open-vault/vendor/github.com/hashicorp/vault-plugin-auth-oci/backend.go
2019-09-04 16:46:00 -07:00

96 lines
2.6 KiB
Go

// Copyright © 2019, Oracle and/or its affiliates.
package ociauth
import (
"context"
"fmt"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
"github.com/oracle/oci-go-sdk/common/auth"
"sync"
)
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
b, err := Backend()
if err != nil {
return nil, err
}
if err := b.Setup(ctx, conf); err != nil {
return nil, err
}
return b, nil
}
type backend struct {
*framework.Backend
// Lock to make changes to authClient entries
authClientMutex sync.RWMutex
// The client used to authenticate with OCI Identity
authenticationClient *AuthenticationClient
}
func Backend() (*backend, error) {
b := &backend{}
b.Backend = &framework.Backend{
Help: backendHelp,
PathsSpecial: &logical.Paths{
Unauthenticated: []string{
"login/*",
},
},
Paths: []*framework.Path{
pathLogin(b),
pathRole(b),
pathListRoles(b),
pathConfig(b),
},
BackendType: logical.TypeCredential,
}
return b, nil
}
// createAuthClient creates an authentication client if one was not already created and stores in the backend.
func (b *backend) createAuthClient() error {
b.authClientMutex.Lock()
defer b.authClientMutex.Unlock()
if b.authenticationClient != nil {
return nil
}
// Create the instance principal provider
ip, err := auth.InstancePrincipalConfigurationProvider()
if err != nil {
b.Logger().Debug("Unable to create InstancePrincipalConfigurationProvider", "err", err)
return fmt.Errorf("unable to create InstancePrincipalConfigurationProvider")
}
// Create the authentication client
authenticationClient, err := NewAuthenticationClientWithConfigurationProvider(ip)
if err != nil {
b.Logger().Debug("Unable to create authenticationClient", "err", err)
return fmt.Errorf("unable to create authenticationClient")
}
b.authenticationClient = &authenticationClient
return nil
}
const backendHelp = `
The OCI Auth plugin enables authentication and authorization using OCI Identity credentials.
The OCI Auth plugin authorizes using roles. A role is defined as a set of allowed policies for specific entities.
When an entity such as a user or instance logs in, it requests a role.
The OCI Auth plugin checks whether the entity is allowed to use the role and which policies are associated with that role.
It then assigns the given policies to the request.
The goal of roles is to restrict access to only the subset of secrets that are required,
even if the entity has access to many more secrets. This conforms to the least-privilege security model.
`