Merge pull request #1118 from hashicorp/ssh-api-fix

ssh-helper related API changes
This commit is contained in:
Vishal Nayak 2016-02-23 00:20:20 -05:00
commit eb95205f99
2 changed files with 24 additions and 25 deletions

View file

@ -10,7 +10,7 @@ type SSH struct {
// SSH returns the client for logical-backend API calls. // SSH returns the client for logical-backend API calls.
func (c *Client) SSH() *SSH { func (c *Client) SSH() *SSH {
return c.SSHWithMountPoint(SSHAgentDefaultMountPoint) return c.SSHWithMountPoint(SSHHelperDefaultMountPoint)
} }
// SSHWithMountPoint returns the client with specific SSH mount point. // SSHWithMountPoint returns the client with specific SSH mount point.

View file

@ -14,19 +14,19 @@ import (
const ( const (
// Default path at which SSH backend will be mounted in Vault server // Default path at which SSH backend will be mounted in Vault server
SSHAgentDefaultMountPoint = "ssh" SSHHelperDefaultMountPoint = "ssh"
// Echo request message sent as OTP by the agent // Echo request message sent as OTP by the ssh-helper
VerifyEchoRequest = "verify-echo-request" VerifyEchoRequest = "verify-echo-request"
// Echo response message sent as a response to OTP matching echo request // Echo response message sent as a response to OTP matching echo request
VerifyEchoResponse = "verify-echo-response" VerifyEchoResponse = "verify-echo-response"
) )
// SSHAgent is a structure representing an SSH agent which can talk to vault server // SSHHelper is a structure representing a ssh-helper which can talk to vault server
// in order to verify the OTP entered by the user. It contains the path at which // in order to verify the OTP entered by the user. It contains the path at which
// SSH backend is mounted at the server. // SSH backend is mounted at the server.
type SSHAgent struct { type SSHHelper struct {
c *Client c *Client
MountPoint string MountPoint string
} }
@ -45,21 +45,20 @@ type SSHVerifyResponse struct {
IP string `mapstructure:"ip"` IP string `mapstructure:"ip"`
} }
// SSHAgentConfig is a structure which represents the entries from the agent's configuration file. // SSHHelperConfig is a structure which represents the entries from the ssh-helper's configuration file.
type SSHAgentConfig struct { type SSHHelperConfig struct {
VaultAddr string `hcl:"vault_addr"` VaultAddr string `hcl:"vault_addr"`
SSHMountPoint string `hcl:"ssh_mount_point"` SSHMountPoint string `hcl:"ssh_mount_point"`
CACert string `hcl:"ca_cert"` CACert string `hcl:"ca_cert"`
CAPath string `hcl:"ca_path"` CAPath string `hcl:"ca_path"`
TLSSkipVerify bool `hcl:"tls_skip_verify"`
AllowedCidrList string `hcl:"allowed_cidr_list"` AllowedCidrList string `hcl:"allowed_cidr_list"`
} }
// TLSClient returns a HTTP client that uses TLS verification (TLS 1.2) for a given // TLSClient returns a HTTP client that uses TLS verification (TLS 1.2) for a given
// certificate pool. // certificate pool.
func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) { func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) {
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
InsecureSkipVerify: c.TLSSkipVerify, InsecureSkipVerify: true,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
RootCAs: certPool, RootCAs: certPool,
} }
@ -70,10 +69,10 @@ func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.C
} }
// NewClient returns a new client for the configuration. This client will be used by the // NewClient returns a new client for the configuration. This client will be used by the
// SSH agent to communicate with Vault server and verify the OTP entered by user. // ssh-helper to communicate with Vault server and verify the OTP entered by user.
// If the configuration supplies Vault SSL certificates, then the client will // If the configuration supplies Vault SSL certificates, then the client will
// have TLS configured in its transport. // have TLS configured in its transport.
func (c *SSHAgentConfig) NewClient() (*Client, error) { func (c *SSHHelperConfig) NewClient() (*Client, error) {
// Creating a default client configuration for communicating with vault server. // Creating a default client configuration for communicating with vault server.
clientConfig := DefaultConfig() clientConfig := DefaultConfig()
@ -81,7 +80,7 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
clientConfig.Address = c.VaultAddr clientConfig.Address = c.VaultAddr
// Check if certificates are provided via config file. // Check if certificates are provided via config file.
if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify { if c.CACert != "" || c.CAPath != "" {
var certPool *x509.CertPool var certPool *x509.CertPool
var err error var err error
if c.CACert != "" { if c.CACert != "" {
@ -106,13 +105,13 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
return client, nil return client, nil
} }
// LoadSSHAgentConfig loads agent's configuration from the file and populates the corresponding // LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding
// in-memory structure. // in-memory structure.
// //
// Vault address is a required parameter. // Vault address is a required parameter.
// Mount point defaults to "ssh". // Mount point defaults to "ssh".
func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) { func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error) {
var config SSHAgentConfig var config SSHHelperConfig
contents, err := ioutil.ReadFile(path) contents, err := ioutil.ReadFile(path)
if !os.IsNotExist(err) { if !os.IsNotExist(err) {
obj, err := hcl.Parse(string(contents)) obj, err := hcl.Parse(string(contents))
@ -131,22 +130,22 @@ func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
return nil, fmt.Errorf("config missing vault_addr") return nil, fmt.Errorf("config missing vault_addr")
} }
if config.SSHMountPoint == "" { if config.SSHMountPoint == "" {
config.SSHMountPoint = SSHAgentDefaultMountPoint config.SSHMountPoint = SSHHelperDefaultMountPoint
} }
return &config, nil return &config, nil
} }
// SSHAgent creates an SSHAgent object which can talk to Vault server with SSH backend // SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend
// mounted at default path ("ssh"). // mounted at default path ("ssh").
func (c *Client) SSHAgent() *SSHAgent { func (c *Client) SSHHelper() *SSHHelper {
return c.SSHAgentWithMountPoint(SSHAgentDefaultMountPoint) return c.SSHHelperWithMountPoint(SSHHelperDefaultMountPoint)
} }
// SSHAgentWithMountPoint creates an SSHAgent object which can talk to Vault server with SSH backend // SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend
// mounted at a specific mount point. // mounted at a specific mount point.
func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent { func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper {
return &SSHAgent{ return &SSHHelper{
c: c, c: c,
MountPoint: mountPoint, MountPoint: mountPoint,
} }
@ -155,9 +154,9 @@ func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent {
// Verify verifies if the key provided by user is present in Vault server. The response // Verify verifies if the key provided by user is present in Vault server. The response
// will contain the IP address and username associated with the OTP. In case the // will contain the IP address and username associated with the OTP. In case the
// OTP matches the echo request message, instead of searching an entry for the OTP, // OTP matches the echo request message, instead of searching an entry for the OTP,
// an echo response message is returned. This feature is used by agent to verify if // an echo response message is returned. This feature is used by ssh-helper to verify if
// its configured correctly. // its configured correctly.
func (c *SSHAgent) Verify(otp string) (*SSHVerifyResponse, error) { func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error) {
data := map[string]interface{}{ data := map[string]interface{}{
"otp": otp, "otp": otp,
} }