default or it can be 2048.`,
2015-07-29 18:21:36 +00:00
},
"install_script": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Optional for Dynamic type] [Not-applicable for OTP type] [Not applicable for CA type]
Script used to install and uninstall public keys in the target machine.
The inbuilt default install script will be for Linux hosts. For sample
script, refer the project documentation website.`,
},
"allowed_users": {
Type: framework.TypeString,
Description: `
[Optional for all types] [Works differently for CA type]
If this option is not specified, or is '*', client can request a
credential for any valid user at the remote host, including the
admin user. If only certain usernames are to be allowed, then
this list enforces it. If this field is set, then credentials
can only be created for default_user and usernames present in
this list. Setting this option will enable all the users with
access to this role to fetch credentials for all other usernames
in this list. Use with caution. N.B.: with the CA type, an empty
list means that no users are allowed; explicitly specify '*' to
allow any user.
`,
},
"allowed_users_template": {
Type: framework.TypeBool,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, Allowed users can be specified using identity template policies.
Non-templated users are also permitted.
`,
Default: false,
},
"allowed_domains": {
Type: framework.TypeString,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If this option is not specified, client can request for a signed certificate for any
valid host. If only certain domains are allowed, then this list enforces it.
`,
},
"key_option_specs": {
Type: framework.TypeString,
Description: `
2016-12-26 14:03:27 +00:00
[Optional for Dynamic type] [Not applicable for OTP type] [Not applicable for CA type]
Comma separated option specifications which will be prefixed to RSA key in
authorized_keys file. Options should be valid and comply with authorized_keys
file format and should not contain spaces.
`,
},
"ttl": {
Type: framework.TypeDurationSecond,
2016-12-26 14:03:27 +00:00
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
The lease duration if no specific lease duration is
requested. The lease duration controls the expiration
of certificates issued by this backend. Defaults to
the value of max_ttl.`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "TTL",
},
2016-12-26 14:03:27 +00:00
},
"max_ttl": {
Type: framework.TypeDurationSecond,
2016-12-26 14:03:27 +00:00
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
The maximum allowed lease duration
`,
DisplayAttrs: &framework.DisplayAttributes{
UI - add kmip engine (#6936) * add kmip engine * adjust where kmip engine is mounted and sketch out routes * add secret mount path service to share params to engines * move list-controller and list-route mixins to core addon and adjust imports * properly link kmip secrets from the secrets list page * tweak routes and add list controllers * stub out some models and adapters * fix mixin exports * move a bunch of components into the core addon * use new empty yield in list-view in the namespace template * scopes list using list-view and list-item components * simplify and flatten routes, templates for all of the list pages * role show route and template and scope create template * add ember-router-helpers * add more packages to the dependencies of the core addon * add field-group-show component for listing fields from a model * move more components to the shared addon * make configure and configuration routes work and save a generated model * save and list scopes * role create, list, read * list credentials properly * move allowed attributes to field group * show allowed operations on role details page * add kmip logo to mount secrets engine list page * add role edit page * show all model attributes on role show page * enable role edit * fix newFields error by creating open api role model on the role list route * only show selected fields on role edit page * do not send scope and backend attrs to api * move path-or-array to core addon * move string-list component to core addon * remove extra top border when there is only one field group * add icons for all of the list pages * update kmip config model so defaultValue doesn't error * generate credentials * credential create and show * only show kmip when feature is enabled * fix saving of TTL fields generated from Open API * move masked-input and list-pagination components to core addon * add param on edit form to allow for calling onSave after render happens * polish credential show page and redirect there after generating credentials * add externalLink for kmip engine * add kmip-breadcrumb component * use kmip-breadcrumb component * add linkPrefix param to linked-block component to allow for routing programmatically inside an engine * redirect to the right place when enabling kmip * fix linting * review feedback * update signature for path-help usage * fix ttl field expansion test * remove role filed from role form, fix generate redirect * remove field-group-show because it's in the core addon * remove bottom rule from show pages * fix Max TTL displayAttrs for ssh role * update edit-form to take fields or attrs * fix linting * remove listenAddrs and set default val on ttl if a val is passed in
2019-06-21 21:05:45 +00:00
Name: "Max TTL",
},
2016-12-26 14:03:27 +00:00
},
"allowed_critical_options": {
2016-12-26 14:03:27 +00:00
Type: framework.TypeString,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
A comma-separated list of critical options that certificates can have when signed.
To allow any critical options, set this to an empty string.
`,
2016-12-26 14:03:27 +00:00
},
"allowed_extensions": {
2016-12-26 14:03:27 +00:00
Type: framework.TypeString,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
A comma-separated list of extensions that certificates can have when signed.
An empty list means that no extension overrides are allowed by an end-user; explicitly
specify '*' to allow any extensions to be set.
2016-12-26 14:03:27 +00:00
`,
},
"default_critical_options": {
Type: framework.TypeMap,
2016-12-26 14:03:27 +00:00
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type]
[Optional for CA type] Critical options certificates should
have if none are provided when signing. This field takes in key
value pairs in JSON format. Note that these are not restricted
by "allowed_critical_options". Defaults to none.
`,
2016-12-26 14:03:27 +00:00
},
"default_extensions": {
Type: framework.TypeMap,
2016-12-26 14:03:27 +00:00
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type]
[Optional for CA type] Extensions certificates should have if
none are provided when signing. This field takes in key value
pairs in JSON format. Note that these are not restricted by
"allowed_extensions". Defaults to none.
2016-12-26 14:03:27 +00:00
`,
},
"default_extensions_template": {
Type: framework.TypeBool,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, Default extension values can be specified using identity template policies.
Non-templated extension values are also permitted.
`,
Default: false,
},
"allow_user_certificates": {
Type: framework.TypeBool,
2016-12-26 14:03:27 +00:00
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, certificates are allowed to be signed for use as a 'user'.
`,
2019-02-20 20:12:21 +00:00
Default: false,
2016-12-26 14:03:27 +00:00
},
"allow_host_certificates": {
Type: framework.TypeBool,
2016-12-26 14:03:27 +00:00
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, certificates are allowed to be signed for use as a 'host'.
`,
2019-02-20 20:12:21 +00:00
Default: false,
2016-12-26 14:03:27 +00:00
},
"allow_bare_domains": {
2016-12-26 14:03:27 +00:00
Type: framework.TypeBool,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, host certificates that are requested are allowed to use the base domains listed in
"allowed_domains", e.g. "example.com".
2016-12-26 14:03:27 +00:00
This is a separate option as in some cases this can be considered a security threat.
`,
},
"allow_subdomains": {
Type: framework.TypeBool,
2016-12-26 14:03:27 +00:00
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, host certificates that are requested are allowed to use subdomains of those listed in "allowed_domains".
2016-12-26 14:03:27 +00:00
`,
},
"allow_user_key_ids": {
Type: framework.TypeBool,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If true, users can override the key ID for a signed certificate with the "key_id" field.
When false, the key ID will always be the token display name.
The key ID is logged by the SSH server and can be useful for auditing.
`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "Allow User Key IDs",
},
},
"key_id_format": {
Type: framework.TypeString,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
When supplied, this value specifies a custom format for the key id of a signed certificate.
2018-03-20 18:54:10 +00:00
The following variables are available for use: '{{token_display_name}}' - The display name of
the token used to make the request. '{{role_name}}' - The name of the role signing the request.
'{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.
`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "Key ID Format",
},
},
"allowed_user_key_lengths": {
Type: framework.TypeMap,
Description: `
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, allows the enforcement of key types and minimum key sizes to be signed.
`,
},
"algorithm_signer": {
Type: framework.TypeString,
Description: `
When supplied, this value specifies a signing algorithm for the key. Possible values:
ssh-rsa, rsa-sha2-256, rsa-sha2-512.
`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "Signing Algorithm",
},
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathRoleRead,
2016-01-28 17:48:00 +00:00
logical.UpdateOperation: b.pathRoleWrite,
logical.DeleteOperation: b.pathRoleDelete,
},
HelpSynopsis: pathRoleHelpSyn,
HelpDescription: pathRoleHelpDesc,
}
}
func (b *backend) pathRoleWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
roleName := d.Get("role").(string)
2015-07-22 18:15:19 +00:00
if roleName == "" {
2016-09-19 18:40:43 +00:00
return logical.ErrorResponse("missing role name"), nil
2015-07-22 18:15:19 +00:00
}
2015-07-27 17:02:31 +00:00
2015-08-19 02:00:27 +00:00
// Allowed users is an optional field, applicable for both OTP and Dynamic types.
allowedUsers := d.Get("allowed_users").(string)
2016-09-19 18:40:43 +00:00
// Validate the CIDR blocks
2015-08-13 15:46:55 +00:00
cidrList := d.Get("cidr_list").(string)
2016-09-22 15:37:55 +00:00
if cidrList != "" {
valid, err := cidrutil.ValidateCIDRListString(cidrList, ",")
if err != nil {
return nil, fmt.Errorf("failed to validate cidr_list: %w", err)
2016-09-22 15:37:55 +00:00
}
if !valid {
return logical.ErrorResponse("failed to validate cidr_list"), nil
}
2015-07-22 18:15:19 +00:00
}
2016-09-19 18:40:43 +00:00
// Validate the excluded CIDR blocks
excludeCidrList := d.Get("exclude_cidr_list").(string)
2016-09-22 15:37:55 +00:00
if excludeCidrList != "" {
valid, err := cidrutil.ValidateCIDRListString(excludeCidrList, ",")
if err != nil {
return nil, fmt.Errorf("failed to validate exclude_cidr_list entry: %w", err)
2016-09-22 15:37:55 +00:00
}
if !valid {
return logical.ErrorResponse(fmt.Sprintf("failed to validate exclude_cidr_list entry: %v", err)), nil
}
2015-07-22 18:15:19 +00:00
}
2015-07-27 17:02:31 +00:00
2015-08-13 15:46:55 +00:00
port := d.Get("port").(int)
if port == 0 {
port = 22
2015-07-22 18:15:19 +00:00
}
2015-07-27 17:02:31 +00:00
2015-07-29 18:21:36 +00:00
keyType := d.Get("key_type").(string)
if keyType == "" {
2016-09-19 18:40:43 +00:00
return logical.ErrorResponse("missing key type"), nil
2015-07-22 18:15:19 +00:00
}
2015-07-29 18:21:36 +00:00
keyType = strings.ToLower(keyType)
2015-07-22 18:15:19 +00:00
var roleEntry sshRole
2015-07-29 18:21:36 +00:00
if keyType == KeyTypeOTP {
2016-12-26 14:03:27 +00:00
defaultUser := d.Get("default_user").(string)
if defaultUser == "" {
return logical.ErrorResponse("missing default user"), nil
}
// Admin user is not used if OTP key type is used because there is
// no need to login to remote machine.
2015-07-29 18:21:36 +00:00
adminUser := d.Get("admin_user").(string)
if adminUser != "" {
2016-09-19 18:40:43 +00:00
return logical.ErrorResponse("admin user not required for OTP type"), nil
2015-07-29 18:21:36 +00:00
}
2015-07-22 18:15:19 +00:00
// Below are the only fields used from the role structure for OTP type.
roleEntry = sshRole{
DefaultUser: defaultUser,
CIDRList: cidrList,
ExcludeCIDRList: excludeCidrList,
KeyType: KeyTypeOTP,
Port: port,
AllowedUsers: allowedUsers,
Version: roleEntryVersion,
}
2015-07-29 18:21:36 +00:00
} else if keyType == KeyTypeDynamic {
2016-12-26 14:03:27 +00:00
defaultUser := d.Get("default_user").(string)
if defaultUser == "" {
return logical.ErrorResponse("missing default user"), nil
}
// Key name is required by dynamic type and not by OTP type.
2015-07-29 18:21:36 +00:00
keyName := d.Get("key").(string)
if keyName == "" {
2016-09-19 18:40:43 +00:00
return logical.ErrorResponse("missing key name"), nil
2015-07-29 18:21:36 +00:00
}
keyEntry, err := req.Storage.Get(ctx, fmt.Sprintf("keys/%s", keyName))
2015-07-29 18:21:36 +00:00
if err != nil || keyEntry == nil {
return logical.ErrorResponse(fmt.Sprintf("invalid 'key': %q", keyName)), nil
2015-07-29 18:21:36 +00:00
}
2015-07-27 17:02:31 +00:00
installScript := d.Get("install_script").(string)
keyOptionSpecs := d.Get("key_option_specs").(string)
// Setting the default script here. The script will install the
// generated public key in the authorized_keys file of linux host.
if installScript == "" {
installScript = DefaultPublicKeyInstallScript
}
2015-07-29 18:21:36 +00:00
adminUser := d.Get("admin_user").(string)
if adminUser == "" {
2016-09-19 18:40:43 +00:00
return logical.ErrorResponse("missing admin username"), nil
2015-07-29 18:21:36 +00:00
}
2015-07-27 17:02:31 +00:00
// This defaults to 2048, but it can also be 1024, 3072, 4096, or 8192.
// In the near future, we should disallow 1024-bit SSH keys.
keyBits := d.Get("key_bits").(int)
if keyBits == 0 {
keyBits = 2048
2015-07-29 18:21:36 +00:00
}
if keyBits != 1024 && keyBits != 2048 && keyBits != 3072 && keyBits != 4096 && keyBits != 8192 {
return logical.ErrorResponse("invalid key_bits field"), nil
}
2015-07-27 17:02:31 +00:00
// Store all the fields required by dynamic key type
roleEntry = sshRole{
KeyName: keyName,
AdminUser: adminUser,
DefaultUser: defaultUser,
CIDRList: cidrList,
ExcludeCIDRList: excludeCidrList,
Port: port,
KeyType: KeyTypeDynamic,
KeyBits: keyBits,
InstallScript: installScript,
AllowedUsers: allowedUsers,
KeyOptionSpecs: keyOptionSpecs,
Version: roleEntryVersion,
}
2016-12-26 14:03:27 +00:00
} else if keyType == KeyTypeCA {
algorithmSigner := ""
algorithmSignerRaw, ok := d.GetOk("algorithm_signer")
if ok {
algorithmSigner = algorithmSignerRaw.(string)
switch algorithmSigner {
case ssh.SigAlgoRSA, ssh.SigAlgoRSASHA2256, ssh.SigAlgoRSASHA2512:
case "":
// This case is valid, and the sign operation will use the signer's
// default algorithm.
default:
return nil, fmt.Errorf("unknown algorithm signer %q", algorithmSigner)
}
}
role, errorResponse := b.createCARole(allowedUsers, d.Get("default_user").(string), algorithmSigner, d)
2016-12-26 14:03:27 +00:00
if errorResponse != nil {
return errorResponse, nil
}
roleEntry = *role
2015-07-29 18:21:36 +00:00
} else {
2016-09-19 18:40:43 +00:00
return logical.ErrorResponse("invalid key type"), nil
}
entry, err := logical.StorageEntryJSON(fmt.Sprintf("roles/%s", roleName), roleEntry)
if err != nil {
return nil, err
}
if err := req.Storage.Put(ctx, entry); err != nil {
return nil, err
}
return nil, nil
}
func (b *backend) createCARole(allowedUsers, defaultUser, signer string, data *framework.FieldData) (*sshRole, *logical.Response) {
ttl := time.Duration(data.Get("ttl").(int)) * time.Second
maxTTL := time.Duration(data.Get("max_ttl").(int)) * time.Second
2016-12-26 14:03:27 +00:00
role := &sshRole{
AllowedCriticalOptions: data.Get("allowed_critical_options").(string),
AllowedExtensions: data.Get("allowed_extensions").(string),
AllowUserCertificates: data.Get("allow_user_certificates").(bool),
AllowHostCertificates: data.Get("allow_host_certificates").(bool),
AllowedUsers: allowedUsers,
AllowedUsersTemplate: data.Get("allowed_users_template").(bool),
AllowedDomains: data.Get("allowed_domains").(string),
DefaultUser: defaultUser,
AllowBareDomains: data.Get("allow_bare_domains").(bool),
AllowSubdomains: data.Get("allow_subdomains").(bool),
AllowUserKeyIDs: data.Get("allow_user_key_ids").(bool),
DefaultExtensionsTemplate: data.Get("default_extensions_template").(bool),
KeyIDFormat: data.Get("key_id_format").(string),
KeyType: KeyTypeCA,
AlgorithmSigner: signer,
Version: roleEntryVersion,
2016-12-26 14:03:27 +00:00
}
if !role.AllowUserCertificates && !role.AllowHostCertificates {
return nil, logical.ErrorResponse("Either 'allow_user_certificates' or 'allow_host_certificates' must be set to 'true'")
}
2016-12-26 14:03:27 +00:00
defaultCriticalOptions := convertMapToStringValue(data.Get("default_critical_options").(map[string]interface{}))
defaultExtensions := convertMapToStringValue(data.Get("default_extensions").(map[string]interface{}))
allowedUserKeyLengths, err := convertMapToIntSlice(data.Get("allowed_user_key_lengths").(map[string]interface{}))
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("error processing allowed_user_key_lengths: %s", err.Error()))
}
2016-12-26 14:03:27 +00:00
if ttl != 0 && maxTTL != 0 && ttl > maxTTL {
return nil, logical.ErrorResponse(
`"ttl" value must be less than "max_ttl" when both are specified`)
2016-12-26 14:03:27 +00:00
}
// Persist TTLs
2016-12-26 14:03:27 +00:00
role.TTL = ttl.String()
role.MaxTTL = maxTTL.String()
role.DefaultCriticalOptions = defaultCriticalOptions
role.DefaultExtensions = defaultExtensions
role.AllowedUserKeyTypesLengths = allowedUserKeyLengths
2016-12-26 14:03:27 +00:00
return role, nil
}
func (b *backend) getRole(ctx context.Context, s logical.Storage, n string) (*sshRole, error) {
entry, err := s.Get(ctx, "roles/"+n)
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
2015-07-27 17:02:31 +00:00
var result sshRole
if err := entry.DecodeJSON(&result); err != nil {
2015-07-02 21:23:09 +00:00
return nil, err
}
2015-07-27 17:02:31 +00:00
if err := b.checkUpgrade(ctx, s, n, &result); err != nil {
return nil, err
}
return &result, nil
}
func (b *backend) checkUpgrade(ctx context.Context, s logical.Storage, n string, result *sshRole) error {
modified := false
// NOTE: When introducing a new migration, increment roleEntryVersion and
// check if the version is less than the version this change was introduced
// at and perform the change. At the end, set modified and update the
// version to the version this migration was introduced at! Additionally,
// add new migrations after all existing migrations.
//
// Otherwise, past or future migrations may not execute!
if result.Version == roleEntryVersion {
return nil
}
// Role version introduced at version 1, migrating OldAllowedUserKeyLengths
// to the newer AllowedUserKeyTypesLengths field.
if result.Version < 1 {
// Only migrate if we have old data and no new data to avoid clobbering.
//
// This change introduced the first role version, value of 1.
if len(result.OldAllowedUserKeyLengths) > 0 && len(result.AllowedUserKeyTypesLengths) == 0 {
result.AllowedUserKeyTypesLengths = make(map[string][]int)
for k, v := range result.OldAllowedUserKeyLengths {
result.AllowedUserKeyTypesLengths[k] = []int{v}
}
result.OldAllowedUserKeyLengths = nil
}
result.Version = 1
modified = true
}
// Add new migrations just before here.
//
// Condition copied from PKI builtin.
if modified && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary)) {
jsonEntry, err := logical.StorageEntryJSON("roles/"+n, &result)
if err != nil {
return err
}
if err := s.Put(ctx, jsonEntry); err != nil {
// Only perform upgrades on replication primary
if !strings.Contains(err.Error(), logical.ErrReadOnly.Error()) {
return err
}
}
}
return nil
}
// parseRole converts a sshRole object into its map[string]interface representation,
2018-03-20 18:54:10 +00:00
// with appropriate values for each KeyType. If the KeyType is invalid, it will return
// an error.
func (b *backend) parseRole(role *sshRole) (map[string]interface{}, error) {
var result map[string]interface{}
switch role.KeyType {
case KeyTypeOTP:
result = map[string]interface{}{
"default_user": role.DefaultUser,
"cidr_list": role.CIDRList,
"exclude_cidr_list": role.ExcludeCIDRList,
"key_type": role.KeyType,
"port": role.Port,
"allowed_users": role.AllowedUsers,
}
case KeyTypeCA:
ttl, err := parseutil.ParseDurationSecond(role.TTL)
if err != nil {
return nil, err
}
maxTTL, err := parseutil.ParseDurationSecond(role.MaxTTL)
if err != nil {
return nil, err
}
result = map[string]interface{}{
"allowed_users": role.AllowedUsers,
"allowed_users_template": role.AllowedUsersTemplate,
"allowed_domains": role.AllowedDomains,
"default_user": role.DefaultUser,
"ttl": int64(ttl.Seconds()),
"max_ttl": int64(maxTTL.Seconds()),
"allowed_critical_options": role.AllowedCriticalOptions,
"allowed_extensions": role.AllowedExtensions,
"allow_user_certificates": role.AllowUserCertificates,
"allow_host_certificates": role.AllowHostCertificates,
"allow_bare_domains": role.AllowBareDomains,
"allow_subdomains": role.AllowSubdomains,
"allow_user_key_ids": role.AllowUserKeyIDs,
"key_id_format": role.KeyIDFormat,
"key_type": role.KeyType,
"key_bits": role.KeyBits,
"default_critical_options": role.DefaultCriticalOptions,
"default_extensions": role.DefaultExtensions,
"default_extensions_template": role.DefaultExtensionsTemplate,
"allowed_user_key_lengths": role.AllowedUserKeyTypesLengths,
"algorithm_signer": role.AlgorithmSigner,
}
case KeyTypeDynamic:
result = map[string]interface{}{
"key": role.KeyName,
"admin_user": role.AdminUser,
"default_user": role.DefaultUser,
"cidr_list": role.CIDRList,
"exclude_cidr_list": role.ExcludeCIDRList,
"port": role.Port,
"key_type": role.KeyType,
"key_bits": role.KeyBits,
"allowed_users": role.AllowedUsers,
"key_option_specs": role.KeyOptionSpecs,
// Returning install script will make the output look messy.
// But this is one way for clients to see the script that is
// being used to install the key. If there is some problem,
// the script can be modified and configured by clients.
"install_script": role.InstallScript,
}
default:
return nil, fmt.Errorf("invalid key type: %v", role.KeyType)
}
return result, nil
}
func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
entries, err := req.Storage.List(ctx, "roles/")
2016-01-28 17:48:00 +00:00
if err != nil {
return nil, err
}
keyInfo := map[string]interface{}{}
for _, entry := range entries {
role, err := b.getRole(ctx, req.Storage, entry)
if err != nil {
// On error, log warning and continue
if b.Logger().IsWarn() {
b.Logger().Warn("error getting role info", "role", entry, "error", err)
}
continue
}
if role == nil {
// On empty role, log warning and continue
if b.Logger().IsWarn() {
b.Logger().Warn("no role info found", "role", entry)
}
continue
}
roleInfo, err := b.parseRole(role)
if err != nil {
if b.Logger().IsWarn() {
b.Logger().Warn("error parsing role info", "role", entry, "error", err)
}
continue
}
if keyType, ok := roleInfo["key_type"]; ok {
keyInfo[entry] = map[string]interface{}{
"key_type": keyType,
}
}
}
return logical.ListResponseWithInfo(entries, keyInfo), nil
2016-01-28 17:48:00 +00:00
}
func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
role, err := b.getRole(ctx, req.Storage, d.Get("role").(string))
if err != nil {
return nil, err
}
if role == nil {
return nil, nil
}
roleInfo, err := b.parseRole(role)
if err != nil {
return nil, err
2015-07-31 17:24:23 +00:00
}
return &logical.Response{
Data: roleInfo,
}, nil
}
func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
roleName := d.Get("role").(string)
// If the role was given privilege to accept any IP address, there will
// be an entry for this role in zero-address roles list. Before the role
// is removed, the entry in the list has to be removed.
err := b.removeZeroAddressRole(ctx, req.Storage, roleName)
if err != nil {
return nil, err
}
err = req.Storage.Delete(ctx, fmt.Sprintf("roles/%s", roleName))
if err != nil {
return nil, err
}
return nil, nil
}
const pathRoleHelpSyn = `
Manage the 'roles' that can be created with this backend.
`
const pathRoleHelpDesc = `
This path allows you to manage the roles that are used to generate credentials.
Role takes a 'key_type' parameter that decides what type of credential this role
can generate. If remote hosts have Vault SSH Agent installed, an 'otp' type can
be used, otherwise 'dynamic' type can be used.
If the backend is mounted at "ssh" and the role is created at "ssh/roles/web",
then a user could request for a credential at "ssh/creds/web" for an IP that
belongs to the role. The credential will be for the 'default_user' registered
with the role. There is also an optional parameter 'username' for 'creds/' endpoint.
`