b52950f884
* Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
359 lines
10 KiB
Go
359 lines
10 KiB
Go
package vault
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/hashicorp/errwrap"
|
|
"github.com/hashicorp/vault/helper/identity"
|
|
"github.com/hashicorp/vault/helper/namespace"
|
|
"github.com/hashicorp/vault/sdk/helper/consts"
|
|
"github.com/hashicorp/vault/sdk/helper/license"
|
|
"github.com/hashicorp/vault/sdk/helper/pluginutil"
|
|
"github.com/hashicorp/vault/sdk/helper/random"
|
|
"github.com/hashicorp/vault/sdk/helper/wrapping"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
"github.com/hashicorp/vault/sdk/version"
|
|
)
|
|
|
|
type ctxKeyForwardedRequestMountAccessor struct{}
|
|
|
|
func (c ctxKeyForwardedRequestMountAccessor) String() string {
|
|
return "forwarded-req-mount-accessor"
|
|
}
|
|
|
|
type dynamicSystemView struct {
|
|
core *Core
|
|
mountEntry *MountEntry
|
|
}
|
|
|
|
type extendedSystemView interface {
|
|
logical.SystemView
|
|
logical.ExtendedSystemView
|
|
// SudoPrivilege won't work over the plugin system so we keep it here
|
|
// instead of in sdk/logical to avoid exposing to plugins
|
|
SudoPrivilege(context.Context, string, string) bool
|
|
}
|
|
|
|
type extendedSystemViewImpl struct {
|
|
dynamicSystemView
|
|
}
|
|
|
|
func (e extendedSystemViewImpl) Auditor() logical.Auditor {
|
|
return genericAuditor{
|
|
mountType: e.mountEntry.Type,
|
|
namespace: e.mountEntry.Namespace(),
|
|
c: e.core,
|
|
}
|
|
}
|
|
|
|
func (e extendedSystemViewImpl) ForwardGenericRequest(ctx context.Context, req *logical.Request) (*logical.Response, error) {
|
|
// Forward the request if allowed
|
|
if couldForward(e.core) {
|
|
ctx = namespace.ContextWithNamespace(ctx, e.mountEntry.Namespace())
|
|
ctx = context.WithValue(ctx, ctxKeyForwardedRequestMountAccessor{}, e.mountEntry.Accessor)
|
|
return forward(ctx, e.core, req)
|
|
}
|
|
|
|
return nil, logical.ErrReadOnly
|
|
}
|
|
|
|
// SudoPrivilege returns true if given path has sudo privileges
|
|
// for the given client token
|
|
func (e extendedSystemViewImpl) SudoPrivilege(ctx context.Context, path string, token string) bool {
|
|
// Resolve the token policy
|
|
te, err := e.core.tokenStore.Lookup(ctx, token)
|
|
if err != nil {
|
|
e.core.logger.Error("failed to lookup token", "error", err)
|
|
return false
|
|
}
|
|
|
|
// Ensure the token is valid
|
|
if te == nil {
|
|
e.core.logger.Error("entry not found for given token")
|
|
return false
|
|
}
|
|
|
|
policies := make(map[string][]string)
|
|
// Add token policies
|
|
policies[te.NamespaceID] = append(policies[te.NamespaceID], te.Policies...)
|
|
|
|
tokenNS, err := NamespaceByID(ctx, te.NamespaceID, e.core)
|
|
if err != nil {
|
|
e.core.logger.Error("failed to lookup token namespace", "error", err)
|
|
return false
|
|
}
|
|
if tokenNS == nil {
|
|
e.core.logger.Error("failed to lookup token namespace", "error", namespace.ErrNoNamespace)
|
|
return false
|
|
}
|
|
|
|
// Add identity policies from all the namespaces
|
|
entity, identityPolicies, err := e.core.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID)
|
|
if err != nil {
|
|
e.core.logger.Error("failed to fetch identity policies", "error", err)
|
|
return false
|
|
}
|
|
for nsID, nsPolicies := range identityPolicies {
|
|
policies[nsID] = append(policies[nsID], nsPolicies...)
|
|
}
|
|
|
|
tokenCtx := namespace.ContextWithNamespace(ctx, tokenNS)
|
|
|
|
// Construct the corresponding ACL object. Derive and use a new context that
|
|
// uses the req.ClientToken's namespace
|
|
acl, err := e.core.policyStore.ACL(tokenCtx, entity, policies)
|
|
if err != nil {
|
|
e.core.logger.Error("failed to retrieve ACL for token's policies", "token_policies", te.Policies, "error", err)
|
|
return false
|
|
}
|
|
|
|
// The operation type isn't important here as this is run from a path the
|
|
// user has already been given access to; we only care about whether they
|
|
// have sudo. Note that we use root context because the path that comes in
|
|
// must be fully-qualified already so we don't want AllowOperation to
|
|
// prepend a namespace prefix onto it.
|
|
req := new(logical.Request)
|
|
req.Operation = logical.ReadOperation
|
|
req.Path = path
|
|
authResults := acl.AllowOperation(namespace.RootContext(ctx), req, true)
|
|
return authResults.RootPrivs
|
|
}
|
|
|
|
func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
|
|
def, _ := d.fetchTTLs()
|
|
return def
|
|
}
|
|
|
|
func (d dynamicSystemView) MaxLeaseTTL() time.Duration {
|
|
_, max := d.fetchTTLs()
|
|
return max
|
|
}
|
|
|
|
// TTLsByPath returns the default and max TTLs corresponding to a particular
|
|
// mount point, or the system default
|
|
func (d dynamicSystemView) fetchTTLs() (def, max time.Duration) {
|
|
def = d.core.defaultLeaseTTL
|
|
max = d.core.maxLeaseTTL
|
|
|
|
if d.mountEntry != nil {
|
|
if d.mountEntry.Config.DefaultLeaseTTL != 0 {
|
|
def = d.mountEntry.Config.DefaultLeaseTTL
|
|
}
|
|
if d.mountEntry.Config.MaxLeaseTTL != 0 {
|
|
max = d.mountEntry.Config.MaxLeaseTTL
|
|
}
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// Tainted indicates that the mount is in the process of being removed
|
|
func (d dynamicSystemView) Tainted() bool {
|
|
return d.mountEntry.Tainted
|
|
}
|
|
|
|
// CachingDisabled indicates whether to use caching behavior
|
|
func (d dynamicSystemView) CachingDisabled() bool {
|
|
return d.core.cachingDisabled || (d.mountEntry != nil && d.mountEntry.Config.ForceNoCache)
|
|
}
|
|
|
|
func (d dynamicSystemView) LocalMount() bool {
|
|
return d.mountEntry != nil && d.mountEntry.Local
|
|
}
|
|
|
|
// Checks if this is a primary Vault instance. Caller should hold the stateLock
|
|
// in read mode.
|
|
func (d dynamicSystemView) ReplicationState() consts.ReplicationState {
|
|
state := d.core.ReplicationState()
|
|
if d.core.perfStandby {
|
|
state |= consts.ReplicationPerformanceStandby
|
|
}
|
|
return state
|
|
}
|
|
|
|
func (d dynamicSystemView) HasFeature(feature license.Features) bool {
|
|
return d.core.HasFeature(feature)
|
|
}
|
|
|
|
// ResponseWrapData wraps the given data in a cubbyhole and returns the
|
|
// token used to unwrap.
|
|
func (d dynamicSystemView) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
|
|
req := &logical.Request{
|
|
Operation: logical.CreateOperation,
|
|
Path: "sys/wrapping/wrap",
|
|
}
|
|
|
|
resp := &logical.Response{
|
|
WrapInfo: &wrapping.ResponseWrapInfo{
|
|
TTL: ttl,
|
|
},
|
|
Data: data,
|
|
}
|
|
|
|
if jwt {
|
|
resp.WrapInfo.Format = "jwt"
|
|
}
|
|
|
|
_, err := d.core.wrapInCubbyhole(ctx, req, resp, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return resp.WrapInfo, nil
|
|
}
|
|
|
|
// LookupPlugin looks for a plugin with the given name in the plugin catalog. It
|
|
// returns a PluginRunner or an error if no plugin was found.
|
|
func (d dynamicSystemView) LookupPlugin(ctx context.Context, name string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error) {
|
|
if d.core == nil {
|
|
return nil, fmt.Errorf("system view core is nil")
|
|
}
|
|
if d.core.pluginCatalog == nil {
|
|
return nil, fmt.Errorf("system view core plugin catalog is nil")
|
|
}
|
|
r, err := d.core.pluginCatalog.Get(ctx, name, pluginType)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if r == nil {
|
|
return nil, errwrap.Wrapf(fmt.Sprintf("{{err}}: %s", name), ErrPluginNotFound)
|
|
}
|
|
|
|
return r, nil
|
|
}
|
|
|
|
// MlockEnabled returns the configuration setting for enabling mlock on plugins.
|
|
func (d dynamicSystemView) MlockEnabled() bool {
|
|
return d.core.enableMlock
|
|
}
|
|
|
|
func (d dynamicSystemView) EntityInfo(entityID string) (*logical.Entity, error) {
|
|
// Requests from token created from the token backend will not have entity information.
|
|
// Return missing entity instead of error when requesting from MemDB.
|
|
if entityID == "" {
|
|
return nil, nil
|
|
}
|
|
|
|
if d.core == nil {
|
|
return nil, fmt.Errorf("system view core is nil")
|
|
}
|
|
if d.core.identityStore == nil {
|
|
return nil, fmt.Errorf("system view identity store is nil")
|
|
}
|
|
|
|
// Retrieve the entity from MemDB
|
|
entity, err := d.core.identityStore.MemDBEntityByID(entityID, false)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if entity == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
// Return a subset of the data
|
|
ret := &logical.Entity{
|
|
ID: entity.ID,
|
|
Name: entity.Name,
|
|
Disabled: entity.Disabled,
|
|
}
|
|
|
|
if entity.Metadata != nil {
|
|
ret.Metadata = make(map[string]string, len(entity.Metadata))
|
|
for k, v := range entity.Metadata {
|
|
ret.Metadata[k] = v
|
|
}
|
|
}
|
|
|
|
aliases := make([]*logical.Alias, 0, len(entity.Aliases))
|
|
for _, a := range entity.Aliases {
|
|
|
|
// Don't return aliases from other namespaces
|
|
if a.NamespaceID != d.mountEntry.NamespaceID {
|
|
continue
|
|
}
|
|
|
|
alias := identity.ToSDKAlias(a)
|
|
|
|
// MountType is not stored with the entity and must be looked up
|
|
if mount := d.core.router.validateMountByAccessor(a.MountAccessor); mount != nil {
|
|
alias.MountType = mount.MountType
|
|
}
|
|
|
|
aliases = append(aliases, alias)
|
|
}
|
|
ret.Aliases = aliases
|
|
|
|
return ret, nil
|
|
}
|
|
|
|
func (d dynamicSystemView) GroupsForEntity(entityID string) ([]*logical.Group, error) {
|
|
// Requests from token created from the token backend will not have entity information.
|
|
// Return missing entity instead of error when requesting from MemDB.
|
|
if entityID == "" {
|
|
return nil, nil
|
|
}
|
|
|
|
if d.core == nil {
|
|
return nil, fmt.Errorf("system view core is nil")
|
|
}
|
|
if d.core.identityStore == nil {
|
|
return nil, fmt.Errorf("system view identity store is nil")
|
|
}
|
|
|
|
groups, inheritedGroups, err := d.core.identityStore.groupsByEntityID(entityID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
groups = append(groups, inheritedGroups...)
|
|
|
|
logicalGroups := make([]*logical.Group, 0, len(groups))
|
|
for _, g := range groups {
|
|
// Don't return groups from other namespaces
|
|
if g.NamespaceID != d.mountEntry.NamespaceID {
|
|
continue
|
|
}
|
|
|
|
logicalGroups = append(logicalGroups, identity.ToSDKGroup(g))
|
|
}
|
|
|
|
return logicalGroups, nil
|
|
}
|
|
|
|
func (d dynamicSystemView) PluginEnv(_ context.Context) (*logical.PluginEnvironment, error) {
|
|
return &logical.PluginEnvironment{
|
|
VaultVersion: version.GetVersion().Version,
|
|
}, nil
|
|
}
|
|
|
|
func (d dynamicSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) {
|
|
if policyName == "" {
|
|
return "", fmt.Errorf("missing password policy name")
|
|
}
|
|
|
|
// Ensure there's a timeout on the context of some sort
|
|
if _, hasTimeout := ctx.Deadline(); !hasTimeout {
|
|
var cancel func()
|
|
ctx, cancel = context.WithTimeout(context.Background(), 1*time.Second)
|
|
defer cancel()
|
|
}
|
|
|
|
policyCfg, err := retrievePasswordPolicy(ctx, d.core.systemBarrierView, policyName)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to retrieve password policy: %w", err)
|
|
}
|
|
|
|
if policyCfg == nil {
|
|
return "", fmt.Errorf("no password policy found")
|
|
}
|
|
|
|
passPolicy, err := random.ParsePolicy(policyCfg.HCLPolicy)
|
|
if err != nil {
|
|
return "", fmt.Errorf("stored password policy is invalid: %w", err)
|
|
}
|
|
|
|
return passPolicy.Generate(ctx, nil)
|
|
}
|