2015-03-30 21:23:32 +00:00
|
|
|
package logical
|
|
|
|
|
2016-05-30 18:30:01 +00:00
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"time"
|
2018-05-09 22:39:55 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/go-sockaddr"
|
2016-05-30 18:30:01 +00:00
|
|
|
)
|
2015-04-01 22:08:43 +00:00
|
|
|
|
2015-03-30 21:23:32 +00:00
|
|
|
// Auth is the resulting authentication information that is part of
|
|
|
|
// Response for credential backends.
|
|
|
|
type Auth struct {
|
2015-04-09 19:14:04 +00:00
|
|
|
LeaseOptions
|
2015-03-31 03:26:39 +00:00
|
|
|
|
2015-05-09 18:39:54 +00:00
|
|
|
// InternalData is JSON-encodable data that is stored with the auth struct.
|
|
|
|
// This will be sent back during a Renew/Revoke for storing internal data
|
|
|
|
// used for those operations.
|
2016-05-30 18:30:01 +00:00
|
|
|
InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`
|
2015-05-09 18:39:54 +00:00
|
|
|
|
2015-04-15 20:56:42 +00:00
|
|
|
// DisplayName is a non-security sensitive identifier that is
|
|
|
|
// applicable to this Auth. It is used for logging and prefixing
|
|
|
|
// of dynamic secrets. For example, DisplayName may be "armon" for
|
|
|
|
// the github credential backend. If the client token is used to
|
|
|
|
// generate a SQL credential, the user may be "github-armon-uuid".
|
|
|
|
// This is to help identify the source without using audit tables.
|
2016-05-30 18:30:01 +00:00
|
|
|
DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`
|
2015-04-15 20:56:42 +00:00
|
|
|
|
2015-03-30 21:23:32 +00:00
|
|
|
// Policies is the list of policies that the authenticated user
|
|
|
|
// is associated with.
|
2016-05-30 18:30:01 +00:00
|
|
|
Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`
|
2015-03-30 21:23:32 +00:00
|
|
|
|
2018-06-14 13:49:33 +00:00
|
|
|
// TokenPolicies and IdentityPolicies break down the list in Policies to
|
|
|
|
// help determine where a policy was sourced
|
|
|
|
TokenPolicies []string `json:"token_policies" mapstructure:"token_policies" structs:"token_policies"`
|
|
|
|
IdentityPolicies []string `json:"identity_policies" mapstructure:"identity_policies" structs:"identity_policies"`
|
|
|
|
|
2018-09-18 03:03:00 +00:00
|
|
|
// ExternalNamespacePolicies represent the policies authorized from
|
|
|
|
// different namespaces indexed by respective namespace identifiers
|
|
|
|
ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`
|
|
|
|
|
2015-03-30 21:23:32 +00:00
|
|
|
// Metadata is used to attach arbitrary string-type metadata to
|
|
|
|
// an authenticated user. This metadata will be outputted into the
|
|
|
|
// audit log.
|
2016-05-30 18:30:01 +00:00
|
|
|
Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`
|
2015-04-03 00:25:22 +00:00
|
|
|
|
2015-04-09 19:14:04 +00:00
|
|
|
// ClientToken is the token that is generated for the authentication.
|
|
|
|
// This will be filled in by Vault core when an auth structure is
|
|
|
|
// returned. Setting this manually will have no effect.
|
2016-05-30 18:30:01 +00:00
|
|
|
ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`
|
2016-03-08 17:51:38 +00:00
|
|
|
|
2016-03-09 11:23:31 +00:00
|
|
|
// Accessor is the identifier for the ClientToken. This can be used
|
2016-03-08 17:51:38 +00:00
|
|
|
// to perform management functionalities (especially revocation) when
|
2016-03-09 11:23:31 +00:00
|
|
|
// ClientToken in the audit logs are obfuscated. Accessor can be used
|
2016-03-08 17:51:38 +00:00
|
|
|
// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
|
2016-03-09 03:27:24 +00:00
|
|
|
// both without actually knowing the ClientToken.
|
2016-05-30 18:30:01 +00:00
|
|
|
Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`
|
|
|
|
|
|
|
|
// Period indicates that the token generated using this Auth object
|
|
|
|
// should never expire. The token should be renewed within the duration
|
|
|
|
// specified by this period.
|
|
|
|
Period time.Duration `json:"period" mapstructure:"period" structs:"period"`
|
2017-03-03 14:31:20 +00:00
|
|
|
|
2018-04-03 16:20:20 +00:00
|
|
|
// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
|
|
|
|
// tokens, this value is constrained by the configured max ttl.
|
2018-09-21 21:31:29 +00:00
|
|
|
ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`
|
2018-04-03 16:20:20 +00:00
|
|
|
|
2017-03-03 14:31:20 +00:00
|
|
|
// Number of allowed uses of the issued token
|
|
|
|
NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`
|
2017-08-15 17:55:53 +00:00
|
|
|
|
2017-10-11 17:21:20 +00:00
|
|
|
// EntityID is the identifier of the entity in identity store to which the
|
|
|
|
// identity of the authenticating client belongs to.
|
|
|
|
EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`
|
|
|
|
|
2017-10-04 17:35:05 +00:00
|
|
|
// Alias is the information about the authenticated client returned by
|
2017-08-15 17:55:53 +00:00
|
|
|
// the auth backend
|
2017-11-02 20:05:48 +00:00
|
|
|
Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`
|
|
|
|
|
|
|
|
// GroupAliases are the informational mappings of external groups which an
|
|
|
|
// authenticated user belongs to. This is used to check if there are
|
|
|
|
// mappings groups for the group aliases in identity store. For all the
|
|
|
|
// matching groups, the entity ID of the user will be added.
|
|
|
|
GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`
|
2018-05-09 22:39:55 +00:00
|
|
|
|
|
|
|
// The set of CIDRs that this token can be used with
|
|
|
|
BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`
|
2018-06-03 22:14:51 +00:00
|
|
|
|
|
|
|
// CreationPath is a path that the backend can return to use in the lease.
|
|
|
|
// This is currently only supported for the token store where roles may
|
|
|
|
// change the perceived path of the lease, even though they don't change
|
|
|
|
// the request path itself.
|
|
|
|
CreationPath string `json:"creation_path"`
|
2018-10-15 16:56:24 +00:00
|
|
|
|
|
|
|
// TokenType is the type of token being requested
|
|
|
|
TokenType TokenType `json:"token_type"`
|
2015-03-30 21:23:32 +00:00
|
|
|
}
|
2015-04-01 22:08:43 +00:00
|
|
|
|
|
|
|
func (a *Auth) GoString() string {
|
|
|
|
return fmt.Sprintf("*%#v", *a)
|
|
|
|
}
|