2015-04-24 17:31:57 +00:00
package cert
import (
2018-01-08 18:31:38 +00:00
"context"
2016-02-29 15:40:15 +00:00
"crypto/x509"
2015-10-06 01:10:20 +00:00
"fmt"
2015-04-24 17:31:57 +00:00
"strings"
2015-04-24 19:58:39 +00:00
"time"
2015-04-24 17:31:57 +00:00
2018-05-09 22:39:55 +00:00
"github.com/hashicorp/go-sockaddr"
2016-04-06 00:30:38 +00:00
"github.com/hashicorp/vault/helper/policyutil"
2015-04-24 17:31:57 +00:00
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
2016-03-15 18:07:40 +00:00
func pathListCerts ( b * backend ) * framework . Path {
return & framework . Path {
Pattern : "certs/?" ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . ListOperation : b . pathCertList ,
} ,
HelpSynopsis : pathCertHelpSyn ,
HelpDescription : pathCertHelpDesc ,
}
}
2015-04-24 17:31:57 +00:00
func pathCerts ( b * backend ) * framework . Path {
return & framework . Path {
2015-08-21 07:56:13 +00:00
Pattern : "certs/" + framework . GenericNameRegex ( "name" ) ,
2015-04-24 17:31:57 +00:00
Fields : map [ string ] * framework . FieldSchema {
"name" : & framework . FieldSchema {
Type : framework . TypeString ,
Description : "The name of the certificate" ,
} ,
"certificate" : & framework . FieldSchema {
2015-09-18 18:01:28 +00:00
Type : framework . TypeString ,
Description : ` The public certificate that should be trusted .
Must be x509 PEM encoded . ` ,
2015-04-24 17:31:57 +00:00
} ,
2017-04-30 15:37:10 +00:00
"allowed_names" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated list of names .
At least one must exist in either the Common Name or SANs . Supports globbing . ` ,
} ,
2017-12-18 17:53:44 +00:00
"required_extensions" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` A comma - separated string or array of extensions
formatted as "oid:value" . Expects the extension value to be some type of ASN1 encoded string .
All values much match . Supports globbing on "value" . ` ,
} ,
2015-04-24 17:31:57 +00:00
"display_name" : & framework . FieldSchema {
2015-09-18 18:01:28 +00:00
Type : framework . TypeString ,
Description : ` The display name to use for clients using this
certificate . ` ,
2015-04-24 17:31:57 +00:00
} ,
"policies" : & framework . FieldSchema {
2017-09-13 15:36:52 +00:00
Type : framework . TypeCommaStringSlice ,
2018-02-06 18:35:01 +00:00
Description : "Comma-separated list of policies." ,
2015-04-24 17:31:57 +00:00
} ,
2015-04-24 19:58:39 +00:00
"lease" : & framework . FieldSchema {
2015-09-18 18:01:28 +00:00
Type : framework . TypeInt ,
Description : ` Deprecated : use "ttl" instead . TTL time in
seconds . Defaults to system / backend default TTL . ` ,
} ,
"ttl" : & framework . FieldSchema {
2015-10-30 21:45:01 +00:00
Type : framework . TypeDurationSecond ,
2015-10-06 01:10:20 +00:00
Description : ` TTL for tokens issued by this backend .
Defaults to system / backend default TTL time . ` ,
2015-04-24 19:58:39 +00:00
} ,
2017-12-18 20:29:45 +00:00
"max_ttl" : & framework . FieldSchema {
Type : framework . TypeDurationSecond ,
Description : ` Duration in either an integer number of seconds ( 3600 ) or
2018-02-06 18:35:01 +00:00
an integer time unit ( 60 m ) after which the
2017-12-18 20:29:45 +00:00
issued token can no longer be renewed . ` ,
} ,
"period" : & framework . FieldSchema {
Type : framework . TypeDurationSecond ,
Description : ` If set , indicates that the token generated using this role
should never expire . The token should be renewed within the
duration specified by this value . At each renewal , the token ' s
TTL will be set to the value of this parameter . ` ,
} ,
2018-05-09 22:39:55 +00:00
"bound_cidrs" : & framework . FieldSchema {
Type : framework . TypeCommaStringSlice ,
Description : ` Comma separated string or list of CIDR blocks . If set , specifies the blocks of
IP addresses which can perform the login operation . ` ,
} ,
2015-04-24 17:31:57 +00:00
} ,
Callbacks : map [ logical . Operation ] framework . OperationFunc {
logical . DeleteOperation : b . pathCertDelete ,
logical . ReadOperation : b . pathCertRead ,
2016-02-29 15:40:15 +00:00
logical . UpdateOperation : b . pathCertWrite ,
2015-04-24 17:31:57 +00:00
} ,
HelpSynopsis : pathCertHelpSyn ,
HelpDescription : pathCertHelpDesc ,
}
}
2018-01-19 06:44:44 +00:00
func ( b * backend ) Cert ( ctx context . Context , s logical . Storage , n string ) ( * CertEntry , error ) {
entry , err := s . Get ( ctx , "cert/" + strings . ToLower ( n ) )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
if entry == nil {
return nil , nil
}
var result CertEntry
if err := entry . DecodeJSON ( & result ) ; err != nil {
return nil , err
}
return & result , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertDelete ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2018-01-19 06:44:44 +00:00
err := req . Storage . Delete ( ctx , "cert/" + strings . ToLower ( d . Get ( "name" ) . ( string ) ) )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
return nil , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertList ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2018-01-19 06:44:44 +00:00
certs , err := req . Storage . List ( ctx , "cert/" )
2016-03-15 18:07:40 +00:00
if err != nil {
return nil , err
}
return logical . ListResponse ( certs ) , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertRead ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2018-01-19 06:44:44 +00:00
cert , err := b . Cert ( ctx , req . Storage , strings . ToLower ( d . Get ( "name" ) . ( string ) ) )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
if cert == nil {
return nil , nil
}
return & logical . Response {
Data : map [ string ] interface { } {
2018-01-16 18:41:58 +00:00
"certificate" : cert . Certificate ,
"display_name" : cert . DisplayName ,
"policies" : cert . Policies ,
"ttl" : cert . TTL / time . Second ,
"max_ttl" : cert . MaxTTL / time . Second ,
"period" : cert . Period / time . Second ,
"allowed_names" : cert . AllowedNames ,
2015-04-24 17:31:57 +00:00
} ,
} , nil
}
2018-01-08 18:31:38 +00:00
func ( b * backend ) pathCertWrite ( ctx context . Context , req * logical . Request , d * framework . FieldData ) ( * logical . Response , error ) {
2015-04-24 17:31:57 +00:00
name := strings . ToLower ( d . Get ( "name" ) . ( string ) )
certificate := d . Get ( "certificate" ) . ( string )
displayName := d . Get ( "display_name" ) . ( string )
2017-09-13 15:36:52 +00:00
policies := policyutil . ParsePolicies ( d . Get ( "policies" ) )
2017-04-30 15:37:10 +00:00
allowedNames := d . Get ( "allowed_names" ) . ( [ ] string )
2017-12-18 17:53:44 +00:00
requiredExtensions := d . Get ( "required_extensions" ) . ( [ ] string )
2015-04-24 17:31:57 +00:00
2017-12-18 20:29:45 +00:00
var resp logical . Response
// Parse the ttl (or lease duration)
systemDefaultTTL := b . System ( ) . DefaultLeaseTTL ( )
ttl := time . Duration ( d . Get ( "ttl" ) . ( int ) ) * time . Second
if ttl == 0 {
ttl = time . Duration ( d . Get ( "lease" ) . ( int ) ) * time . Second
}
if ttl > systemDefaultTTL {
resp . AddWarning ( fmt . Sprintf ( "Given ttl of %d seconds is greater than current mount/system default of %d seconds" , ttl / time . Second , systemDefaultTTL / time . Second ) )
}
if ttl < time . Duration ( 0 ) {
return logical . ErrorResponse ( "ttl cannot be negative" ) , nil
}
// Parse max_ttl
systemMaxTTL := b . System ( ) . MaxLeaseTTL ( )
maxTTL := time . Duration ( d . Get ( "max_ttl" ) . ( int ) ) * time . Second
if maxTTL > systemMaxTTL {
resp . AddWarning ( fmt . Sprintf ( "Given max_ttl of %d seconds is greater than current mount/system default of %d seconds" , maxTTL / time . Second , systemMaxTTL / time . Second ) )
}
if maxTTL < time . Duration ( 0 ) {
return logical . ErrorResponse ( "max_ttl cannot be negative" ) , nil
}
if maxTTL != 0 && ttl > maxTTL {
return logical . ErrorResponse ( "ttl should be shorter than max_ttl" ) , nil
}
// Parse period
period := time . Duration ( d . Get ( "period" ) . ( int ) ) * time . Second
if period > systemMaxTTL {
resp . AddWarning ( fmt . Sprintf ( "Given period of %d seconds is greater than the backend's maximum TTL of %d seconds" , period / time . Second , systemMaxTTL / time . Second ) )
}
if period < time . Duration ( 0 ) {
return logical . ErrorResponse ( "period cannot be negative" ) , nil
}
2015-04-24 17:52:17 +00:00
// Default the display name to the certificate name if not given
if displayName == "" {
displayName = name
}
2015-04-24 17:39:44 +00:00
parsed := parsePEM ( [ ] byte ( certificate ) )
if len ( parsed ) == 0 {
return logical . ErrorResponse ( "failed to parse certificate" ) , nil
}
2016-02-29 15:40:15 +00:00
// If the certificate is not a CA cert, then ensure that x509.ExtKeyUsageClientAuth is set
2016-02-29 23:29:41 +00:00
if ! parsed [ 0 ] . IsCA && parsed [ 0 ] . ExtKeyUsage != nil {
2016-02-29 21:02:19 +00:00
var clientAuth bool
2016-02-29 15:40:15 +00:00
for _ , usage := range parsed [ 0 ] . ExtKeyUsage {
2016-03-01 15:24:22 +00:00
if usage == x509 . ExtKeyUsageClientAuth || usage == x509 . ExtKeyUsageAny {
2016-02-29 15:40:15 +00:00
clientAuth = true
2016-03-01 15:24:22 +00:00
break
2016-02-29 15:40:15 +00:00
}
}
if ! clientAuth {
2016-02-29 23:29:41 +00:00
return logical . ErrorResponse ( "non-CA certificates should have TLS client authentication set as an extended key usage" ) , nil
2016-02-29 15:40:15 +00:00
}
}
2018-05-09 22:39:55 +00:00
var parsedCIDRs [ ] * sockaddr . SockAddrMarshaler
for _ , v := range d . Get ( "bound_cidrs" ) . ( [ ] string ) {
parsedCIDR , err := sockaddr . NewSockAddr ( v )
if err != nil {
if b . Logger ( ) . IsDebug ( ) {
b . Logger ( ) . Debug ( fmt . Sprintf ( "unable to parse %s as a cidr: %s" , v , err ) )
}
return logical . ErrorResponse ( fmt . Sprintf ( "unable to parse %s as a cidr" , v ) ) , logical . ErrInvalidRequest
}
parsedCIDRs = append ( parsedCIDRs , & sockaddr . SockAddrMarshaler { parsedCIDR } )
}
2015-10-06 01:10:20 +00:00
certEntry := & CertEntry {
2017-12-18 17:53:44 +00:00
Name : name ,
Certificate : certificate ,
DisplayName : displayName ,
Policies : policies ,
AllowedNames : allowedNames ,
RequiredExtensions : requiredExtensions ,
2017-12-18 20:29:45 +00:00
TTL : ttl ,
MaxTTL : maxTTL ,
Period : period ,
2018-05-09 22:39:55 +00:00
BoundCIDRs : parsedCIDRs ,
2015-04-24 19:58:39 +00:00
}
2015-04-24 17:31:57 +00:00
// Store it
2015-10-06 01:10:20 +00:00
entry , err := logical . StorageEntryJSON ( "cert/" + name , certEntry )
2015-04-24 17:31:57 +00:00
if err != nil {
return nil , err
}
2018-01-19 06:44:44 +00:00
if err := req . Storage . Put ( ctx , entry ) ; err != nil {
2015-04-24 17:31:57 +00:00
return nil , err
}
2017-12-18 20:29:45 +00:00
if len ( resp . Warnings ) == 0 {
return nil , nil
}
return & resp , nil
2015-04-24 17:31:57 +00:00
}
type CertEntry struct {
2017-12-18 17:53:44 +00:00
Name string
Certificate string
DisplayName string
Policies [ ] string
TTL time . Duration
2017-12-18 20:29:45 +00:00
MaxTTL time . Duration
Period time . Duration
2017-12-18 17:53:44 +00:00
AllowedNames [ ] string
RequiredExtensions [ ] string
2018-05-09 22:39:55 +00:00
BoundCIDRs [ ] * sockaddr . SockAddrMarshaler
2015-04-24 17:31:57 +00:00
}
const pathCertHelpSyn = `
Manage trusted certificates used for authentication .
`
const pathCertHelpDesc = `
This endpoint allows you to create , read , update , and delete trusted certificates
that are allowed to authenticate .
Deleting a certificate will not revoke auth for prior authenticated connections .
To do this , do a revoke on "login" . If you don ' t need to revoke login immediately ,
then the next renew will cause the lease to expire .
`