77e7379ab5
In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
317 lines
8 KiB
Go
317 lines
8 KiB
Go
package vault
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/vault/helper/uuid"
|
|
"github.com/hashicorp/vault/logical"
|
|
)
|
|
|
|
const (
|
|
// coreAuthConfigPath is used to store the auth configuration.
|
|
// Auth configuration is protected within the Vault itself, which means it
|
|
// can only be viewed or modified after an unseal.
|
|
coreAuthConfigPath = "core/auth"
|
|
|
|
// credentialBarrierPrefix is the prefix to the UUID used in the
|
|
// barrier view for the credential backends.
|
|
credentialBarrierPrefix = "auth/"
|
|
|
|
// credentialRoutePrefix is the mount prefix used for the router
|
|
credentialRoutePrefix = "auth/"
|
|
)
|
|
|
|
var (
|
|
// errLoadAuthFailed if loadCreddentials encounters an error
|
|
errLoadAuthFailed = errors.New("failed to setup auth table")
|
|
)
|
|
|
|
// enableCredential is used to enable a new credential backend
|
|
func (c *Core) enableCredential(entry *MountEntry) error {
|
|
c.auth.Lock()
|
|
defer c.auth.Unlock()
|
|
|
|
// Ensure we end the path in a slash
|
|
if !strings.HasSuffix(entry.Path, "/") {
|
|
entry.Path += "/"
|
|
}
|
|
|
|
// Ensure there is a name
|
|
if entry.Path == "/" {
|
|
return fmt.Errorf("backend path must be specified")
|
|
}
|
|
|
|
// Look for matching name
|
|
for _, ent := range c.auth.Entries {
|
|
switch {
|
|
// Existing is oauth/github/ new is oauth/ or
|
|
// existing is oauth/ and new is oauth/github/
|
|
case strings.HasPrefix(ent.Path, entry.Path):
|
|
fallthrough
|
|
case strings.HasPrefix(entry.Path, ent.Path):
|
|
return logical.CodedError(409, "path is already in use")
|
|
}
|
|
}
|
|
|
|
// Ensure the token backend is a singleton
|
|
if entry.Type == "token" {
|
|
return fmt.Errorf("token credential backend cannot be instantiated")
|
|
}
|
|
|
|
// Generate a new UUID and view
|
|
entry.UUID = uuid.GenerateUUID()
|
|
view := NewBarrierView(c.barrier, credentialBarrierPrefix+entry.UUID+"/")
|
|
|
|
// Create the new backend
|
|
backend, err := c.newCredentialBackend(entry.Type, c.mountEntrySysView(entry), view, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Update the auth table
|
|
newTable := c.auth.ShallowClone()
|
|
newTable.Entries = append(newTable.Entries, entry)
|
|
if err := c.persistAuth(newTable); err != nil {
|
|
return errors.New("failed to update auth table")
|
|
}
|
|
c.auth = newTable
|
|
|
|
// Mount the backend
|
|
path := credentialRoutePrefix + entry.Path
|
|
if err := c.router.Mount(backend, path, entry, view); err != nil {
|
|
return err
|
|
}
|
|
c.logger.Printf("[INFO] core: enabled credential backend '%s' type: %s",
|
|
entry.Path, entry.Type)
|
|
return nil
|
|
}
|
|
|
|
// disableCredential is used to disable an existing credential backend
|
|
func (c *Core) disableCredential(path string) error {
|
|
c.auth.Lock()
|
|
defer c.auth.Unlock()
|
|
|
|
// Ensure we end the path in a slash
|
|
if !strings.HasSuffix(path, "/") {
|
|
path += "/"
|
|
}
|
|
|
|
// Ensure the token backend is not affected
|
|
if path == "token/" {
|
|
return fmt.Errorf("token credential backend cannot be disabled")
|
|
}
|
|
|
|
// Store the view for this backend
|
|
fullPath := credentialRoutePrefix + path
|
|
view := c.router.MatchingView(fullPath)
|
|
if view == nil {
|
|
return fmt.Errorf("no matching backend")
|
|
}
|
|
|
|
// Mark the entry as tainted
|
|
if err := c.taintCredEntry(path); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Taint the router path to prevent routing
|
|
if err := c.router.Taint(fullPath); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Revoke credentials from this path
|
|
if err := c.expiration.RevokePrefix(fullPath); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Unmount the backend
|
|
if err := c.router.Unmount(fullPath); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Clear the data in the view
|
|
if view != nil {
|
|
if err := ClearView(view); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Remove the mount table entry
|
|
if err := c.removeCredEntry(path); err != nil {
|
|
return err
|
|
}
|
|
c.logger.Printf("[INFO] core: disabled credential backend '%s'", path)
|
|
return nil
|
|
}
|
|
|
|
// removeCredEntry is used to remove an entry in the auth table
|
|
func (c *Core) removeCredEntry(path string) error {
|
|
// Taint the entry from the auth table
|
|
newTable := c.auth.ShallowClone()
|
|
newTable.Remove(path)
|
|
|
|
// Update the auth table
|
|
if err := c.persistAuth(newTable); err != nil {
|
|
return errors.New("failed to update auth table")
|
|
}
|
|
c.auth = newTable
|
|
return nil
|
|
}
|
|
|
|
// taintCredEntry is used to mark an entry in the auth table as tainted
|
|
func (c *Core) taintCredEntry(path string) error {
|
|
// Taint the entry from the auth table
|
|
newTable := c.auth.ShallowClone()
|
|
found := newTable.SetTaint(path, true)
|
|
|
|
// Ensure there was a match
|
|
if !found {
|
|
return fmt.Errorf("no matching backend")
|
|
}
|
|
|
|
// Update the auth table
|
|
if err := c.persistAuth(newTable); err != nil {
|
|
return errors.New("failed to update auth table")
|
|
}
|
|
c.auth = newTable
|
|
return nil
|
|
}
|
|
|
|
// loadCredentials is invoked as part of postUnseal to load the auth table
|
|
func (c *Core) loadCredentials() error {
|
|
// Load the existing mount table
|
|
raw, err := c.barrier.Get(coreAuthConfigPath)
|
|
if err != nil {
|
|
c.logger.Printf("[ERR] core: failed to read auth table: %v", err)
|
|
return errLoadAuthFailed
|
|
}
|
|
if raw != nil {
|
|
c.auth = &MountTable{}
|
|
if err := json.Unmarshal(raw.Value, c.auth); err != nil {
|
|
c.logger.Printf("[ERR] core: failed to decode auth table: %v", err)
|
|
return errLoadAuthFailed
|
|
}
|
|
}
|
|
|
|
// Done if we have restored the auth table
|
|
if c.auth != nil {
|
|
return nil
|
|
}
|
|
|
|
// Create and persist the default auth table
|
|
c.auth = defaultAuthTable()
|
|
if err := c.persistAuth(c.auth); err != nil {
|
|
return errLoadAuthFailed
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// persistAuth is used to persist the auth table after modification
|
|
func (c *Core) persistAuth(table *MountTable) error {
|
|
// Marshal the table
|
|
raw, err := json.Marshal(table)
|
|
if err != nil {
|
|
c.logger.Printf("[ERR] core: failed to encode auth table: %v", err)
|
|
return err
|
|
}
|
|
|
|
// Create an entry
|
|
entry := &Entry{
|
|
Key: coreAuthConfigPath,
|
|
Value: raw,
|
|
}
|
|
|
|
// Write to the physical backend
|
|
if err := c.barrier.Put(entry); err != nil {
|
|
c.logger.Printf("[ERR] core: failed to persist auth table: %v", err)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// setupCredentials is invoked after we've loaded the auth table to
|
|
// initialize the credential backends and setup the router
|
|
func (c *Core) setupCredentials() error {
|
|
var backend logical.Backend
|
|
var view *BarrierView
|
|
var err error
|
|
for _, entry := range c.auth.Entries {
|
|
// Create a barrier view using the UUID
|
|
view = NewBarrierView(c.barrier, credentialBarrierPrefix+entry.UUID+"/")
|
|
|
|
// Initialize the backend
|
|
backend, err = c.newCredentialBackend(entry.Type, c.mountEntrySysView(entry), view, nil)
|
|
if err != nil {
|
|
c.logger.Printf(
|
|
"[ERR] core: failed to create credential entry %#v: %v",
|
|
entry, err)
|
|
return errLoadAuthFailed
|
|
}
|
|
|
|
// Mount the backend
|
|
path := credentialRoutePrefix + entry.Path
|
|
err = c.router.Mount(backend, path, entry, view)
|
|
if err != nil {
|
|
c.logger.Printf("[ERR] core: failed to mount auth entry %#v: %v", entry, err)
|
|
return errLoadAuthFailed
|
|
}
|
|
|
|
// Ensure the path is tainted if set in the mount table
|
|
if entry.Tainted {
|
|
c.router.Taint(path)
|
|
}
|
|
|
|
// Check if this is the token store
|
|
if entry.Type == "token" {
|
|
c.tokenStore = backend.(*TokenStore)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// teardownCredentials is used before we seal the vault to reset the credential
|
|
// backends to their unloaded state. This is reversed by loadCredentials.
|
|
func (c *Core) teardownCredentials() error {
|
|
c.auth = nil
|
|
c.tokenStore = nil
|
|
return nil
|
|
}
|
|
|
|
// newCredentialBackend is used to create and configure a new credential backend by name
|
|
func (c *Core) newCredentialBackend(
|
|
t string, sysView logical.SystemView, view logical.Storage, conf map[string]string) (logical.Backend, error) {
|
|
f, ok := c.credentialBackends[t]
|
|
if !ok {
|
|
return nil, fmt.Errorf("unknown backend type: %s", t)
|
|
}
|
|
|
|
config := &logical.BackendConfig{
|
|
StorageView: view,
|
|
Logger: c.logger,
|
|
Config: conf,
|
|
System: sysView,
|
|
}
|
|
|
|
b, err := f(config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return b, nil
|
|
}
|
|
|
|
// defaultAuthTable creates a default auth table
|
|
func defaultAuthTable() *MountTable {
|
|
table := &MountTable{}
|
|
tokenAuth := &MountEntry{
|
|
Path: "token/",
|
|
Type: "token",
|
|
Description: "token based credentials",
|
|
UUID: uuid.GenerateUUID(),
|
|
}
|
|
table.Entries = append(table.Entries, tokenAuth)
|
|
return table
|
|
}
|