package logical
import (
"errors"
"fmt"
)
// Request is a struct that stores the parameters and context
// of a request being made to Vault. It is used to abstract
// the details of the higher level request protocol from the handlers.
//
// Note that the GoString method on *Request formats every field of
// the struct verbatim, Data and ClientToken included; treat that
// output as sensitive and keep it out of logs an unprivileged reader
// could see.
type Request struct {
	// Operation is the requested operation type; see the Operation
	// constants declared in this file.
	Operation Operation

	// Path is the part of the request path not consumed by the
	// routing. As an example, if the original request path is "prod/aws/foo"
	// and the AWS logical backend is mounted at "prod/aws/", then the
	// final path is "foo" since the mount prefix is trimmed.
	Path string

	// Data is an opaque map of request parameters that must have string
	// keys. It may be nil (RollbackRequest is the only constructor here
	// that initialises it), so read it through Get/GetString, which
	// guard against that. NOTE(review): for credential backends this map
	// presumably carries the client's login material — confirm against
	// the callers — so it must be handled as secret and never logged.
	Data map[string]interface{}

	// Storage can be used to durably store and retrieve state.
	Storage Storage

	// Secret will be non-nil only for Revoke and Renew operations
	// to represent the secret that was returned prior.
	Secret *Secret

	// Auth will be non-nil only for Renew operations
	// to represent the auth that was returned prior.
	Auth *Auth

	// Connection will be non-nil only for credential providers to
	// inspect the connection information and potentially use it for
	// authentication/protection.
	Connection *Connection

	// ClientToken is provided to the core so that the identity
	// can be verified and ACLs applied. This value is passed
	// through to the logical backends but after being salted and
	// hashed. Even in hashed form it identifies the calling token,
	// so backends should avoid recording it.
	ClientToken string

	// DisplayName is provided to the logical backend to help associate
	// dynamic secrets with the source entity. This is not a sensitive
	// name, but is useful for operators.
	DisplayName string

	// MountPoint is provided so that a logical backend can generate
	// paths relative to itself. The `Path` is effectively the client
	// request path with the MountPoint trimmed off.
	MountPoint string
}
// Get returns the value stored under key in the request data.
// It yields nil both when the key is absent and when Data has
// never been set, so callers need not check r.Data themselves.
func (r *Request) Get(key string) interface{} {
	var value interface{}
	if r.Data != nil {
		value = r.Data[key]
	}
	return value
}
// GetString returns the request data field named key as a string.
// A missing field, or one holding a value that is not a string,
// yields the empty string rather than an error.
func (r *Request) GetString(key string) string {
	if text, ok := r.Get(key).(string); ok {
		return text
	}
	return ""
}
// GoString implements fmt.GoStringer so that a *Request prints as the
// Go-syntax form of the struct it points to, prefixed with "*".
//
// Every field is rendered verbatim — Data and ClientToken among them —
// so the result is sensitive material. Use it for debugging only and
// never write it to logs or error messages an unprivileged party
// could read.
func (r *Request) GoString() string {
	value := *r
	return "*" + fmt.Sprintf("%#v", value)
}
// RenewRequest builds the Request a backend receives when a secret it
// previously issued is renewed. secret is the prior Secret being
// renewed; data is passed through untouched (a nil map is fine, since
// Get tolerates it).
func RenewRequest(
	path string, secret *Secret, data map[string]interface{}) *Request {
	req := Request{
		Operation: RenewOperation,
		Path:      path,
		Secret:    secret,
		Data:      data,
	}
	return &req
}
// RenewAuthRequest builds the Request a backend receives when an auth
// it previously issued is renewed. It uses the same RenewOperation as
// RenewRequest; the two are told apart by which of Auth and Secret is
// set. data is passed through untouched and may be nil.
func RenewAuthRequest(
	path string, auth *Auth, data map[string]interface{}) *Request {
	req := Request{
		Operation: RenewOperation,
		Path:      path,
		Auth:      auth,
		Data:      data,
	}
	return &req
}
// RevokeRequest builds the Request a backend receives when a secret it
// previously issued is revoked. secret is the prior Secret to revoke;
// data is passed through untouched and may be nil.
func RevokeRequest(
	path string, secret *Secret, data map[string]interface{}) *Request {
	req := Request{
		Operation: RevokeOperation,
		Path:      path,
		Secret:    secret,
		Data:      data,
	}
	return &req
}
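// RollbackRequest creates the structure of the rollback request.
//
// Unlike the renew and revoke constructors, which hand the caller's data
// map through as-is, a rollback carries no client-supplied parameters,
// so Data is initialised to an empty map rather than left nil.
func RollbackRequest(path string) *Request {
	return &Request{
		Operation: RollbackOperation,
		Path:      path,
		Data:      make(map[string]interface{}),
	}
}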
// Operation is an enum that is used to specify the type
// of request being made. It is a string type so that it can be
// carried through the request protocol unchanged.
type Operation string

// Only ReadOperation and RevokeOperation are declared with an explicit
// Operation type; the remaining names are untyped string constants
// (an omitted type is not inherited when the expression is spelled
// out), which Go converts to Operation on assignment or comparison.
const (
	// The operations below are called per path
	ReadOperation Operation = "read"
	WriteOperation = "write"
	DeleteOperation = "delete"
	ListOperation = "list"
	HelpOperation = "help"

	// The operations below are called globally, the path is less relevant.
	RevokeOperation Operation = "revoke"
	RenewOperation = "renew"
	RollbackOperation = "rollback"
)
// Sentinel errors a logical backend may return. They are single
// package-level values, so callers distinguish them by identity
// (err == ErrPermissionDenied); their messages are intentionally
// generic and leak nothing about the request that failed.
var (
	// ErrUnsupportedOperation is returned if the operation is not supported
	// by the logical backend.
	ErrUnsupportedOperation = errors.New("unsupported operation")

	// ErrUnsupportedPath is returned if the path is not supported
	// by the logical backend.
	ErrUnsupportedPath = errors.New("unsupported path")

	// ErrInvalidRequest is returned if the request is invalid
	ErrInvalidRequest = errors.New("invalid request")

	// ErrPermissionDenied is returned if the client is not authorized
	// for the requested operation on the requested path.
	ErrPermissionDenied = errors.New("permission denied")
)