2015-07-22 20:00:58 +00:00
|
|
|
package ssh
|
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
)
|
|
|
|
|
|
|
|
func pathVerify(b *backend) *framework.Path {
|
|
|
|
return &framework.Path{
|
|
|
|
Pattern: "verify",
|
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
|
|
"otp": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: "One-time-key for SSH session",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
|
|
logical.WriteOperation: b.pathVerifyWrite,
|
|
|
|
},
|
|
|
|
HelpSynopsis: pathVerifyHelpSyn,
|
|
|
|
HelpDescription: pathVerifyHelpDesc,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *backend) pathVerifyWrite(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
otp := d.Get("otp").(string)
|
|
|
|
otpSalted := b.salt.SaltID(otp)
|
|
|
|
entry, err := req.Storage.Get("otp/" + otpSalted)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if entry == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
var otpEntry sshOTP
|
|
|
|
if err := entry.DecodeJSON(&otpEntry); err != nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
err = req.Storage.Delete("otp/" + otpSalted)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"username": otpEntry.Username,
|
|
|
|
"ip": otpEntry.IP,
|
|
|
|
"valid": "yes",
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
const pathVerifyHelpSyn = `
|
|
|
|
Tells if the key provided by the client is valid or not.
|
|
|
|
`
|
|
|
|
|
|
|
|
const pathVerifyHelpDesc = `
|
|
|
|
This path will be used by the vault agent running in the
|
|
|
|
target machine to check if the key provided by the client
|
|
|
|
to establish the SSH connection is valid or not.
|
|
|
|
|
2015-07-27 20:42:03 +00:00
|
|
|
This key will be a one-time-password. The vault server responds
|
|
|
|
that the key is valid only once (hence one-time).
|
2015-07-22 20:00:58 +00:00
|
|
|
`
|