open-vault/vault/dynamic_system_view.go
2017-03-15 17:14:48 -07:00

117 lines
2.8 KiB
Go

package vault
import (
"time"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/logical"
)
type dynamicSystemView struct {
core *Core
mountEntry *MountEntry
}
func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
def, _ := d.fetchTTLs()
return def
}
func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
_, max := d.fetchTTLs()
return max
}
func (d dynamicSystemView) SudoPrivilege(path string, token string) bool {
// Resolve the token policy
te, err := d.core.tokenStore.Lookup(token)
if err != nil {
d.core.logger.Error("core: failed to lookup token", "error", err)
return false
}
// Ensure the token is valid
if te == nil {
d.core.logger.Error("entry not found for given token")
return false
}
// Construct the corresponding ACL object
acl, err := d.core.policyStore.ACL(te.Policies...)
if err != nil {
d.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
return false
}
// The operation type isn't important here as this is run from a path the
// user has already been given access to; we only care about whether they
// have sudo
req := new(logical.Request)
req.Operation = logical.ReadOperation
req.Path = path
_, rootPrivs := acl.AllowOperation(req)
return rootPrivs
}
// TTLsByPath returns the default and max TTLs corresponding to a particular
// mount point, or the system default
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
def = d.core.defaultLeaseTTL
max = d.core.maxLeaseTTL
if d.mountEntry.Config.DefaultLeaseTTL != 0 {
def = d.mountEntry.Config.DefaultLeaseTTL
}
if d.mountEntry.Config.MaxLeaseTTL != 0 {
max = d.mountEntry.Config.MaxLeaseTTL
}
return
}
// Tainted indicates that the mount is in the process of being removed
func (d dynamicSystemView) Tainted() bool {
return d.mountEntry.Tainted
}
// CachingDisabled indicates whether to use caching behavior
func (d dynamicSystemView) CachingDisabled() bool {
return d.core.cachingDisabled
}
// Checks if this is a primary Vault instance.
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
var state consts.ReplicationState
d.core.clusterParamsLock.RLock()
state = d.core.replicationState
d.core.clusterParamsLock.RUnlock()
return state
}
// ResponseWrapData wraps the given data in a cubbyhole and returns the
// token used to unwrap.
func (d dynamicSystemView) ResponseWrapData(data map[string]interface{}, ttl time.Duration, jwt bool) (string, error) {
req := &logical.Request{
Operation: logical.CreateOperation,
Path: "sys/init",
}
resp := &logical.Response{
WrapInfo: &logical.ResponseWrapInfo{
TTL: ttl,
},
Data: data,
}
if jwt {
resp.WrapInfo.Format = "jwt"
}
_, err := d.core.wrapInCubbyhole(req, resp)
if err != nil {
return "", err
}
return resp.WrapInfo.Token, nil
}