open-vault/vault/logical_system_user_lockout.go

201 lines
7.1 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package vault
import (
"context"
"fmt"
"sort"
"strings"
"github.com/hashicorp/vault/helper/namespace"
)
type LockedUsersResponse struct {
NamespaceID string `json:"namespace_id" mapstructure:"namespace_id"`
NamespacePath string `json:"namespace_path" mapstructure:"namespace_path"`
Counts int `json:"counts" mapstructure:"counts"`
MountAccessors []*ResponseMountAccessors `json:"mount_accessors" mapstructure:"mount_accessors"`
}
type ResponseMountAccessors struct {
MountAccessor string `json:"mount_accessor" mapstructure:"mount_accessor"`
Counts int `json:"counts" mapstructure:"counts"`
AliasIdentifiers []string `json:"alias_identifiers" mapstructure:"alias_identifiers"`
}
// unlockUser deletes the entry for locked user from storage and userFailedLoginInfo map
func unlockUser(ctx context.Context, core *Core, mountAccessor string, aliasName string) error {
ns, err := namespace.FromContext(ctx)
if err != nil {
return err
}
lockedUserStoragePath := coreLockedUsersPath + ns.ID + "/" + mountAccessor + "/" + aliasName
// remove entry for locked user from storage
// if read only error, the error is handled by handleError in logical_system.go
// this will be forwarded to the active node
if err := core.barrier.Delete(ctx, lockedUserStoragePath); err != nil {
return err
}
loginUserInfoKey := FailedLoginUser{
aliasName: aliasName,
mountAccessor: mountAccessor,
}
// remove entry for locked user from userFailedLoginInfo map and storage
if err := updateUserFailedLoginInfo(ctx, core, loginUserInfoKey, nil, true); err != nil {
return err
}
return nil
}
// handleLockedUsersQuery reports the locked user metrics by namespace in the decreasing order
// of locked users
func (b *SystemBackend) handleLockedUsersQuery(ctx context.Context, mountAccessor string) (map[string]interface{}, error) {
// Calculate the namespace response breakdowns of locked users for query namespace and child namespaces (if needed)
totalCount, byNamespaceResponse, err := b.getLockedUsersResponses(ctx, mountAccessor)
if err != nil {
return nil, err
}
// Now populate the response based on breakdowns.
responseData := make(map[string]interface{})
responseData["by_namespace"] = byNamespaceResponse
responseData["total"] = totalCount
return responseData, nil
}
// getLockedUsersResponses returns the locked users
// for a particular mount_accessor if provided in request
// else returns it for the current namespace and all the child namespaces that has locked users
// they are sorted in the decreasing order of locked users count
func (b *SystemBackend) getLockedUsersResponses(ctx context.Context, mountAccessor string) (int, []*LockedUsersResponse, error) {
lockedUsersResponse := make([]*LockedUsersResponse, 0)
totalCounts := 0
queryNS, err := namespace.FromContext(ctx)
if err != nil {
return 0, nil, err
}
if mountAccessor != "" {
// get the locked user response for mount_accessor, here for mount_accessor in request
totalCountForNSID, mountAccessorsResponse, err := b.getMountAccessorsLockedUsers(ctx, []string{mountAccessor + "/"},
coreLockedUsersPath+queryNS.ID+"/")
if err != nil {
return 0, nil, err
}
totalCounts += totalCountForNSID
lockedUsersResponse = append(lockedUsersResponse, &LockedUsersResponse{
NamespaceID: queryNS.ID,
NamespacePath: queryNS.Path,
Counts: totalCountForNSID,
MountAccessors: mountAccessorsResponse,
})
return totalCounts, lockedUsersResponse, nil
}
// no mount_accessor is provided in request, get information for current namespace and its child namespaces
// get all the namespaces of locked users
nsIDs, err := b.Core.barrier.List(ctx, coreLockedUsersPath)
if err != nil {
return 0, nil, err
}
// identify if the namespaces must be included in response and get counts
for _, nsID := range nsIDs {
nsID = strings.TrimSuffix(nsID, "/")
ns, err := NamespaceByID(ctx, nsID, b.Core)
if err != nil {
return 0, nil, err
}
if b.includeNSInLockedUsersResponse(queryNS, ns) {
var displayPath string
if ns == nil {
// deleted namespace
displayPath = fmt.Sprintf("deleted namespace %q", nsID)
} else {
displayPath = ns.Path
}
// get mount accessors of locked users for this namespace
mountAccessors, err := b.Core.barrier.List(ctx, coreLockedUsersPath+nsID+"/")
if err != nil {
return 0, nil, err
}
// get the locked user response for mount_accessor list
totalCountForNSID, mountAccessorsResponse, err := b.getMountAccessorsLockedUsers(ctx, mountAccessors, coreLockedUsersPath+nsID+"/")
if err != nil {
return 0, nil, err
}
totalCounts += totalCountForNSID
lockedUsersResponse = append(lockedUsersResponse, &LockedUsersResponse{
NamespaceID: strings.TrimSuffix(nsID, "/"),
NamespacePath: displayPath,
Counts: totalCountForNSID,
MountAccessors: mountAccessorsResponse,
})
}
}
// sort namespaces in response by decreasing order of counts
sort.Slice(lockedUsersResponse, func(i, j int) bool {
return lockedUsersResponse[i].Counts > lockedUsersResponse[j].Counts
})
return totalCounts, lockedUsersResponse, nil
}
// getMountAccessorsLockedUsers returns the locked users for all the mount_accessors of locked users for a namespace
// they are sorted in the decreasing order of locked users
// returns the total locked users for the namespace and locked users response for every mount_accessor for a namespace that has locked users
func (b *SystemBackend) getMountAccessorsLockedUsers(ctx context.Context, mountAccessors []string, lockedUsersPath string) (int, []*ResponseMountAccessors, error) {
byMountAccessorsResponse := make([]*ResponseMountAccessors, 0)
totalCountForMountAccessors := 0
for _, mountAccessor := range mountAccessors {
// get the list of aliases of locked users for a mount accessor
aliasIdentifiers, err := b.Core.barrier.List(ctx, lockedUsersPath+mountAccessor)
if err != nil {
return 0, nil, err
}
totalCountForMountAccessors += len(aliasIdentifiers)
byMountAccessorsResponse = append(byMountAccessorsResponse, &ResponseMountAccessors{
MountAccessor: strings.TrimSuffix(mountAccessor, "/"),
Counts: len(aliasIdentifiers),
AliasIdentifiers: aliasIdentifiers,
})
}
// sort mount Accessors in response by decreasing order of counts
sort.Slice(byMountAccessorsResponse, func(i, j int) bool {
return byMountAccessorsResponse[i].Counts > byMountAccessorsResponse[j].Counts
})
return totalCountForMountAccessors, byMountAccessorsResponse, nil
}
// includeNSInLockedUsersResponse checks if the namespace is the child namespace of namespace in query
// if child namespace, it can be included in response
// locked users from deleted namespaces are listed under root namespace
func (b *SystemBackend) includeNSInLockedUsersResponse(query *namespace.Namespace, record *namespace.Namespace) bool {
if record == nil {
// Deleted namespace, only include in root queries
return query.ID == namespace.RootNamespaceID
}
return record.HasParent(query)
}