Add ability to disable an entity (#4353)
This commit is contained in:
parent
c1209b0cd5
commit
530121c655
|
@ -200,6 +200,9 @@ type Entity struct {
|
|||
// the entities belonging to a particular bucket during invalidation of the
|
||||
// storage key.
|
||||
BucketKeyHash string `sentinel:"" protobuf:"bytes,9,opt,name=bucket_key_hash,json=bucketKeyHash" json:"bucket_key_hash,omitempty"`
|
||||
// Disabled indicates whether tokens associated with the account should not
|
||||
// be able to be used
|
||||
Disabled bool `sentinel:"" protobuf:"varint,11,opt,name=disabled" json:"disabled,omitempty"`
|
||||
}
|
||||
|
||||
func (m *Entity) Reset() { *m = Entity{} }
|
||||
|
@ -270,6 +273,13 @@ func (m *Entity) GetBucketKeyHash() string {
|
|||
return ""
|
||||
}
|
||||
|
||||
func (m *Entity) GetDisabled() bool {
|
||||
if m != nil {
|
||||
return m.Disabled
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// Alias represents the alias that gets stored inside of the
|
||||
// entity object in storage and also represents in an in-memory index of an
|
||||
// alias object.
|
||||
|
@ -392,43 +402,44 @@ func init() {
|
|||
func init() { proto.RegisterFile("types.proto", fileDescriptor0) }
|
||||
|
||||
var fileDescriptor0 = []byte{
|
||||
// 603 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x93, 0xdd, 0x6e, 0xd3, 0x30,
|
||||
0x14, 0xc7, 0xd5, 0xa6, 0x9f, 0x27, 0x5d, 0x37, 0x2c, 0x84, 0x4c, 0xa5, 0x41, 0x37, 0x69, 0x28,
|
||||
0x70, 0x91, 0x49, 0xe3, 0x86, 0x8d, 0x0b, 0x34, 0xc1, 0x80, 0x09, 0x21, 0xa1, 0x68, 0x5c, 0x47,
|
||||
0x6e, 0xe2, 0xb5, 0xd6, 0x92, 0x38, 0x8a, 0x1d, 0x44, 0x5e, 0x87, 0x97, 0xe1, 0x69, 0x78, 0x07,
|
||||
0xe4, 0xe3, 0xa6, 0x0d, 0x74, 0x7c, 0x4c, 0xdb, 0x9d, 0xf3, 0x3f, 0xc7, 0xc7, 0x27, 0xe7, 0xff,
|
||||
0x3b, 0xe0, 0xea, 0x2a, 0xe7, 0xca, 0xcf, 0x0b, 0xa9, 0x25, 0x19, 0x88, 0x98, 0x67, 0x5a, 0xe8,
|
||||
0x6a, 0xf2, 0x78, 0x2e, 0xe5, 0x3c, 0xe1, 0x87, 0xa8, 0xcf, 0xca, 0xcb, 0x43, 0x2d, 0x52, 0xae,
|
||||
0x34, 0x4b, 0x73, 0x9b, 0xba, 0xff, 0xad, 0x03, 0xdd, 0x77, 0x85, 0x2c, 0x73, 0x32, 0x86, 0xb6,
|
||||
0x88, 0x69, 0x6b, 0xda, 0xf2, 0x86, 0x41, 0x5b, 0xc4, 0x84, 0x40, 0x27, 0x63, 0x29, 0xa7, 0x6d,
|
||||
0x54, 0xf0, 0x4c, 0x26, 0x30, 0xc8, 0x65, 0x22, 0x22, 0xc1, 0x15, 0x75, 0xa6, 0x8e, 0x37, 0x0c,
|
||||
0x56, 0xdf, 0xc4, 0x83, 0x9d, 0x9c, 0x15, 0x3c, 0xd3, 0xe1, 0xdc, 0xd4, 0x0b, 0x45, 0xac, 0x68,
|
||||
0x07, 0x73, 0xc6, 0x56, 0xc7, 0x67, 0xce, 0x63, 0x45, 0x9e, 0xc1, 0xbd, 0x94, 0xa7, 0x33, 0x5e,
|
||||
0x84, 0xb6, 0x4b, 0x4c, 0xed, 0x62, 0xea, 0xb6, 0x0d, 0x9c, 0xa1, 0x6e, 0x72, 0x8f, 0x61, 0x90,
|
||||
0x72, 0xcd, 0x62, 0xa6, 0x19, 0xed, 0x4d, 0x1d, 0xcf, 0x3d, 0xda, 0xf5, 0xeb, 0xbf, 0xf3, 0xb1,
|
||||
0xa2, 0xff, 0x71, 0x19, 0x3f, 0xcb, 0x74, 0x51, 0x05, 0xab, 0x74, 0xf2, 0x0a, 0xb6, 0xa2, 0x82,
|
||||
0x33, 0x2d, 0x64, 0x16, 0x9a, 0xdf, 0xa6, 0xfd, 0x69, 0xcb, 0x73, 0x8f, 0x26, 0xbe, 0x9d, 0x89,
|
||||
0x5f, 0xcf, 0xc4, 0xbf, 0xa8, 0x67, 0x12, 0x8c, 0xea, 0x0b, 0x46, 0x22, 0x6f, 0x60, 0x27, 0x61,
|
||||
0x4a, 0x87, 0x65, 0x1e, 0x33, 0xcd, 0x6d, 0x8d, 0xc1, 0x3f, 0x6b, 0x8c, 0xcd, 0x9d, 0xcf, 0x78,
|
||||
0x05, 0xab, 0xec, 0xc1, 0x28, 0x95, 0xb1, 0xb8, 0xac, 0x42, 0x91, 0xc5, 0xfc, 0x2b, 0x1d, 0x4e,
|
||||
0x5b, 0x5e, 0x27, 0x70, 0xad, 0x76, 0x6e, 0x24, 0xf2, 0x04, 0xb6, 0x67, 0x65, 0x74, 0xc5, 0x75,
|
||||
0x78, 0xc5, 0xab, 0x70, 0xc1, 0xd4, 0x82, 0x02, 0x4e, 0x7d, 0xcb, 0xca, 0x1f, 0x78, 0xf5, 0x9e,
|
||||
0xa9, 0x05, 0x39, 0x80, 0x2e, 0x4b, 0x04, 0x53, 0xd4, 0xc5, 0x2e, 0xb6, 0xd7, 0x93, 0x38, 0x35,
|
||||
0x72, 0x60, 0xa3, 0xc6, 0x39, 0x43, 0x03, 0x1d, 0x59, 0xe7, 0xcc, 0x79, 0xf2, 0x12, 0xb6, 0x7e,
|
||||
0x99, 0x13, 0xd9, 0x01, 0xe7, 0x8a, 0x57, 0x4b, 0xbf, 0xcd, 0x91, 0xdc, 0x87, 0xee, 0x17, 0x96,
|
||||
0x94, 0xb5, 0xe3, 0xf6, 0xe3, 0xa4, 0xfd, 0xa2, 0xb5, 0xff, 0xdd, 0x81, 0x9e, 0xb5, 0x84, 0x3c,
|
||||
0x85, 0x3e, 0x3e, 0xc2, 0x15, 0x6d, 0xa1, 0x1d, 0x1b, 0x4d, 0xd4, 0xf1, 0x25, 0x50, 0xed, 0x0d,
|
||||
0xa0, 0x9c, 0x06, 0x50, 0x27, 0x0d, 0x7b, 0x3b, 0x58, 0xef, 0xd1, 0xba, 0x9e, 0x7d, 0xf2, 0xff,
|
||||
0xfd, 0xed, 0xde, 0x81, 0xbf, 0xbd, 0x1b, 0xfb, 0x8b, 0x34, 0x17, 0x73, 0x1e, 0x37, 0x69, 0xee,
|
||||
0xd7, 0x34, 0x9b, 0xc0, 0x9a, 0xe6, 0xe6, 0xfe, 0x0c, 0x7e, 0xdb, 0x9f, 0x6b, 0x20, 0x18, 0x5e,
|
||||
0x03, 0xc1, 0xed, 0x9c, 0xfc, 0xe1, 0x40, 0x17, 0x6d, 0xda, 0x58, 0xf7, 0x3d, 0x18, 0x45, 0x2c,
|
||||
0x93, 0x99, 0x88, 0x58, 0x12, 0xae, 0x7c, 0x73, 0x57, 0xda, 0x79, 0x4c, 0x76, 0x01, 0x52, 0x59,
|
||||
0x66, 0x3a, 0x44, 0xba, 0xac, 0x8d, 0x43, 0x54, 0x2e, 0xaa, 0x9c, 0x93, 0x03, 0x18, 0xdb, 0x30,
|
||||
0x8b, 0x22, 0xae, 0x94, 0x2c, 0x68, 0xc7, 0xf6, 0x8f, 0xea, 0xe9, 0x52, 0x5c, 0x57, 0xc9, 0x99,
|
||||
0x5e, 0xa0, 0x67, 0x75, 0x95, 0x4f, 0x4c, 0x2f, 0xfe, 0xbe, 0xf0, 0xd8, 0xfa, 0x1f, 0x81, 0xa8,
|
||||
0x01, 0xeb, 0x37, 0x00, 0xdb, 0x80, 0x64, 0x70, 0x07, 0x90, 0x0c, 0x6f, 0x0c, 0xc9, 0x31, 0x3c,
|
||||
0x5c, 0x42, 0x72, 0x59, 0xc8, 0x34, 0x6c, 0x4e, 0x5a, 0x51, 0x40, 0x12, 0x1e, 0xd8, 0x84, 0xb7,
|
||||
0x85, 0x4c, 0x5f, 0xaf, 0x87, 0xae, 0x6e, 0xe5, 0xf7, 0xac, 0x87, 0xbd, 0x3d, 0xff, 0x19, 0x00,
|
||||
0x00, 0xff, 0xff, 0x8e, 0x4a, 0xc5, 0xdb, 0x1f, 0x06, 0x00, 0x00,
|
||||
// 617 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x94, 0xdd, 0x6e, 0xd3, 0x30,
|
||||
0x14, 0xc7, 0xd5, 0xa6, 0x1f, 0xe9, 0x69, 0xd7, 0x0d, 0x0b, 0x21, 0x53, 0x69, 0xd0, 0x4d, 0x1a,
|
||||
0x2a, 0x5c, 0x64, 0xd2, 0xb8, 0x61, 0xe3, 0x02, 0x4d, 0x30, 0x60, 0x42, 0x48, 0x28, 0x1a, 0xd7,
|
||||
0x91, 0x1b, 0x7b, 0xad, 0xb5, 0x24, 0x8e, 0x62, 0x17, 0x91, 0xd7, 0xe1, 0xd5, 0xb8, 0xe6, 0x1d,
|
||||
0x90, 0x8f, 0x9b, 0x36, 0xd0, 0xf1, 0x31, 0x6d, 0x77, 0xf6, 0xff, 0x1c, 0x1f, 0x1f, 0x9f, 0xff,
|
||||
0x2f, 0x81, 0xbe, 0x29, 0x73, 0xa1, 0x83, 0xbc, 0x50, 0x46, 0x11, 0x5f, 0x72, 0x91, 0x19, 0x69,
|
||||
0xca, 0xd1, 0xe3, 0x99, 0x52, 0xb3, 0x44, 0x1c, 0xa2, 0x3e, 0x5d, 0x5c, 0x1e, 0x1a, 0x99, 0x0a,
|
||||
0x6d, 0x58, 0x9a, 0xbb, 0xd4, 0xfd, 0x6f, 0x2d, 0x68, 0xbf, 0x2b, 0xd4, 0x22, 0x27, 0x43, 0x68,
|
||||
0x4a, 0x4e, 0x1b, 0xe3, 0xc6, 0xa4, 0x17, 0x36, 0x25, 0x27, 0x04, 0x5a, 0x19, 0x4b, 0x05, 0x6d,
|
||||
0xa2, 0x82, 0x6b, 0x32, 0x02, 0x3f, 0x57, 0x89, 0x8c, 0xa5, 0xd0, 0xd4, 0x1b, 0x7b, 0x93, 0x5e,
|
||||
0xb8, 0xda, 0x93, 0x09, 0xec, 0xe4, 0xac, 0x10, 0x99, 0x89, 0x66, 0xb6, 0x5e, 0x24, 0xb9, 0xa6,
|
||||
0x2d, 0xcc, 0x19, 0x3a, 0x1d, 0xaf, 0x39, 0xe7, 0x9a, 0x3c, 0x83, 0x7b, 0xa9, 0x48, 0xa7, 0xa2,
|
||||
0x88, 0x5c, 0x97, 0x98, 0xda, 0xc6, 0xd4, 0x6d, 0x17, 0x38, 0x43, 0xdd, 0xe6, 0x1e, 0x83, 0x9f,
|
||||
0x0a, 0xc3, 0x38, 0x33, 0x8c, 0x76, 0xc6, 0xde, 0xa4, 0x7f, 0xb4, 0x1b, 0x54, 0xaf, 0x0b, 0xb0,
|
||||
0x62, 0xf0, 0x71, 0x19, 0x3f, 0xcb, 0x4c, 0x51, 0x86, 0xab, 0x74, 0xf2, 0x0a, 0xb6, 0xe2, 0x42,
|
||||
0x30, 0x23, 0x55, 0x16, 0xd9, 0x67, 0xd3, 0xee, 0xb8, 0x31, 0xe9, 0x1f, 0x8d, 0x02, 0x37, 0x93,
|
||||
0xa0, 0x9a, 0x49, 0x70, 0x51, 0xcd, 0x24, 0x1c, 0x54, 0x07, 0xac, 0x44, 0xde, 0xc0, 0x4e, 0xc2,
|
||||
0xb4, 0x89, 0x16, 0x39, 0x67, 0x46, 0xb8, 0x1a, 0xfe, 0x3f, 0x6b, 0x0c, 0xed, 0x99, 0xcf, 0x78,
|
||||
0x04, 0xab, 0xec, 0xc1, 0x20, 0x55, 0x5c, 0x5e, 0x96, 0x91, 0xcc, 0xb8, 0xf8, 0x4a, 0x7b, 0xe3,
|
||||
0xc6, 0xa4, 0x15, 0xf6, 0x9d, 0x76, 0x6e, 0x25, 0xf2, 0x04, 0xb6, 0xa7, 0x8b, 0xf8, 0x4a, 0x98,
|
||||
0xe8, 0x4a, 0x94, 0xd1, 0x9c, 0xe9, 0x39, 0x05, 0x9c, 0xfa, 0x96, 0x93, 0x3f, 0x88, 0xf2, 0x3d,
|
||||
0xd3, 0x73, 0x72, 0x00, 0x6d, 0x96, 0x48, 0xa6, 0x69, 0x1f, 0xbb, 0xd8, 0x5e, 0x4f, 0xe2, 0xd4,
|
||||
0xca, 0xa1, 0x8b, 0x5a, 0xe7, 0x2c, 0x0d, 0x74, 0xe0, 0x9c, 0xb3, 0xeb, 0xd1, 0x4b, 0xd8, 0xfa,
|
||||
0x65, 0x4e, 0x64, 0x07, 0xbc, 0x2b, 0x51, 0x2e, 0xfd, 0xb6, 0x4b, 0x72, 0x1f, 0xda, 0x5f, 0x58,
|
||||
0xb2, 0xa8, 0x1c, 0x77, 0x9b, 0x93, 0xe6, 0x8b, 0xc6, 0xfe, 0x77, 0x0f, 0x3a, 0xce, 0x12, 0xf2,
|
||||
0x14, 0xba, 0x78, 0x89, 0xd0, 0xb4, 0x81, 0x76, 0x6c, 0x34, 0x51, 0xc5, 0x97, 0x40, 0x35, 0x37,
|
||||
0x80, 0xf2, 0x6a, 0x40, 0x9d, 0xd4, 0xec, 0x6d, 0x61, 0xbd, 0x47, 0xeb, 0x7a, 0xee, 0xca, 0xff,
|
||||
0xf7, 0xb7, 0x7d, 0x07, 0xfe, 0x76, 0x6e, 0xec, 0x2f, 0xd2, 0x5c, 0xcc, 0x04, 0xaf, 0xd3, 0xdc,
|
||||
0xad, 0x68, 0xb6, 0x81, 0x35, 0xcd, 0xf5, 0xef, 0xc7, 0xff, 0xed, 0xfb, 0xb9, 0x06, 0x82, 0xde,
|
||||
0x75, 0x10, 0x8c, 0xc0, 0xe7, 0x52, 0xb3, 0x69, 0x22, 0x38, 0x72, 0xe0, 0x87, 0xab, 0xfd, 0xed,
|
||||
0x5c, 0xfe, 0xe1, 0x41, 0x1b, 0x2d, 0xdc, 0xf8, 0x15, 0xec, 0xc1, 0x20, 0x66, 0x99, 0xca, 0x64,
|
||||
0xcc, 0x92, 0x68, 0xe5, 0x69, 0x7f, 0xa5, 0x9d, 0x73, 0xb2, 0x0b, 0x90, 0xaa, 0x45, 0x66, 0x22,
|
||||
0x24, 0xcf, 0x59, 0xdc, 0x43, 0xe5, 0xa2, 0xcc, 0x05, 0x39, 0x80, 0xa1, 0x0b, 0xb3, 0x38, 0x16,
|
||||
0x5a, 0xab, 0x82, 0xb6, 0xdc, 0xdb, 0x50, 0x3d, 0x5d, 0x8a, 0xeb, 0x2a, 0x39, 0x33, 0x73, 0xf4,
|
||||
0xb3, 0xaa, 0xf2, 0x89, 0x99, 0xf9, 0xdf, 0x7f, 0x06, 0xd8, 0xfa, 0x1f, 0x61, 0xa9, 0xe0, 0xeb,
|
||||
0xd6, 0xe0, 0xdb, 0x00, 0xc8, 0xbf, 0x03, 0x80, 0x7a, 0x37, 0x06, 0xe8, 0x18, 0x1e, 0x2e, 0x01,
|
||||
0xba, 0x2c, 0x54, 0x1a, 0xd5, 0x27, 0xad, 0x29, 0x20, 0x25, 0x0f, 0x5c, 0xc2, 0xdb, 0x42, 0xa5,
|
||||
0xaf, 0xd7, 0x43, 0xd7, 0xb7, 0xf2, 0x7b, 0xda, 0xc1, 0xde, 0x9e, 0xff, 0x0c, 0x00, 0x00, 0xff,
|
||||
0xff, 0x60, 0x0b, 0xc9, 0x74, 0x3b, 0x06, 0x00, 0x00,
|
||||
}
|
||||
|
|
|
@ -110,6 +110,10 @@ message Entity {
|
|||
// MFASecrets holds the MFA secrets indexed by the identifier of the MFA
|
||||
// method configuration.
|
||||
//map<string, mfa.Secret> mfa_secrets = 10;
|
||||
|
||||
// Disabled indicates whether tokens associated with the account should not
|
||||
// be able to be used
|
||||
bool disabled = 11;
|
||||
}
|
||||
|
||||
// Alias represents the alias that gets stored inside of the
|
||||
|
|
|
@ -273,6 +273,10 @@ var (
|
|||
// ErrPermissionDenied is returned if the client is not authorized
|
||||
ErrPermissionDenied = errors.New("permission denied")
|
||||
|
||||
// ErrDisabledEntity is returned if the entity tied to a token is marked as
|
||||
// disabled
|
||||
ErrEntityDisabled = errors.New("entity associated with token is disabled")
|
||||
|
||||
// ErrMultiAuthzPending is returned if the the request needs more
|
||||
// authorizations
|
||||
ErrMultiAuthzPending = errors.New("request needs further approval")
|
||||
|
|
|
@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
|
|||
}
|
||||
}
|
||||
|
||||
if entity != nil && entity.Disabled {
|
||||
return nil, te, logical.ErrEntityDisabled
|
||||
}
|
||||
|
||||
// Check if this is a root protected path
|
||||
rootPath := c.router.RootPath(req.Path)
|
||||
|
||||
|
@ -1319,20 +1323,21 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
|
|||
return retErr
|
||||
}
|
||||
|
||||
// Since there is no token store in standby nodes, sealing cannot be done.
|
||||
// Ideally, the request has to be forwarded to leader node for validation
|
||||
// and the operation should be performed. But for now, just returning with
|
||||
// an error and recommending a vault restart, which essentially does the
|
||||
// same thing.
|
||||
if c.standby {
|
||||
c.logger.Error("vault cannot seal when in standby mode; please restart instead")
|
||||
retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
|
||||
c.stateLock.RUnlock()
|
||||
return retErr
|
||||
}
|
||||
|
||||
// Validate the token is a root token
|
||||
acl, te, entity, err := c.fetchACLTokenEntryAndEntity(req.ClientToken)
|
||||
if err != nil {
|
||||
// Since there is no token store in standby nodes, sealing cannot
|
||||
// be done. Ideally, the request has to be forwarded to leader node
|
||||
// for validation and the operation should be performed. But for now,
|
||||
// just returning with an error and recommending a vault restart, which
|
||||
// essentially does the same thing.
|
||||
if c.standby {
|
||||
c.logger.Error("vault cannot seal when in standby mode; please restart instead")
|
||||
retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
|
||||
c.stateLock.RUnlock()
|
||||
return retErr
|
||||
}
|
||||
retErr = multierror.Append(retErr, err)
|
||||
c.stateLock.RUnlock()
|
||||
return retErr
|
||||
|
@ -1341,10 +1346,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
|
|||
// Audit-log the request before going any further
|
||||
auth := &logical.Auth{
|
||||
ClientToken: req.ClientToken,
|
||||
Policies: te.Policies,
|
||||
Metadata: te.Meta,
|
||||
DisplayName: te.DisplayName,
|
||||
EntityID: te.EntityID,
|
||||
}
|
||||
if te != nil {
|
||||
auth.Policies = te.Policies
|
||||
auth.Metadata = te.Meta
|
||||
auth.DisplayName = te.DisplayName
|
||||
auth.EntityID = te.EntityID
|
||||
}
|
||||
|
||||
logInput := &audit.LogInput{
|
||||
|
@ -1358,6 +1365,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
|
|||
return retErr
|
||||
}
|
||||
|
||||
if entity != nil && entity.Disabled {
|
||||
retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
|
||||
c.stateLock.RUnlock()
|
||||
return retErr
|
||||
}
|
||||
|
||||
// Attempt to use the token (decrement num_uses)
|
||||
// On error bail out; if the token has been revoked, bail out too
|
||||
if te != nil {
|
||||
|
@ -1450,10 +1463,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
|
|||
// Audit-log the request before going any further
|
||||
auth := &logical.Auth{
|
||||
ClientToken: req.ClientToken,
|
||||
Policies: te.Policies,
|
||||
Metadata: te.Meta,
|
||||
DisplayName: te.DisplayName,
|
||||
EntityID: te.EntityID,
|
||||
}
|
||||
if te != nil {
|
||||
auth.Policies = te.Policies
|
||||
auth.Metadata = te.Meta
|
||||
auth.DisplayName = te.DisplayName
|
||||
auth.EntityID = te.EntityID
|
||||
}
|
||||
|
||||
logInput := &audit.LogInput{
|
||||
|
@ -1466,6 +1481,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
|
|||
return retErr
|
||||
}
|
||||
|
||||
if entity != nil && entity.Disabled {
|
||||
retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
|
||||
c.stateLock.RUnlock()
|
||||
return retErr
|
||||
}
|
||||
|
||||
// Attempt to use the token (decrement num_uses)
|
||||
if te != nil {
|
||||
te, err = c.tokenStore.UseToken(ctx, te)
|
||||
|
|
|
@ -45,6 +45,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
|
|||
Type: framework.TypeCommaStringSlice,
|
||||
Description: "Policies to be tied to the entity.",
|
||||
},
|
||||
"disabled": {
|
||||
Type: framework.TypeBool,
|
||||
Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
|
||||
},
|
||||
},
|
||||
Callbacks: map[logical.Operation]framework.OperationFunc{
|
||||
logical.UpdateOperation: i.pathEntityRegister(),
|
||||
|
@ -76,6 +80,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
|
|||
Type: framework.TypeCommaStringSlice,
|
||||
Description: "Policies to be tied to the entity.",
|
||||
},
|
||||
"disabled": {
|
||||
Type: framework.TypeBool,
|
||||
Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
|
||||
},
|
||||
},
|
||||
Callbacks: map[logical.Operation]framework.OperationFunc{
|
||||
logical.UpdateOperation: i.pathEntityIDUpdate(),
|
||||
|
@ -354,6 +362,11 @@ func (i *IdentityStore) handleEntityUpdateCommon(req *logical.Request, d *framew
|
|||
entity.Policies = entityPoliciesRaw.([]string)
|
||||
}
|
||||
|
||||
disabledRaw, ok := d.GetOk("disabled")
|
||||
if ok {
|
||||
entity.Disabled = disabledRaw.(bool)
|
||||
}
|
||||
|
||||
// Get the name
|
||||
entityName := d.Get("name").(string)
|
||||
if entityName != "" {
|
||||
|
@ -434,6 +447,7 @@ func (i *IdentityStore) handleEntityReadCommon(entity *identity.Entity) (*logica
|
|||
respData["metadata"] = entity.Metadata
|
||||
respData["merged_entity_ids"] = entity.MergedEntityIDs
|
||||
respData["policies"] = entity.Policies
|
||||
respData["disabled"] = entity.Disabled
|
||||
|
||||
// Convert protobuf timestamp into RFC3339 format
|
||||
respData["creation_time"] = ptypes.TimestampString(entity.CreationTime)
|
||||
|
|
176
vault/identity_store_entities_ext_test.go
Normal file
176
vault/identity_store_entities_ext_test.go
Normal file
|
@ -0,0 +1,176 @@
|
|||
package vault_test
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/vault/api"
|
||||
"github.com/hashicorp/vault/builtin/credential/approle"
|
||||
vaulthttp "github.com/hashicorp/vault/http"
|
||||
"github.com/hashicorp/vault/logical"
|
||||
"github.com/hashicorp/vault/vault"
|
||||
)
|
||||
|
||||
func TestIdentityStore_EntityDisabled(t *testing.T) {
|
||||
// Use a TestCluster and the approle backend to get a token and entity for testing
|
||||
coreConfig := &vault.CoreConfig{
|
||||
CredentialBackends: map[string]logical.Factory{
|
||||
"approle": approle.Factory,
|
||||
},
|
||||
}
|
||||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||||
HandlerFunc: vaulthttp.Handler,
|
||||
})
|
||||
cluster.Start()
|
||||
defer cluster.Cleanup()
|
||||
|
||||
core := cluster.Cores[0].Core
|
||||
vault.TestWaitActive(t, core)
|
||||
client := cluster.Cores[0].Client
|
||||
|
||||
// Mount the auth backend
|
||||
err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
|
||||
Type: "approle",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Tune the mount
|
||||
err = client.Sys().TuneMount("auth/approle", api.MountConfigInput{
|
||||
DefaultLeaseTTL: "5m",
|
||||
MaxLeaseTTL: "5m",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Create role
|
||||
resp, err := client.Logical().Write("auth/approle/role/role-period", map[string]interface{}{
|
||||
"period": "5m",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Get role_id
|
||||
resp, err = client.Logical().Read("auth/approle/role/role-period/role-id")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatal("expected a response for fetching the role-id")
|
||||
}
|
||||
roleID := resp.Data["role_id"]
|
||||
|
||||
// Get secret_id
|
||||
resp, err = client.Logical().Write("auth/approle/role/role-period/secret-id", map[string]interface{}{})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatal("expected a response for fetching the secret-id")
|
||||
}
|
||||
secretID := resp.Data["secret_id"]
|
||||
|
||||
// Login
|
||||
resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{
|
||||
"role_id": roleID,
|
||||
"secret_id": secretID,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatal("expected a response for login")
|
||||
}
|
||||
if resp.Auth == nil {
|
||||
t.Fatal("expected auth object from response")
|
||||
}
|
||||
if resp.Auth.ClientToken == "" {
|
||||
t.Fatal("expected a client token")
|
||||
}
|
||||
|
||||
roleToken := resp.Auth.ClientToken
|
||||
|
||||
client.SetToken(roleToken)
|
||||
resp, err = client.Auth().Token().LookupSelf()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatal("expected a response for token lookup")
|
||||
}
|
||||
entityIDRaw, ok := resp.Data["entity_id"]
|
||||
if !ok {
|
||||
t.Fatal("expected an entity ID")
|
||||
}
|
||||
entityID, ok := entityIDRaw.(string)
|
||||
if !ok {
|
||||
t.Fatal("entity_id not a string")
|
||||
}
|
||||
|
||||
client.SetToken(cluster.RootToken)
|
||||
resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{
|
||||
"disabled": true,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// This call should now fail
|
||||
client.SetToken(roleToken)
|
||||
resp, err = client.Auth().Token().LookupSelf()
|
||||
if err == nil {
|
||||
t.Fatalf("expected error, got %#v", *resp)
|
||||
}
|
||||
if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
|
||||
t.Fatalf("expected to see entity disabled error, got %v", err)
|
||||
}
|
||||
|
||||
// Attempting to get a new token should also now fail
|
||||
client.SetToken("")
|
||||
resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{
|
||||
"role_id": roleID,
|
||||
"secret_id": secretID,
|
||||
})
|
||||
if err == nil {
|
||||
t.Fatalf("expected error, got %#v", *resp)
|
||||
}
|
||||
if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) {
|
||||
t.Fatalf("expected to see entity disabled error, got %v", err)
|
||||
}
|
||||
|
||||
client.SetToken(cluster.RootToken)
|
||||
resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{
|
||||
"disabled": false,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
client.SetToken(roleToken)
|
||||
resp, err = client.Auth().Token().LookupSelf()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Getting a new token should now work again too
|
||||
client.SetToken("")
|
||||
resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{
|
||||
"role_id": roleID,
|
||||
"secret_id": secretID,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatal("expected a response for login")
|
||||
}
|
||||
if resp.Auth == nil {
|
||||
t.Fatal("expected auth object from response")
|
||||
}
|
||||
if resp.Auth.ClientToken == "" {
|
||||
t.Fatal("expected a client token")
|
||||
}
|
||||
}
|
|
@ -204,7 +204,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
|
|||
// return invalid request so that the status codes can be correct
|
||||
errType := logical.ErrInvalidRequest
|
||||
switch ctErr {
|
||||
case ErrInternalError, logical.ErrPermissionDenied:
|
||||
case ErrInternalError, logical.ErrPermissionDenied, logical.ErrEntityDisabled:
|
||||
errType = ctErr
|
||||
}
|
||||
|
||||
|
@ -519,6 +519,10 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
|
|||
return nil, nil, fmt.Errorf("failed to create an entity for the authenticated alias")
|
||||
}
|
||||
|
||||
if entity.Disabled {
|
||||
return nil, nil, logical.ErrEntityDisabled
|
||||
}
|
||||
|
||||
auth.EntityID = entity.ID
|
||||
if auth.GroupAliases != nil {
|
||||
err = c.identityStore.refreshExternalGroupMembershipsByEntityID(auth.EntityID, auth.GroupAliases)
|
||||
|
|
|
@ -26,6 +26,9 @@ This endpoint creates or updates an Entity.
|
|||
|
||||
- `policies` `(list of strings: [])` – Policies to be tied to the entity.
|
||||
|
||||
- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
|
||||
entities' associated tokens cannot be used, but are not revoked.
|
||||
|
||||
### Sample Payload
|
||||
|
||||
```json
|
||||
|
@ -86,6 +89,7 @@ $ curl \
|
|||
"data": {
|
||||
"bucket_key_hash": "177553e4c58987f4cc5d7e530136c642",
|
||||
"creation_time": "2017-07-25T20:29:22.614756844Z",
|
||||
"disabled": false,
|
||||
"id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297",
|
||||
"last_update_time": "2017-07-25T20:29:22.614756844Z",
|
||||
"metadata": {
|
||||
|
@ -120,6 +124,8 @@ This endpoint is used to update an existing entity.
|
|||
|
||||
- `policies` `(list of strings: [])` – Policies to be tied to the entity.
|
||||
|
||||
- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled
|
||||
entities' associated tokens cannot be used, but are not revoked.
|
||||
|
||||
### Sample Payload
|
||||
|
||||
|
|
Loading…
Reference in a new issue