-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathpath_roles.go
149 lines (124 loc) · 3.72 KB
/
path_roles.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
package vsphere
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/policyutil"
"github.com/hashicorp/vault/sdk/logical"
)
func pathListRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathRoleList,
},
HelpSynopsis: pathUserHelpSyn,
HelpDescription: pathUserHelpDesc,
}
}
func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "role/" + framework.GenericNameRegex("role"),
Fields: map[string]*framework.FieldSchema{
"role": {
Type: framework.TypeString,
Description: "Role associated with the virtual machine.",
},
"policies": {
Type: framework.TypeCommaStringSlice,
Description: "Comma-separated list of policies associated to the vm.",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.DeleteOperation: b.pathRoleDelete,
logical.ReadOperation: b.pathRoleRead,
logical.UpdateOperation: b.pathRoleWrite,
logical.CreateOperation: b.pathRoleWrite,
},
HelpSynopsis: pathUserHelpSyn,
HelpDescription: pathUserHelpDesc,
}
}
func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
err := req.Storage.Delete(ctx, "role/"+d.Get("role").(string))
if err != nil {
return nil, err
}
return nil, nil
}
func (b *backend) role(ctx context.Context, s logical.Storage, role string) (*RoleEntry, error) {
if role == "" {
return nil, fmt.Errorf("missing role")
}
entry, err := s.Get(ctx, "role/"+strings.ToLower(role))
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
var result RoleEntry
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
return &result, nil
}
func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
role, err := b.role(ctx, req.Storage, d.Get("role").(string))
if err != nil {
return nil, err
}
if role == nil {
return nil, nil
}
return &logical.Response{
Data: map[string]interface{}{
"policies": role.Policies,
},
}, nil
}
func (b *backend) pathRoleWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
role := strings.ToLower(d.Get("role").(string))
var policies = policyutil.ParsePolicies(d.Get("policies"))
for _, policy := range policies {
if policy == "root" {
return logical.ErrorResponse("root policy cannot be granted by an auth method"), nil
}
}
// Store it
entry, err := logical.StorageEntryJSON("role/"+d.Get("role").(string), &RoleEntry{
Role: role,
Policies: policies,
})
if err != nil {
return nil, err
}
if err := req.Storage.Put(ctx, entry); err != nil {
return nil, err
}
return nil, nil
}
func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
roles, err := req.Storage.List(ctx, "role/")
if err != nil {
return nil, err
}
return logical.ListResponse(roles), nil
}
// RoleEntry stores all the options that are set on a VM
type RoleEntry struct {
Role string
Policies []string
}
const pathUserHelpSyn = `
Manage users allowed to authenticate.
`
const pathUserHelpDesc = `
This endpoint allows you to create, read, update, and delete users
that are allowed to authenticate.
Deleting a role will not revoke auth for prior authenticated virtual machines
with that name. To do this, do a revoke on "login/<username>" for
the username you want revoked. If you don't need to revoke login immediately,
then the next renew will cause the lease to expire.
`