287 lines
7.8 KiB
Go
287 lines
7.8 KiB
Go
package vault
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/golang/protobuf/ptypes"
|
|
memdb "github.com/hashicorp/go-memdb"
|
|
"github.com/hashicorp/vault/helper/identity"
|
|
"github.com/hashicorp/vault/logical"
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
)
|
|
|
|
func groupPaths(i *IdentityStore) []*framework.Path {
|
|
return []*framework.Path{
|
|
{
|
|
Pattern: "group$",
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"id": {
|
|
Type: framework.TypeString,
|
|
Description: "ID of the group.",
|
|
},
|
|
"name": {
|
|
Type: framework.TypeString,
|
|
Description: "Name of the group.",
|
|
},
|
|
"metadata": {
|
|
Type: framework.TypeStringSlice,
|
|
Description: "Metadata to be associated with the group. Format should be a list of `key=value` pairs.",
|
|
},
|
|
"policies": {
|
|
Type: framework.TypeCommaStringSlice,
|
|
Description: "Policies to be tied to the group.",
|
|
},
|
|
"member_group_ids": {
|
|
Type: framework.TypeCommaStringSlice,
|
|
Description: "Group IDs to be assigned as group members.",
|
|
},
|
|
"member_entity_ids": {
|
|
Type: framework.TypeCommaStringSlice,
|
|
Description: "Entity IDs to be assigned as group members.",
|
|
},
|
|
},
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.UpdateOperation: i.pathGroupRegister,
|
|
},
|
|
|
|
HelpSynopsis: strings.TrimSpace(groupHelp["register"][0]),
|
|
HelpDescription: strings.TrimSpace(groupHelp["register"][1]),
|
|
},
|
|
{
|
|
Pattern: "group/id/" + framework.GenericNameRegex("id"),
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"id": {
|
|
Type: framework.TypeString,
|
|
Description: "ID of the group.",
|
|
},
|
|
"name": {
|
|
Type: framework.TypeString,
|
|
Description: "Name of the group.",
|
|
},
|
|
"metadata": {
|
|
Type: framework.TypeStringSlice,
|
|
Description: "Metadata to be associated with the group. Format should be a list of `key=value` pairs.",
|
|
},
|
|
"policies": {
|
|
Type: framework.TypeCommaStringSlice,
|
|
Description: "Policies to be tied to the group.",
|
|
},
|
|
"member_group_ids": {
|
|
Type: framework.TypeCommaStringSlice,
|
|
Description: "Group IDs to be assigned as group members.",
|
|
},
|
|
"member_entity_ids": {
|
|
Type: framework.TypeCommaStringSlice,
|
|
Description: "Entity IDs to be assigned as group members.",
|
|
},
|
|
},
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.UpdateOperation: i.pathGroupIDUpdate,
|
|
logical.ReadOperation: i.pathGroupIDRead,
|
|
logical.DeleteOperation: i.pathGroupIDDelete,
|
|
},
|
|
|
|
HelpSynopsis: strings.TrimSpace(groupHelp["group-by-id"][0]),
|
|
HelpDescription: strings.TrimSpace(groupHelp["group-by-id"][1]),
|
|
},
|
|
{
|
|
Pattern: "group/id/?$",
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.ListOperation: i.pathGroupIDList,
|
|
},
|
|
|
|
HelpSynopsis: strings.TrimSpace(entityHelp["group-id-list"][0]),
|
|
HelpDescription: strings.TrimSpace(entityHelp["group-id-list"][1]),
|
|
},
|
|
}
|
|
}
|
|
|
|
func (i *IdentityStore) pathGroupRegister(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
_, ok := d.GetOk("id")
|
|
if ok {
|
|
return i.pathGroupIDUpdate(req, d)
|
|
}
|
|
|
|
i.groupLock.Lock()
|
|
defer i.groupLock.Unlock()
|
|
|
|
return i.handleGroupUpdateCommon(req, d, nil)
|
|
}
|
|
|
|
func (i *IdentityStore) pathGroupIDUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
groupID := d.Get("id").(string)
|
|
if groupID == "" {
|
|
return logical.ErrorResponse("empty group ID"), nil
|
|
}
|
|
|
|
i.groupLock.Lock()
|
|
defer i.groupLock.Unlock()
|
|
|
|
group, err := i.memDBGroupByID(groupID, true)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if group == nil {
|
|
return logical.ErrorResponse("invalid group ID"), nil
|
|
}
|
|
|
|
return i.handleGroupUpdateCommon(req, d, group)
|
|
}
|
|
|
|
func (i *IdentityStore) handleGroupUpdateCommon(req *logical.Request, d *framework.FieldData, group *identity.Group) (*logical.Response, error) {
|
|
var err error
|
|
var newGroup bool
|
|
if group == nil {
|
|
group = &identity.Group{}
|
|
newGroup = true
|
|
}
|
|
|
|
// Update the policies if supplied
|
|
policiesRaw, ok := d.GetOk("policies")
|
|
if ok {
|
|
group.Policies = policiesRaw.([]string)
|
|
}
|
|
|
|
// Get the name
|
|
groupName := d.Get("name").(string)
|
|
if groupName != "" {
|
|
// Check if there is a group already existing for the given name
|
|
groupByName, err := i.memDBGroupByName(groupName, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// If this is a new group and if there already exists a group by this
|
|
// name, error out. If the name of an existing group is about to be
|
|
// modified into something which is already tied to a different group,
|
|
// error out.
|
|
switch {
|
|
case (newGroup && groupByName != nil), (groupByName != nil && group.ID != "" && groupByName.ID != group.ID):
|
|
return logical.ErrorResponse("group name is already in use"), nil
|
|
}
|
|
group.Name = groupName
|
|
}
|
|
|
|
metadataRaw, ok := d.GetOk("metadata")
|
|
if ok {
|
|
group.Metadata, err = parseMetadata(metadataRaw.([]string))
|
|
if err != nil {
|
|
return logical.ErrorResponse(fmt.Sprintf("failed to parse group metadata: %v", err)), nil
|
|
}
|
|
}
|
|
|
|
memberEntityIDsRaw, ok := d.GetOk("member_entity_ids")
|
|
if ok {
|
|
group.MemberEntityIDs = memberEntityIDsRaw.([]string)
|
|
if len(group.MemberEntityIDs) > 512 {
|
|
return logical.ErrorResponse("member entity IDs exceeding the limit of 512"), nil
|
|
}
|
|
}
|
|
|
|
memberGroupIDsRaw, ok := d.GetOk("member_group_ids")
|
|
var memberGroupIDs []string
|
|
if ok {
|
|
memberGroupIDs = memberGroupIDsRaw.([]string)
|
|
}
|
|
|
|
err = i.sanitizeAndUpsertGroup(group, memberGroupIDs)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
respData := map[string]interface{}{
|
|
"id": group.ID,
|
|
"name": group.Name,
|
|
}
|
|
return &logical.Response{
|
|
Data: respData,
|
|
}, nil
|
|
}
|
|
|
|
func (i *IdentityStore) pathGroupIDRead(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
groupID := d.Get("id").(string)
|
|
if groupID == "" {
|
|
return logical.ErrorResponse("empty group id"), nil
|
|
}
|
|
|
|
group, err := i.memDBGroupByID(groupID, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if group == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
return i.handleGroupReadCommon(group)
|
|
}
|
|
|
|
func (i *IdentityStore) handleGroupReadCommon(group *identity.Group) (*logical.Response, error) {
|
|
if group == nil {
|
|
return nil, fmt.Errorf("nil group")
|
|
}
|
|
|
|
respData := map[string]interface{}{}
|
|
respData["id"] = group.ID
|
|
respData["name"] = group.Name
|
|
respData["policies"] = group.Policies
|
|
respData["member_entity_ids"] = group.MemberEntityIDs
|
|
respData["metadata"] = group.Metadata
|
|
respData["creation_time"] = ptypes.TimestampString(group.CreationTime)
|
|
respData["last_update_time"] = ptypes.TimestampString(group.LastUpdateTime)
|
|
respData["modify_index"] = group.ModifyIndex
|
|
|
|
memberGroupIDs, err := i.memberGroupIDsByID(group.ID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
respData["member_group_ids"] = memberGroupIDs
|
|
|
|
return &logical.Response{
|
|
Data: respData,
|
|
}, nil
|
|
}
|
|
|
|
func (i *IdentityStore) pathGroupIDDelete(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
groupID := d.Get("id").(string)
|
|
if groupID == "" {
|
|
return logical.ErrorResponse("empty group ID"), nil
|
|
}
|
|
return nil, i.deleteGroupByID(groupID)
|
|
}
|
|
|
|
// pathGroupIDList lists the IDs of all the groups in the identity store
|
|
func (i *IdentityStore) pathGroupIDList(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
ws := memdb.NewWatchSet()
|
|
iter, err := i.memDBGroupIterator(ws)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to fetch iterator for group in memdb: %v", err)
|
|
}
|
|
|
|
var groupIDs []string
|
|
for {
|
|
raw := iter.Next()
|
|
if raw == nil {
|
|
break
|
|
}
|
|
groupIDs = append(groupIDs, raw.(*identity.Group).ID)
|
|
}
|
|
|
|
return logical.ListResponse(groupIDs), nil
|
|
}
|
|
|
|
var groupHelp = map[string][2]string{
|
|
"register": {
|
|
"Create a new group.",
|
|
"",
|
|
},
|
|
"group-by-id": {
|
|
"Update or delete an existing group using its ID.",
|
|
"",
|
|
},
|
|
"group-id-list": {
|
|
"List all the group IDs.",
|
|
"",
|
|
},
|
|
}
|