open-vault/builtin/logical/nomad/path_creds_create.go

98 lines
2.5 KiB
Go
Raw Normal View History

2017-09-20 20:59:35 +00:00
package nomad
import (
"context"
2017-09-20 20:59:35 +00:00
"fmt"
"time"
"github.com/hashicorp/nomad/api"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
2017-09-20 20:59:35 +00:00
)
// maxTokenNameLength is the maximum length for the name of a Nomad access
// token
const maxTokenNameLength = 256
func pathCredsCreate(b *backend) *framework.Path {
2017-09-20 20:59:35 +00:00
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": {
2017-09-20 20:59:35 +00:00
Type: framework.TypeString,
Description: "Name of the role",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathTokenRead,
},
}
}
func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
2017-09-20 20:59:35 +00:00
name := d.Get("name").(string)
conf, _ := b.readConfigAccess(ctx, req.Storage)
// establish a default
tokenNameLength := maxTokenNameLength
if conf != nil && conf.MaxTokenNameLength > 0 {
tokenNameLength = conf.MaxTokenNameLength
}
2017-09-20 20:59:35 +00:00
role, err := b.Role(ctx, req.Storage, name)
2017-09-20 20:59:35 +00:00
if err != nil {
return nil, fmt.Errorf("error retrieving role: %w", err)
2017-09-20 20:59:35 +00:00
}
if role == nil {
2017-12-15 22:06:56 +00:00
return logical.ErrorResponse(fmt.Sprintf("role %q not found", name)), nil
2017-09-20 20:59:35 +00:00
}
// Determine if we have a lease configuration
leaseConfig, err := b.LeaseConfig(ctx, req.Storage)
if err != nil {
2017-09-20 20:59:35 +00:00
return nil, err
}
if leaseConfig == nil {
leaseConfig = &configLease{}
}
2017-09-20 20:59:35 +00:00
// Get the nomad client
c, err := b.client(ctx, req.Storage)
2017-11-06 21:34:20 +00:00
if err != nil {
return nil, err
2017-09-20 20:59:35 +00:00
}
// Generate a name for the token
2017-12-15 22:06:56 +00:00
tokenName := fmt.Sprintf("vault-%s-%s-%d", name, req.DisplayName, time.Now().UnixNano())
2017-09-20 20:59:35 +00:00
// Note: if the given role name is sufficiently long, the UnixNano() portion
// of the pseudo randomized token name is the part that gets trimmed off,
// weakening it's randomness.
if len(tokenName) > tokenNameLength {
tokenName = tokenName[:tokenNameLength]
}
2017-09-20 20:59:35 +00:00
// Create it
token, _, err := c.ACLTokens().Create(&api.ACLToken{
Name: tokenName,
Type: role.TokenType,
2017-11-29 16:31:17 +00:00
Policies: role.Policies,
Global: role.Global,
2017-09-20 20:59:35 +00:00
}, nil)
if err != nil {
2017-11-29 10:58:02 +00:00
return nil, err
2017-09-20 20:59:35 +00:00
}
// Use the helper to create the secret
resp := b.Secret(SecretTokenType).Response(map[string]interface{}{
2017-09-20 22:14:35 +00:00
"secret_id": token.SecretID,
"accessor_id": token.AccessorID,
2017-09-20 20:59:35 +00:00
}, map[string]interface{}{
2017-09-20 22:14:35 +00:00
"accessor_id": token.AccessorID,
2017-09-20 20:59:35 +00:00
})
resp.Secret.TTL = leaseConfig.TTL
resp.Secret.MaxTTL = leaseConfig.MaxTTL
2017-09-20 20:59:35 +00:00
return resp, nil
2017-09-20 20:59:35 +00:00
}