luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Refactor common token fields and operations into a helper (#5953)

This commit is contained in:
Jeff Mitchell 2019-01-30 16:23:28 -05:00 committed by GitHub
parent 3592bfdcb0
commit 85a560abba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
40 changed files with 1139 additions and 757 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
audit/format.go
View File

@ -131,6 +131,7 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
TokenPolicies: auth.TokenPolicies,
IdentityPolicies: auth.IdentityPolicies,
ExternalNamespacePolicies: auth.ExternalNamespacePolicies,
NoDefaultPolicy: auth.NoDefaultPolicy,
Metadata: auth.Metadata,
EntityID: auth.EntityID,
RemainingUses: req.ClientTokenRemainingUses,
@ -303,6 +304,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
TokenPolicies: resp.Auth.TokenPolicies,
IdentityPolicies: resp.Auth.IdentityPolicies,
ExternalNamespacePolicies: resp.Auth.ExternalNamespacePolicies,
NoDefaultPolicy: resp.Auth.NoDefaultPolicy,
Metadata: resp.Auth.Metadata,
NumUses: resp.Auth.NumUses,
EntityID: resp.Auth.EntityID,
@ -344,6 +346,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
TokenPolicies: auth.TokenPolicies,
IdentityPolicies: auth.IdentityPolicies,
ExternalNamespacePolicies: auth.ExternalNamespacePolicies,
NoDefaultPolicy: auth.NoDefaultPolicy,
Metadata: auth.Metadata,
RemainingUses: req.ClientTokenRemainingUses,
EntityID: auth.EntityID,
@ -437,6 +440,7 @@ type AuditAuth struct {
TokenPolicies []string `json:"token_policies,omitempty"`
IdentityPolicies []string `json:"identity_policies,omitempty"`
ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"`
NoDefaultPolicy bool `json:"no_default_policy,omitempty"`
Metadata map[string]string `json:"metadata"`
NumUses int `json:"num_uses,omitempty"`
RemainingUses int `json:"remaining_uses,omitempty"`

24
audit/format_json_test.go
View File

@ -38,11 +38,12 @@ func TestFormatJSON_formatRequest(t *testing.T) {
}{
"auth, request": {
&logical.Auth{
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
Policies: []string{"root"},
TokenType: logical.TokenTypeService,
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
NoDefaultPolicy: true,
Policies: []string{"root"},
TokenType: logical.TokenTypeService,
},
&logical.Request{
Operation: logical.UpdateOperation,
@ -63,11 +64,12 @@ func TestFormatJSON_formatRequest(t *testing.T) {
},
"auth, request with prefix": {
&logical.Auth{
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
Policies: []string{"root"},
TokenType: logical.TokenTypeService,
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
NoDefaultPolicy: true,
Policies: []string{"root"},
TokenType: logical.TokenTypeService,
},
&logical.Request{
Operation: logical.UpdateOperation,
@ -139,5 +141,5 @@ func TestFormatJSON_formatRequest(t *testing.T) {
}
}
const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"no_default_policy":true,"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
`

26
audit/format_jsonx_test.go
View File

@ -37,11 +37,12 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
}{
"auth, request": {
&logical.Auth{
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
Policies: []string{"root"},
TokenType: logical.TokenTypeService,
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
Policies: []string{"root"},
NoDefaultPolicy: true,
TokenType: logical.TokenTypeService,
},
&logical.Request{
Operation: logical.UpdateOperation,
@ -59,16 +60,17 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
errors.New("this is an error"),
"",
"",
fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:boolean name="no_default_policy">true</json:boolean><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
fooSalted),
},
"auth, request with prefix": {
&logical.Auth{
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
Policies: []string{"root"},
TokenType: logical.TokenTypeService,
ClientToken: "foo",
Accessor: "bar",
DisplayName: "testtoken",
NoDefaultPolicy: true,
Policies: []string{"root"},
TokenType: logical.TokenTypeService,
},
&logical.Request{
Operation: logical.UpdateOperation,
@ -86,7 +88,7 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
errors.New("this is an error"),
"",
"@cee: ",
fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:boolean name="no_default_policy">true</json:boolean><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
fooSalted),
},
}

3
builtin/credential/app-id/path_login.go
View File

@ -116,9 +116,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
DisplayName: displayName,
Policies: policies,
Metadata: metadata,
LeaseOptions: logical.LeaseOptions{
Renewable: true,
},
Alias: &logical.Alias{
Name: appId,
},

5
builtin/credential/approle/path_login.go
View File

@ -294,9 +294,8 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
Metadata: metadata,
Policies: role.Policies,
LeaseOptions: logical.LeaseOptions{
Renewable: true,
TTL: role.TokenTTL,
MaxTTL: role.TokenMaxTTL,
TTL: role.TokenTTL,
MaxTTL: role.TokenMaxTTL,
},
Alias: &logical.Alias{
Name: role.RoleID,

10
builtin/credential/aws/path_login.go
View File

@ -825,9 +825,8 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
"ami_id": identityDocParsed.AmiID,
},
LeaseOptions: logical.LeaseOptions{
Renewable: true,
TTL: roleEntry.TTL,
MaxTTL: shortestMaxTTL,
TTL: roleEntry.TTL,
MaxTTL: shortestMaxTTL,
},
Alias: &logical.Alias{
Name: identityAlias,
@ -1338,9 +1337,8 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
},
DisplayName: entity.FriendlyName,
LeaseOptions: logical.LeaseOptions{
Renewable: true,
TTL: roleEntry.TTL,
MaxTTL: roleEntry.MaxTTL,
TTL: roleEntry.TTL,
MaxTTL: roleEntry.MaxTTL,
},
Alias: &logical.Alias{
Name: identityAlias,

68
builtin/credential/cert/backend_test.go
View File

@ -21,14 +21,17 @@ import (
"testing"
"time"
"github.com/go-test/deep"
cleanhttp "github.com/hashicorp/go-cleanhttp"
log "github.com/hashicorp/go-hclog"
sockaddr "github.com/hashicorp/go-sockaddr"
"github.com/hashicorp/vault/api"
vaulthttp "github.com/hashicorp/vault/http"
rootcerts "github.com/hashicorp/go-rootcerts"
"github.com/hashicorp/vault/builtin/logical/pki"
"github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
logicaltest "github.com/hashicorp/vault/logical/testing"
@ -1788,3 +1791,68 @@ func Test_Renew(t *testing.T) {
t.Fatal("expected error")
}
}
func TestBackend_CertUpgrade(t *testing.T) {
s := &logical.InmemStorage{}
config := logical.TestBackendConfig()
config.StorageView = s
ctx := context.Background()
b := Backend()
if b == nil {
t.Fatalf("failed to create backend")
}
if err := b.Setup(ctx, config); err != nil {
t.Fatal(err)
}
type B struct {
Policies []string
TTL time.Duration
MaxTTL time.Duration
Period time.Duration
BoundCIDRs []*sockaddr.SockAddrMarshaler
}
foo := &B{
Policies: []string{"foo"},
TTL: time.Second,
MaxTTL: time.Second,
Period: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
}
entry, err := logical.StorageEntryJSON("cert/foo", foo)
if err != nil {
t.Fatal(err)
}
err = s.Put(ctx, entry)
if err != nil {
t.Fatal(err)
}
certEntry, err := b.Cert(ctx, s, "foo")
if err != nil {
t.Fatal(err)
}
exp := &CertEntry{
TokenParams: tokenhelper.TokenParams{
Policies: []string{"foo"},
TTL: time.Second,
MaxTTL: time.Second,
Period: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
},
OldPolicies: nil,
OldTTL: 0,
OldMaxTTL: 0,
OldPeriod: 0,
OldBoundCIDRs: nil,
}
if diff := deep.Equal(certEntry, exp); diff != nil {
t.Fatal(diff)
}
}

200
builtin/credential/cert/path_certs.go
View File

@ -4,12 +4,11 @@ import (
"context"
"crypto/x509"
"fmt"
"strings"
"time"
sockaddr "github.com/hashicorp/go-sockaddr"
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -28,11 +27,11 @@ func pathListCerts(b *backend) *framework.Path {
}
func pathCerts(b *backend) *framework.Path {
return &framework.Path{
path := &framework.Path{
Pattern: "certs/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
Type: framework.TypeString,
Type: framework.TypeLowerCaseString,
Description: "The name of the certificate",
},
@ -93,42 +92,11 @@ All values much match. Supports globbing on "value".`,
certificate.`,
},
"policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: "Comma-separated list of policies.",
},
"lease": &framework.FieldSchema{
Type: framework.TypeInt,
Description: `Deprecated: use "ttl" instead. TTL time in
seconds. Defaults to system/backend default TTL.`,
},
"ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: `TTL for tokens issued by this backend.
Defaults to system/backend default TTL time.`,
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: `Duration in either an integer number of seconds (3600) or
an integer time unit (60m) after which the
issued token can no longer be renewed.`,
},
"period": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: `If set, indicates that the token generated using this role
should never expire. The token should be renewed within the
duration specified by this value. At each renewal, the token's
TTL will be set to the value of this parameter.`,
},
"bound_cidrs": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
IP addresses which can perform the login operation.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
@ -140,10 +108,13 @@ IP addresses which can perform the login operation.`,
HelpSynopsis: pathCertHelpSyn,
HelpDescription: pathCertHelpDesc,
}
tokenhelper.AddTokenFields(path.Fields)
return path
}
func (b *backend) Cert(ctx context.Context, s logical.Storage, n string) (*CertEntry, error) {
entry, err := s.Get(ctx, "cert/"+strings.ToLower(n))
entry, err := s.Get(ctx, "cert/"+n)
if err != nil {
return nil, err
}
@ -155,11 +126,48 @@ func (b *backend) Cert(ctx context.Context, s logical.Storage, n string) (*CertE
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
var needsUpgrade bool
if result.OldTTL != 0 {
needsUpgrade = true
result.TTL = result.OldTTL
result.OldTTL = 0
}
if result.OldMaxTTL != 0 {
needsUpgrade = true
result.MaxTTL = result.OldMaxTTL
result.OldMaxTTL = 0
}
if result.OldPeriod != 0 {
needsUpgrade = true
result.Period = result.OldPeriod
result.OldPeriod = 0
}
if len(result.OldPolicies) > 0 {
needsUpgrade = true
result.Policies = result.OldPolicies
result.OldPolicies = nil
}
if len(result.OldBoundCIDRs) > 0 {
needsUpgrade = true
result.BoundCIDRs = result.OldBoundCIDRs
result.OldBoundCIDRs = nil
}
if needsUpgrade && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
entry, err := logical.StorageEntryJSON("cert/"+n, result)
if err != nil {
return nil, err
}
if err := s.Put(ctx, entry); err != nil {
return nil, err
}
}
return &result, nil
}
func (b *backend) pathCertDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
err := req.Storage.Delete(ctx, "cert/"+strings.ToLower(d.Get("name").(string)))
err := req.Storage.Delete(ctx, "cert/"+d.Get("name").(string))
if err != nil {
return nil, err
}
@ -175,7 +183,7 @@ func (b *backend) pathCertList(ctx context.Context, req *logical.Request, d *fra
}
func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
cert, err := b.Cert(ctx, req.Storage, strings.ToLower(d.Get("name").(string)))
cert, err := b.Cert(ctx, req.Storage, d.Get("name").(string))
if err != nil {
return nil, err
}
@ -183,30 +191,27 @@ func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *fra
return nil, nil
}
data := map[string]interface{}{
"certificate": cert.Certificate,
"display_name": cert.DisplayName,
"allowed_names": cert.AllowedNames,
"allowed_common_names": cert.AllowedCommonNames,
"allowed_dns_sans": cert.AllowedDNSSANs,
"allowed_email_sans": cert.AllowedEmailSANs,
"allowed_uri_sans": cert.AllowedURISANs,
"allowed_organizational_units": cert.AllowedOrganizationalUnits,
"required_extensions": cert.RequiredExtensions,
}
cert.PopulateTokenData(data)
return &logical.Response{
Data: map[string]interface{}{
"certificate": cert.Certificate,
"display_name": cert.DisplayName,
"policies": cert.Policies,
"ttl": cert.TTL / time.Second,
"max_ttl": cert.MaxTTL / time.Second,
"period": cert.Period / time.Second,
"allowed_names": cert.AllowedNames,
"allowed_common_names": cert.AllowedCommonNames,
"allowed_dns_sans": cert.AllowedDNSSANs,
"allowed_email_sans": cert.AllowedEmailSANs,
"allowed_uri_sans": cert.AllowedURISANs,
"allowed_organizational_units": cert.AllowedOrganizationalUnits,
"required_extensions": cert.RequiredExtensions,
},
Data: data,
}, nil
}
func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := strings.ToLower(d.Get("name").(string))
name := d.Get("name").(string)
certificate := d.Get("certificate").(string)
displayName := d.Get("display_name").(string)
policies := policyutil.ParsePolicies(d.Get("policies"))
allowedNames := d.Get("allowed_names").([]string)
allowedCommonNames := d.Get("allowed_common_names").([]string)
allowedDNSSANs := d.Get("allowed_dns_sans").([]string)
@ -215,45 +220,32 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
allowedOrganizationalUnits := d.Get("allowed_organizational_units").([]string)
requiredExtensions := d.Get("required_extensions").([]string)
certEntry := &CertEntry{}
var resp logical.Response
if err := certEntry.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), nil
}
// Parse the ttl (or lease duration)
systemDefaultTTL := b.System().DefaultLeaseTTL()
ttl := time.Duration(d.Get("ttl").(int)) * time.Second
if ttl == 0 {
ttl = time.Duration(d.Get("lease").(int)) * time.Second
}
if ttl > systemDefaultTTL {
resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds is greater than current mount/system default of %d seconds", ttl/time.Second, systemDefaultTTL/time.Second))
}
if ttl < time.Duration(0) {
return logical.ErrorResponse("ttl cannot be negative"), nil
if certEntry.TTL > systemDefaultTTL {
resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds is greater than current mount/system default of %d seconds", certEntry.TTL/time.Second, systemDefaultTTL/time.Second))
}
// Parse max_ttl
systemMaxTTL := b.System().MaxLeaseTTL()
maxTTL := time.Duration(d.Get("max_ttl").(int)) * time.Second
if maxTTL > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds is greater than current mount/system default of %d seconds", maxTTL/time.Second, systemMaxTTL/time.Second))
if certEntry.MaxTTL > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds is greater than current mount/system default of %d seconds", certEntry.MaxTTL/time.Second, systemMaxTTL/time.Second))
}
if maxTTL < time.Duration(0) {
return logical.ErrorResponse("max_ttl cannot be negative"), nil
}
if maxTTL != 0 && ttl > maxTTL {
if certEntry.MaxTTL != 0 && certEntry.TTL > certEntry.MaxTTL {
return logical.ErrorResponse("ttl should be shorter than max_ttl"), nil
}
// Parse period
period := time.Duration(d.Get("period").(int)) * time.Second
if period > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given period of %d seconds is greater than the backend's maximum TTL of %d seconds", period/time.Second, systemMaxTTL/time.Second))
}
if period < time.Duration(0) {
return logical.ErrorResponse("period cannot be negative"), nil
if certEntry.Period > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given period of %d seconds is greater than the backend's maximum TTL of %d seconds", certEntry.Period/time.Second, systemMaxTTL/time.Second))
}
// Default the display name to the certificate name if not given
@ -280,28 +272,16 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
}
}
parsedCIDRs, err := parseutil.ParseAddrs(d.Get("bound_cidrs"))
if err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
certEntry := &CertEntry{
Name: name,
Certificate: certificate,
DisplayName: displayName,
Policies: policies,
AllowedNames: allowedNames,
AllowedCommonNames: allowedCommonNames,
AllowedDNSSANs: allowedDNSSANs,
AllowedEmailSANs: allowedEmailSANs,
AllowedURISANs: allowedURISANs,
AllowedOrganizationalUnits: allowedOrganizationalUnits,
RequiredExtensions: requiredExtensions,
TTL: ttl,
MaxTTL: maxTTL,
Period: period,
BoundCIDRs: parsedCIDRs,
}
certEntry.Name = name
certEntry.Certificate = certificate
certEntry.DisplayName = displayName
certEntry.AllowedNames = allowedNames
certEntry.AllowedCommonNames = allowedCommonNames
certEntry.AllowedDNSSANs = allowedDNSSANs
certEntry.AllowedEmailSANs = allowedEmailSANs
certEntry.AllowedURISANs = allowedURISANs
certEntry.AllowedOrganizationalUnits = allowedOrganizationalUnits
certEntry.RequiredExtensions = requiredExtensions
// Store it
entry, err := logical.StorageEntryJSON("cert/"+name, certEntry)
@ -320,13 +300,11 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
}
type CertEntry struct {
tokenhelper.TokenParams
Name string
Certificate string
DisplayName string
Policies []string
TTL time.Duration
MaxTTL time.Duration
Period time.Duration
AllowedNames []string
AllowedCommonNames []string
AllowedDNSSANs []string
@ -334,7 +312,13 @@ type CertEntry struct {
AllowedURISANs []string
AllowedOrganizationalUnits []string
RequiredExtensions []string
BoundCIDRs []*sockaddr.SockAddrMarshaler
// These token-related fields have been moved to the embedded tokenhelper.TokenParams struct
OldPolicies []string `json:"Policies"`
OldTTL time.Duration `json:"TTL"`
OldMaxTTL time.Duration `json:"MaxTTL"`
OldPeriod time.Duration `json:"Period"`
OldBoundCIDRs []*sockaddr.SockAddrMarshaler `json:"BoundCIDRs"`
}
const pathCertHelpSyn = `

45
builtin/credential/cert/path_login.go
View File

@ -83,32 +83,27 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
skid := base64.StdEncoding.EncodeToString(clientCerts[0].SubjectKeyId)
akid := base64.StdEncoding.EncodeToString(clientCerts[0].AuthorityKeyId)
resp := &logical.Response{
Auth: &logical.Auth{
Period: matched.Entry.Period,
InternalData: map[string]interface{}{
"subject_key_id": skid,
"authority_key_id": akid,
},
Policies: matched.Entry.Policies,
DisplayName: matched.Entry.DisplayName,
Metadata: map[string]string{
"cert_name": matched.Entry.Name,
"common_name": clientCerts[0].Subject.CommonName,
"serial_number": clientCerts[0].SerialNumber.String(),
"subject_key_id": certutil.GetHexFormatted(clientCerts[0].SubjectKeyId, ":"),
"authority_key_id": certutil.GetHexFormatted(clientCerts[0].AuthorityKeyId, ":"),
},
LeaseOptions: logical.LeaseOptions{
Renewable: true,
TTL: matched.Entry.TTL,
MaxTTL: matched.Entry.MaxTTL,
},
Alias: &logical.Alias{
Name: clientCerts[0].Subject.CommonName,
},
BoundCIDRs: matched.Entry.BoundCIDRs,
auth := &logical.Auth{
InternalData: map[string]interface{}{
"subject_key_id": skid,
"authority_key_id": akid,
},
DisplayName: matched.Entry.DisplayName,
Metadata: map[string]string{
"cert_name": matched.Entry.Name,
"common_name": clientCerts[0].Subject.CommonName,
"serial_number": clientCerts[0].SerialNumber.String(),
"subject_key_id": certutil.GetHexFormatted(clientCerts[0].SubjectKeyId, ":"),
"authority_key_id": certutil.GetHexFormatted(clientCerts[0].AuthorityKeyId, ":"),
},
Alias: &logical.Alias{
Name: clientCerts[0].Subject.CommonName,
},
}
matched.Entry.PopulateTokenAuth(auth)
resp := &logical.Response{
Auth: auth,
}
// Generate a response

77
builtin/credential/github/path_config.go
View File

@ -4,15 +4,15 @@ import (
"context"
"fmt"
"net/url"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
func pathConfig(b *backend) *framework.Path {
return &framework.Path{
ret := &framework.Path{
Pattern: "config",
Fields: map[string]*framework.FieldSchema{
"organization": &framework.FieldSchema{
@ -26,14 +26,6 @@ func pathConfig(b *backend) *framework.Path {
are running GitHub Enterprise or an
API-compatible authentication server.`,
},
"ttl": &framework.FieldSchema{
Type: framework.TypeString,
Description: `Duration after which authentication will be expired`,
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeString,
Description: `Maximum duration after which authentication will be expired`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
@ -41,6 +33,9 @@ API-compatible authentication server.`,
logical.ReadOperation: b.pathConfigRead,
},
}
tokenhelper.AddTokenFields(ret.Fields)
return ret
}
func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@ -53,35 +48,16 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
}
}
var ttl time.Duration
var err error
ttlRaw, ok := data.GetOk("ttl")
if !ok || len(ttlRaw.(string)) == 0 {
ttl = 0
} else {
ttl, err = time.ParseDuration(ttlRaw.(string))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Invalid 'ttl':%s", err)), nil
}
}
var maxTTL time.Duration
maxTTLRaw, ok := data.GetOk("max_ttl")
if !ok || len(maxTTLRaw.(string)) == 0 {
maxTTL = 0
} else {
maxTTL, err = time.ParseDuration(maxTTLRaw.(string))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Invalid 'max_ttl':%s", err)), nil
}
}
entry, err := logical.StorageEntryJSON("config", config{
cfg := &config{
Organization: organization,
BaseURL: baseURL,
TTL: ttl,
MaxTTL: maxTTL,
})
}
if err := cfg.ParseTokenFields(req, data); err != nil {
return logical.ErrorResponse(err.Error()), nil
}
entry, err := logical.StorageEntryJSON("config", cfg)
if err != nil {
return nil, err
@ -104,18 +80,15 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, data
return nil, fmt.Errorf("configuration object not found")
}
config.TTL /= time.Second
config.MaxTTL /= time.Second
resp := &logical.Response{
Data: map[string]interface{}{
"organization": config.Organization,
"base_url": config.BaseURL,
"ttl": config.TTL,
"max_ttl": config.MaxTTL,
},
respData := map[string]interface{}{
"organization": config.Organization,
"base_url": config.BaseURL,
}
return resp, nil
config.PopulateTokenData(respData)
return &logical.Response{
Data: respData,
}, nil
}
// Config returns the configuration for this backend.
@ -136,8 +109,8 @@ func (b *backend) Config(ctx context.Context, s logical.Storage) (*config, error
}
type config struct {
Organization string `json:"organization" structs:"organization" mapstructure:"organization"`
BaseURL string `json:"base_url" structs:"base_url" mapstructure:"base_url"`
TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl"`
MaxTTL time.Duration `json:"max_ttl" structs:"max_ttl" mapstructure:"max_ttl"`
tokenhelper.TokenParams
Organization string `json:"organization" structs:"organization" mapstructure:"organization"`
BaseURL string `json:"base_url" structs:"base_url" mapstructure:"base_url"`
}

40
builtin/credential/github/path_login.go
View File

@ -9,6 +9,7 @@ import (
"github.com/google/go-github/github"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -68,38 +69,35 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
return nil, err
}
resp := &logical.Response{
Auth: &logical.Auth{
InternalData: map[string]interface{}{
"token": token,
},
Policies: verifyResp.Policies,
Metadata: map[string]string{
"username": *verifyResp.User.Login,
"org": *verifyResp.Org.Login,
},
DisplayName: *verifyResp.User.Login,
LeaseOptions: logical.LeaseOptions{
TTL: config.TTL,
MaxTTL: config.MaxTTL,
Renewable: true,
},
Alias: &logical.Alias{
Name: *verifyResp.User.Login,
},
auth := &logical.Auth{
InternalData: map[string]interface{}{
"token": token,
},
Metadata: map[string]string{
"username": *verifyResp.User.Login,
"org": *verifyResp.Org.Login,
},
DisplayName: *verifyResp.User.Login,
Alias: &logical.Alias{
Name: *verifyResp.User.Login,
},
}
config.PopulateTokenAuth(auth)
auth.Policies = append(auth.Policies, verifyResp.Policies...)
auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
for _, teamName := range verifyResp.TeamNames {
if teamName == "" {
continue
}
resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
auth.GroupAliases = append(auth.GroupAliases, &logical.Alias{
Name: teamName,
})
}
return resp, nil
return &logical.Response{
Auth: auth,
}, nil
}
func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {

11
builtin/credential/ldap/path_config.go
View File

@ -12,7 +12,7 @@ import (
func pathConfig(b *backend) *framework.Path {
return &framework.Path{
Pattern: `config`,
Fields: ldaputil.ConfigFields(),
Fields: ldaputil.ConfigFields(true),
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathConfigRead,
@ -89,8 +89,11 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
return nil, nil
}
data := cfg.PasswordlessMap()
cfg.PopulateTokenData(data)
resp := &logical.Response{
Data: cfg.PasswordlessMap(),
Data: data,
}
return resp, nil
}
@ -109,6 +112,10 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
*cfg.CaseSensitiveNames = false
}
if err := cfg.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
entry, err := logical.StorageEntryJSON("config", cfg)
if err != nil {
return nil, err

25
builtin/credential/ldap/path_login.go
View File

@ -3,9 +3,9 @@ package ldap
import (
"context"
"fmt"
"sort"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -54,6 +54,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
username := d.Get("username").(string)
password := d.Get("password").(string)
cfg, err := b.Config(ctx, req)
if err != nil {
return nil, err
}
if cfg == nil {
return logical.ErrorResponse("ldap backend not configured"), nil
}
policies, resp, groupNames, err := b.Login(ctx, req, username, password)
// Handle an internal error
if err != nil {
@ -68,10 +76,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
resp = &logical.Response{}
}
sort.Strings(policies)
resp.Auth = &logical.Auth{
Policies: policies,
auth := &logical.Auth{
Metadata: map[string]string{
"username": username,
},
@ -79,22 +84,24 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
"password": password,
},
DisplayName: username,
LeaseOptions: logical.LeaseOptions{
Renewable: true,
},
Alias: &logical.Alias{
Name: username,
},
}
cfg.PopulateTokenAuth(auth)
auth.Policies = append(auth.Policies, policies...)
auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
for _, groupName := range groupNames {
if groupName == "" {
continue
}
resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
auth.GroupAliases = append(auth.GroupAliases, &logical.Alias{
Name: groupName,
})
}
resp.Auth = auth
return resp, nil
}

62
builtin/credential/okta/path_config.go
View File

@ -5,10 +5,9 @@ import (
"fmt"
"net/url"
"time"
"github.com/chrismalek/oktasdk-go/okta"
cleanhttp "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -19,7 +18,7 @@ const (
)
func pathConfig(b *backend) *framework.Path {
return &framework.Path{
ret := &framework.Path{
Pattern: `config`,
Fields: map[string]*framework.FieldSchema{
"organization": &framework.FieldSchema{
@ -46,14 +45,6 @@ func pathConfig(b *backend) *framework.Path {
Type: framework.TypeBool,
Description: `(DEPRECATED) Use base_url.`,
},
"ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: `Duration after which authentication will be expired`,
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: `Maximum duration after which authentication will be expired`,
},
"bypass_okta_mfa": &framework.FieldSchema{
Type: framework.TypeBool,
Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`,
@ -70,6 +61,9 @@ func pathConfig(b *backend) *framework.Path {
HelpSynopsis: pathConfigHelp,
}
tokenhelper.AddTokenFields(ret.Fields)
return ret
}
// Config returns the configuration for this backend.
@ -101,15 +95,17 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
return nil, nil
}
resp := &logical.Response{
Data: map[string]interface{}{
"organization": cfg.Org,
"org_name": cfg.Org,
"ttl": cfg.TTL.Seconds(),
"max_ttl": cfg.MaxTTL.Seconds(),
"bypass_okta_mfa": cfg.BypassOktaMFA,
},
data := map[string]interface{}{
"organization": cfg.Org,
"org_name": cfg.Org,
"bypass_okta_mfa": cfg.BypassOktaMFA,
}
cfg.PopulateTokenData(data)
resp := &logical.Response{
Data: data,
}
if cfg.BaseURL != "" {
resp.Data["base_url"] = cfg.BaseURL
}
@ -185,18 +181,8 @@ func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *
cfg.BypassOktaMFA = bypass.(bool)
}
ttl, ok := d.GetOk("ttl")
if ok {
cfg.TTL = time.Duration(ttl.(int)) * time.Second
} else if req.Operation == logical.CreateOperation {
cfg.TTL = time.Duration(d.Get("ttl").(int)) * time.Second
}
maxTTL, ok := d.GetOk("max_ttl")
if ok {
cfg.MaxTTL = time.Duration(maxTTL.(int)) * time.Second
} else if req.Operation == logical.CreateOperation {
cfg.MaxTTL = time.Duration(d.Get("max_ttl").(int)) * time.Second
if err := cfg.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), nil
}
jsonCfg, err := logical.StorageEntryJSON("config", cfg)
@ -244,13 +230,13 @@ func (c *ConfigEntry) OktaClient() *okta.Client {
// ConfigEntry for Okta
type ConfigEntry struct {
Org string `json:"organization"`
Token string `json:"token"`
BaseURL string `json:"base_url"`
Production *bool `json:"is_production,omitempty"`
TTL time.Duration `json:"ttl"`
MaxTTL time.Duration `json:"max_ttl"`
BypassOktaMFA bool `json:"bypass_okta_mfa"`
tokenhelper.TokenParams
Org string `json:"organization"`
Token string `json:"token"`
BaseURL string `json:"base_url"`
Production *bool `json:"is_production,omitempty"`
BypassOktaMFA bool `json:"bypass_okta_mfa"`
}
const pathConfigHelp = `

14
builtin/credential/okta/path_login.go
View File

@ -8,6 +8,7 @@ import (
"github.com/go-errors/errors"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -77,8 +78,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
return nil, err
}
resp.Auth = &logical.Auth{
Policies: policies,
auth := &logical.Auth{
Metadata: map[string]string{
"username": username,
"policies": strings.Join(policies, ","),
@ -87,15 +87,15 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
"password": password,
},
DisplayName: username,
LeaseOptions: logical.LeaseOptions{
TTL: cfg.TTL,
MaxTTL: cfg.MaxTTL,
Renewable: true,
},
Alias: &logical.Alias{
Name: username,
},
}
cfg.PopulateTokenAuth(auth)
auth.Policies = append(auth.Policies, policies...)
auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
resp.Auth = auth
for _, groupName := range groupNames {
if groupName == "" {

36
builtin/credential/radius/path_config.go
View File

@ -4,12 +4,13 @@ import (
"context"
"strings"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
func pathConfig(b *backend) *framework.Path {
return &framework.Path{
ret := &framework.Path{
Pattern: "config",
Fields: map[string]*framework.FieldSchema{
"host": &framework.FieldSchema{
@ -64,6 +65,9 @@ func pathConfig(b *backend) *framework.Path {
HelpSynopsis: pathConfigHelpSyn,
HelpDescription: pathConfigHelpDesc,
}
tokenhelper.AddTokenFields(ret.Fields)
return ret
}
// Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
@ -107,18 +111,20 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
return nil, nil
}
resp := &logical.Response{
Data: map[string]interface{}{
"host": cfg.Host,
"port": cfg.Port,
"unregistered_user_policies": cfg.UnregisteredUserPolicies,
"dial_timeout": cfg.DialTimeout,
"read_timeout": cfg.ReadTimeout,
"nas_port": cfg.NasPort,
"nas_identifier": cfg.NasIdentifier,
},
data := map[string]interface{}{
"host": cfg.Host,
"port": cfg.Port,
"unregistered_user_policies": cfg.UnregisteredUserPolicies,
"dial_timeout": cfg.DialTimeout,
"read_timeout": cfg.ReadTimeout,
"nas_port": cfg.NasPort,
"nas_identifier": cfg.NasIdentifier,
}
return resp, nil
cfg.PopulateTokenData(data)
return &logical.Response{
Data: data,
}, nil
}
func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@ -203,6 +209,10 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
cfg.NasIdentifier = d.Get("nas_identifier").(string)
}
if err := cfg.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), nil
}
entry, err := logical.StorageEntryJSON("config", cfg)
if err != nil {
return nil, err
@ -215,6 +225,8 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
}
type ConfigEntry struct {
tokenhelper.TokenParams
Host string `json:"host" structs:"host" mapstructure:"host"`
Port int `json:"port" structs:"port" mapstructure:"port"`
Secret string `json:"secret" structs:"secret" mapstructure:"secret"`

21
builtin/credential/radius/path_login.go
View File

@ -12,6 +12,7 @@ import (
. "layeh.com/radius/rfc2865"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -76,6 +77,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
return logical.ErrorResponse("password cannot be empty"), nil
}
cfg, err := b.Config(ctx, req)
if err != nil {
return nil, err
}
if cfg == nil {
return logical.ErrorResponse("radius backend not configured"), nil
}
policies, resp, err := b.RadiusLogin(ctx, req, username, password)
// Handle an internal error
if err != nil {
@ -88,8 +97,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
}
}
resp.Auth = &logical.Auth{
Policies: policies,
auth := &logical.Auth{
Metadata: map[string]string{
"username": username,
"policies": strings.Join(policies, ","),
@ -98,13 +106,16 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
"password": password,
},
DisplayName: username,
LeaseOptions: logical.LeaseOptions{
Renewable: true,
},
Alias: &logical.Alias{
Name: username,
},
}
cfg.PopulateTokenAuth(auth)
auth.Policies = append(auth.Policies, policies...)
auth.Policies = strutil.RemoveDuplicates(auth.Policies, false)
resp.Auth = auth
return resp, nil
}

60
builtin/credential/userpass/backend_test.go
View File

@ -9,7 +9,10 @@ import (
"crypto/tls"
"github.com/go-test/deep"
sockaddr "github.com/hashicorp/go-sockaddr"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
logicaltest "github.com/hashicorp/vault/logical/testing"
"github.com/mitchellh/mapstructure"
@ -20,6 +23,63 @@ const (
testSysMaxTTL = time.Hour * 20
)
func TestBackend_UserUpgrade(t *testing.T) {
s := &logical.InmemStorage{}
config := logical.TestBackendConfig()
config.StorageView = s
ctx := context.Background()
b := Backend()
if b == nil {
t.Fatalf("failed to create backend")
}
if err := b.Setup(ctx, config); err != nil {
t.Fatal(err)
}
type B struct {
Policies []string
TTL time.Duration
MaxTTL time.Duration
BoundCIDRs []*sockaddr.SockAddrMarshaler
}
foo := &B{
Policies: []string{"foo"},
TTL: time.Second,
MaxTTL: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
}
entry, err := logical.StorageEntryJSON("user/foo", foo)
if err != nil {
t.Fatal(err)
}
err = s.Put(ctx, entry)
if err != nil {
t.Fatal(err)
}
userEntry, err := b.user(ctx, s, "foo")
if err != nil {
t.Fatal(err)
}
exp := &UserEntry{
TokenParams: tokenhelper.TokenParams{
Policies: []string{"foo"},
TTL: time.Second,
MaxTTL: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
},
}
if diff := deep.Equal(userEntry, exp); diff != nil {
t.Fatal(diff)
}
}
func TestBackend_TTL(t *testing.T) {
var resp *logical.Response
var err error

28
builtin/credential/userpass/path_login.go
View File

@ -108,23 +108,19 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
return logical.ErrorResponse("login request originated from invalid CIDR"), nil
}
return &logical.Response{
Auth: &logical.Auth{
Policies: user.Policies,
Metadata: map[string]string{
"username": username,
},
DisplayName: username,
LeaseOptions: logical.LeaseOptions{
TTL: user.TTL,
MaxTTL: user.MaxTTL,
Renewable: true,
},
Alias: &logical.Alias{
Name: username,
},
BoundCIDRs: user.BoundCIDRs,
auth := &logical.Auth{
Metadata: map[string]string{
"username": username,
},
DisplayName: username,
Alias: &logical.Alias{
Name: username,
},
}
user.PopulateTokenAuth(auth)
return &logical.Response{
Auth: auth,
}, nil
}

96
builtin/credential/userpass/path_users.go
View File

@ -7,8 +7,8 @@ import (
"time"
sockaddr "github.com/hashicorp/go-sockaddr"
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -27,7 +27,7 @@ func pathUsersList(b *backend) *framework.Path {
}
func pathUsers(b *backend) *framework.Path {
return &framework.Path{
p := &framework.Path{
Pattern: "users/" + framework.GenericNameRegex("username"),
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
@ -39,27 +39,6 @@ func pathUsers(b *backend) *framework.Path {
Type: framework.TypeString,
Description: "Password for this user.",
},
"policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: "Comma-separated list of policies",
},
"ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: "Duration after which authentication will be expired",
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: "Maximum duration after which authentication will be expired",
},
"bound_cidrs": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
IP addresses which can perform the login operation.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
@ -74,6 +53,10 @@ IP addresses which can perform the login operation.`,
HelpSynopsis: pathUserHelpSyn,
HelpDescription: pathUserHelpDesc,
}
tokenhelper.AddTokenFields(p.Fields)
return p
}
func (b *backend) userExistenceCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (bool, error) {
@ -103,6 +86,33 @@ func (b *backend) user(ctx context.Context, s logical.Storage, username string)
return nil, err
}
var needsUpgrade bool
if result.OldTTL != 0 {
needsUpgrade = true
result.TTL = result.OldTTL
result.OldTTL = 0
}
if result.OldMaxTTL != 0 {
needsUpgrade = true
result.MaxTTL = result.OldMaxTTL
result.OldMaxTTL = 0
}
if len(result.OldPolicies) != 0 {
needsUpgrade = true
result.Policies = result.OldPolicies
result.OldPolicies = nil
}
if result.OldBoundCIDRs != nil {
needsUpgrade = true
result.BoundCIDRs = result.OldBoundCIDRs
result.OldBoundCIDRs = nil
}
if needsUpgrade && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
if err := b.setUser(ctx, s, strings.ToLower(username), &result); err != nil {
return nil, err
}
}
return &result, nil
}
@ -141,13 +151,10 @@ func (b *backend) pathUserRead(ctx context.Context, req *logical.Request, d *fra
return nil, nil
}
data := map[string]interface{}{}
user.PopulateTokenData(data)
return &logical.Response{
Data: map[string]interface{}{
"policies": user.Policies,
"ttl": user.TTL.Seconds(),
"max_ttl": user.MaxTTL.Seconds(),
"bound_cidrs": user.BoundCIDRs,
},
Data: data,
}, nil
}
@ -172,25 +179,9 @@ func (b *backend) userCreateUpdate(ctx context.Context, req *logical.Request, d
}
}
if policiesRaw, ok := d.GetOk("policies"); ok {
userEntry.Policies = policyutil.ParsePolicies(policiesRaw)
}
ttl, ok := d.GetOk("ttl")
if ok {
userEntry.TTL = time.Duration(ttl.(int)) * time.Second
}
maxTTL, ok := d.GetOk("max_ttl")
if ok {
userEntry.MaxTTL = time.Duration(maxTTL.(int)) * time.Second
}
boundCIDRs, err := parseutil.ParseAddrs(d.Get("bound_cidrs"))
if err != nil {
if err := userEntry.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
userEntry.BoundCIDRs = boundCIDRs
return nil, b.setUser(ctx, req.Storage, username, userEntry)
}
@ -204,6 +195,8 @@ func (b *backend) pathUserWrite(ctx context.Context, req *logical.Request, d *fr
}
type UserEntry struct {
tokenhelper.TokenParams
// Password is deprecated in Vault 0.2 in favor of
// PasswordHash, but is retained for backwards compatibility.
Password string
@ -212,15 +205,16 @@ type UserEntry struct {
// used instead of the actual password in Vault 0.2+.
PasswordHash []byte
Policies []string
// These token-related fields have been moved to the embedded tokenhelper.TokenParams struct
OldPolicies []string `json:"Policies"`
// Duration after which the user will be revoked unless renewed
TTL time.Duration
OldTTL time.Duration `json:"TTL"`
// Maximum duration for which user can be valid
MaxTTL time.Duration
OldMaxTTL time.Duration `json:"MaxTTL"`
BoundCIDRs []*sockaddr.SockAddrMarshaler
OldBoundCIDRs []*sockaddr.SockAddrMarshaler `json:"BoundCIDRs"`
}
const pathUserHelpSyn = `

114
builtin/logical/database/dbplugin/database.pb.go
View File

@ -5,15 +5,11 @@ package dbplugin
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
timestamp "github.com/golang/protobuf/ptypes/timestamp"
)
import (
context "golang.org/x/net/context"
grpc "google.golang.org/grpc"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
@ -679,6 +675,60 @@ func init() {
proto.RegisterType((*Empty)(nil), "dbplugin.Empty")
}
func init() {
proto.RegisterFile("builtin/logical/database/dbplugin/database.proto", fileDescriptor_7bf7b4c7fef2f66e)
}
var fileDescriptor_7bf7b4c7fef2f66e = []byte{
// 724 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xd1, 0x4e, 0xdb, 0x4a,
0x10, 0x95, 0x93, 0x00, 0xc9, 0x80, 0x80, 0xec, 0x05, 0x64, 0xf9, 0x72, 0x6f, 0x91, 0x1f, 0x28,
0x55, 0xd5, 0xb8, 0x82, 0x56, 0x54, 0xa8, 0xa2, 0x2a, 0xa1, 0xaa, 0x2a, 0x55, 0x3c, 0x2c, 0xf0,
0x52, 0x55, 0x42, 0x1b, 0x67, 0x49, 0x56, 0x38, 0x5e, 0xd7, 0xbb, 0x0e, 0x4d, 0x7f, 0xa0, 0xfd,
0x8c, 0x7e, 0x4e, 0x1f, 0xfb, 0x49, 0x95, 0x37, 0x59, 0xef, 0x26, 0x86, 0xf2, 0x40, 0xfb, 0xe6,
0xd9, 0x99, 0x33, 0x73, 0xe6, 0x78, 0x76, 0x16, 0x9e, 0x76, 0x32, 0x16, 0x49, 0x16, 0x07, 0x11,
0xef, 0xb1, 0x90, 0x44, 0x41, 0x97, 0x48, 0xd2, 0x21, 0x82, 0x06, 0xdd, 0x4e, 0x12, 0x65, 0x3d,
0x16, 0x17, 0x27, 0xad, 0x24, 0xe5, 0x92, 0xa3, 0xba, 0x76, 0x78, 0x0f, 0x7a, 0x9c, 0xf7, 0x22,
0x1a, 0xa8, 0xf3, 0x4e, 0x76, 0x19, 0x48, 0x36, 0xa0, 0x42, 0x92, 0x41, 0x32, 0x0e, 0xf5, 0x3f,
0x42, 0xf3, 0x5d, 0xcc, 0x24, 0x23, 0x11, 0xfb, 0x42, 0x31, 0xfd, 0x94, 0x51, 0x21, 0xd1, 0x06,
0xcc, 0x87, 0x3c, 0xbe, 0x64, 0x3d, 0xd7, 0xd9, 0x72, 0x76, 0x96, 0xf0, 0xc4, 0x42, 0x8f, 0xa1,
0x39, 0xa4, 0x29, 0xbb, 0x1c, 0x5d, 0x84, 0x3c, 0x8e, 0x69, 0x28, 0x19, 0x8f, 0xdd, 0xca, 0x96,
0xb3, 0x53, 0xc7, 0xab, 0x63, 0x47, 0xbb, 0x38, 0x3f, 0xa8, 0xb8, 0x8e, 0x8f, 0x61, 0x31, 0xcf,
0xfe, 0x27, 0xf3, 0xfa, 0x3f, 0x1c, 0x68, 0xb6, 0x53, 0x4a, 0x24, 0x3d, 0x17, 0x34, 0xd5, 0xa9,
0x9f, 0x01, 0x08, 0x49, 0x24, 0x1d, 0xd0, 0x58, 0x0a, 0x95, 0x7e, 0x71, 0x77, 0xad, 0xa5, 0x75,
0x68, 0x9d, 0x16, 0x3e, 0x6c, 0xc5, 0xa1, 0xd7, 0xb0, 0x92, 0x09, 0x9a, 0xc6, 0x64, 0x40, 0x2f,
0x26, 0xcc, 0x2a, 0x0a, 0xea, 0x1a, 0xe8, 0xf9, 0x24, 0xa0, 0xad, 0xfc, 0x78, 0x39, 0x9b, 0xb2,
0xd1, 0x01, 0x00, 0xfd, 0x9c, 0xb0, 0x94, 0x28, 0xd2, 0x55, 0x85, 0xf6, 0x5a, 0x63, 0xd9, 0x5b,
0x5a, 0xf6, 0xd6, 0x99, 0x96, 0x1d, 0x5b, 0xd1, 0xfe, 0x77, 0x07, 0x56, 0x31, 0x8d, 0xe9, 0xf5,
0xfd, 0x3b, 0xf1, 0xa0, 0xae, 0x89, 0xa9, 0x16, 0x1a, 0xb8, 0xb0, 0xef, 0x45, 0x91, 0x42, 0x13,
0xd3, 0x21, 0xbf, 0xa2, 0x7f, 0x95, 0xa2, 0x7f, 0x08, 0x9b, 0x98, 0xe7, 0xa1, 0x98, 0x73, 0xd9,
0x4e, 0x69, 0x97, 0xc6, 0xf9, 0x4c, 0x0a, 0x5d, 0xf1, 0xff, 0x99, 0x8a, 0xd5, 0x9d, 0x86, 0x9d,
0xdb, 0xff, 0x59, 0x01, 0x30, 0x65, 0xd1, 0x1e, 0xfc, 0x13, 0xe6, 0x23, 0xc2, 0x78, 0x7c, 0x31,
0xc3, 0xb4, 0x71, 0x54, 0x71, 0x1d, 0x8c, 0xb4, 0xdb, 0x02, 0xed, 0xc3, 0x7a, 0x4a, 0x87, 0x3c,
0x2c, 0xc1, 0x2a, 0x05, 0x6c, 0xcd, 0x04, 0x4c, 0x57, 0x4b, 0x79, 0x14, 0x75, 0x48, 0x78, 0x65,
0xc3, 0xaa, 0xa6, 0x9a, 0x76, 0x5b, 0xa0, 0x27, 0xb0, 0x9a, 0xe6, 0xbf, 0xde, 0x46, 0xd4, 0x0a,
0xc4, 0x8a, 0xf2, 0x9d, 0x4e, 0x89, 0xa7, 0x29, 0xbb, 0x73, 0xaa, 0xfd, 0xc2, 0xce, 0xc5, 0x31,
0xbc, 0xdc, 0xf9, 0xb1, 0x38, 0xe6, 0x24, 0xc7, 0x6a, 0x02, 0xee, 0xc2, 0x18, 0xab, 0x6d, 0xe4,
0xc2, 0x82, 0x2a, 0x45, 0x22, 0xb7, 0xae, 0x5c, 0xda, 0xf4, 0x4f, 0x60, 0x79, 0x7a, 0xf4, 0xd1,
0x16, 0x2c, 0x1e, 0x33, 0x91, 0x44, 0x64, 0x74, 0x92, 0xff, 0x43, 0xa5, 0x26, 0xb6, 0x8f, 0xf2,
0x4a, 0x98, 0x47, 0xf4, 0xc4, 0xfa, 0xc5, 0xda, 0xf6, 0xb7, 0x61, 0x69, 0xbc, 0x0b, 0x44, 0xc2,
0x63, 0x41, 0x6f, 0x5b, 0x06, 0xfe, 0x7b, 0x40, 0xf6, 0xf5, 0x9e, 0x44, 0xdb, 0xc3, 0xe3, 0xcc,
0xcc, 0xb7, 0x07, 0xf5, 0x84, 0x08, 0x71, 0xcd, 0xd3, 0xae, 0xae, 0xaa, 0x6d, 0xdf, 0x87, 0xa5,
0xb3, 0x51, 0x42, 0x8b, 0x3c, 0x08, 0x6a, 0x72, 0x94, 0xe8, 0x1c, 0xea, 0xdb, 0xdf, 0x87, 0xff,
0x6e, 0x19, 0xbe, 0x3b, 0xa8, 0x2e, 0xc0, 0xdc, 0x9b, 0x41, 0x22, 0x47, 0xbb, 0x5f, 0x6b, 0x50,
0x3f, 0x9e, 0xec, 0x60, 0x14, 0x40, 0x2d, 0x2f, 0x89, 0x56, 0xcc, 0x8d, 0x50, 0x51, 0xde, 0x86,
0x39, 0x98, 0xe2, 0xf4, 0x16, 0xc0, 0x74, 0x8c, 0xfe, 0x35, 0x51, 0xa5, 0x35, 0xe7, 0x6d, 0xde,
0xec, 0x9c, 0x24, 0x7a, 0x01, 0x8d, 0x62, 0x9d, 0x20, 0xcf, 0x84, 0xce, 0xee, 0x18, 0x6f, 0x96,
0x5a, 0xbe, 0x22, 0xcc, 0x35, 0xb7, 0x29, 0x94, 0x2e, 0x7f, 0x19, 0xdb, 0x87, 0xf5, 0x1b, 0xe5,
0x43, 0xdb, 0x56, 0x9a, 0xdf, 0x5c, 0x6e, 0xef, 0xe1, 0x9d, 0x71, 0x93, 0xfe, 0x9e, 0x43, 0x2d,
0x1f, 0x21, 0xb4, 0x6e, 0x00, 0xd6, 0xf3, 0x62, 0xeb, 0x3b, 0x35, 0x69, 0x8f, 0x60, 0xae, 0x1d,
0x71, 0x71, 0xc3, 0x1f, 0x29, 0xf5, 0xf2, 0x0a, 0xc0, 0x3c, 0x87, 0xb6, 0x0e, 0xa5, 0x47, 0xb2,
0x84, 0xf5, 0xab, 0xdf, 0x2a, 0xce, 0xd1, 0xe1, 0x87, 0x97, 0x3d, 0x26, 0xfb, 0x59, 0xa7, 0x15,
0xf2, 0x41, 0xd0, 0x27, 0xa2, 0xcf, 0x42, 0x9e, 0x26, 0xc1, 0x90, 0x64, 0x91, 0x0c, 0xee, 0x7c,
0xc9, 0x3b, 0xf3, 0x6a, 0x1f, 0xef, 0xfd, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x9c, 0x49, 0x0b, 0x5b,
0xf5, 0x07, 0x00, 0x00,
}
// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConn
@ -982,57 +1032,3 @@ var _Database_serviceDesc = grpc.ServiceDesc{
Streams: []grpc.StreamDesc{},
Metadata: "builtin/logical/database/dbplugin/database.proto",
}
func init() {
proto.RegisterFile("builtin/logical/database/dbplugin/database.proto", fileDescriptor_7bf7b4c7fef2f66e)
}
var fileDescriptor_7bf7b4c7fef2f66e = []byte{
// 724 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0xd1, 0x4e, 0xdb, 0x4a,
0x10, 0x95, 0x93, 0x00, 0xc9, 0x80, 0x80, 0xec, 0x05, 0x64, 0xf9, 0x72, 0x6f, 0x91, 0x1f, 0x28,
0x55, 0xd5, 0xb8, 0x82, 0x56, 0x54, 0xa8, 0xa2, 0x2a, 0xa1, 0xaa, 0x2a, 0x55, 0x3c, 0x2c, 0xf0,
0x52, 0x55, 0x42, 0x1b, 0x67, 0x49, 0x56, 0x38, 0x5e, 0xd7, 0xbb, 0x0e, 0x4d, 0x7f, 0xa0, 0xfd,
0x8c, 0x7e, 0x4e, 0x1f, 0xfb, 0x49, 0x95, 0x37, 0x59, 0xef, 0x26, 0x86, 0xf2, 0x40, 0xfb, 0xe6,
0xd9, 0x99, 0x33, 0x73, 0xe6, 0x78, 0x76, 0x16, 0x9e, 0x76, 0x32, 0x16, 0x49, 0x16, 0x07, 0x11,
0xef, 0xb1, 0x90, 0x44, 0x41, 0x97, 0x48, 0xd2, 0x21, 0x82, 0x06, 0xdd, 0x4e, 0x12, 0x65, 0x3d,
0x16, 0x17, 0x27, 0xad, 0x24, 0xe5, 0x92, 0xa3, 0xba, 0x76, 0x78, 0x0f, 0x7a, 0x9c, 0xf7, 0x22,
0x1a, 0xa8, 0xf3, 0x4e, 0x76, 0x19, 0x48, 0x36, 0xa0, 0x42, 0x92, 0x41, 0x32, 0x0e, 0xf5, 0x3f,
0x42, 0xf3, 0x5d, 0xcc, 0x24, 0x23, 0x11, 0xfb, 0x42, 0x31, 0xfd, 0x94, 0x51, 0x21, 0xd1, 0x06,
0xcc, 0x87, 0x3c, 0xbe, 0x64, 0x3d, 0xd7, 0xd9, 0x72, 0x76, 0x96, 0xf0, 0xc4, 0x42, 0x8f, 0xa1,
0x39, 0xa4, 0x29, 0xbb, 0x1c, 0x5d, 0x84, 0x3c, 0x8e, 0x69, 0x28, 0x19, 0x8f, 0xdd, 0xca, 0x96,
0xb3, 0x53, 0xc7, 0xab, 0x63, 0x47, 0xbb, 0x38, 0x3f, 0xa8, 0xb8, 0x8e, 0x8f, 0x61, 0x31, 0xcf,
0xfe, 0x27, 0xf3, 0xfa, 0x3f, 0x1c, 0x68, 0xb6, 0x53, 0x4a, 0x24, 0x3d, 0x17, 0x34, 0xd5, 0xa9,
0x9f, 0x01, 0x08, 0x49, 0x24, 0x1d, 0xd0, 0x58, 0x0a, 0x95, 0x7e, 0x71, 0x77, 0xad, 0xa5, 0x75,
0x68, 0x9d, 0x16, 0x3e, 0x6c, 0xc5, 0xa1, 0xd7, 0xb0, 0x92, 0x09, 0x9a, 0xc6, 0x64, 0x40, 0x2f,
0x26, 0xcc, 0x2a, 0x0a, 0xea, 0x1a, 0xe8, 0xf9, 0x24, 0xa0, 0xad, 0xfc, 0x78, 0x39, 0x9b, 0xb2,
0xd1, 0x01, 0x00, 0xfd, 0x9c, 0xb0, 0x94, 0x28, 0xd2, 0x55, 0x85, 0xf6, 0x5a, 0x63, 0xd9, 0x5b,
0x5a, 0xf6, 0xd6, 0x99, 0x96, 0x1d, 0x5b, 0xd1, 0xfe, 0x77, 0x07, 0x56, 0x31, 0x8d, 0xe9, 0xf5,
0xfd, 0x3b, 0xf1, 0xa0, 0xae, 0x89, 0xa9, 0x16, 0x1a, 0xb8, 0xb0, 0xef, 0x45, 0x91, 0x42, 0x13,
0xd3, 0x21, 0xbf, 0xa2, 0x7f, 0x95, 0xa2, 0x7f, 0x08, 0x9b, 0x98, 0xe7, 0xa1, 0x98, 0x73, 0xd9,
0x4e, 0x69, 0x97, 0xc6, 0xf9, 0x4c, 0x0a, 0x5d, 0xf1, 0xff, 0x99, 0x8a, 0xd5, 0x9d, 0x86, 0x9d,
0xdb, 0xff, 0x59, 0x01, 0x30, 0x65, 0xd1, 0x1e, 0xfc, 0x13, 0xe6, 0x23, 0xc2, 0x78, 0x7c, 0x31,
0xc3, 0xb4, 0x71, 0x54, 0x71, 0x1d, 0x8c, 0xb4, 0xdb, 0x02, 0xed, 0xc3, 0x7a, 0x4a, 0x87, 0x3c,
0x2c, 0xc1, 0x2a, 0x05, 0x6c, 0xcd, 0x04, 0x4c, 0x57, 0x4b, 0x79, 0x14, 0x75, 0x48, 0x78, 0x65,
0xc3, 0xaa, 0xa6, 0x9a, 0x76, 0x5b, 0xa0, 0x27, 0xb0, 0x9a, 0xe6, 0xbf, 0xde, 0x46, 0xd4, 0x0a,
0xc4, 0x8a, 0xf2, 0x9d, 0x4e, 0x89, 0xa7, 0x29, 0xbb, 0x73, 0xaa, 0xfd, 0xc2, 0xce, 0xc5, 0x31,
0xbc, 0xdc, 0xf9, 0xb1, 0x38, 0xe6, 0x24, 0xc7, 0x6a, 0x02, 0xee, 0xc2, 0x18, 0xab, 0x6d, 0xe4,
0xc2, 0x82, 0x2a, 0x45, 0x22, 0xb7, 0xae, 0x5c, 0xda, 0xf4, 0x4f, 0x60, 0x79, 0x7a, 0xf4, 0xd1,
0x16, 0x2c, 0x1e, 0x33, 0x91, 0x44, 0x64, 0x74, 0x92, 0xff, 0x43, 0xa5, 0x26, 0xb6, 0x8f, 0xf2,
0x4a, 0x98, 0x47, 0xf4, 0xc4, 0xfa, 0xc5, 0xda, 0xf6, 0xb7, 0x61, 0x69, 0xbc, 0x0b, 0x44, 0xc2,
0x63, 0x41, 0x6f, 0x5b, 0x06, 0xfe, 0x7b, 0x40, 0xf6, 0xf5, 0x9e, 0x44, 0xdb, 0xc3, 0xe3, 0xcc,
0xcc, 0xb7, 0x07, 0xf5, 0x84, 0x08, 0x71, 0xcd, 0xd3, 0xae, 0xae, 0xaa, 0x6d, 0xdf, 0x87, 0xa5,
0xb3, 0x51, 0x42, 0x8b, 0x3c, 0x08, 0x6a, 0x72, 0x94, 0xe8, 0x1c, 0xea, 0xdb, 0xdf, 0x87, 0xff,
0x6e, 0x19, 0xbe, 0x3b, 0xa8, 0x2e, 0xc0, 0xdc, 0x9b, 0x41, 0x22, 0x47, 0xbb, 0x5f, 0x6b, 0x50,
0x3f, 0x9e, 0xec, 0x60, 0x14, 0x40, 0x2d, 0x2f, 0x89, 0x56, 0xcc, 0x8d, 0x50, 0x51, 0xde, 0x86,
0x39, 0x98, 0xe2, 0xf4, 0x16, 0xc0, 0x74, 0x8c, 0xfe, 0x35, 0x51, 0xa5, 0x35, 0xe7, 0x6d, 0xde,
0xec, 0x9c, 0x24, 0x7a, 0x01, 0x8d, 0x62, 0x9d, 0x20, 0xcf, 0x84, 0xce, 0xee, 0x18, 0x6f, 0x96,
0x5a, 0xbe, 0x22, 0xcc, 0x35, 0xb7, 0x29, 0x94, 0x2e, 0x7f, 0x19, 0xdb, 0x87, 0xf5, 0x1b, 0xe5,
0x43, 0xdb, 0x56, 0x9a, 0xdf, 0x5c, 0x6e, 0xef, 0xe1, 0x9d, 0x71, 0x93, 0xfe, 0x9e, 0x43, 0x2d,
0x1f, 0x21, 0xb4, 0x6e, 0x00, 0xd6, 0xf3, 0x62, 0xeb, 0x3b, 0x35, 0x69, 0x8f, 0x60, 0xae, 0x1d,
0x71, 0x71, 0xc3, 0x1f, 0x29, 0xf5, 0xf2, 0x0a, 0xc0, 0x3c, 0x87, 0xb6, 0x0e, 0xa5, 0x47, 0xb2,
0x84, 0xf5, 0xab, 0xdf, 0x2a, 0xce, 0xd1, 0xe1, 0x87, 0x97, 0x3d, 0x26, 0xfb, 0x59, 0xa7, 0x15,
0xf2, 0x41, 0xd0, 0x27, 0xa2, 0xcf, 0x42, 0x9e, 0x26, 0xc1, 0x90, 0x64, 0x91, 0x0c, 0xee, 0x7c,
0xc9, 0x3b, 0xf3, 0x6a, 0x1f, 0xef, 0xfd, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x9c, 0x49, 0x0b, 0x5b,
0xf5, 0x07, 0x00, 0x00,
}

3
helper/forwarding/types.pb.go
View File

@ -5,9 +5,8 @@ package forwarding
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.

3
helper/identity/mfa/types.pb.go
View File

@ -6,9 +6,8 @@ package mfa
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.

3
helper/identity/types.pb.go
View File

@ -5,11 +5,10 @@ package identity
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
timestamp "github.com/golang/protobuf/ptypes/timestamp"
mfa "github.com/hashicorp/vault/helper/identity/mfa"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.

13
helper/ldaputil/config.go
View File

@ -9,6 +9,7 @@ import (
"text/template"
"github.com/hashicorp/vault/helper/tlsutil"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical/framework"
"github.com/hashicorp/errwrap"
@ -16,8 +17,8 @@ import (
// ConfigFields returns all the config fields that can potentially be used by the LDAP client.
// Not all fields will be used by every integration.
func ConfigFields() map[string]*framework.FieldSchema {
return map[string]*framework.FieldSchema{
func ConfigFields(tokenFields bool) map[string]*framework.FieldSchema {
ret := map[string]*framework.FieldSchema{
"url": {
Type: framework.TypeString,
Default: "ldap://127.0.0.1",
@ -122,6 +123,12 @@ Default: cn`,
Description: "If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.",
},
}
if tokenFields {
tokenhelper.AddTokenFields(ret)
}
return ret
}
/*
@ -246,6 +253,8 @@ func NewConfigEntry(d *framework.FieldData) (*ConfigEntry, error) {
}
type ConfigEntry struct {
tokenhelper.TokenParams
Url string `json:"url"`
UserDN string `json:"userdn"`
GroupDN string `json:"groupdn"`

3
helper/storagepacker/types.pb.go
View File

@ -5,10 +5,9 @@ package storagepacker
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
any "github.com/golang/protobuf/ptypes/any"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.

6
helper/strutil/strutil.go
View File

@ -14,6 +14,9 @@ import (
// StrListContainsGlob looks for a string in a list of strings and allows
// globs.
func StrListContainsGlob(haystack []string, needle string) bool {
if len(haystack) == 0 {
return false
}
for _, item := range haystack {
if glob.Glob(item, needle) {
return true
@ -24,6 +27,9 @@ func StrListContainsGlob(haystack []string, needle string) bool {
// StrListContains looks for a string in a list of strings.
func StrListContains(haystack []string, needle string) bool {
if len(haystack) == 0 {
return false
}
for _, item := range haystack {
if item == needle {
return true

210
helper/tokenhelper/tokenhelper.go Normal file
View File

@ -0,0 +1,210 @@
package tokenhelper
import (
"errors"
"fmt"
"time"
sockaddr "github.com/hashicorp/go-sockaddr"
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
type TokenParams struct {
// The set of CIDRs that tokens generated using this role will be bound to
BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`
// If set, the token entry will have an explicit maximum TTL set, rather
// than deferring to role/mount values
ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl"`
// The max TTL to use for the token
MaxTTL time.Duration `json:"max_ttl" mapstructure:"max_ttl"`
// If set, core will not automatically add default to the policy list
NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy"`
// If non-zero, tokens created using this role will be able to be renewed
// forever, but will have a fixed renewal period of this value
Period time.Duration `json:"period" mapstructure:"period"`
// The policies to set
Policies []string `json:"policies" mapstructure:"policies"`
// The type of token this role should issue
TokenType logical.TokenType `json:"token_type" mapstructure:"token_type"`
// The TTL to user for the token
TTL time.Duration `json:"ttl" mapstructure:"ttl"`
}
// AddTokenFields adds fields to an existing role. It panics if it would
// overwrite an existing field.
func AddTokenFields(m map[string]*framework.FieldSchema) {
AddTokenFieldsWithAllowList(m, nil)
}
func AddTokenFieldsWithAllowList(m map[string]*framework.FieldSchema, allowed []string) {
r := TokenFields()
for k, v := range r {
if len(allowed) > 0 && !strutil.StrListContains(allowed, k) {
continue
}
if _, has := m[k]; has {
panic(fmt.Sprintf("adding role field %s would overwrite existing field", k))
}
m[k] = v
}
}
func TokenFields() map[string]*framework.FieldSchema {
return map[string]*framework.FieldSchema{
"bound_cidrs": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`,
},
"explicit_max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: tokenExplicitMaxTTLHelp,
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: "The maximum lifetime of the generated token",
},
"no_default_policy": &framework.FieldSchema{
Type: framework.TypeBool,
Description: "If true, the 'default' policy will not automatically be added to generated tokens",
},
"period": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: tokenPeriodHelp,
},
"policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: "Comma-separated list of policies",
},
"token_type": &framework.FieldSchema{
Type: framework.TypeString,
Description: "The type of token to generate, service or batch",
},
"ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: "The initial ttl of the token to generate",
},
}
}
func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldData) error {
if boundCIDRsRaw, ok := d.GetOk("bound_cidrs"); ok {
boundCIDRs, err := parseutil.ParseAddrs(boundCIDRsRaw.([]string))
if err != nil {
return err
}
t.BoundCIDRs = boundCIDRs
}
if explicitMaxTTLRaw, ok := d.GetOk("explicit_max_ttl"); ok {
t.ExplicitMaxTTL = time.Duration(explicitMaxTTLRaw.(int)) * time.Second
}
if maxTTLRaw, ok := d.GetOk("max_ttl"); ok {
t.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
} else if maxTTLRaw, ok := d.GetOk("lease_max"); ok {
t.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
}
if t.MaxTTL < 0 {
return errors.New("'max_ttl' cannot be negative")
}
if noDefaultRaw, ok := d.GetOk("no_default_policy"); ok {
t.NoDefaultPolicy = noDefaultRaw.(bool)
}
if periodRaw, ok := d.GetOk("period"); ok {
t.Period = time.Duration(periodRaw.(int)) * time.Second
}
if t.Period < 0 {
return errors.New("'period' cannot be negative")
}
if policiesRaw, ok := d.GetOk("policies"); ok {
t.Policies = policiesRaw.([]string)
}
if tokenTypeRaw, ok := d.GetOk("token_type"); ok {
var tokenType logical.TokenType
tokenTypeStr := tokenTypeRaw.(string)
switch tokenTypeStr {
case "service":
tokenType = logical.TokenTypeService
case "batch":
tokenType = logical.TokenTypeBatch
case "default-service":
tokenType = logical.TokenTypeDefaultService
case "default-batch":
tokenType = logical.TokenTypeDefaultBatch
default:
return fmt.Errorf("invalid 'token_type' value %q", tokenTypeStr)
}
t.TokenType = tokenType
}
if ttlRaw, ok := d.GetOk("ttl"); ok {
t.TTL = time.Duration(ttlRaw.(int)) * time.Second
} else if ttlRaw, ok := d.GetOk("lease"); ok {
t.TTL = time.Duration(ttlRaw.(int)) * time.Second
}
if t.TTL < 0 {
return errors.New("'ttl' cannot be negative")
}
if t.TTL > 0 && t.MaxTTL > 0 && t.TTL > t.MaxTTL {
return errors.New("'ttl' cannot be greater than 'max_ttl'")
}
return nil
}
func (t *TokenParams) PopulateTokenData(m map[string]interface{}) {
m["bound_cidrs"] = t.BoundCIDRs
m["explicit_max_ttl"] = t.ExplicitMaxTTL.Seconds()
m["max_ttl"] = t.MaxTTL.Seconds()
m["no_default_policy"] = t.NoDefaultPolicy
m["period"] = t.Period.Seconds()
m["policies"] = t.Policies
m["token_type"] = t.TokenType.String()
m["ttl"] = t.TTL.Seconds()
}
func (t *TokenParams) PopulateTokenAuth(auth *logical.Auth) {
auth.BoundCIDRs = t.BoundCIDRs
auth.ExplicitMaxTTL = t.ExplicitMaxTTL
auth.MaxTTL = t.MaxTTL
auth.NoDefaultPolicy = t.NoDefaultPolicy
auth.Period = t.Period
auth.Policies = t.Policies
auth.TokenType = t.TokenType
auth.TTL = t.TTL
}
const (
tokenPeriodHelp = `If set, tokens created via this role
will have no max lifetime; instead, their
renewal period will be fixed to this value.
This takes an integer number of seconds,
or a string duration (e.g. "24h").`
tokenExplicitMaxTTLHelp = `If set, tokens created via this role
carry an explicit maximum TTL. During renewal,
the current maximum TTL values of the role
and the mount are not checked for changes,
and any updates to these values will have
no effect on the token being renewed.`
)

5
logical/auth.go
View File

@ -38,6 +38,11 @@ type Auth struct {
// different namespaces indexed by respective namespace identifiers
ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`
// Indicates that the default policy should not be added by core when
// creating a token. The default policy will still be added if it's
// explicitly defined.
NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`
// Metadata is used to attach arbitrary string-type metadata to
// an authenticated user. This metadata will be outputted into the
// audit log.

3
logical/identity.pb.go
View File

@ -5,9 +5,8 @@ package logical
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.

3
logical/plugin.pb.go
View File

@ -5,9 +5,8 @@ package logical
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.

342
logical/plugin/pb/backend.pb.go
View File

@ -5,16 +5,12 @@ package pb
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
timestamp "github.com/golang/protobuf/ptypes/timestamp"
logical "github.com/hashicorp/vault/logical"
)
import (
context "golang.org/x/net/context"
grpc "google.golang.org/grpc"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
@ -530,7 +526,9 @@ type Auth struct {
// TTL is a hard limit and cannot be exceeded, also counts for periodic tokens.
ExplicitMaxTTL int64 `sentinel:"" protobuf:"varint,16,opt,name=explicit_max_ttl,json=explicitMaxTtl,proto3" json:"explicit_max_ttl,omitempty"`
// TokenType is the type of token being requested
TokenType uint32 `sentinel:"" protobuf:"varint,17,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"`
TokenType uint32 `sentinel:"" protobuf:"varint,17,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"`
// Whether the default policy should be added automatically by core
NoDefaultPolicy bool `sentinel:"" protobuf:"varint,18,opt,name=no_default_policy,json=noDefaultPolicy,proto3" json:"no_default_policy,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
@ -680,6 +678,13 @@ func (m *Auth) GetTokenType() uint32 {
return 0
}
func (m *Auth) GetNoDefaultPolicy() bool {
if m != nil {
return m.NoDefaultPolicy
}
return false
}
type TokenEntry struct {
ID string `sentinel:"" protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
Accessor string `sentinel:"" protobuf:"bytes,2,opt,name=accessor,proto3" json:"accessor,omitempty"`
@ -2702,6 +2707,169 @@ func init() {
proto.RegisterType((*Connection)(nil), "pb.Connection")
}
func init() { proto.RegisterFile("logical/plugin/pb/backend.proto", fileDescriptor_25821d34acc7c5ef) }
var fileDescriptor_25821d34acc7c5ef = []byte{
// 2503 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x59, 0xdd, 0x72, 0xdb, 0xc6,
0x15, 0x1e, 0x92, 0xe2, 0xdf, 0xe1, 0x9f, 0xb8, 0x56, 0x54, 0x98, 0x71, 0x6a, 0x06, 0xa9, 0x6d,
0xc5, 0xb5, 0x29, 0x5b, 0x69, 0x1a, 0xa7, 0x9d, 0xa4, 0xa3, 0xc8, 0x8a, 0xa3, 0x46, 0x4a, 0x34,
0x10, 0xdd, 0xf4, 0x6f, 0x06, 0x59, 0x02, 0x2b, 0x0a, 0x23, 0x10, 0x40, 0x17, 0x0b, 0x59, 0xbc,
0xea, 0x5b, 0xf4, 0x35, 0x7a, 0xdb, 0xbb, 0xde, 0x75, 0x3a, 0xed, 0x75, 0x5f, 0xa1, 0x97, 0x7d,
0x86, 0xce, 0x9e, 0x5d, 0x80, 0x00, 0x49, 0xc5, 0xce, 0x4c, 0x7b, 0xb7, 0x7b, 0xce, 0xd9, 0xbf,
0xb3, 0xdf, 0xf9, 0xce, 0x59, 0x00, 0xee, 0xfa, 0xe1, 0xd4, 0x73, 0xa8, 0xbf, 0x1b, 0xf9, 0xc9,
0xd4, 0x0b, 0x76, 0xa3, 0xc9, 0xee, 0x84, 0x3a, 0x97, 0x2c, 0x70, 0x47, 0x11, 0x0f, 0x45, 0x48,
0xca, 0xd1, 0x64, 0x70, 0x77, 0x1a, 0x86, 0x53, 0x9f, 0xed, 0xa2, 0x64, 0x92, 0x9c, 0xef, 0x0a,
0x6f, 0xc6, 0x62, 0x41, 0x67, 0x91, 0x32, 0x1a, 0x6c, 0xa7, 0xb3, 0x78, 0x2e, 0x0b, 0x84, 0x27,
0xe6, 0x5a, 0xbe, 0x55, 0x9c, 0x5d, 0x49, 0xcd, 0x3a, 0x54, 0x0f, 0x67, 0x91, 0x98, 0x9b, 0x43,
0xa8, 0x7d, 0xc1, 0xa8, 0xcb, 0x38, 0xd9, 0x86, 0xda, 0x05, 0xb6, 0x8c, 0xd2, 0xb0, 0xb2, 0xd3,
0xb4, 0x74, 0xcf, 0xfc, 0x1d, 0xc0, 0xa9, 0x1c, 0x73, 0xc8, 0x79, 0xc8, 0xc9, 0x6d, 0x68, 0x30,
0xce, 0x6d, 0x31, 0x8f, 0x98, 0x51, 0x1a, 0x96, 0x76, 0x3a, 0x56, 0x9d, 0x71, 0x3e, 0x9e, 0x47,
0x8c, 0xfc, 0x00, 0x64, 0xd3, 0x9e, 0xc5, 0x53, 0xa3, 0x3c, 0x2c, 0xc9, 0x19, 0x18, 0xe7, 0x27,
0xf1, 0x34, 0x1d, 0xe3, 0x84, 0x2e, 0x33, 0x2a, 0xc3, 0xd2, 0x4e, 0x05, 0xc7, 0x1c, 0x84, 0x2e,
0x33, 0xff, 0x54, 0x82, 0xea, 0x29, 0x15, 0x17, 0x31, 0x21, 0xb0, 0xc1, 0xc3, 0x50, 0xe8, 0xc5,
0xb1, 0x4d, 0x76, 0xa0, 0x97, 0x04, 0x34, 0x11, 0x17, 0xf2, 0x44, 0x0e, 0x15, 0xcc, 0x35, 0xca,
0xa8, 0x5e, 0x16, 0x93, 0xf7, 0xa0, 0xe3, 0x87, 0x0e, 0xf5, 0xed, 0x58, 0x84, 0x9c, 0x4e, 0xe5,
0x3a, 0xd2, 0xae, 0x8d, 0xc2, 0x33, 0x25, 0x23, 0x0f, 0xa1, 0x1f, 0x33, 0xea, 0xdb, 0xaf, 0x38,
0x8d, 0x32, 0xc3, 0x0d, 0x35, 0xa1, 0x54, 0x7c, 0xc3, 0x69, 0xa4, 0x6d, 0xcd, 0xbf, 0xd6, 0xa0,
0x6e, 0xb1, 0x3f, 0x24, 0x2c, 0x16, 0xa4, 0x0b, 0x65, 0xcf, 0xc5, 0xd3, 0x36, 0xad, 0xb2, 0xe7,
0x92, 0x11, 0x10, 0x8b, 0x45, 0xbe, 0x5c, 0xda, 0x0b, 0x83, 0x03, 0x3f, 0x89, 0x05, 0xe3, 0xfa,
0xcc, 0x6b, 0x34, 0xe4, 0x0e, 0x34, 0xc3, 0x88, 0x71, 0x94, 0xa1, 0x03, 0x9a, 0xd6, 0x42, 0x20,
0x0f, 0x1e, 0x51, 0x71, 0x61, 0x6c, 0xa0, 0x02, 0xdb, 0x52, 0xe6, 0x52, 0x41, 0x8d, 0xaa, 0x92,
0xc9, 0x36, 0x31, 0xa1, 0x16, 0x33, 0x87, 0x33, 0x61, 0xd4, 0x86, 0xa5, 0x9d, 0xd6, 0x1e, 0x8c,
0xa2, 0xc9, 0xe8, 0x0c, 0x25, 0x96, 0xd6, 0x90, 0x3b, 0xb0, 0x21, 0xfd, 0x62, 0xd4, 0xd1, 0xa2,
0x21, 0x2d, 0xf6, 0x13, 0x71, 0x61, 0xa1, 0x94, 0xec, 0x41, 0x5d, 0xdd, 0x69, 0x6c, 0x34, 0x86,
0x95, 0x9d, 0xd6, 0x9e, 0x21, 0x0d, 0xf4, 0x29, 0x47, 0x0a, 0x06, 0xf1, 0x61, 0x20, 0xf8, 0xdc,
0x4a, 0x0d, 0xc9, 0xbb, 0xd0, 0x76, 0x7c, 0x8f, 0x05, 0xc2, 0x16, 0xe1, 0x25, 0x0b, 0x8c, 0x26,
0xee, 0xa8, 0xa5, 0x64, 0x63, 0x29, 0x22, 0x7b, 0xf0, 0x56, 0xde, 0xc4, 0xa6, 0x8e, 0xc3, 0xe2,
0x38, 0xe4, 0x06, 0xa0, 0xed, 0xad, 0x9c, 0xed, 0xbe, 0x56, 0xc9, 0x69, 0x5d, 0x2f, 0x8e, 0x7c,
0x3a, 0xb7, 0x03, 0x3a, 0x63, 0x46, 0x4b, 0x4d, 0xab, 0x65, 0x5f, 0xd1, 0x19, 0x23, 0x77, 0xa1,
0x35, 0x0b, 0x93, 0x40, 0xd8, 0x51, 0xe8, 0x05, 0xc2, 0x68, 0xa3, 0x05, 0xa0, 0xe8, 0x54, 0x4a,
0xc8, 0x3b, 0xa0, 0x7a, 0x0a, 0x8c, 0x1d, 0xe5, 0x57, 0x94, 0x20, 0x1c, 0xef, 0x41, 0x57, 0xa9,
0xb3, 0xfd, 0x74, 0xd1, 0xa4, 0x83, 0xd2, 0x6c, 0x27, 0x4f, 0xa0, 0x89, 0x78, 0xf0, 0x82, 0xf3,
0xd0, 0xe8, 0xa1, 0xdf, 0x6e, 0xe5, 0xdc, 0x22, 0x31, 0x71, 0x14, 0x9c, 0x87, 0x56, 0xe3, 0x95,
0x6e, 0x91, 0x4f, 0xe0, 0xed, 0xc2, 0x79, 0x39, 0x9b, 0x51, 0x2f, 0xf0, 0x82, 0xa9, 0x9d, 0xc4,
0x2c, 0x36, 0x36, 0x11, 0xe1, 0x46, 0xee, 0xd4, 0x56, 0x6a, 0xf0, 0x32, 0x66, 0x31, 0x79, 0x1b,
0x9a, 0x2a, 0x40, 0x6d, 0xcf, 0x35, 0xfa, 0xb8, 0xa5, 0x86, 0x12, 0x1c, 0xb9, 0xe4, 0x01, 0xf4,
0xa2, 0xd0, 0xf7, 0x9c, 0xb9, 0x1d, 0x5e, 0x31, 0xce, 0x3d, 0x97, 0x19, 0x64, 0x58, 0xda, 0x69,
0x58, 0x5d, 0x25, 0xfe, 0x5a, 0x4b, 0xd7, 0x85, 0xc6, 0x2d, 0x34, 0x5c, 0x09, 0x8d, 0x11, 0x80,
0x13, 0x06, 0x01, 0x73, 0x10, 0x7e, 0x5b, 0x78, 0xc2, 0xae, 0x3c, 0xe1, 0x41, 0x26, 0xb5, 0x72,
0x16, 0x83, 0xcf, 0xa1, 0x9d, 0x87, 0x02, 0xd9, 0x84, 0xca, 0x25, 0x9b, 0x6b, 0xf8, 0xcb, 0x26,
0x19, 0x42, 0xf5, 0x8a, 0xfa, 0x09, 0x43, 0xc8, 0x6b, 0x20, 0xaa, 0x21, 0x96, 0x52, 0xfc, 0xac,
0xfc, 0xac, 0x64, 0xfe, 0xbb, 0x0a, 0x1b, 0x12, 0x7c, 0xe4, 0x43, 0xe8, 0xf8, 0x8c, 0xc6, 0xcc,
0x0e, 0x23, 0xb9, 0x40, 0x8c, 0x53, 0xb5, 0xf6, 0x36, 0xe5, 0xb0, 0x63, 0xa9, 0xf8, 0x5a, 0xc9,
0xad, 0xb6, 0x9f, 0xeb, 0xc9, 0x90, 0xf6, 0x02, 0xc1, 0x78, 0x40, 0x7d, 0x1b, 0x83, 0x41, 0x05,
0x58, 0x3b, 0x15, 0x3e, 0x97, 0x41, 0xb1, 0x8c, 0xa3, 0xca, 0x2a, 0x8e, 0x06, 0xd0, 0x40, 0xdf,
0x79, 0x2c, 0xd6, 0xc1, 0x9e, 0xf5, 0xc9, 0x1e, 0x34, 0x66, 0x4c, 0x50, 0x1d, 0x6b, 0x32, 0x24,
0xb6, 0xd3, 0x98, 0x19, 0x9d, 0x68, 0x85, 0x0a, 0x88, 0xcc, 0x6e, 0x25, 0x22, 0x6a, 0xab, 0x11,
0x31, 0x80, 0x46, 0x06, 0xba, 0xba, 0xba, 0xe1, 0xb4, 0x2f, 0x69, 0x36, 0x62, 0xdc, 0x0b, 0x5d,
0xa3, 0x81, 0x40, 0xd1, 0x3d, 0x49, 0x92, 0x41, 0x32, 0x53, 0x10, 0x6a, 0x2a, 0x92, 0x0c, 0x92,
0xd9, 0x2a, 0x62, 0x60, 0x09, 0x31, 0x3f, 0x82, 0x2a, 0xf5, 0x3d, 0x1a, 0x63, 0x08, 0xc9, 0x9b,
0xd5, 0x7c, 0x3f, 0xda, 0x97, 0x52, 0x4b, 0x29, 0xc9, 0x07, 0xd0, 0x99, 0xf2, 0x30, 0x89, 0x6c,
0xec, 0xb2, 0xd8, 0x68, 0xe3, 0x69, 0x97, 0xad, 0xdb, 0x68, 0xb4, 0xaf, 0x6c, 0x64, 0x04, 0x4e,
0xc2, 0x24, 0x70, 0x6d, 0xc7, 0x73, 0x79, 0x6c, 0x74, 0xd0, 0x79, 0x80, 0xa2, 0x03, 0x29, 0x91,
0x21, 0xa6, 0x42, 0x20, 0x73, 0x70, 0x17, 0x6d, 0x3a, 0x28, 0x3d, 0x4d, 0xbd, 0xfc, 0x63, 0xe8,
0xa7, 0x49, 0x69, 0x61, 0xd9, 0x43, 0xcb, 0xcd, 0x54, 0x91, 0x19, 0xef, 0xc0, 0x26, 0xbb, 0x96,
0x14, 0xea, 0x09, 0x7b, 0x46, 0xaf, 0x6d, 0x21, 0x7c, 0x1d, 0x52, 0xdd, 0x54, 0x7e, 0x42, 0xaf,
0xc7, 0xc2, 0x97, 0xf1, 0xaf, 0x56, 0xc7, 0xf8, 0xef, 0x63, 0x32, 0x6a, 0xa2, 0x04, 0xe3, 0xff,
0x21, 0xf4, 0x83, 0xd0, 0x76, 0xd9, 0x39, 0x4d, 0x7c, 0xa1, 0xd6, 0x9d, 0xeb, 0x60, 0xea, 0x05,
0xe1, 0x73, 0x25, 0xc7, 0x65, 0xe7, 0x83, 0x9f, 0x43, 0xa7, 0x70, 0xdd, 0x6b, 0x40, 0xbf, 0x95,
0x07, 0x7d, 0x33, 0x0f, 0xf4, 0x7f, 0x6c, 0x00, 0xe0, 0xbd, 0xab, 0xa1, 0xcb, 0xd9, 0x22, 0x0f,
0x86, 0xf2, 0x1a, 0x30, 0x50, 0xce, 0x02, 0xa1, 0x81, 0xab, 0x7b, 0xdf, 0x89, 0xd9, 0x34, 0x5f,
0x54, 0x73, 0xf9, 0xe2, 0x11, 0x6c, 0x48, 0x7c, 0x1a, 0xb5, 0x05, 0xad, 0x2f, 0x76, 0x84, 0x48,
0x56, 0x28, 0x46, 0xab, 0x95, 0xa0, 0xa9, 0xaf, 0x06, 0x4d, 0x1e, 0x8d, 0x8d, 0x22, 0x1a, 0xdf,
0x83, 0x8e, 0xc3, 0x19, 0xe6, 0x2e, 0x5b, 0x16, 0x21, 0x1a, 0xad, 0xed, 0x54, 0x38, 0xf6, 0x66,
0x4c, 0xfa, 0x4f, 0x5e, 0x1c, 0xa0, 0x4a, 0x36, 0xd7, 0xde, 0x6b, 0x6b, 0xed, 0xbd, 0x62, 0x25,
0xe0, 0x33, 0xcd, 0xf8, 0xd8, 0xce, 0x45, 0x4d, 0xa7, 0x10, 0x35, 0x85, 0xd0, 0xe8, 0x2e, 0x85,
0xc6, 0x12, 0x7e, 0x7b, 0x2b, 0xf8, 0x7d, 0x17, 0xda, 0xd2, 0x01, 0x71, 0x44, 0x1d, 0x26, 0x27,
0xd8, 0x54, 0x8e, 0xc8, 0x64, 0x47, 0x2e, 0x46, 0x7b, 0x32, 0x99, 0xcc, 0x2f, 0x42, 0x9f, 0x2d,
0x08, 0xbb, 0x95, 0xc9, 0x8e, 0x5c, 0xb9, 0x5f, 0x44, 0x20, 0x41, 0x04, 0x62, 0x7b, 0xf0, 0x11,
0x34, 0x33, 0xaf, 0x7f, 0x2f, 0x30, 0xfd, 0xb9, 0x04, 0xed, 0x3c, 0x29, 0xca, 0xc1, 0xe3, 0xf1,
0x31, 0x0e, 0xae, 0x58, 0xb2, 0x29, 0xcb, 0x09, 0xce, 0x02, 0xf6, 0x8a, 0x4e, 0x7c, 0x35, 0x41,
0xc3, 0x5a, 0x08, 0xa4, 0xd6, 0x0b, 0x1c, 0xce, 0x66, 0x29, 0xaa, 0x2a, 0xd6, 0x42, 0x40, 0x3e,
0x06, 0xf0, 0xe2, 0x38, 0x61, 0xea, 0xe6, 0x36, 0x90, 0x32, 0x06, 0x23, 0x55, 0x5b, 0x8e, 0xd2,
0xda, 0x72, 0x34, 0x4e, 0x6b, 0x4b, 0xab, 0x89, 0xd6, 0x78, 0xa5, 0xdb, 0x50, 0x93, 0x17, 0x34,
0x3e, 0x46, 0xe4, 0x55, 0x2c, 0xdd, 0x33, 0xff, 0x08, 0x35, 0x55, 0x85, 0xfc, 0x5f, 0x89, 0xfe,
0x36, 0x34, 0xd4, 0xdc, 0x9e, 0xab, 0x63, 0xa5, 0x8e, 0xfd, 0x23, 0xd7, 0xfc, 0x67, 0x09, 0x1a,
0x16, 0x8b, 0xa3, 0x30, 0x88, 0x59, 0xae, 0x4a, 0x2a, 0xbd, 0xb6, 0x4a, 0x2a, 0xaf, 0xad, 0x92,
0xd2, 0xda, 0xab, 0x92, 0xab, 0xbd, 0x06, 0xd0, 0xe0, 0xcc, 0xf5, 0x38, 0x73, 0x84, 0xae, 0xd3,
0xb2, 0xbe, 0xd4, 0xbd, 0xa2, 0x5c, 0xa6, 0xf7, 0x18, 0x73, 0x48, 0xd3, 0xca, 0xfa, 0xe4, 0x69,
0xbe, 0xb8, 0x50, 0x65, 0xdb, 0x96, 0x2a, 0x2e, 0xd4, 0x76, 0x57, 0xab, 0x0b, 0xf3, 0xef, 0x65,
0xd8, 0x5c, 0x56, 0xaf, 0x01, 0xc1, 0x16, 0x54, 0x55, 0xfa, 0xd1, 0x08, 0x12, 0x2b, 0x89, 0xa7,
0xb2, 0xc4, 0x35, 0xbf, 0x58, 0x8e, 0xdb, 0xd7, 0xdf, 0x7e, 0x31, 0xa6, 0xdf, 0x87, 0x4d, 0xb9,
0xcb, 0x88, 0xb9, 0x8b, 0x92, 0x4a, 0x91, 0x50, 0x4f, 0xcb, 0xb3, 0xa2, 0xea, 0x21, 0xf4, 0x53,
0xd3, 0x45, 0x78, 0xd6, 0x0a, 0xb6, 0x87, 0x69, 0x94, 0x6e, 0x43, 0xed, 0x3c, 0xe4, 0x33, 0x2a,
0x34, 0x0f, 0xe9, 0x5e, 0x81, 0x67, 0x90, 0xf0, 0x1a, 0x0a, 0x16, 0xa9, 0x50, 0x3e, 0x1b, 0x64,
0xfc, 0x67, 0x25, 0x3d, 0x12, 0x51, 0xc3, 0x6a, 0xa4, 0xa5, 0xbc, 0xf9, 0x6b, 0xe8, 0x2d, 0x55,
0x71, 0x6b, 0x1c, 0xb9, 0x58, 0xbe, 0x5c, 0x58, 0xbe, 0x30, 0x73, 0x65, 0x69, 0xe6, 0xdf, 0x40,
0xff, 0x0b, 0x1a, 0xb8, 0x3e, 0xd3, 0xf3, 0xef, 0xf3, 0x69, 0x2c, 0xf3, 0x91, 0x7e, 0x54, 0xd8,
0x3a, 0x01, 0x74, 0xac, 0xa6, 0x96, 0x1c, 0xb9, 0xe4, 0x1e, 0xd4, 0xb9, 0xb2, 0xd6, 0xc0, 0x6b,
0xe5, 0xca, 0x4c, 0x2b, 0xd5, 0x99, 0xdf, 0x02, 0x29, 0x4c, 0x2d, 0xdf, 0x13, 0x73, 0xb2, 0x23,
0x01, 0xa8, 0x40, 0xa1, 0x81, 0xdd, 0xce, 0xe3, 0xc8, 0xca, 0xb4, 0x64, 0x08, 0x15, 0xc6, 0xb9,
0x5e, 0x02, 0xeb, 0xbc, 0xc5, 0xeb, 0xcd, 0x92, 0x2a, 0xf3, 0x27, 0xd0, 0x3f, 0x8b, 0x98, 0xe3,
0x51, 0x1f, 0x5f, 0x5e, 0x6a, 0x81, 0xbb, 0x50, 0x95, 0x4e, 0x4e, 0x63, 0xb6, 0x89, 0x03, 0x51,
0xad, 0xe4, 0xe6, 0xb7, 0x60, 0xa8, 0x7d, 0x1d, 0x5e, 0x7b, 0xb1, 0x60, 0x81, 0xc3, 0x0e, 0x2e,
0x98, 0x73, 0xf9, 0x3f, 0x3c, 0xf9, 0x15, 0xdc, 0x5e, 0xb7, 0x42, 0xba, 0xbf, 0x96, 0x23, 0x7b,
0xf6, 0xb9, 0xa4, 0x6f, 0x5c, 0xa3, 0x61, 0x01, 0x8a, 0x3e, 0x97, 0x12, 0x79, 0x8f, 0x4c, 0x8e,
0x8b, 0x35, 0x25, 0xea, 0x5e, 0xea, 0x8f, 0xca, 0xcd, 0xfe, 0xf8, 0x4b, 0x09, 0x9a, 0x67, 0x4c,
0x24, 0x11, 0x9e, 0xe5, 0x6d, 0x68, 0x4e, 0x78, 0x78, 0xc9, 0xf8, 0xe2, 0x28, 0x0d, 0x25, 0x38,
0x72, 0xc9, 0x53, 0xa8, 0x1d, 0x84, 0xc1, 0xb9, 0x37, 0xc5, 0x77, 0x68, 0x6b, 0xef, 0xb6, 0x62,
0x17, 0x3d, 0x76, 0xa4, 0x74, 0x2a, 0xd5, 0x6a, 0x43, 0x32, 0x84, 0x96, 0x7e, 0xcd, 0xbf, 0x7c,
0x79, 0xf4, 0x3c, 0x2d, 0x50, 0x73, 0xa2, 0xc1, 0xc7, 0xd0, 0xca, 0x0d, 0xfc, 0x5e, 0xd9, 0xe2,
0x87, 0x00, 0xb8, 0xba, 0xf2, 0xd1, 0xa6, 0x3a, 0xaa, 0x1e, 0x29, 0x8f, 0x76, 0x17, 0x9a, 0xb2,
0x16, 0x52, 0xea, 0x34, 0x4f, 0x95, 0x16, 0x79, 0xca, 0xbc, 0x07, 0xfd, 0xa3, 0xe0, 0x8a, 0xfa,
0x9e, 0x4b, 0x05, 0xfb, 0x92, 0xcd, 0xd1, 0x05, 0x2b, 0x3b, 0x30, 0xcf, 0xa0, 0xad, 0x1f, 0xc6,
0x6f, 0xb4, 0xc7, 0xb6, 0xde, 0xe3, 0x77, 0x07, 0xd1, 0xfb, 0xd0, 0xd3, 0x93, 0x1e, 0x7b, 0x3a,
0x84, 0x64, 0x9a, 0xe7, 0xec, 0xdc, 0xbb, 0xd6, 0x53, 0xeb, 0x9e, 0xf9, 0x0c, 0x36, 0x73, 0xa6,
0xd9, 0x71, 0x2e, 0xd9, 0x3c, 0x4e, 0x3f, 0x18, 0xc8, 0x76, 0xea, 0x81, 0xf2, 0xc2, 0x03, 0x26,
0x74, 0xf5, 0xc8, 0x17, 0x4c, 0xdc, 0x70, 0xba, 0x2f, 0xb3, 0x8d, 0xbc, 0x60, 0x7a, 0xf2, 0xfb,
0x50, 0x65, 0xf2, 0xa4, 0xf9, 0x14, 0x96, 0xf7, 0x80, 0xa5, 0xd4, 0x6b, 0x16, 0x7c, 0x96, 0x2d,
0x78, 0x9a, 0xa8, 0x05, 0xdf, 0x70, 0x2e, 0xf3, 0xbd, 0x6c, 0x1b, 0xa7, 0x89, 0xb8, 0xe9, 0x46,
0xef, 0x41, 0x5f, 0x1b, 0x3d, 0x67, 0x3e, 0x13, 0xec, 0x86, 0x23, 0xdd, 0x07, 0x52, 0x30, 0xbb,
0x69, 0xba, 0x3b, 0xd0, 0x18, 0x8f, 0x8f, 0x33, 0x6d, 0x91, 0x1b, 0xcd, 0x4f, 0xa0, 0x7f, 0x96,
0xb8, 0xe1, 0x29, 0xf7, 0xae, 0x3c, 0x9f, 0x4d, 0xd5, 0x62, 0x69, 0xfd, 0x59, 0xca, 0xd5, 0x9f,
0x6b, 0xb3, 0x91, 0xb9, 0x03, 0xa4, 0x30, 0x3c, 0xbb, 0xb7, 0x38, 0x71, 0x43, 0x1d, 0xc2, 0xd8,
0x36, 0x77, 0xa0, 0x3d, 0xa6, 0x32, 0xdf, 0xbb, 0xca, 0xc6, 0x80, 0xba, 0x50, 0x7d, 0x6d, 0x96,
0x76, 0xcd, 0x3d, 0xd8, 0x3a, 0xa0, 0xce, 0x85, 0x17, 0x4c, 0x9f, 0x7b, 0xb1, 0x2c, 0x78, 0xf4,
0x88, 0x01, 0x34, 0x5c, 0x2d, 0xd0, 0x43, 0xb2, 0xbe, 0xf9, 0x18, 0xde, 0xca, 0x7d, 0x95, 0x39,
0x13, 0x34, 0xf5, 0xc7, 0x16, 0x54, 0x63, 0xd9, 0xc3, 0x11, 0x55, 0x4b, 0x75, 0xcc, 0xaf, 0x60,
0x2b, 0x9f, 0x80, 0x65, 0xf9, 0x91, 0x1e, 0x1c, 0x0b, 0x83, 0x52, 0xae, 0x30, 0xd0, 0x3e, 0x2b,
0x2f, 0xf2, 0xc9, 0x26, 0x54, 0x7e, 0xf9, 0xcd, 0x58, 0x83, 0x5d, 0x36, 0xcd, 0xdf, 0xcb, 0xe5,
0x8b, 0xf3, 0xa9, 0xe5, 0x0b, 0xd5, 0x41, 0xe9, 0x4d, 0xaa, 0x83, 0x35, 0x78, 0x7b, 0x0c, 0xfd,
0x13, 0x3f, 0x74, 0x2e, 0x0f, 0x83, 0x9c, 0x37, 0x0c, 0xa8, 0xb3, 0x20, 0xef, 0x8c, 0xb4, 0x6b,
0x3e, 0x80, 0xde, 0x71, 0xe8, 0x50, 0xff, 0x24, 0x4c, 0x02, 0x91, 0x79, 0x01, 0x3f, 0x93, 0x69,
0x53, 0xd5, 0x31, 0x1f, 0x43, 0x57, 0xa7, 0xe8, 0xe0, 0x3c, 0x4c, 0x99, 0x71, 0x91, 0xcc, 0x4b,
0xc5, 0x5a, 0xdb, 0x3c, 0x86, 0xde, 0xc2, 0x5c, 0xcd, 0xfb, 0x00, 0x6a, 0x4a, 0xad, 0xcf, 0xd6,
0xcb, 0x1e, 0x9b, 0xca, 0xd2, 0xd2, 0xea, 0x35, 0x87, 0x9a, 0x41, 0xf7, 0x14, 0x3f, 0x57, 0x1e,
0x06, 0x57, 0x6a, 0xb2, 0x23, 0x20, 0xea, 0x03, 0xa6, 0xcd, 0x82, 0x2b, 0x8f, 0x87, 0x01, 0xd6,
0xb7, 0x25, 0x5d, 0xc2, 0xa4, 0x13, 0x67, 0x83, 0x52, 0x0b, 0xab, 0x1f, 0x2d, 0x8b, 0xd6, 0xfa,
0x10, 0x16, 0x1f, 0x43, 0x64, 0xaa, 0xe1, 0x6c, 0x16, 0x0a, 0x66, 0x53, 0xd7, 0x4d, 0xa3, 0x05,
0x94, 0x68, 0xdf, 0x75, 0xf9, 0xde, 0x7f, 0xca, 0x50, 0xff, 0x4c, 0x11, 0x38, 0xf9, 0x14, 0x3a,
0x85, 0x74, 0x4d, 0xde, 0xc2, 0xaf, 0x21, 0xcb, 0xc5, 0xc1, 0x60, 0x7b, 0x45, 0xac, 0xce, 0xf5,
0x04, 0xda, 0xf9, 0x64, 0x4c, 0x30, 0xf1, 0xe2, 0xa7, 0xd9, 0x01, 0xce, 0xb4, 0x9a, 0xa9, 0xcf,
0x60, 0x6b, 0x5d, 0x9a, 0x24, 0x77, 0x16, 0x2b, 0xac, 0xa6, 0xe8, 0xc1, 0x3b, 0x37, 0x69, 0xd3,
0xf4, 0x5a, 0x3f, 0xf0, 0x19, 0x0d, 0x92, 0x28, 0xbf, 0x83, 0x45, 0x93, 0x3c, 0x85, 0x4e, 0x21,
0x51, 0xa8, 0x73, 0xae, 0xe4, 0x8e, 0xfc, 0x90, 0xfb, 0x50, 0xc5, 0xe4, 0x44, 0x3a, 0x85, 0x2c,
0x39, 0xe8, 0x66, 0x5d, 0xb5, 0xf6, 0x10, 0x36, 0xf0, 0xc1, 0x9e, 0x5b, 0x18, 0x47, 0x64, 0x99,
0x6b, 0xef, 0x5f, 0x25, 0xa8, 0xa7, 0x1f, 0x71, 0x9f, 0xc2, 0x86, 0xcc, 0x01, 0xe4, 0x56, 0x8e,
0x46, 0xd3, 0xfc, 0x31, 0xd8, 0x5a, 0x12, 0xaa, 0x05, 0x46, 0x50, 0x79, 0xc1, 0x04, 0x21, 0x39,
0xa5, 0x4e, 0x06, 0x83, 0x5b, 0x45, 0x59, 0x66, 0x7f, 0x9a, 0x14, 0xed, 0x35, 0x97, 0x17, 0xec,
0x33, 0x96, 0xfe, 0x08, 0x6a, 0x8a, 0x65, 0x95, 0x53, 0x56, 0xf8, 0x59, 0x5d, 0xfe, 0x2a, 0x1f,
0xef, 0xfd, 0x6d, 0x03, 0xe0, 0x6c, 0x1e, 0x0b, 0x36, 0xfb, 0x95, 0xc7, 0x5e, 0x91, 0x87, 0xd0,
0xd3, 0x9f, 0x25, 0xf0, 0xb5, 0x24, 0xd9, 0x24, 0xe7, 0x13, 0x2c, 0xf8, 0x32, 0xb2, 0xbe, 0x0f,
0xad, 0x13, 0x7a, 0xfd, 0x7a, 0xbb, 0x4f, 0xa1, 0x53, 0xe0, 0x60, 0xbd, 0xc5, 0x65, 0x56, 0xd7,
0x5b, 0x5c, 0x65, 0xeb, 0xfb, 0x50, 0xd7, 0xcc, 0x9c, 0x5f, 0x03, 0x73, 0x58, 0x81, 0xb1, 0x7f,
0x0a, 0xbd, 0x25, 0x5e, 0xce, 0xdb, 0xe3, 0x17, 0x89, 0xb5, 0xbc, 0xfd, 0x4c, 0xbe, 0x76, 0x8a,
0xdc, 0x9c, 0x1f, 0x78, 0x5b, 0xf1, 0xe1, 0x3a, 0xf2, 0x7e, 0x51, 0x7c, 0x27, 0xe1, 0x2b, 0xd1,
0x58, 0xa6, 0xcf, 0x94, 0xbc, 0xd3, 0x89, 0xd6, 0xd1, 0xf0, 0x13, 0x68, 0xe7, 0x19, 0x74, 0x25,
0x04, 0x57, 0xe9, 0xf5, 0x11, 0xc0, 0x82, 0x44, 0xf3, 0xf6, 0x08, 0x8f, 0x65, 0x7e, 0xfd, 0x10,
0x60, 0x41, 0x8d, 0x0a, 0x55, 0x45, 0x66, 0x55, 0xc3, 0x96, 0xe9, 0xf3, 0x21, 0x34, 0x33, 0x3a,
0xcb, 0xaf, 0x81, 0x13, 0x14, 0xd9, 0xf1, 0xb3, 0xd1, 0x6f, 0x1f, 0x4d, 0x3d, 0x71, 0x91, 0x4c,
0x46, 0x4e, 0x38, 0xdb, 0xbd, 0xa0, 0xf1, 0x85, 0xe7, 0x84, 0x3c, 0xda, 0xbd, 0x92, 0x60, 0xda,
0x5d, 0xf9, 0xbf, 0x34, 0xa9, 0xe1, 0x63, 0xef, 0x83, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0x87,
0x96, 0xca, 0x22, 0x7b, 0x1a, 0x00, 0x00,
}
// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConn
@ -3628,165 +3796,3 @@ var _SystemView_serviceDesc = grpc.ServiceDesc{
Streams: []grpc.StreamDesc{},
Metadata: "logical/plugin/pb/backend.proto",
}
func init() { proto.RegisterFile("logical/plugin/pb/backend.proto", fileDescriptor_25821d34acc7c5ef) }
var fileDescriptor_25821d34acc7c5ef = []byte{
// 2483 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x59, 0xcd, 0x72, 0x1b, 0xc7,
0x11, 0x2e, 0x00, 0xc4, 0x5f, 0xe3, 0x8f, 0x18, 0xd1, 0xcc, 0x0a, 0x96, 0x23, 0x78, 0x1d, 0x49,
0xb4, 0x22, 0x81, 0x12, 0x1d, 0xc7, 0x72, 0x52, 0x76, 0x8a, 0xa6, 0x68, 0x99, 0x31, 0x69, 0xb3,
0x96, 0x50, 0x9c, 0xbf, 0x2a, 0x78, 0xb0, 0x3b, 0x04, 0xb7, 0xb8, 0xd8, 0xdd, 0xcc, 0xce, 0x52,
0xc4, 0x29, 0x6f, 0x91, 0xd7, 0xc8, 0x35, 0x95, 0x4b, 0x6e, 0xa9, 0x54, 0x72, 0xce, 0x6b, 0xe4,
0x19, 0x52, 0xd3, 0x33, 0xfb, 0x07, 0x80, 0x96, 0x5c, 0x95, 0xdc, 0x66, 0xba, 0x7b, 0x7a, 0x66,
0x7a, 0xbe, 0xfe, 0xba, 0x17, 0x80, 0xbb, 0x5e, 0x30, 0x73, 0x6d, 0xea, 0xed, 0x86, 0x5e, 0x3c,
0x73, 0xfd, 0xdd, 0x70, 0xba, 0x3b, 0xa5, 0xf6, 0x25, 0xf3, 0x9d, 0x51, 0xc8, 0x03, 0x11, 0x90,
0x72, 0x38, 0x1d, 0xdc, 0x9d, 0x05, 0xc1, 0xcc, 0x63, 0xbb, 0x28, 0x99, 0xc6, 0xe7, 0xbb, 0xc2,
0x9d, 0xb3, 0x48, 0xd0, 0x79, 0xa8, 0x8c, 0x06, 0xdb, 0x89, 0x17, 0xd7, 0x61, 0xbe, 0x70, 0xc5,
0x42, 0xcb, 0xb7, 0x8a, 0xde, 0x95, 0xd4, 0xac, 0x43, 0xf5, 0x70, 0x1e, 0x8a, 0x85, 0x39, 0x84,
0xda, 0x17, 0x8c, 0x3a, 0x8c, 0x93, 0x6d, 0xa8, 0x5d, 0xe0, 0xc8, 0x28, 0x0d, 0x2b, 0x3b, 0x4d,
0x4b, 0xcf, 0xcc, 0xdf, 0x01, 0x9c, 0xca, 0x35, 0x87, 0x9c, 0x07, 0x9c, 0xdc, 0x86, 0x06, 0xe3,
0x7c, 0x22, 0x16, 0x21, 0x33, 0x4a, 0xc3, 0xd2, 0x4e, 0xc7, 0xaa, 0x33, 0xce, 0xc7, 0x8b, 0x90,
0x91, 0x1f, 0x80, 0x1c, 0x4e, 0xe6, 0xd1, 0xcc, 0x28, 0x0f, 0x4b, 0xd2, 0x03, 0xe3, 0xfc, 0x24,
0x9a, 0x25, 0x6b, 0xec, 0xc0, 0x61, 0x46, 0x65, 0x58, 0xda, 0xa9, 0xe0, 0x9a, 0x83, 0xc0, 0x61,
0xe6, 0x9f, 0x4a, 0x50, 0x3d, 0xa5, 0xe2, 0x22, 0x22, 0x04, 0x36, 0x78, 0x10, 0x08, 0xbd, 0x39,
0x8e, 0xc9, 0x0e, 0xf4, 0x62, 0x9f, 0xc6, 0xe2, 0x42, 0xde, 0xc8, 0xa6, 0x82, 0x39, 0x46, 0x19,
0xd5, 0xcb, 0x62, 0xf2, 0x1e, 0x74, 0xbc, 0xc0, 0xa6, 0xde, 0x24, 0x12, 0x01, 0xa7, 0x33, 0xb9,
0x8f, 0xb4, 0x6b, 0xa3, 0xf0, 0x4c, 0xc9, 0xc8, 0x43, 0xe8, 0x47, 0x8c, 0x7a, 0x93, 0x57, 0x9c,
0x86, 0xa9, 0xe1, 0x86, 0x72, 0x28, 0x15, 0xdf, 0x70, 0x1a, 0x6a, 0x5b, 0xf3, 0x6f, 0x35, 0xa8,
0x5b, 0xec, 0x0f, 0x31, 0x8b, 0x04, 0xe9, 0x42, 0xd9, 0x75, 0xf0, 0xb6, 0x4d, 0xab, 0xec, 0x3a,
0x64, 0x04, 0xc4, 0x62, 0xa1, 0x27, 0xb7, 0x76, 0x03, 0xff, 0xc0, 0x8b, 0x23, 0xc1, 0xb8, 0xbe,
0xf3, 0x1a, 0x0d, 0xb9, 0x03, 0xcd, 0x20, 0x64, 0x1c, 0x65, 0x18, 0x80, 0xa6, 0x95, 0x09, 0xe4,
0xc5, 0x43, 0x2a, 0x2e, 0x8c, 0x0d, 0x54, 0xe0, 0x58, 0xca, 0x1c, 0x2a, 0xa8, 0x51, 0x55, 0x32,
0x39, 0x26, 0x26, 0xd4, 0x22, 0x66, 0x73, 0x26, 0x8c, 0xda, 0xb0, 0xb4, 0xd3, 0xda, 0x83, 0x51,
0x38, 0x1d, 0x9d, 0xa1, 0xc4, 0xd2, 0x1a, 0x72, 0x07, 0x36, 0x64, 0x5c, 0x8c, 0x3a, 0x5a, 0x34,
0xa4, 0xc5, 0x7e, 0x2c, 0x2e, 0x2c, 0x94, 0x92, 0x3d, 0xa8, 0xab, 0x37, 0x8d, 0x8c, 0xc6, 0xb0,
0xb2, 0xd3, 0xda, 0x33, 0xa4, 0x81, 0xbe, 0xe5, 0x48, 0xc1, 0x20, 0x3a, 0xf4, 0x05, 0x5f, 0x58,
0x89, 0x21, 0x79, 0x17, 0xda, 0xb6, 0xe7, 0x32, 0x5f, 0x4c, 0x44, 0x70, 0xc9, 0x7c, 0xa3, 0x89,
0x27, 0x6a, 0x29, 0xd9, 0x58, 0x8a, 0xc8, 0x1e, 0xbc, 0x95, 0x37, 0x99, 0x50, 0xdb, 0x66, 0x51,
0x14, 0x70, 0x03, 0xd0, 0xf6, 0x56, 0xce, 0x76, 0x5f, 0xab, 0xa4, 0x5b, 0xc7, 0x8d, 0x42, 0x8f,
0x2e, 0x26, 0x3e, 0x9d, 0x33, 0xa3, 0xa5, 0xdc, 0x6a, 0xd9, 0x57, 0x74, 0xce, 0xc8, 0x5d, 0x68,
0xcd, 0x83, 0xd8, 0x17, 0x93, 0x30, 0x70, 0x7d, 0x61, 0xb4, 0xd1, 0x02, 0x50, 0x74, 0x2a, 0x25,
0xe4, 0x1d, 0x50, 0x33, 0x05, 0xc6, 0x8e, 0x8a, 0x2b, 0x4a, 0x10, 0x8e, 0xf7, 0xa0, 0xab, 0xd4,
0xe9, 0x79, 0xba, 0x68, 0xd2, 0x41, 0x69, 0x7a, 0x92, 0x27, 0xd0, 0x44, 0x3c, 0xb8, 0xfe, 0x79,
0x60, 0xf4, 0x30, 0x6e, 0xb7, 0x72, 0x61, 0x91, 0x98, 0x38, 0xf2, 0xcf, 0x03, 0xab, 0xf1, 0x4a,
0x8f, 0xc8, 0x27, 0xf0, 0x76, 0xe1, 0xbe, 0x9c, 0xcd, 0xa9, 0xeb, 0xbb, 0xfe, 0x6c, 0x12, 0x47,
0x2c, 0x32, 0x36, 0x11, 0xe1, 0x46, 0xee, 0xd6, 0x56, 0x62, 0xf0, 0x32, 0x62, 0x11, 0x79, 0x1b,
0x9a, 0x2a, 0x41, 0x27, 0xae, 0x63, 0xf4, 0xf1, 0x48, 0x0d, 0x25, 0x38, 0x72, 0xc8, 0x03, 0xe8,
0x85, 0x81, 0xe7, 0xda, 0x8b, 0x49, 0x70, 0xc5, 0x38, 0x77, 0x1d, 0x66, 0x90, 0x61, 0x69, 0xa7,
0x61, 0x75, 0x95, 0xf8, 0x6b, 0x2d, 0x5d, 0x97, 0x1a, 0xb7, 0xd0, 0x70, 0x25, 0x35, 0x46, 0x00,
0x76, 0xe0, 0xfb, 0xcc, 0x46, 0xf8, 0x6d, 0xe1, 0x0d, 0xbb, 0xf2, 0x86, 0x07, 0xa9, 0xd4, 0xca,
0x59, 0x0c, 0x3e, 0x87, 0x76, 0x1e, 0x0a, 0x64, 0x13, 0x2a, 0x97, 0x6c, 0xa1, 0xe1, 0x2f, 0x87,
0x64, 0x08, 0xd5, 0x2b, 0xea, 0xc5, 0x0c, 0x21, 0xaf, 0x81, 0xa8, 0x96, 0x58, 0x4a, 0xf1, 0xb3,
0xf2, 0xb3, 0x92, 0xf9, 0xd7, 0x2a, 0x6c, 0x48, 0xf0, 0x91, 0x0f, 0xa1, 0xe3, 0x31, 0x1a, 0xb1,
0x49, 0x10, 0xca, 0x0d, 0x22, 0x74, 0xd5, 0xda, 0xdb, 0x94, 0xcb, 0x8e, 0xa5, 0xe2, 0x6b, 0x25,
0xb7, 0xda, 0x5e, 0x6e, 0x26, 0x53, 0xda, 0xf5, 0x05, 0xe3, 0x3e, 0xf5, 0x26, 0x98, 0x0c, 0x2a,
0xc1, 0xda, 0x89, 0xf0, 0xb9, 0x4c, 0x8a, 0x65, 0x1c, 0x55, 0x56, 0x71, 0x34, 0x80, 0x06, 0xc6,
0xce, 0x65, 0x91, 0x4e, 0xf6, 0x74, 0x4e, 0xf6, 0xa0, 0x31, 0x67, 0x82, 0xea, 0x5c, 0x93, 0x29,
0xb1, 0x9d, 0xe4, 0xcc, 0xe8, 0x44, 0x2b, 0x54, 0x42, 0xa4, 0x76, 0x2b, 0x19, 0x51, 0x5b, 0xcd,
0x88, 0x01, 0x34, 0x52, 0xd0, 0xd5, 0xd5, 0x0b, 0x27, 0x73, 0x49, 0xb3, 0x21, 0xe3, 0x6e, 0xe0,
0x18, 0x0d, 0x04, 0x8a, 0x9e, 0x49, 0x92, 0xf4, 0xe3, 0xb9, 0x82, 0x50, 0x53, 0x91, 0xa4, 0x1f,
0xcf, 0x57, 0x11, 0x03, 0x4b, 0x88, 0xf9, 0x11, 0x54, 0xa9, 0xe7, 0xd2, 0x08, 0x53, 0x48, 0xbe,
0xac, 0xe6, 0xfb, 0xd1, 0xbe, 0x94, 0x5a, 0x4a, 0x49, 0x3e, 0x80, 0xce, 0x8c, 0x07, 0x71, 0x38,
0xc1, 0x29, 0x8b, 0x8c, 0x36, 0xde, 0x76, 0xd9, 0xba, 0x8d, 0x46, 0xfb, 0xca, 0x46, 0x66, 0xe0,
0x34, 0x88, 0x7d, 0x67, 0x62, 0xbb, 0x0e, 0x8f, 0x8c, 0x0e, 0x06, 0x0f, 0x50, 0x74, 0x20, 0x25,
0x32, 0xc5, 0x54, 0x0a, 0xa4, 0x01, 0xee, 0xa2, 0x4d, 0x07, 0xa5, 0xa7, 0x49, 0x94, 0x7f, 0x0c,
0xfd, 0xa4, 0x28, 0x65, 0x96, 0x3d, 0xb4, 0xdc, 0x4c, 0x14, 0xa9, 0xf1, 0x0e, 0x6c, 0xb2, 0x6b,
0x49, 0xa1, 0xae, 0x98, 0xcc, 0xe9, 0xf5, 0x44, 0x08, 0x4f, 0xa7, 0x54, 0x37, 0x91, 0x9f, 0xd0,
0xeb, 0xb1, 0xf0, 0x64, 0xfe, 0xab, 0xdd, 0x31, 0xff, 0xfb, 0x58, 0x8c, 0x9a, 0x28, 0x91, 0xf9,
0x3f, 0xf8, 0x39, 0x74, 0x0a, 0x4f, 0xb8, 0x06, 0xc8, 0x5b, 0x79, 0x20, 0x37, 0xf3, 0xe0, 0xfd,
0xe7, 0x06, 0x00, 0xbe, 0xa5, 0x5a, 0xba, 0x5c, 0x01, 0xf2, 0x0f, 0x5c, 0x5e, 0xf3, 0xc0, 0x94,
0x33, 0x5f, 0x68, 0x30, 0xea, 0xd9, 0x77, 0xe2, 0x30, 0xa9, 0x01, 0xd5, 0x5c, 0x0d, 0x78, 0x04,
0x1b, 0x12, 0x73, 0x46, 0x2d, 0xa3, 0xea, 0xec, 0x44, 0x88, 0x4e, 0x85, 0x4c, 0xb4, 0x5a, 0x49,
0x84, 0xfa, 0x6a, 0x22, 0xe4, 0x11, 0xd6, 0x28, 0x22, 0xec, 0x3d, 0xe8, 0xd8, 0x9c, 0x61, 0x3d,
0x9a, 0xc8, 0xc6, 0x42, 0x23, 0xb0, 0x9d, 0x08, 0xc7, 0xee, 0x9c, 0xc9, 0xf8, 0xc9, 0xc7, 0x00,
0x54, 0xc9, 0xe1, 0xda, 0xb7, 0x6a, 0xad, 0x7d, 0x2b, 0xac, 0xee, 0x1e, 0xd3, 0x2c, 0x8e, 0xe3,
0x5c, 0x26, 0x74, 0x0a, 0x99, 0x50, 0x80, 0x7b, 0x77, 0x09, 0xee, 0x4b, 0x98, 0xec, 0xad, 0x60,
0xf2, 0x5d, 0x68, 0xcb, 0x00, 0x44, 0x21, 0xb5, 0x99, 0x74, 0xb0, 0xa9, 0x02, 0x91, 0xca, 0x8e,
0x1c, 0xcc, 0xe0, 0x78, 0x3a, 0x5d, 0x5c, 0x04, 0x1e, 0xcb, 0x48, 0xb8, 0x95, 0xca, 0x8e, 0x1c,
0x79, 0x5e, 0x44, 0x15, 0x41, 0x54, 0xe1, 0x78, 0xf0, 0x11, 0x34, 0xd3, 0xa8, 0x7f, 0x2f, 0x30,
0xfd, 0xb9, 0x04, 0xed, 0x3c, 0xd1, 0xc9, 0xc5, 0xe3, 0xf1, 0x31, 0x2e, 0xae, 0x58, 0x72, 0x28,
0x5b, 0x04, 0xce, 0x7c, 0xf6, 0x8a, 0x4e, 0x3d, 0xe5, 0xa0, 0x61, 0x65, 0x02, 0xa9, 0x75, 0x7d,
0x9b, 0xb3, 0x79, 0x82, 0xaa, 0x8a, 0x95, 0x09, 0xc8, 0xc7, 0x00, 0x6e, 0x14, 0xc5, 0x4c, 0xbd,
0xdc, 0x06, 0xd2, 0xc0, 0x60, 0xa4, 0xfa, 0xc5, 0x51, 0xd2, 0x2f, 0x8e, 0xc6, 0x49, 0xbf, 0x68,
0x35, 0xd1, 0x1a, 0x9f, 0x74, 0x1b, 0x6a, 0xf2, 0x81, 0xc6, 0xc7, 0x88, 0xbc, 0x8a, 0xa5, 0x67,
0xe6, 0x1f, 0xa1, 0xa6, 0x3a, 0x8b, 0xff, 0x2b, 0x79, 0xdf, 0x86, 0x86, 0xf2, 0xed, 0x3a, 0x3a,
0x57, 0xea, 0x38, 0x3f, 0x72, 0xcc, 0x7f, 0x95, 0xa0, 0x61, 0xb1, 0x28, 0x0c, 0xfc, 0x88, 0xe5,
0x3a, 0x9f, 0xd2, 0x6b, 0x3b, 0x9f, 0xf2, 0xda, 0xce, 0x27, 0xe9, 0xa7, 0x2a, 0xb9, 0x7e, 0x6a,
0x00, 0x0d, 0xce, 0x1c, 0x97, 0x33, 0x5b, 0xe8, 0xde, 0x2b, 0x9d, 0x4b, 0xdd, 0x2b, 0xca, 0x65,
0xc9, 0x8e, 0xb0, 0x2e, 0x34, 0xad, 0x74, 0x4e, 0x9e, 0xe6, 0x1b, 0x06, 0xd5, 0x8a, 0x6d, 0xa9,
0x86, 0x41, 0x1d, 0x77, 0xb5, 0x63, 0x30, 0xff, 0x51, 0x86, 0xcd, 0x65, 0xf5, 0x1a, 0x10, 0x6c,
0x41, 0x55, 0x95, 0x14, 0x8d, 0x20, 0xb1, 0x52, 0x4c, 0x2a, 0x4b, 0x5c, 0xf3, 0x8b, 0xe5, 0xbc,
0x7d, 0xfd, 0xeb, 0x17, 0x73, 0xfa, 0x7d, 0xd8, 0x94, 0xa7, 0x0c, 0x99, 0x93, 0xb5, 0x49, 0x8a,
0x84, 0x7a, 0x5a, 0x9e, 0x36, 0x4a, 0x0f, 0xa1, 0x9f, 0x98, 0x66, 0xe9, 0x59, 0x2b, 0xd8, 0x1e,
0x26, 0x59, 0xba, 0x0d, 0xb5, 0xf3, 0x80, 0xcf, 0xa9, 0xd0, 0x3c, 0xa4, 0x67, 0x05, 0x9e, 0x41,
0xc2, 0x6b, 0x28, 0x58, 0x24, 0x42, 0xf9, 0x29, 0x20, 0xf3, 0x3f, 0x6d, 0xd3, 0x91, 0x88, 0x1a,
0x56, 0x23, 0x69, 0xcf, 0xcd, 0x5f, 0x43, 0x6f, 0xa9, 0x33, 0x5b, 0x13, 0xc8, 0x6c, 0xfb, 0x72,
0x61, 0xfb, 0x82, 0xe7, 0xca, 0x92, 0xe7, 0xdf, 0x40, 0xff, 0x0b, 0xea, 0x3b, 0x1e, 0xd3, 0xfe,
0xf7, 0xf9, 0x2c, 0x92, 0x35, 0x46, 0x7f, 0x28, 0x4c, 0x74, 0x01, 0xe8, 0x58, 0x4d, 0x2d, 0x39,
0x72, 0xc8, 0x3d, 0xa8, 0x73, 0x65, 0xad, 0x81, 0xd7, 0xca, 0xb5, 0x8e, 0x56, 0xa2, 0x33, 0xbf,
0x05, 0x52, 0x70, 0x2d, 0xbf, 0x11, 0x16, 0x64, 0x47, 0x02, 0x50, 0x81, 0x42, 0x03, 0xbb, 0x9d,
0xc7, 0x91, 0x95, 0x6a, 0xc9, 0x10, 0x2a, 0x8c, 0x73, 0xbd, 0x05, 0xf6, 0x6e, 0xd9, 0x17, 0x99,
0x25, 0x55, 0xe6, 0x4f, 0xa0, 0x7f, 0x16, 0x32, 0xdb, 0xa5, 0x1e, 0x7e, 0x4d, 0xa9, 0x0d, 0xee,
0x42, 0x55, 0x06, 0x39, 0xc9, 0xd9, 0x26, 0x2e, 0x44, 0xb5, 0x92, 0x9b, 0xdf, 0x82, 0xa1, 0xce,
0x75, 0x78, 0xed, 0x46, 0x82, 0xf9, 0x36, 0x3b, 0xb8, 0x60, 0xf6, 0xe5, 0xff, 0xf0, 0xe6, 0x57,
0x70, 0x7b, 0xdd, 0x0e, 0xc9, 0xf9, 0x5a, 0xb6, 0x9c, 0x4d, 0xce, 0x25, 0x7d, 0xe3, 0x1e, 0x0d,
0x0b, 0x50, 0xf4, 0xb9, 0x94, 0xc8, 0x77, 0x64, 0x72, 0x5d, 0xa4, 0x29, 0x51, 0xcf, 0x92, 0x78,
0x54, 0x6e, 0x8e, 0xc7, 0x5f, 0x4a, 0xd0, 0x3c, 0x63, 0x22, 0x0e, 0xf1, 0x2e, 0x6f, 0x43, 0x73,
0xca, 0x83, 0x4b, 0xc6, 0xb3, 0xab, 0x34, 0x94, 0xe0, 0xc8, 0x21, 0x4f, 0xa1, 0x76, 0x10, 0xf8,
0xe7, 0xee, 0x0c, 0xbf, 0x2d, 0x5b, 0x7b, 0xb7, 0x15, 0xbb, 0xe8, 0xb5, 0x23, 0xa5, 0x53, 0xa5,
0x56, 0x1b, 0x92, 0x21, 0xb4, 0xf4, 0x17, 0xfa, 0xcb, 0x97, 0x47, 0xcf, 0x93, 0xa6, 0x33, 0x27,
0x1a, 0x7c, 0x0c, 0xad, 0xdc, 0xc2, 0xef, 0x55, 0x2d, 0x7e, 0x08, 0x80, 0xbb, 0xab, 0x18, 0x6d,
0xaa, 0xab, 0xea, 0x95, 0xf2, 0x6a, 0x77, 0xa1, 0x29, 0xfb, 0x1b, 0xa5, 0x4e, 0xea, 0x54, 0x29,
0xab, 0x53, 0xe6, 0x3d, 0xe8, 0x1f, 0xf9, 0x57, 0xd4, 0x73, 0x1d, 0x2a, 0xd8, 0x97, 0x6c, 0x81,
0x21, 0x58, 0x39, 0x81, 0x79, 0x06, 0x6d, 0xfd, 0xb1, 0xfb, 0x46, 0x67, 0x6c, 0xeb, 0x33, 0x7e,
0x77, 0x12, 0xbd, 0x0f, 0x3d, 0xed, 0xf4, 0xd8, 0xd5, 0x29, 0x24, 0xcb, 0x3c, 0x67, 0xe7, 0xee,
0xb5, 0x76, 0xad, 0x67, 0xe6, 0x33, 0xd8, 0xcc, 0x99, 0xa6, 0xd7, 0xb9, 0x64, 0x8b, 0x28, 0xf9,
0x11, 0x40, 0x8e, 0x93, 0x08, 0x94, 0xb3, 0x08, 0x98, 0xd0, 0xd5, 0x2b, 0x5f, 0x30, 0x71, 0xc3,
0xed, 0xbe, 0x4c, 0x0f, 0xf2, 0x82, 0x69, 0xe7, 0xf7, 0xa1, 0xca, 0xe4, 0x4d, 0xf3, 0x25, 0x2c,
0x1f, 0x01, 0x4b, 0xa9, 0xd7, 0x6c, 0xf8, 0x2c, 0xdd, 0xf0, 0x34, 0x56, 0x1b, 0xbe, 0xa1, 0x2f,
0xf3, 0xbd, 0xf4, 0x18, 0xa7, 0xb1, 0xb8, 0xe9, 0x45, 0xef, 0x41, 0x5f, 0x1b, 0x3d, 0x67, 0x1e,
0x13, 0xec, 0x86, 0x2b, 0xdd, 0x07, 0x52, 0x30, 0xbb, 0xc9, 0xdd, 0x1d, 0x68, 0x8c, 0xc7, 0xc7,
0xa9, 0xb6, 0xc8, 0x8d, 0xe6, 0x27, 0xd0, 0x3f, 0x8b, 0x9d, 0xe0, 0x94, 0xbb, 0x57, 0xae, 0xc7,
0x66, 0x6a, 0xb3, 0xa4, 0xff, 0x2c, 0xe5, 0xfa, 0xcf, 0xb5, 0xd5, 0xc8, 0xdc, 0x01, 0x52, 0x58,
0x9e, 0xbe, 0x5b, 0x14, 0x3b, 0x81, 0x4e, 0x61, 0x1c, 0x9b, 0x3b, 0xd0, 0x1e, 0x53, 0x59, 0xef,
0x1d, 0x65, 0x63, 0x40, 0x5d, 0xa8, 0xb9, 0x36, 0x4b, 0xa6, 0xe6, 0x1e, 0x6c, 0x1d, 0x50, 0xfb,
0xc2, 0xf5, 0x67, 0xcf, 0xdd, 0x48, 0x36, 0x3c, 0x7a, 0xc5, 0x00, 0x1a, 0x8e, 0x16, 0xe8, 0x25,
0xe9, 0xdc, 0x7c, 0x0c, 0x6f, 0xe5, 0x7e, 0x69, 0x39, 0x13, 0x34, 0x89, 0xc7, 0x16, 0x54, 0x23,
0x39, 0xc3, 0x15, 0x55, 0x4b, 0x4d, 0xcc, 0xaf, 0x60, 0x2b, 0x5f, 0x80, 0x65, 0xfb, 0x91, 0x5c,
0x1c, 0x1b, 0x83, 0x52, 0xae, 0x31, 0xd0, 0x31, 0x2b, 0x67, 0xf5, 0x64, 0x13, 0x2a, 0xbf, 0xfc,
0x66, 0xac, 0xc1, 0x2e, 0x87, 0xe6, 0xef, 0xe5, 0xf6, 0x45, 0x7f, 0x6a, 0xfb, 0x42, 0x77, 0x50,
0x7a, 0x93, 0xee, 0x60, 0x0d, 0xde, 0x1e, 0x43, 0xff, 0xc4, 0x0b, 0xec, 0xcb, 0x43, 0x3f, 0x17,
0x0d, 0x03, 0xea, 0xcc, 0xcf, 0x07, 0x23, 0x99, 0x9a, 0x0f, 0xa0, 0x77, 0x1c, 0xd8, 0xd4, 0x3b,
0x09, 0x62, 0x5f, 0xa4, 0x51, 0xc0, 0x9f, 0xbe, 0xb4, 0xa9, 0x9a, 0x98, 0x8f, 0xa1, 0xab, 0x4b,
0xb4, 0x7f, 0x1e, 0x24, 0xcc, 0x98, 0x15, 0xf3, 0x52, 0xb1, 0xd7, 0x36, 0x8f, 0xa1, 0x97, 0x99,
0x2b, 0xbf, 0x0f, 0xa0, 0xa6, 0xd4, 0xfa, 0x6e, 0xbd, 0xf4, 0x03, 0x52, 0x59, 0x5a, 0x5a, 0xbd,
0xe6, 0x52, 0x73, 0xe8, 0x9e, 0xe2, 0x4f, 0x90, 0x87, 0xfe, 0x95, 0x72, 0x76, 0x04, 0x44, 0xfd,
0x28, 0x39, 0x61, 0xfe, 0x95, 0xcb, 0x03, 0x1f, 0xfb, 0xdb, 0x92, 0x6e, 0x61, 0x12, 0xc7, 0xe9,
0xa2, 0xc4, 0xc2, 0xea, 0x87, 0xcb, 0xa2, 0xb5, 0x31, 0x84, 0xec, 0x07, 0x0e, 0x59, 0x6a, 0x38,
0x9b, 0x07, 0x82, 0x4d, 0xa8, 0xe3, 0x24, 0xd9, 0x02, 0x4a, 0xb4, 0xef, 0x38, 0x7c, 0xef, 0x3f,
0x65, 0xa8, 0x7f, 0xa6, 0x08, 0x9c, 0x7c, 0x0a, 0x9d, 0x42, 0xb9, 0x26, 0x6f, 0xe1, 0x2f, 0x1c,
0xcb, 0xcd, 0xc1, 0x60, 0x7b, 0x45, 0xac, 0xee, 0xf5, 0x04, 0xda, 0xf9, 0x62, 0x4c, 0xb0, 0xf0,
0xe2, 0xcf, 0xad, 0x03, 0xf4, 0xb4, 0x5a, 0xa9, 0xcf, 0x60, 0x6b, 0x5d, 0x99, 0x24, 0x77, 0xb2,
0x1d, 0x56, 0x4b, 0xf4, 0xe0, 0x9d, 0x9b, 0xb4, 0x49, 0x79, 0xad, 0x1f, 0x78, 0x8c, 0xfa, 0x71,
0x98, 0x3f, 0x41, 0x36, 0x24, 0x4f, 0xa1, 0x53, 0x28, 0x14, 0xea, 0x9e, 0x2b, 0xb5, 0x23, 0xbf,
0xe4, 0x3e, 0x54, 0xb1, 0x38, 0x91, 0x4e, 0xa1, 0x4a, 0x0e, 0xba, 0xe9, 0x54, 0xed, 0x3d, 0x84,
0x0d, 0xfc, 0x11, 0x2e, 0xb7, 0x31, 0xae, 0x48, 0x2b, 0xd7, 0xde, 0xbf, 0x4b, 0x50, 0x4f, 0x7e,
0x98, 0x7d, 0x0a, 0x1b, 0xb2, 0x06, 0x90, 0x5b, 0x39, 0x1a, 0x4d, 0xea, 0xc7, 0x60, 0x6b, 0x49,
0xa8, 0x36, 0x18, 0x41, 0xe5, 0x05, 0x13, 0x84, 0xe4, 0x94, 0xba, 0x18, 0x0c, 0x6e, 0x15, 0x65,
0xa9, 0xfd, 0x69, 0x5c, 0xb4, 0xd7, 0x5c, 0x5e, 0xb0, 0x4f, 0x59, 0xfa, 0x23, 0xa8, 0x29, 0x96,
0x55, 0x41, 0x59, 0xe1, 0x67, 0xf5, 0xf8, 0xab, 0x7c, 0xbc, 0xf7, 0xf7, 0x0d, 0x80, 0xb3, 0x45,
0x24, 0xd8, 0xfc, 0x57, 0x2e, 0x7b, 0x45, 0x1e, 0x42, 0xef, 0x39, 0x3b, 0xa7, 0xb1, 0x27, 0xf0,
0x6b, 0x49, 0xb2, 0x49, 0x2e, 0x26, 0xd8, 0xf0, 0xa5, 0x64, 0x7d, 0x1f, 0x5a, 0x27, 0xf4, 0xfa,
0xf5, 0x76, 0x9f, 0x42, 0xa7, 0xc0, 0xc1, 0xfa, 0x88, 0xcb, 0xac, 0xae, 0x8f, 0xb8, 0xca, 0xd6,
0xf7, 0xa1, 0xae, 0x99, 0x39, 0xbf, 0x07, 0xd6, 0xb0, 0x02, 0x63, 0xff, 0x14, 0x7a, 0x4b, 0xbc,
0x9c, 0xb7, 0xc7, 0x5f, 0x24, 0xd6, 0xf2, 0xf6, 0x33, 0xf9, 0xb5, 0x53, 0xe4, 0xe6, 0xfc, 0xc2,
0xdb, 0x8a, 0x0f, 0xd7, 0x91, 0xf7, 0x8b, 0xe2, 0x77, 0x12, 0x7e, 0x25, 0x1a, 0xcb, 0xf4, 0x99,
0x90, 0x77, 0xe2, 0x68, 0x1d, 0x0d, 0x3f, 0x81, 0x76, 0x9e, 0x41, 0x57, 0x52, 0x70, 0x95, 0x5e,
0x1f, 0x01, 0x64, 0x24, 0x9a, 0xb7, 0x47, 0x78, 0x2c, 0xf3, 0xeb, 0x87, 0x00, 0x19, 0x35, 0x2a,
0x54, 0x15, 0x99, 0x55, 0x2d, 0x5b, 0xa6, 0xcf, 0x87, 0xd0, 0x4c, 0xe9, 0x2c, 0xbf, 0x07, 0x3a,
0x28, 0xb2, 0xe3, 0x67, 0xa3, 0xdf, 0x3e, 0x9a, 0xb9, 0xe2, 0x22, 0x9e, 0x8e, 0xec, 0x60, 0xbe,
0x7b, 0x41, 0xa3, 0x0b, 0xd7, 0x0e, 0x78, 0xb8, 0x7b, 0x25, 0xc1, 0xb4, 0xbb, 0xf2, 0x9f, 0xd1,
0xb4, 0x86, 0x1f, 0x7b, 0x1f, 0xfc, 0x37, 0x00, 0x00, 0xff, 0xff, 0x93, 0x15, 0xb9, 0x42, 0x4f,
0x1a, 0x00, 0x00,
}

3
logical/plugin/pb/backend.proto
View File

@ -210,6 +210,9 @@ message Auth {
// TokenType is the type of token being requested
uint32 token_type = 17;
// Whether the default policy should be added automatically by core
bool no_default_policy = 18;
}
message TokenEntry {

2
logical/plugin/pb/translation.go
View File

@ -492,6 +492,7 @@ func LogicalAuthToProtoAuth(a *logical.Auth) (*Auth, error) {
Policies: a.Policies,
TokenPolicies: a.TokenPolicies,
IdentityPolicies: a.IdentityPolicies,
NoDefaultPolicy: a.NoDefaultPolicy,
Metadata: a.Metadata,
ClientToken: a.ClientToken,
Accessor: a.Accessor,
@ -539,6 +540,7 @@ func ProtoAuthToLogicalAuth(a *Auth) (*logical.Auth, error) {
Policies: a.Policies,
TokenPolicies: a.TokenPolicies,
IdentityPolicies: a.IdentityPolicies,
NoDefaultPolicy: a.NoDefaultPolicy,
Metadata: a.Metadata,
ClientToken: a.ClientToken,
Accessor: a.Accessor,

3
physical/types.pb.go
View File

@ -5,9 +5,8 @@ package physical
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.

85
vault/external_tests/policy/no_default_test.go Normal file
View File

@ -0,0 +1,85 @@
package policy
import (
"testing"
"github.com/go-test/deep"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/builtin/credential/ldap"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/vault"
)
func TestNoDefaultPolicy(t *testing.T) {
var err error
coreConfig := &vault.CoreConfig{
DisableMlock: true,
DisableCache: true,
Logger: log.NewNullLogger(),
CredentialBackends: map[string]logical.Factory{
"ldap": ldap.Factory,
},
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
})
cluster.Start()
defer cluster.Cleanup()
cores := cluster.Cores
vault.TestWaitActive(t, cores[0].Core)
client := cores[0].Client
err = client.Sys().EnableAuthWithOptions("ldap", &api.EnableAuthOptions{
Type: "ldap",
})
if err != nil {
t.Fatal(err)
}
// Configure LDAP auth backend
secret, err := client.Logical().Write("auth/ldap/config", map[string]interface{}{
"url": "ldap://ldap.forumsys.com",
"userattr": "uid",
"userdn": "dc=example,dc=com",
"groupdn": "dc=example,dc=com",
"binddn": "cn=read-only-admin,dc=example,dc=com",
"no_default_policy": true,
})
if err != nil {
t.Fatal(err)
}
// Create a local user in LDAP
secret, err = client.Logical().Write("auth/ldap/users/tesla", map[string]interface{}{
"policies": "foo",
})
if err != nil {
t.Fatal(err)
}
// Login with LDAP and create a token
secret, err = client.Logical().Write("auth/ldap/login/tesla", map[string]interface{}{
"password": "password",
})
if err != nil {
t.Fatal(err)
}
token := secret.Auth.ClientToken
// Lookup the token to get the entity ID
secret, err = client.Auth().Token().Lookup(token)
if err != nil {
t.Fatal(err)
}
if diff := deep.Equal(secret.Data["policies"], []interface{}{"foo"}); diff != nil {
t.Fatal(diff)
}
}

84
vault/request_forwarding_service.pb.go
View File

@ -5,15 +5,11 @@ package vault
import (
fmt "fmt"
math "math"
proto "github.com/golang/protobuf/proto"
forwarding "github.com/hashicorp/vault/helper/forwarding"
)
import (
context "golang.org/x/net/context"
grpc "google.golang.org/grpc"
math "math"
)
// Reference imports to suppress errors if they are not otherwise used.
@ -322,6 +318,45 @@ func init() {
proto.RegisterType((*PerfStandbyElectionResponse)(nil), "vault.PerfStandbyElectionResponse")
}
func init() {
proto.RegisterFile("vault/request_forwarding_service.proto", fileDescriptor_f5f7512e4ab7b58a)
}
var fileDescriptor_f5f7512e4ab7b58a = []byte{
// 493 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x53, 0x41, 0x6f, 0x1a, 0x3d,
0x10, 0x8d, 0x81, 0x10, 0x31, 0x90, 0x88, 0xf8, 0x8b, 0xf4, 0xad, 0xa8, 0xa2, 0x90, 0xad, 0x54,
0x21, 0x55, 0xda, 0x8d, 0xd2, 0x73, 0x0f, 0x2d, 0x4a, 0x25, 0xd4, 0x4b, 0xb5, 0xb9, 0xf5, 0xb2,
0x32, 0xf6, 0x04, 0xac, 0x2e, 0x6b, 0xd7, 0x36, 0x49, 0xf6, 0x27, 0xf7, 0xd6, 0x9f, 0x50, 0xad,
0xd7, 0x04, 0x10, 0x4d, 0x2f, 0x68, 0xe7, 0xcd, 0x63, 0xde, 0xf8, 0xf9, 0x19, 0xde, 0x3d, 0xb2,
0x75, 0xe1, 0x52, 0x83, 0x3f, 0xd7, 0x68, 0x5d, 0xfe, 0xa0, 0xcc, 0x13, 0x33, 0x42, 0x96, 0x8b,
0xdc, 0xa2, 0x79, 0x94, 0x1c, 0x13, 0x6d, 0x94, 0x53, 0xf4, 0xd8, 0xf3, 0x46, 0x97, 0x4b, 0x2c,
0x34, 0x9a, 0x74, 0xcb, 0x4b, 0x5d, 0xa5, 0xd1, 0x36, 0xac, 0x58, 0x41, 0xff, 0x8e, 0x2f, 0x55,
0xd6, 0x4c, 0xa3, 0x11, 0x9c, 0xac, 0xd0, 0x5a, 0xb6, 0xc0, 0x88, 0x8c, 0xc9, 0xa4, 0x97, 0x6d,
0x4a, 0x7a, 0x0d, 0x03, 0x5e, 0xac, 0xad, 0x43, 0x93, 0x33, 0x21, 0x4c, 0xd4, 0xf2, 0xed, 0x7e,
0xc0, 0x3e, 0x09, 0x61, 0xe8, 0x5b, 0x38, 0xdd, 0xa5, 0xd8, 0xa8, 0x3d, 0x6e, 0x4f, 0x7a, 0xd9,
0x60, 0x87, 0x63, 0xe3, 0x27, 0xe8, 0x35, 0x82, 0xba, 0xa8, 0xfe, 0x21, 0x77, 0x30, 0xab, 0x75,
0x38, 0x8b, 0xbe, 0x87, 0x73, 0x83, 0xba, 0x90, 0x9c, 0x39, 0xa9, 0xca, 0xdc, 0x3a, 0xe6, 0x30,
0x6a, 0x8f, 0xc9, 0xe4, 0x34, 0x1b, 0xee, 0x34, 0xee, 0x6b, 0x3c, 0x9e, 0x41, 0x6f, 0x5a, 0x48,
0x2c, 0xdd, 0x57, 0xac, 0x28, 0x85, 0x4e, 0xed, 0x42, 0x50, 0xf5, 0xdf, 0x74, 0x00, 0xe4, 0xd9,
0x1f, 0x6b, 0x90, 0x91, 0xe7, 0xba, 0xaa, 0xfc, 0xac, 0x41, 0x46, 0xaa, 0xba, 0x12, 0x51, 0xa7,
0xa9, 0x44, 0x3c, 0x82, 0xe8, 0x1b, 0x9a, 0x87, 0x7b, 0xc7, 0x4a, 0x31, 0xaf, 0xee, 0x0a, 0xe4,
0xb5, 0xcc, 0xac, 0xd4, 0x6b, 0x17, 0xff, 0x22, 0xf0, 0xe6, 0x2f, 0xcd, 0x0c, 0xad, 0x56, 0xa5,
0x45, 0x7a, 0x06, 0x2d, 0x29, 0x82, 0x6e, 0x4b, 0x0a, 0x7a, 0x09, 0xb0, 0x39, 0xa8, 0x14, 0xc1,
0xd5, 0x5e, 0x40, 0x66, 0x82, 0xde, 0xc0, 0x85, 0x36, 0x72, 0xc5, 0x4c, 0x95, 0xef, 0xd9, 0xdf,
0xf6, 0x44, 0x1a, 0x7a, 0xd3, 0x9d, 0x5b, 0xf8, 0x1f, 0x4e, 0x38, 0xcb, 0x39, 0x1a, 0x17, 0x16,
0xee, 0x72, 0x36, 0x45, 0xe3, 0xe8, 0x15, 0xf4, 0xb9, 0x37, 0xa0, 0x69, 0x1e, 0xfb, 0x26, 0x34,
0x90, 0x27, 0xa4, 0x10, 0xaa, 0xfc, 0x07, 0x56, 0x51, 0x77, 0x4c, 0x26, 0xfd, 0xdb, 0x61, 0xe2,
0x63, 0x94, 0xbc, 0x58, 0x57, 0x2f, 0x17, 0x3e, 0x6f, 0x7f, 0x13, 0x38, 0x0f, 0xc9, 0xf9, 0xf2,
0x12, 0x2f, 0xfa, 0x11, 0xce, 0x42, 0xb5, 0x49, 0xd5, 0x7f, 0xc9, 0x36, 0x7d, 0x49, 0x00, 0x47,
0x17, 0xfb, 0x60, 0x63, 0x4f, 0x7c, 0x44, 0x13, 0xe8, 0xd4, 0x01, 0xa1, 0x34, 0x28, 0xef, 0xc4,
0x73, 0x34, 0xdc, 0xc3, 0x74, 0x51, 0xc5, 0x47, 0xb4, 0x80, 0xeb, 0xda, 0x6f, 0x65, 0x56, 0xac,
0xe4, 0x78, 0x60, 0x7b, 0xb3, 0xc1, 0x55, 0xf8, 0xe3, 0x6b, 0xd7, 0x36, 0x8a, 0x5f, 0x27, 0x6c,
0x77, 0xbb, 0x21, 0x9f, 0xe3, 0xef, 0xe3, 0x85, 0x74, 0xcb, 0xf5, 0x3c, 0xe1, 0x6a, 0x95, 0x2e,
0x99, 0x5d, 0x4a, 0xae, 0x8c, 0x4e, 0x9b, 0x47, 0xe9, 0x7f, 0xe7, 0x5d, 0xff, 0xb4, 0x3e, 0xfc,
0x09, 0x00, 0x00, 0xff, 0xff, 0x03, 0x94, 0x0a, 0x17, 0xaa, 0x03, 0x00, 0x00,
}
// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConn
@ -487,42 +522,3 @@ var _RequestForwarding_serviceDesc = grpc.ServiceDesc{
},
Metadata: "vault/request_forwarding_service.proto",
}
func init() {
proto.RegisterFile("vault/request_forwarding_service.proto", fileDescriptor_f5f7512e4ab7b58a)
}
var fileDescriptor_f5f7512e4ab7b58a = []byte{
// 493 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x53, 0x41, 0x6f, 0x1a, 0x3d,
0x10, 0x8d, 0x81, 0x10, 0x31, 0x90, 0x88, 0xf8, 0x8b, 0xf4, 0xad, 0xa8, 0xa2, 0x90, 0xad, 0x54,
0x21, 0x55, 0xda, 0x8d, 0xd2, 0x73, 0x0f, 0x2d, 0x4a, 0x25, 0xd4, 0x4b, 0xb5, 0xb9, 0xf5, 0xb2,
0x32, 0xf6, 0x04, 0xac, 0x2e, 0x6b, 0xd7, 0x36, 0x49, 0xf6, 0x27, 0xf7, 0xd6, 0x9f, 0x50, 0xad,
0xd7, 0x04, 0x10, 0x4d, 0x2f, 0x68, 0xe7, 0xcd, 0x63, 0xde, 0xf8, 0xf9, 0x19, 0xde, 0x3d, 0xb2,
0x75, 0xe1, 0x52, 0x83, 0x3f, 0xd7, 0x68, 0x5d, 0xfe, 0xa0, 0xcc, 0x13, 0x33, 0x42, 0x96, 0x8b,
0xdc, 0xa2, 0x79, 0x94, 0x1c, 0x13, 0x6d, 0x94, 0x53, 0xf4, 0xd8, 0xf3, 0x46, 0x97, 0x4b, 0x2c,
0x34, 0x9a, 0x74, 0xcb, 0x4b, 0x5d, 0xa5, 0xd1, 0x36, 0xac, 0x58, 0x41, 0xff, 0x8e, 0x2f, 0x55,
0xd6, 0x4c, 0xa3, 0x11, 0x9c, 0xac, 0xd0, 0x5a, 0xb6, 0xc0, 0x88, 0x8c, 0xc9, 0xa4, 0x97, 0x6d,
0x4a, 0x7a, 0x0d, 0x03, 0x5e, 0xac, 0xad, 0x43, 0x93, 0x33, 0x21, 0x4c, 0xd4, 0xf2, 0xed, 0x7e,
0xc0, 0x3e, 0x09, 0x61, 0xe8, 0x5b, 0x38, 0xdd, 0xa5, 0xd8, 0xa8, 0x3d, 0x6e, 0x4f, 0x7a, 0xd9,
0x60, 0x87, 0x63, 0xe3, 0x27, 0xe8, 0x35, 0x82, 0xba, 0xa8, 0xfe, 0x21, 0x77, 0x30, 0xab, 0x75,
0x38, 0x8b, 0xbe, 0x87, 0x73, 0x83, 0xba, 0x90, 0x9c, 0x39, 0xa9, 0xca, 0xdc, 0x3a, 0xe6, 0x30,
0x6a, 0x8f, 0xc9, 0xe4, 0x34, 0x1b, 0xee, 0x34, 0xee, 0x6b, 0x3c, 0x9e, 0x41, 0x6f, 0x5a, 0x48,
0x2c, 0xdd, 0x57, 0xac, 0x28, 0x85, 0x4e, 0xed, 0x42, 0x50, 0xf5, 0xdf, 0x74, 0x00, 0xe4, 0xd9,
0x1f, 0x6b, 0x90, 0x91, 0xe7, 0xba, 0xaa, 0xfc, 0xac, 0x41, 0x46, 0xaa, 0xba, 0x12, 0x51, 0xa7,
0xa9, 0x44, 0x3c, 0x82, 0xe8, 0x1b, 0x9a, 0x87, 0x7b, 0xc7, 0x4a, 0x31, 0xaf, 0xee, 0x0a, 0xe4,
0xb5, 0xcc, 0xac, 0xd4, 0x6b, 0x17, 0xff, 0x22, 0xf0, 0xe6, 0x2f, 0xcd, 0x0c, 0xad, 0x56, 0xa5,
0x45, 0x7a, 0x06, 0x2d, 0x29, 0x82, 0x6e, 0x4b, 0x0a, 0x7a, 0x09, 0xb0, 0x39, 0xa8, 0x14, 0xc1,
0xd5, 0x5e, 0x40, 0x66, 0x82, 0xde, 0xc0, 0x85, 0x36, 0x72, 0xc5, 0x4c, 0x95, 0xef, 0xd9, 0xdf,
0xf6, 0x44, 0x1a, 0x7a, 0xd3, 0x9d, 0x5b, 0xf8, 0x1f, 0x4e, 0x38, 0xcb, 0x39, 0x1a, 0x17, 0x16,
0xee, 0x72, 0x36, 0x45, 0xe3, 0xe8, 0x15, 0xf4, 0xb9, 0x37, 0xa0, 0x69, 0x1e, 0xfb, 0x26, 0x34,
0x90, 0x27, 0xa4, 0x10, 0xaa, 0xfc, 0x07, 0x56, 0x51, 0x77, 0x4c, 0x26, 0xfd, 0xdb, 0x61, 0xe2,
0x63, 0x94, 0xbc, 0x58, 0x57, 0x2f, 0x17, 0x3e, 0x6f, 0x7f, 0x13, 0x38, 0x0f, 0xc9, 0xf9, 0xf2,
0x12, 0x2f, 0xfa, 0x11, 0xce, 0x42, 0xb5, 0x49, 0xd5, 0x7f, 0xc9, 0x36, 0x7d, 0x49, 0x00, 0x47,
0x17, 0xfb, 0x60, 0x63, 0x4f, 0x7c, 0x44, 0x13, 0xe8, 0xd4, 0x01, 0xa1, 0x34, 0x28, 0xef, 0xc4,
0x73, 0x34, 0xdc, 0xc3, 0x74, 0x51, 0xc5, 0x47, 0xb4, 0x80, 0xeb, 0xda, 0x6f, 0x65, 0x56, 0xac,
0xe4, 0x78, 0x60, 0x7b, 0xb3, 0xc1, 0x55, 0xf8, 0xe3, 0x6b, 0xd7, 0x36, 0x8a, 0x5f, 0x27, 0x6c,
0x77, 0xbb, 0x21, 0x9f, 0xe3, 0xef, 0xe3, 0x85, 0x74, 0xcb, 0xf5, 0x3c, 0xe1, 0x6a, 0x95, 0x2e,
0x99, 0x5d, 0x4a, 0xae, 0x8c, 0x4e, 0x9b, 0x47, 0xe9, 0x7f, 0xe7, 0x5d, 0xff, 0xb4, 0x3e, 0xfc,
0x09, 0x00, 0x00, 0xff, 0xff, 0x03, 0x94, 0x0a, 0x17, 0xaa, 0x03, 0x00, 0x00,
}

6
vault/request_handling.go
View File

@ -982,6 +982,10 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
var entity *identity.Entity
auth = resp.Auth
// Only the token store can toggle this off, and that's via a
// different path since it's not a login request; it's explicitly
// disallowed above
auth.Renewable = true
mEntry := c.router.MatchingMountEntry(ctx, req.Path)
@ -1058,7 +1062,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
return nil, nil, ErrInternalError
}
auth.TokenPolicies = policyutil.SanitizePolicies(auth.Policies, policyutil.AddDefaultPolicy)
auth.TokenPolicies = policyutil.SanitizePolicies(auth.Policies, !auth.NoDefaultPolicy)
allPolicies := policyutil.SanitizePolicies(append(auth.TokenPolicies, identityPolicies[ns.ID]...), policyutil.DoNotAddDefaultPolicy)
// Prevent internal policies from being assigned to tokens. We check

148
vault/token_store.go
View File

@ -14,13 +14,13 @@ import (
"strings"
"time"
metrics "github.com/armon/go-metrics"
proto "github.com/golang/protobuf/proto"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
multierror "github.com/hashicorp/go-multierror"
sockaddr "github.com/hashicorp/go-sockaddr"
metrics "github.com/armon/go-metrics"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/helper/base62"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/identity"
@ -31,6 +31,7 @@ import (
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/helper/salt"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/helper/tokenhelper"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
"github.com/hashicorp/vault/logical/plugin/pb"
@ -103,7 +104,7 @@ var (
)
func (ts *TokenStore) paths() []*framework.Path {
return []*framework.Path{
p := []*framework.Path{
{
Pattern: "roles/?$",
@ -126,76 +127,6 @@ func (ts *TokenStore) paths() []*framework.Path {
HelpDescription: tokenListAccessorsHelp,
},
{
Pattern: "roles/" + framework.GenericNameRegex("role_name"),
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the role",
},
"allowed_policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: tokenAllowedPoliciesHelp,
},
"disallowed_policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: tokenDisallowedPoliciesHelp,
},
"orphan": &framework.FieldSchema{
Type: framework.TypeBool,
Default: false,
Description: tokenOrphanHelp,
},
"period": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Default: 0,
Description: tokenPeriodHelp,
},
"path_suffix": &framework.FieldSchema{
Type: framework.TypeString,
Default: "",
Description: tokenPathSuffixHelp + pathSuffixSanitize.String(),
},
"explicit_max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Default: 0,
Description: tokenExplicitMaxTTLHelp,
},
"renewable": &framework.FieldSchema{
Type: framework.TypeBool,
Default: true,
Description: tokenRenewableHelp,
},
"bound_cidrs": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`,
},
"token_type": &framework.FieldSchema{
Type: framework.TypeString,
Default: "service",
Description: "The type of token to generate, service or batch",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: ts.tokenStoreRoleRead,
logical.CreateOperation: ts.tokenStoreRoleCreateUpdate,
logical.UpdateOperation: ts.tokenStoreRoleCreateUpdate,
logical.DeleteOperation: ts.tokenStoreRoleDelete,
},
ExistenceCheck: ts.tokenStoreRoleExistenceCheck,
},
{
Pattern: "create-orphan$",
@ -414,6 +345,61 @@ func (ts *TokenStore) paths() []*framework.Path {
HelpDescription: strings.TrimSpace(tokenTidyDesc),
},
}
rolesPath := &framework.Path{
Pattern: "roles/" + framework.GenericNameRegex("role_name"),
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the role",
},
"allowed_policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: tokenAllowedPoliciesHelp,
},
"disallowed_policies": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: tokenDisallowedPoliciesHelp,
},
"orphan": &framework.FieldSchema{
Type: framework.TypeBool,
Default: false,
Description: tokenOrphanHelp,
},
"path_suffix": &framework.FieldSchema{
Type: framework.TypeString,
Default: "",
Description: tokenPathSuffixHelp + pathSuffixSanitize.String(),
},
"renewable": &framework.FieldSchema{
Type: framework.TypeBool,
Default: true,
Description: tokenRenewableHelp,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: ts.tokenStoreRoleRead,
logical.CreateOperation: ts.tokenStoreRoleCreateUpdate,
logical.UpdateOperation: ts.tokenStoreRoleCreateUpdate,
logical.DeleteOperation: ts.tokenStoreRoleDelete,
},
ExistenceCheck: ts.tokenStoreRoleExistenceCheck,
}
// Roles in token store handle policies and TTLs differently
tokenhelper.AddTokenFieldsWithAllowList(rolesPath.Fields,
[]string{"bound_cidrs", "explicit_max_ttl", "period", "token_type"})
// For this backend default to service
rolesPath.Fields["token_type"].Default = "service"
p = append(p, rolesPath)
return p
}
// LookupToken returns the properties of the token from the token store. This
@ -581,6 +567,8 @@ func (ts *TokenStore) Salt(ctx context.Context) (*salt.Salt, error) {
// tsRoleEntry contains token store role information
type tsRoleEntry struct {
tokenhelper.TokenParams
// The name of the role. Embedded so it can be used for pathing
Name string `json:"name" mapstructure:"name" structs:"name"`
@ -594,26 +582,12 @@ type tsRoleEntry struct {
// If true, tokens created using this role will be orphans
Orphan bool `json:"orphan" mapstructure:"orphan" structs:"orphan"`
// If non-zero, tokens created using this role will be able to be renewed
// forever, but will have a fixed renewal period of this value
Period time.Duration `json:"period" mapstructure:"period" structs:"period"`
// If set, a suffix will be set on the token path, making it easier to
// revoke using 'revoke-prefix'
PathSuffix string `json:"path_suffix" mapstructure:"path_suffix" structs:"path_suffix"`
// If set, controls whether created tokens are marked as being renewable
Renewable bool `json:"renewable" mapstructure:"renewable" structs:"renewable"`
// If set, the token entry will have an explicit maximum TTL set, rather
// than deferring to role/mount values
ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`
// The set of CIDRs that tokens generated using this role will be bound to
BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`
// The type of token this role should issue
TokenType logical.TokenType `json:"token_type" mapstructure:"token_type"`
}
type accessorEntry struct {

2
vendor/github.com/hashicorp/vault-plugin-secrets-ad/plugin/path_config.go generated vendored
View File

@ -54,7 +54,7 @@ func (b *backend) pathConfig() *framework.Path {
}
func (b *backend) configFields() map[string]*framework.FieldSchema {
fields := ldaputil.ConfigFields()
fields := ldaputil.ConfigFields(false)
fields["ttl"] = &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: "In seconds, the default password time-to-live.",