open-vault/builtin/logical/ssh/secret_dynamic_key.go

package ssh

import (
	"fmt"
	"time"

	"github.com/hashicorp/vault/helper/uuid"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

const SecretDynamicKeyType = "secret_dynamic_key_type"

func secretDynamicKey(b *backend) *framework.Secret {
	return &framework.Secret{
		Type: SecretDynamicKeyType,
		Fields: map[string]*framework.FieldSchema{
			"username": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Username in host",
			},
			"ip": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "IP address of host",
			},
		},
		DefaultDuration:    10 * time.Minute,
		DefaultGracePeriod: 2 * time.Minute,
		Renew:              b.secretDynamicKeyRenew,
		Revoke:             b.secretDynamicKeyRevoke,
	}
}

func (b *backend) secretDynamicKeyRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	lease, err := b.Lease(req.Storage)
	if err != nil {
		return nil, err
	}
	if lease == nil {
		lease = &configLease{Lease: 1 * time.Hour}
	}
	f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, false)
	return f(req, d)
}

func (b *backend) secretDynamicKeyRevoke(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	adminUserRaw, ok := req.Secret.InternalData["admin_user"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	adminUser, ok := adminUserRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	usernameRaw, ok := req.Secret.InternalData["username"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	username, ok := usernameRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	ipRaw, ok := req.Secret.InternalData["ip"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	ip, ok := ipRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	hostKeyNameRaw, ok := req.Secret.InternalData["host_key_name"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	hostKeyName := hostKeyNameRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	dynamicPublicKeyRaw, ok := req.Secret.InternalData["dynamic_public_key"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	dynamicPublicKey := dynamicPublicKeyRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	installScriptRaw, ok := req.Secret.InternalData["install_script"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	installScript := installScriptRaw.(string)
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}

	portRaw, ok := req.Secret.InternalData["port"]
	if !ok {
		return nil, fmt.Errorf("secret is missing internal data")
	}
	port := portRaw.(string)

	// Fetch the host key using the key name
	hostKeyEntry, err := req.Storage.Get(fmt.Sprintf("keys/%s", hostKeyName))
	if err != nil {
		return nil, fmt.Errorf("key '%s' not found error:%s", hostKeyName, err)
	}
	var hostKey sshHostKey
	if err := hostKeyEntry.DecodeJSON(&hostKey); err != nil {
		return nil, fmt.Errorf("error reading the host key: %s", err)
	}

	// Transfer the dynamic public key to target machine and use it to remove the entry from authorized_keys file
	dynamicPublicKeyFileName := uuid.GenerateUUID()
	err = scpUpload(adminUser, ip, port, hostKey.Key, dynamicPublicKeyFileName, dynamicPublicKey)
	if err != nil {
		return nil, fmt.Errorf("error uploading pubic key: %s", err)
	}

	scriptFileName := fmt.Sprintf("%s.sh", dynamicPublicKeyFileName)
	err = scpUpload(adminUser, ip, port, hostKey.Key, scriptFileName, installScript)
	if err != nil {
		return nil, fmt.Errorf("error uploading script file: %s", err)
	}

	// Remove the public key from authorized_keys file in target machine
	err = uninstallPublicKeyInTarget(adminUser, dynamicPublicKeyFileName, username, ip, port, hostKey.Key)
	if err != nil {
		return nil, fmt.Errorf("error removing public key from authorized_keys file in target")
	}
	return nil, nil
}
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`package ssh`

			`import (`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`"fmt"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`"time"`

Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`"github.com/hashicorp/vault/helper/uuid"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 23:00:14 +00:00			`const SecretDynamicKeyType = "secret_dynamic_key_type"`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00
Vault SSH: keys/ designated special path 2015-07-23 22:12:13 +00:00			`func secretDynamicKey(b backend) framework.Secret {`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`return &framework.Secret{`
Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 23:00:14 +00:00			`Type: SecretDynamicKeyType,`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"username": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Username in host",`
			`},`
			`"ip": &framework.FieldSchema{`
			`Type: framework.TypeString,`
Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`Description: "IP address of host",`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`},`
			`},`
Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`DefaultDuration: 10 * time.Minute,`
Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`DefaultGracePeriod: 2 * time.Minute,`
Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`Renew: b.secretDynamicKeyRenew,`
			`Revoke: b.secretDynamicKeyRevoke,`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`}`
			`}`

Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`func (b backend) secretDynamicKeyRenew(req logical.Request, d framework.FieldData) (logical.Response, error) {`
Roles, key renewal handled. End-to-end basic flow working. 2015-06-19 00:48:41 +00:00			`lease, err := b.Lease(req.Storage)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if lease == nil {`
			`lease = &configLease{Lease: 1 * time.Hour}`
			`}`
			`f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, false)`
			`return f(req, d)`
			`}`

Vault SSH: Refactoring 2015-07-27 20:42:03 +00:00			`func (b backend) secretDynamicKeyRevoke(req logical.Request, d framework.FieldData) (logical.Response, error) {`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00			`adminUserRaw, ok := req.Secret.InternalData["admin_user"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`adminUser, ok := adminUserRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`

ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`usernameRaw, ok := req.Secret.InternalData["username"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`username, ok := usernameRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`ipRaw, ok := req.Secret.InternalData["ip"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`ip, ok := ipRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`hostKeyNameRaw, ok := req.Secret.InternalData["host_key_name"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`hostKeyName := hostKeyNameRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`dynamicPublicKeyRaw, ok := req.Secret.InternalData["dynamic_public_key"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`dynamicPublicKey := dynamicPublicKeyRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
Vault SSH: admin_user/default_user fix 2015-07-27 19:03:10 +00:00
Vault SSH: uninstall dynamic keys using script 2015-08-06 19:50:12 +00:00			`installScriptRaw, ok := req.Secret.InternalData["install_script"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`installScript := installScriptRaw.(string)`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`

Vault SSH: Made port number configurable 2015-07-06 20:56:45 +00:00			`portRaw, ok := req.Secret.InternalData["port"]`
			`if !ok {`
			`return nil, fmt.Errorf("secret is missing internal data")`
			`}`
			`port := portRaw.(string)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Fetch the host key using the key name`
Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-02 00:35:11 +00:00			`hostKeyEntry, err := req.Storage.Get(fmt.Sprintf("keys/%s", hostKeyName))`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`if err != nil {`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`return nil, fmt.Errorf("key '%s' not found error:%s", hostKeyName, err)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
			`var hostKey sshHostKey`
			`if err := hostKeyEntry.DecodeJSON(&hostKey); err != nil {`
Vault SSH: Regex supports hypen in key name and role names 2015-07-02 01:05:52 +00:00			`return nil, fmt.Errorf("error reading the host key: %s", err)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`

Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Transfer the dynamic public key to target machine and use it to remove the entry from authorized_keys file`
Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`dynamicPublicKeyFileName := uuid.GenerateUUID()`
Vault SSH: uninstall dynamic keys using script 2015-08-06 19:50:12 +00:00			`err = scpUpload(adminUser, ip, port, hostKey.Key, dynamicPublicKeyFileName, dynamicPublicKey)`
			`if err != nil {`
			`return nil, fmt.Errorf("error uploading pubic key: %s", err)`
			`}`

			`scriptFileName := fmt.Sprintf("%s.sh", dynamicPublicKeyFileName)`
			`err = scpUpload(adminUser, ip, port, hostKey.Key, scriptFileName, installScript)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`if err != nil {`
Vault SSH: uninstall dynamic keys using script 2015-08-06 19:50:12 +00:00			`return nil, fmt.Errorf("error uploading script file: %s", err)`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`

Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`// Remove the public key from authorized_keys file in target machine`
Vault SSH: Review Rework 2015-07-29 18:21:36 +00:00			`err = uninstallPublicKeyInTarget(adminUser, dynamicPublicKeyFileName, username, ip, port, hostKey.Key)`
Refactoring changes 2015-06-30 02:00:08 +00:00			`if err != nil {`
Vault SSH: PR review rework 2015-07-02 21:23:09 +00:00			`return nil, fmt.Errorf("error removing public key from authorized_keys file in target")`
ssh/lookup implementation and refactoring 2015-06-26 01:47:32 +00:00			`}`
Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 20:58:54 +00:00			`return nil, nil`
			`}`