2017-10-11 17:21:20 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
|
|
|
"regexp"
|
|
|
|
"sync"
|
|
|
|
|
2018-04-03 00:46:59 +00:00
|
|
|
log "github.com/hashicorp/go-hclog"
|
2019-07-03 03:15:43 +00:00
|
|
|
"github.com/hashicorp/go-memdb"
|
2017-11-02 20:05:48 +00:00
|
|
|
"github.com/hashicorp/vault/helper/identity"
|
2017-10-11 17:21:20 +00:00
|
|
|
"github.com/hashicorp/vault/helper/storagepacker"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
2019-04-13 07:44:06 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2017-10-11 17:21:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// Storage prefixes
|
|
|
|
entityPrefix = "entity/"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
// metaKeyFormatRegEx checks if a metadata key string is valid
|
|
|
|
metaKeyFormatRegEx = regexp.MustCompile(`^[a-zA-Z0-9=/+_-]+$`).MatchString
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// The meta key prefix reserved for Vault's internal use
|
|
|
|
metaKeyReservedPrefix = "vault-"
|
|
|
|
|
|
|
|
// The maximum number of metadata key pairs allowed to be registered
|
|
|
|
metaMaxKeyPairs = 64
|
|
|
|
|
|
|
|
// The maximum allowed length of a metadata key
|
|
|
|
metaKeyMaxLength = 128
|
|
|
|
|
|
|
|
// The maximum allowed length of a metadata value
|
|
|
|
metaValueMaxLength = 512
|
|
|
|
)
|
|
|
|
|
|
|
|
// IdentityStore is composed of its own storage view and a MemDB which
|
|
|
|
// maintains active in-memory replicas of the storage contents indexed by
|
|
|
|
// multiple fields.
|
|
|
|
type IdentityStore struct {
|
|
|
|
// IdentityStore is a secret backend in Vault
|
|
|
|
*framework.Backend
|
|
|
|
|
|
|
|
// view is the storage sub-view where all the artifacts of identity store
|
|
|
|
// gets persisted
|
|
|
|
view logical.Storage
|
|
|
|
|
|
|
|
// db is the in-memory database where the storage artifacts gets replicated
|
|
|
|
// to enable richer queries based on multiple indexes.
|
|
|
|
db *memdb.MemDB
|
|
|
|
|
2019-07-03 03:15:43 +00:00
|
|
|
// locks to make sure things are consistent
|
|
|
|
lock sync.RWMutex
|
|
|
|
oidcLock sync.RWMutex
|
2017-10-11 17:21:20 +00:00
|
|
|
|
|
|
|
// groupLock is used to protect modifications to group entries
|
|
|
|
groupLock sync.RWMutex
|
|
|
|
|
2019-06-21 17:23:39 +00:00
|
|
|
// oidcCache stores common response data as well as when the periodic func needs
|
|
|
|
// to run. This is conservatively managed, and most writes to the OIDC endpoints
|
|
|
|
// will invalidate the cache.
|
2019-07-03 03:15:43 +00:00
|
|
|
oidcCache *oidcCache
|
2019-06-21 17:23:39 +00:00
|
|
|
|
2017-10-11 17:21:20 +00:00
|
|
|
// logger is the server logger copied over from core
|
|
|
|
logger log.Logger
|
|
|
|
|
|
|
|
// entityPacker is used to pack multiple entity storage entries into 256
|
|
|
|
// buckets
|
|
|
|
entityPacker *storagepacker.StoragePacker
|
|
|
|
|
|
|
|
// groupPacker is used to pack multiple group storage entries into 256
|
|
|
|
// buckets
|
|
|
|
groupPacker *storagepacker.StoragePacker
|
2018-04-03 02:17:33 +00:00
|
|
|
|
|
|
|
// core is the pointer to Vault's core
|
|
|
|
core *Core
|
2018-10-19 19:47:26 +00:00
|
|
|
|
|
|
|
// disableLowerCaseNames indicates whether or not identity artifacts are
|
|
|
|
// operated case insensitively
|
|
|
|
disableLowerCasedNames bool
|
2017-10-11 17:21:20 +00:00
|
|
|
}
|
2017-11-02 20:05:48 +00:00
|
|
|
|
|
|
|
type groupDiff struct {
|
|
|
|
New []*identity.Group
|
|
|
|
Deleted []*identity.Group
|
|
|
|
Unmodified []*identity.Group
|
|
|
|
}
|