open-vault/helper/mfa/path_mfa_config.go

package mfa

import (
	"context"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/logical"
)

func pathMFAConfig(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: `mfa_config`,
		Fields: map[string]*framework.FieldSchema{
			"type": {
				Type:        framework.TypeString,
				Description: "Enables MFA with given backend (available: duo)",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathMFAConfigWrite,
			logical.ReadOperation:   b.pathMFAConfigRead,
		},

		HelpSynopsis:    pathMFAConfigHelpSyn,
		HelpDescription: pathMFAConfigHelpDesc,
	}
}

func (b *backend) MFAConfig(ctx context.Context, req *logical.Request) (*MFAConfig, error) {
	entry, err := req.Storage.Get(ctx, "mfa_config")
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}
	var result MFAConfig
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}
	return &result, nil
}

func (b *backend) pathMFAConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	entry, err := logical.StorageEntryJSON("mfa_config", MFAConfig{
		Type: d.Get("type").(string),
	})
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

func (b *backend) pathMFAConfigRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	config, err := b.MFAConfig(ctx, req)
	if err != nil {
		return nil, err
	}
	if config == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"type": config.Type,
		},
	}, nil
}

type MFAConfig struct {
	Type string `json:"type"`
}

const pathMFAConfigHelpSyn = `
Configure multi factor backend. 
`

const pathMFAConfigHelpDesc = `
This endpoint allows you to turn on multi-factor authentication with a given backend.
Currently only Duo is supported.
`