open-vault/sdk/framework/secret.go

package framework

import (
	"context"
	"time"

	"github.com/hashicorp/vault/sdk/logical"
)

// Secret is a type of secret that can be returned from a backend.
type Secret struct {
	// Type is the name of this secret type. This is used to setup the
	// vault ID and to look up the proper secret structure when revocation/
	// renewal happens. Once this is set this should not be changed.
	//
	// The format of this must match (case insensitive): ^a-Z0-9_$
	Type string

	// Fields is the mapping of data fields and schema that comprise
	// the structure of this secret.
	Fields map[string]*FieldSchema

	// DefaultDuration is the default value for the duration of the lease for
	// this secret. This can be manually overwritten with the result of
	// Response().
	//
	// If these aren't set, Vault core will set a default lease period which
	// may come from a mount tuning.
	DefaultDuration time.Duration

	// Renew is the callback called to renew this secret. If Renew is
	// not specified then renewable is set to false in the secret.
	// See lease.go for helpers for this value.
	Renew OperationFunc

	// Revoke is the callback called to revoke this secret. This is required.
	Revoke OperationFunc
}

func (s *Secret) Renewable() bool {
	return s.Renew != nil
}

func (s *Secret) Response(
	data, internal map[string]interface{}) *logical.Response {
	internalData := make(map[string]interface{})
	for k, v := range internal {
		internalData[k] = v
	}
	internalData["secret_type"] = s.Type

	return &logical.Response{
		Secret: &logical.Secret{
			LeaseOptions: logical.LeaseOptions{
				TTL:       s.DefaultDuration,
				Renewable: s.Renewable(),
			},
			InternalData: internalData,
		},

		Data: data,
	}
}

// HandleRenew is the request handler for renewing this secret.
func (s *Secret) HandleRenew(ctx context.Context, req *logical.Request) (*logical.Response, error) {
	if !s.Renewable() {
		return nil, logical.ErrUnsupportedOperation
	}

	data := &FieldData{
		Raw:    req.Data,
		Schema: s.Fields,
	}

	return s.Renew(ctx, req, data)
}

// HandleRevoke is the request handler for revoking this secret.
func (s *Secret) HandleRevoke(ctx context.Context, req *logical.Request) (*logical.Response, error) {
	data := &FieldData{
		Raw:    req.Data,
		Schema: s.Fields,
	}

	if s.Revoke != nil {
		return s.Revoke(ctx, req, data)
	}

	return nil, logical.ErrUnsupportedOperation
}
logical/framework: use custom request wrapper 2015-03-19 13:39:25 +00:00			`package framework`

logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`"time"`

Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`)`

logical/framework: use custom request wrapper 2015-03-19 13:39:25 +00:00			`// Secret is a type of secret that can be returned from a backend.`
			`type Secret struct {`
			`// Type is the name of this secret type. This is used to setup the`
			`// vault ID and to look up the proper secret structure when revocation/`
			`// renewal happens. Once this is set this should not be changed.`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`//`
			`// The format of this must match (case insensitive): ^a-Z0-9_$`
logical/framework: use custom request wrapper 2015-03-19 13:39:25 +00:00			`Type string`

			`// Fields is the mapping of data fields and schema that comprise`
			`// the structure of this secret.`
			`Fields map[string]*FieldSchema`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00
Remove grace periods 2016-02-01 00:33:16 +00:00			`// DefaultDuration is the default value for the duration of the lease for`
			`// this secret. This can be manually overwritten with the result of`
			`// Response().`
logical/framework: doc for defaultduration on secret 2015-04-14 00:05:32 +00:00			`//`
Remove grace periods 2016-02-01 00:33:16 +00:00			`// If these aren't set, Vault core will set a default lease period which`
			`// may come from a mount tuning.`
			`DefaultDuration time.Duration`
logical/framework: can specify renew/revoke functins for secret 2015-03-19 14:07:45 +00:00
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00			`// Renew is the callback called to renew this secret. If Renew is`
logical/framework: secret lease tests 2015-04-13 22:18:27 +00:00			`// not specified then renewable is set to false in the secret.`
			`// See lease.go for helpers for this value.`
			`Renew OperationFunc`
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00
			`// Revoke is the callback called to revoke this secret. This is required.`
logical/framework: can specify renew/revoke functins for secret 2015-03-19 14:07:45 +00:00			`Revoke OperationFunc`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`}`

logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00			`func (s *Secret) Renewable() bool {`
logical/framework: secret lease tests 2015-04-13 22:18:27 +00:00			`return s.Renew != nil`
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00			`}`

logical/framework: can specify InternalData for secret 2015-03-20 16:59:48 +00:00			`func (s *Secret) Response(`
			`data, internal map[string]interface{}) *logical.Response {`
			`internalData := make(map[string]interface{})`
			`for k, v := range internal {`
			`internalData[k] = v`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`}`
logical/framework: can specify InternalData for secret 2015-03-20 16:59:48 +00:00			`internalData["secret_type"] = s.Type`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00
			`return &logical.Response{`
vault: clean up VaultID duplications, make secret responses clearer /cc @armon - This is a reasonably major refactor that I think cleans up a lot of the logic with secrets in responses. The reason for the refactor is that while implementing Renew/Revoke in logical/framework I found the existing API to be really awkward to work with. Primarily, we needed a way to send down internal data for Vault core to store since not all the data you need to revoke a key is always sent down to the user (for example the user than AWS key belongs to). At first, I was doing this manually in logical/framework with req.Storage, but this is going to be such a common event that I think its something core should assist with. Additionally, I think the added context for secrets will be useful in the future when we have a Vault API for returning orphaned out keys: we can also return the internal data that might help an operator. So this leads me to this refactor. I've removed most of the fields in `logical.Response` and replaced it with a single `*Secret` pointer. If this is non-nil, then the response represents a secret. The Secret struct encapsulates all the lease info and such. It also has some fields on it that are only populated at _request_ time for Revoke/Renew operations. There is precedent for this sort of behavior in the Go stdlib where http.Request/http.Response have fields that differ based on client/server. I copied this style. All core unit tests pass. The APIs fail for obvious reasons but I'll fix that up in the next commit. 2015-03-19 22:11:42 +00:00			`Secret: &logical.Secret{`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`LeaseOptions: logical.LeaseOptions{`
Remove grace periods 2016-02-01 00:33:16 +00:00			`TTL: s.DefaultDuration,`
			`Renewable: s.Renewable(),`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`},`
			`InternalData: internalData,`
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`},`
vault: clean up VaultID duplications, make secret responses clearer /cc @armon - This is a reasonably major refactor that I think cleans up a lot of the logic with secrets in responses. The reason for the refactor is that while implementing Renew/Revoke in logical/framework I found the existing API to be really awkward to work with. Primarily, we needed a way to send down internal data for Vault core to store since not all the data you need to revoke a key is always sent down to the user (for example the user than AWS key belongs to). At first, I was doing this manually in logical/framework with req.Storage, but this is going to be such a common event that I think its something core should assist with. Additionally, I think the added context for secrets will be useful in the future when we have a Vault API for returning orphaned out keys: we can also return the internal data that might help an operator. So this leads me to this refactor. I've removed most of the fields in `logical.Response` and replaced it with a single `*Secret` pointer. If this is non-nil, then the response represents a secret. The Secret struct encapsulates all the lease info and such. It also has some fields on it that are only populated at _request_ time for Revoke/Renew operations. There is precedent for this sort of behavior in the Go stdlib where http.Request/http.Response have fields that differ based on client/server. I copied this style. All core unit tests pass. The APIs fail for obvious reasons but I'll fix that up in the next commit. 2015-03-19 22:11:42 +00:00
logical/framework: add methods to look up secret and gen response 2015-03-19 13:59:01 +00:00			`Data: data,`
vault: clean up VaultID duplications, make secret responses clearer /cc @armon - This is a reasonably major refactor that I think cleans up a lot of the logic with secrets in responses. The reason for the refactor is that while implementing Renew/Revoke in logical/framework I found the existing API to be really awkward to work with. Primarily, we needed a way to send down internal data for Vault core to store since not all the data you need to revoke a key is always sent down to the user (for example the user than AWS key belongs to). At first, I was doing this manually in logical/framework with req.Storage, but this is going to be such a common event that I think its something core should assist with. Additionally, I think the added context for secrets will be useful in the future when we have a Vault API for returning orphaned out keys: we can also return the internal data that might help an operator. So this leads me to this refactor. I've removed most of the fields in `logical.Response` and replaced it with a single `*Secret` pointer. If this is non-nil, then the response represents a secret. The Secret struct encapsulates all the lease info and such. It also has some fields on it that are only populated at _request_ time for Revoke/Renew operations. There is precedent for this sort of behavior in the Go stdlib where http.Request/http.Response have fields that differ based on client/server. I copied this style. All core unit tests pass. The APIs fail for obvious reasons but I'll fix that up in the next commit. 2015-03-19 22:11:42 +00:00			`}`
logical/framework: use custom request wrapper 2015-03-19 13:39:25 +00:00			`}`
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00
			`// HandleRenew is the request handler for renewing this secret.`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (s Secret) HandleRenew(ctx context.Context, req logical.Request) (*logical.Response, error) {`
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00			`if !s.Renewable() {`
			`return nil, logical.ErrUnsupportedOperation`
			`}`

			`data := &FieldData{`
			`Raw: req.Data,`
			`Schema: s.Fields,`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`return s.Renew(ctx, req, data)`
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00			`}`

Incredibly tiny comment fix on secret.go (#6078) 2019-01-21 21:57:39 +00:00			`// HandleRevoke is the request handler for revoking this secret.`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (s Secret) HandleRevoke(ctx context.Context, req logical.Request) (*logical.Response, error) {`
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00			`data := &FieldData{`
			`Raw: req.Data,`
			`Schema: s.Fields,`
			`}`

			`if s.Revoke != nil {`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`return s.Revoke(ctx, req, data)`
logical/framework: auto-extend leases if requested 2015-03-21 15:20:30 +00:00			`}`

			`return nil, logical.ErrUnsupportedOperation`
			`}`