open-vault/builtin/logical/ssh/secret_dynamic_key.go

package ssh

import (
	"fmt"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

const SecretDynamicKeyType = "secret_dynamic_key_type"

func secretDynamicKey(b *backend) *framework.Secret {
	return &framework.Secret{
		Type: SecretDynamicKeyType,
		Fields: map[string]*framework.FieldSchema{
			"username": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Username in host",
			},
			"ip": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "IP address of host",
			},
		},

		Renew:  b.secretDynamicKeyRenew,
		Revoke: b.secretDynamicKeyRevoke,
	}
}

func (b *backend) secretDynamicKeyRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	f := framework.LeaseExtend(0, 0, b.System())
	return f(req, d)
}

func (b *backend) secretDynamicKeyRevoke(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	adminUserRaw, ok := req.Secret.InternalData["admin_user"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	adminUser, ok := adminUserRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	usernameRaw, ok := req.Secret.InternalData["username"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	username, ok := usernameRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	ipRaw, ok := req.Secret.InternalData["ip"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	ip, ok := ipRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	hostKeyNameRaw, ok := req.Secret.InternalData["host_key_name"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	hostKeyName := hostKeyNameRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	dynamicPublicKeyRaw, ok := req.Secret.InternalData["dynamic_public_key"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	dynamicPublicKey := dynamicPublicKeyRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	installScriptRaw, ok := req.Secret.InternalData["install_script"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	installScript := installScriptRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	portRaw, ok := req.Secret.InternalData["port"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	port := int(portRaw.(float64))

	// Fetch the host key using the key name
	hostKey, err := b.getKey(req.Storage, hostKeyName)
	if err != nil {
		return nil, fmt.Errorf("key '%s' not found error:%s", hostKeyName, err)
	}
	if hostKey == nil {
		return nil, fmt.Errorf("key '%s' not found", hostKeyName)
	}

	// Remove the public key from authorized_keys file in target machine
	// The last param 'false' indicates that the key should be uninstalled.
	err = b.installPublicKeyInTarget(adminUser, username, ip, port, hostKey.Key, dynamicPublicKey, installScript, false)
	if err != nil {
		return nil, fmt.Errorf("error removing public key from authorized_keys file in target")
	}
	return nil, nil
}
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`package ssh`

			`import (`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`"fmt"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 23:00:14 +00:00			`const SecretDynamicKeyType = "secret_dynamic_key_type"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00
Vault SSH: keys/ designated special path 2015-07-23 22:12:13 +00:00			`func secretDynamicKey(b backend) framework.Secret {`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`return &framework.Secret{`
Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 23:00:14 +00:00			`Type: SecretDynamicKeyType,`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"username": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Username in host",`
			`},`
			`"ip": &framework.FieldSchema{`
			`Type: framework.TypeString,`
Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`Description: "IP address of host",`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`},`
			`},`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00
			`Renew: b.secretDynamicKeyRenew,`
			`Revoke: b.secretDynamicKeyRevoke,`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`}`
			`}`

Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`func (b backend) secretDynamicKeyRenew(req logical.Request, d framework.FieldData) (logical.Response, error) {`
Make backends much more consistent: 1) Use the new LeaseExtend 2) Use default values controlled by mount tuning/system defaults instead of a random hard coded value 3) Remove grace periods 2016-01-29 22:44:09 +00:00			`f := framework.LeaseExtend(0, 0, b.System())`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`return f(req, d)`
			`}`

Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`func (b backend) secretDynamicKeyRevoke(req logical.Request, d framework.FieldData) (logical.Response, error) {`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00			`adminUserRaw, ok := req.Secret.InternalData["admin_user"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`adminUser, ok := adminUserRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`

ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`usernameRaw, ok := req.Secret.InternalData["username"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`username, ok := usernameRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`ipRaw, ok := req.Secret.InternalData["ip"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`ip, ok := ipRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`hostKeyNameRaw, ok := req.Secret.InternalData["host_key_name"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`hostKeyName := hostKeyNameRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`dynamicPublicKeyRaw, ok := req.Secret.InternalData["dynamic_public_key"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`dynamicPublicKey := dynamicPublicKeyRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
Vault SSH: uninstall dynamic keys using script 2015-08-06 19:50:12 +00:00			`installScriptRaw, ok := req.Secret.InternalData["install_script"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`installScript := installScriptRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`

Vault SSH: Made port number configurable 2015-07-06 20:56:45 +00:00			`portRaw, ok := req.Secret.InternalData["port"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: cidr to cidr_list 2015-08-13 15:46:55 +00:00			`port := int(portRaw.(float64))`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Fetch the host key using the key name`
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP 2015-08-13 21:18:30 +00:00			`hostKey, err := b.getKey(req.Storage, hostKeyName)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`if err != nil {`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`return nil, fmt.Errorf("key '%s' not found error:%s", hostKeyName, err)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP 2015-08-13 21:18:30 +00:00			`if hostKey == nil {`
			`return nil, fmt.Errorf("key '%s' not found", hostKeyName)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`

Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Remove the public key from authorized_keys file in target machine`
Vault SSH: Mandate default_user. Other refactoring 2015-08-13 17:36:31 +00:00			`// The last param 'false' indicates that the key should be uninstalled.`
Vault SSH: Documentation update and minor refactoring changes. 2015-08-18 01:22:03 +00:00			`err = b.installPublicKeyInTarget(adminUser, username, ip, port, hostKey.Key, dynamicPublicKey, installScript, false)`
Refactoring changes 2015-06-30 02:00:08 +00:00			`if err != nil {`
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`return nil, fmt.Errorf("error removing public key from authorized_keys file in target")`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`return nil, nil`
			`}`