open-vault/api/secret.go

package api

import (
	"fmt"
	"io"
	"time"

	"github.com/hashicorp/vault/helper/jsonutil"
	"github.com/hashicorp/vault/helper/parseutil"
)

// Secret is the structure returned for every secret within Vault.
type Secret struct {
	// The request ID that generated this response
	RequestID string `json:"request_id"`

	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`

	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data map[string]interface{} `json:"data"`

	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`

	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`

	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

// TokenID returns the standardized token ID (token) for the given secret.
func (s *Secret) TokenID() (string, error) {
	if s == nil {
		return "", nil
	}

	if s.Auth != nil && len(s.Auth.ClientToken) > 0 {
		return s.Auth.ClientToken, nil
	}

	if s.Data == nil || s.Data["id"] == nil {
		return "", nil
	}

	id, ok := s.Data["id"].(string)
	if !ok {
		return "", fmt.Errorf("token found but in the wrong format")
	}

	return id, nil
}

// TokenAccessor returns the standardized token accessor for the given secret.
// If the secret is nil or does not contain an accessor, this returns the empty
// string.
func (s *Secret) TokenAccessor() (string, error) {
	if s == nil {
		return "", nil
	}

	if s.Auth != nil && len(s.Auth.Accessor) > 0 {
		return s.Auth.Accessor, nil
	}

	if s.Data == nil || s.Data["accessor"] == nil {
		return "", nil
	}

	accessor, ok := s.Data["accessor"].(string)
	if !ok {
		return "", fmt.Errorf("token found but in the wrong format")
	}

	return accessor, nil
}

// TokenRemainingUses returns the standardized remaining uses for the given
// secret. If the secret is nil or does not contain the "num_uses", this
// returns -1. On error, this will return -1 and a non-nil error.
func (s *Secret) TokenRemainingUses() (int, error) {
	if s == nil || s.Data == nil || s.Data["num_uses"] == nil {
		return -1, nil
	}

	uses, err := parseutil.ParseInt(s.Data["num_uses"])
	if err != nil {
		return 0, err
	}

	return int(uses), nil
}

// TokenPolicies returns the standardized list of policies for the given secret.
// If the secret is nil or does not contain any policies, this returns nil.
func (s *Secret) TokenPolicies() ([]string, error) {
	if s == nil {
		return nil, nil
	}

	if s.Auth != nil && len(s.Auth.Policies) > 0 {
		return s.Auth.Policies, nil
	}

	if s.Data == nil || s.Data["policies"] == nil {
		return nil, nil
	}

	sList, ok := s.Data["policies"].([]string)
	if ok {
		return sList, nil
	}

	list, ok := s.Data["policies"].([]interface{})
	if !ok {
		return nil, fmt.Errorf("unable to convert token policies to expected format")
	}

	policies := make([]string, len(list))
	for i := range list {
		p, ok := list[i].(string)
		if !ok {
			return nil, fmt.Errorf("unable to convert policy %v to string", list[i])
		}
		policies[i] = p
	}

	return policies, nil
}

// TokenMetadata returns the map of metadata associated with this token, if any
// exists. If the secret is nil or does not contain the "metadata" key, this
// returns nil.
func (s *Secret) TokenMetadata() (map[string]string, error) {
	if s == nil {
		return nil, nil
	}

	if s.Auth != nil && len(s.Auth.Metadata) > 0 {
		return s.Auth.Metadata, nil
	}

	if s.Data == nil || (s.Data["metadata"] == nil && s.Data["meta"] == nil) {
		return nil, nil
	}

	data, ok := s.Data["metadata"].(map[string]interface{})
	if !ok {
		data, ok = s.Data["meta"].(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("unable to convert metadata field to expected format")
		}
	}

	metadata := make(map[string]string, len(data))
	for k, v := range data {
		typed, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("unable to convert metadata value %v to string", v)
		}
		metadata[k] = typed
	}

	return metadata, nil
}

// TokenIsRenewable returns the standardized token renewability for the given
// secret. If the secret is nil or does not contain the "renewable" key, this
// returns false.
func (s *Secret) TokenIsRenewable() (bool, error) {
	if s == nil {
		return false, nil
	}

	if s.Auth != nil && s.Auth.Renewable {
		return s.Auth.Renewable, nil
	}

	if s.Data == nil || s.Data["renewable"] == nil {
		return false, nil
	}

	renewable, err := parseutil.ParseBool(s.Data["renewable"])
	if err != nil {
		return false, fmt.Errorf("could not convert renewable value to a boolean: %v", err)
	}

	return renewable, nil
}

// TokenTTL returns the standardized remaining token TTL for the given secret.
// If the secret is nil or does not contain a TTL, this returns 0.
func (s *Secret) TokenTTL() (time.Duration, error) {
	if s == nil {
		return 0, nil
	}

	if s.Auth != nil && s.Auth.LeaseDuration > 0 {
		return time.Duration(s.Auth.LeaseDuration) * time.Second, nil
	}

	if s.Data == nil || s.Data["ttl"] == nil {
		return 0, nil
	}

	ttl, err := parseutil.ParseDurationSecond(s.Data["ttl"])
	if err != nil {
		return 0, err
	}

	return ttl, nil
}

// SecretWrapInfo contains wrapping information if we have it. If what is
// contained is an authentication token, the accessor for the token will be
// available in WrappedAccessor.
type SecretWrapInfo struct {
	Token           string    `json:"token"`
	Accessor        string    `json:"accessor"`
	TTL             int       `json:"ttl"`
	CreationTime    time.Time `json:"creation_time"`
	CreationPath    string    `json:"creation_path"`
	WrappedAccessor string    `json:"wrapped_accessor"`
}

// SecretAuth is the structure containing auth information if we have it.
type SecretAuth struct {
	ClientToken string            `json:"client_token"`
	Accessor    string            `json:"accessor"`
	Policies    []string          `json:"policies"`
	Metadata    map[string]string `json:"metadata"`

	LeaseDuration int  `json:"lease_duration"`
	Renewable     bool `json:"renewable"`
}

// ParseSecret is used to parse a secret value from JSON from an io.Reader.
func ParseSecret(r io.Reader) (*Secret, error) {
	// First decode the JSON into a map[string]interface{}
	var secret Secret
	if err := jsonutil.DecodeJSONFromReader(r, &secret); err != nil {
		return nil, err
	}

	return &secret, nil
}
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`package api`

			`import (`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`"fmt"`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`"io"`
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 20:01:09 +00:00			`"time"`
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests. 2016-07-06 16:25:40 +00:00
			`"github.com/hashicorp/vault/helper/jsonutil"`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`"github.com/hashicorp/vault/helper/parseutil"`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`)`

			`// Secret is the structure returned for every secret within Vault.`
			`type Secret struct {`
Plumb request UUID through the API 2016-07-27 13:25:04 +00:00			`// The request ID that generated this response`
			RequestID string `json:"request_id"`

api: update docs 2015-04-14 00:40:05 +00:00			LeaseID string `json:"lease_id"`
			LeaseDuration int `json:"lease_duration"`
			Renewable bool `json:"renewable"`

			`// Data is the actual contents of the secret. The format of the data`
			`// is arbitrary and up to the secret backend.`
			Data map[string]interface{} `json:"data"`

Add the ability for warnings to be added to responses. These are marshalled into JSON or displayed from the CLI depending on the output mode. This allows conferring information such as "no such policy exists" when creating a token -- not an error, but something the user should be aware of. Fixes #676 2015-10-07 19:30:54 +00:00			`// Warnings contains any warnings related to the operation. These`
			`// are not issues that caused the command to fail, but that the`
			`// client should be aware of.`
			Warnings []string `json:"warnings"`

api: update docs 2015-04-14 00:40:05 +00:00			`// Auth, if non-nil, means that there was authentication information`
			`// attached to this response.`
			Auth *SecretAuth `json:"auth,omitempty"`
Add wrap support to API/CLI 2016-05-02 05:58:58 +00:00
			`// WrapInfo, if non-nil, means that the initial response was wrapped in the`
			`// cubbyhole of the given token (which has a TTL of the given number of`
			`// seconds)`
			WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
			`}`

Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`// TokenID returns the standardized token ID (token) for the given secret.`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`func (s *Secret) TokenID() (string, error) {`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if s == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return "", nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Auth != nil && len(s.Auth.ClientToken) > 0 {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return s.Auth.ClientToken, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Data == nil \|\| s.Data["id"] == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return "", nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`id, ok := s.Data["id"].(string)`
			`if !ok {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return "", fmt.Errorf("token found but in the wrong format")`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return id, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`// TokenAccessor returns the standardized token accessor for the given secret.`
			`// If the secret is nil or does not contain an accessor, this returns the empty`
			`// string.`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`func (s *Secret) TokenAccessor() (string, error) {`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if s == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return "", nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Auth != nil && len(s.Auth.Accessor) > 0 {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return s.Auth.Accessor, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Data == nil \|\| s.Data["accessor"] == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return "", nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`accessor, ok := s.Data["accessor"].(string)`
			`if !ok {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return "", fmt.Errorf("token found but in the wrong format")`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return accessor, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`// TokenRemainingUses returns the standardized remaining uses for the given`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`// secret. If the secret is nil or does not contain the "num_uses", this`
			`// returns -1. On error, this will return -1 and a non-nil error.`
			`func (s *Secret) TokenRemainingUses() (int, error) {`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if s == nil \|\| s.Data == nil \|\| s.Data["num_uses"] == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return -1, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`uses, err := parseutil.ParseInt(s.Data["num_uses"])`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if err != nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return 0, err`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return int(uses), nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`// TokenPolicies returns the standardized list of policies for the given secret.`
			`// If the secret is nil or does not contain any policies, this returns nil.`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`func (s *Secret) TokenPolicies() ([]string, error) {`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if s == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Auth != nil && len(s.Auth.Policies) > 0 {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return s.Auth.Policies, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Data == nil \|\| s.Data["policies"] == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, nil`
			`}`

			`sList, ok := s.Data["policies"].([]string)`
			`if ok {`
			`return sList, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`list, ok := s.Data["policies"].([]interface{})`
			`if !ok {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, fmt.Errorf("unable to convert token policies to expected format")`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`policies := make([]string, len(list))`
			`for i := range list {`
			`p, ok := list[i].(string)`
			`if !ok {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, fmt.Errorf("unable to convert policy %v to string", list[i])`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`
			`policies[i] = p`
			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return policies, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`// TokenMetadata returns the map of metadata associated with this token, if any`
			`// exists. If the secret is nil or does not contain the "metadata" key, this`
			`// returns nil.`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`func (s *Secret) TokenMetadata() (map[string]string, error) {`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`if s == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, nil`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`

			`if s.Auth != nil && len(s.Auth.Metadata) > 0 {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return s.Auth.Metadata, nil`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`

			`if s.Data == nil \|\| (s.Data["metadata"] == nil && s.Data["meta"] == nil) {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, nil`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`

			`data, ok := s.Data["metadata"].(map[string]interface{})`
			`if !ok {`
			`data, ok = s.Data["meta"].(map[string]interface{})`
			`if !ok {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, fmt.Errorf("unable to convert metadata field to expected format")`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`
			`}`

			`metadata := make(map[string]string, len(data))`
			`for k, v := range data {`
			`typed, ok := v.(string)`
			`if !ok {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return nil, fmt.Errorf("unable to convert metadata value %v to string", v)`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`
			`metadata[k] = typed`
			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return metadata, nil`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`

Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`// TokenIsRenewable returns the standardized token renewability for the given`
			`// secret. If the secret is nil or does not contain the "renewable" key, this`
			`// returns false.`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`func (s *Secret) TokenIsRenewable() (bool, error) {`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if s == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return false, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Auth != nil && s.Auth.Renewable {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return s.Auth.Renewable, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Data == nil \|\| s.Data["renewable"] == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return false, nil`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`renewable, err := parseutil.ParseBool(s.Data["renewable"])`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`if err != nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return false, fmt.Errorf("could not convert renewable value to a boolean: %v", err)`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return renewable, nil`
Add more secret helpers for getting secret data 2017-09-08 01:55:36 +00:00			`}`

Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`// TokenTTL returns the standardized remaining token TTL for the given secret.`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`// If the secret is nil or does not contain a TTL, this returns 0.`
			`func (s *Secret) TokenTTL() (time.Duration, error) {`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if s == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return 0, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Auth != nil && s.Auth.LeaseDuration > 0 {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return time.Duration(s.Auth.LeaseDuration) * time.Second, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

			`if s.Data == nil \|\| s.Data["ttl"] == nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return 0, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`ttl, err := parseutil.ParseDurationSecond(s.Data["ttl"])`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`if err != nil {`
Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return 0, err`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Don't swallow errors on token functions. 2017-10-07 22:41:07 +00:00			`return ttl, nil`
Add API functions for token helpers 2017-09-02 22:48:48 +00:00			`}`

Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			`// SecretWrapInfo contains wrapping information if we have it. If what is`
			`// contained is an authentication token, the accessor for the token will be`
			`// available in WrappedAccessor.`
Add wrap support to API/CLI 2016-05-02 05:58:58 +00:00			`type SecretWrapInfo struct {`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			Token string `json:"token"`
Port over bits (#3575) 2017-11-13 20:31:32 +00:00			Accessor string `json:"accessor"`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			TTL int `json:"ttl"`
			CreationTime time.Time `json:"creation_time"`
Store original request path in WrapInfo (#3100) * Store original request path in WrapInfo as CreationPath * Add wrapping_token_creation_path to CLI output * Add CreationPath to AuditResponseWrapInfo * Fix tests * Add and fix tests, update API docs with new sample responses 2017-08-02 22:28:58 +00:00			CreationPath string `json:"creation_path"`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			WrappedAccessor string `json:"wrapped_accessor"`
api: add auth information to results 2015-04-04 22:40:41 +00:00			`}`

Fix some lint warnings. 2015-09-29 07:35:16 +00:00			`// SecretAuth is the structure containing auth information if we have it.`
api: add auth information to results 2015-04-04 22:40:41 +00:00			`type SecretAuth struct {`
Use lowercase JSON keys for client_token 2015-04-24 16:00:00 +00:00			ClientToken string `json:"client_token"`
AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 11:23:31 +00:00			Accessor string `json:"accessor"`
api: add auth information to results 2015-04-04 22:40:41 +00:00			Policies []string `json:"policies"`
			Metadata map[string]string `json:"metadata"`

			LeaseDuration int `json:"lease_duration"`
			Renewable bool `json:"renewable"`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`}`

			`// ParseSecret is used to parse a secret value from JSON from an io.Reader.`
			`func ParseSecret(r io.Reader) (*Secret, error) {`
			`// First decode the JSON into a map[string]interface{}`
command/write 2015-03-16 03:35:33 +00:00			`var secret Secret`
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests. 2016-07-06 16:25:40 +00:00			`if err := jsonutil.DecodeJSONFromReader(r, &secret); err != nil {`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`return nil, err`
			`}`

command/write 2015-03-16 03:35:33 +00:00			`return &secret, nil`
api: secret parsing and leasing 2015-03-12 00:46:25 +00:00			`}`