bb54e9c131
* Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
236 lines
6.3 KiB
Go
236 lines
6.3 KiB
Go
package vault
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/vault/helper/jsonutil"
|
|
"github.com/hashicorp/vault/helper/parseutil"
|
|
"github.com/hashicorp/vault/logical"
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
)
|
|
|
|
// PassthroughBackendFactory returns a PassthroughBackend
|
|
// with leases switched off
|
|
func PassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error) {
|
|
return LeaseSwitchedPassthroughBackend(conf, false)
|
|
}
|
|
|
|
// LeasedPassthroughBackendFactory returns a PassthroughBackend
|
|
// with leases switched on
|
|
func LeasedPassthroughBackendFactory(conf *logical.BackendConfig) (logical.Backend, error) {
|
|
return LeaseSwitchedPassthroughBackend(conf, true)
|
|
}
|
|
|
|
// LeaseSwitchedPassthroughBackend returns a PassthroughBackend
|
|
// with leases switched on or off
|
|
func LeaseSwitchedPassthroughBackend(conf *logical.BackendConfig, leases bool) (logical.Backend, error) {
|
|
var b PassthroughBackend
|
|
b.generateLeases = leases
|
|
b.Backend = &framework.Backend{
|
|
Help: strings.TrimSpace(passthroughHelp),
|
|
|
|
Paths: []*framework.Path{
|
|
&framework.Path{
|
|
Pattern: ".*",
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.ReadOperation: b.handleRead,
|
|
logical.CreateOperation: b.handleWrite,
|
|
logical.UpdateOperation: b.handleWrite,
|
|
logical.DeleteOperation: b.handleDelete,
|
|
logical.ListOperation: b.handleList,
|
|
},
|
|
|
|
ExistenceCheck: b.handleExistenceCheck,
|
|
|
|
HelpSynopsis: strings.TrimSpace(passthroughHelpSynopsis),
|
|
HelpDescription: strings.TrimSpace(passthroughHelpDescription),
|
|
},
|
|
},
|
|
}
|
|
|
|
b.Backend.Secrets = []*framework.Secret{
|
|
&framework.Secret{
|
|
Type: "generic",
|
|
|
|
Renew: b.handleRead,
|
|
Revoke: b.handleRevoke,
|
|
},
|
|
}
|
|
|
|
if conf == nil {
|
|
return nil, fmt.Errorf("Configuation passed into backend is nil")
|
|
}
|
|
b.Backend.Setup(conf)
|
|
|
|
return &b, nil
|
|
}
|
|
|
|
// PassthroughBackend is used storing secrets directly into the physical
|
|
// backend. The secrets are encrypted in the durable storage and custom TTL
|
|
// information can be specified, but otherwise this backend doesn't do anything
|
|
// fancy.
|
|
type PassthroughBackend struct {
|
|
*framework.Backend
|
|
generateLeases bool
|
|
}
|
|
|
|
func (b *PassthroughBackend) handleRevoke(
|
|
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
// This is a no-op
|
|
return nil, nil
|
|
}
|
|
|
|
func (b *PassthroughBackend) handleExistenceCheck(
|
|
req *logical.Request, data *framework.FieldData) (bool, error) {
|
|
out, err := req.Storage.Get(req.Path)
|
|
if err != nil {
|
|
return false, fmt.Errorf("existence check failed: %v", err)
|
|
}
|
|
|
|
return out != nil, nil
|
|
}
|
|
|
|
func (b *PassthroughBackend) handleRead(
|
|
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
// Read the path
|
|
out, err := req.Storage.Get(req.Path)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("read failed: %v", err)
|
|
}
|
|
|
|
// Fast-path the no data case
|
|
if out == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
// Decode the data
|
|
var rawData map[string]interface{}
|
|
|
|
if err := jsonutil.DecodeJSON(out.Value, &rawData); err != nil {
|
|
return nil, fmt.Errorf("json decoding failed: %v", err)
|
|
}
|
|
|
|
var resp *logical.Response
|
|
if b.generateLeases {
|
|
// Generate the response
|
|
resp = b.Secret("generic").Response(rawData, nil)
|
|
resp.Secret.Renewable = false
|
|
} else {
|
|
resp = &logical.Response{
|
|
Secret: &logical.Secret{},
|
|
Data: rawData,
|
|
}
|
|
}
|
|
|
|
// Check if there is a ttl key
|
|
ttlDuration := b.System().DefaultLeaseTTL()
|
|
ttlRaw, ok := rawData["ttl"]
|
|
if !ok {
|
|
ttlRaw, ok = rawData["lease"]
|
|
}
|
|
if ok {
|
|
dur, err := parseutil.ParseDurationSecond(ttlRaw)
|
|
if err == nil {
|
|
ttlDuration = dur
|
|
}
|
|
|
|
if b.generateLeases {
|
|
resp.Secret.Renewable = true
|
|
}
|
|
}
|
|
|
|
resp.Secret.TTL = ttlDuration
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func (b *PassthroughBackend) GeneratesLeases() bool {
|
|
return b.generateLeases
|
|
}
|
|
|
|
func (b *PassthroughBackend) handleWrite(
|
|
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
// Check that some fields are given
|
|
if len(req.Data) == 0 {
|
|
return logical.ErrorResponse("missing data fields"), nil
|
|
}
|
|
|
|
// JSON encode the data
|
|
buf, err := json.Marshal(req.Data)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("json encoding failed: %v", err)
|
|
}
|
|
|
|
// Write out a new key
|
|
entry := &logical.StorageEntry{
|
|
Key: req.Path,
|
|
Value: buf,
|
|
}
|
|
if err := req.Storage.Put(entry); err != nil {
|
|
return nil, fmt.Errorf("failed to write: %v", err)
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
func (b *PassthroughBackend) handleDelete(
|
|
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
// Delete the key at the request path
|
|
if err := req.Storage.Delete(req.Path); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
func (b *PassthroughBackend) handleList(
|
|
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
// Right now we only handle directories, so ensure it ends with /; however,
|
|
// some physical backends may not handle the "/" case properly, so only add
|
|
// it if we're not listing the root
|
|
path := req.Path
|
|
if path != "" && !strings.HasSuffix(path, "/") {
|
|
path = path + "/"
|
|
}
|
|
|
|
// List the keys at the prefix given by the request
|
|
keys, err := req.Storage.List(path)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Generate the response
|
|
return logical.ListResponse(keys), nil
|
|
}
|
|
|
|
const passthroughHelp = `
|
|
The generic backend reads and writes arbitrary secrets to the backend.
|
|
The secrets are encrypted/decrypted by Vault: they are never stored
|
|
unencrypted in the backend and the backend never has an opportunity to
|
|
see the unencrypted value.
|
|
|
|
TTLs can be set on a per-secret basis. These TTLs will be sent down
|
|
when that secret is read, and it is assumed that some outside process will
|
|
revoke and/or replace the secret at that path.
|
|
`
|
|
|
|
const passthroughHelpSynopsis = `
|
|
Pass-through secret storage to the storage backend, allowing you to
|
|
read/write arbitrary data into secret storage.
|
|
`
|
|
|
|
const passthroughHelpDescription = `
|
|
The pass-through backend reads and writes arbitrary data into secret storage,
|
|
encrypting it along the way.
|
|
|
|
A TTL can be specified when writing with the "ttl" field. If given, the
|
|
duration of leases returned by this backend will be set to this value. This
|
|
can be used as a hint from the writer of a secret to the consumer of a secret
|
|
that the consumer should re-read the value before the TTL has expired.
|
|
However, any revocation must be handled by the user of this backend; the lease
|
|
duration does not affect the provided data in any way.
|
|
`
|