forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
path_identity_whitelist.go
157 lines (131 loc) · 5.67 KB
/
path_identity_whitelist.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
package awsauth
import (
"context"
"time"
"github.com/fatih/structs"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
func pathIdentityWhitelist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "identity-whitelist/" + framework.GenericNameRegex("instance_id"),
Fields: map[string]*framework.FieldSchema{
"instance_id": &framework.FieldSchema{
Type: framework.TypeString,
Description: `EC2 instance ID. A successful login operation from an EC2 instance
gets cached in this whitelist, keyed off of instance ID.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathIdentityWhitelistRead,
logical.DeleteOperation: b.pathIdentityWhitelistDelete,
},
HelpSynopsis: pathIdentityWhitelistSyn,
HelpDescription: pathIdentityWhitelistDesc,
}
}
func pathListIdentityWhitelist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "identity-whitelist/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathWhitelistIdentitiesList,
},
HelpSynopsis: pathListIdentityWhitelistHelpSyn,
HelpDescription: pathListIdentityWhitelistHelpDesc,
}
}
// pathWhitelistIdentitiesList is used to list all the instance IDs that are present
// in the identity whitelist. This will list both valid and expired entries.
func (b *backend) pathWhitelistIdentitiesList(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
identities, err := req.Storage.List(ctx, "whitelist/identity/")
if err != nil {
return nil, err
}
return logical.ListResponse(identities), nil
}
// Fetch an item from the whitelist given an instance ID.
func whitelistIdentityEntry(ctx context.Context, s logical.Storage, instanceID string) (*whitelistIdentity, error) {
entry, err := s.Get(ctx, "whitelist/identity/"+instanceID)
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
var result whitelistIdentity
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
return &result, nil
}
// Stores an instance ID and the information required to validate further login/renewal attempts from
// the same instance ID.
func setWhitelistIdentityEntry(ctx context.Context, s logical.Storage, instanceID string, identity *whitelistIdentity) error {
entry, err := logical.StorageEntryJSON("whitelist/identity/"+instanceID, identity)
if err != nil {
return err
}
if err := s.Put(ctx, entry); err != nil {
return err
}
return nil
}
// pathIdentityWhitelistDelete is used to delete an entry from the identity whitelist given an instance ID.
func (b *backend) pathIdentityWhitelistDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
instanceID := data.Get("instance_id").(string)
if instanceID == "" {
return logical.ErrorResponse("missing instance_id"), nil
}
return nil, req.Storage.Delete(ctx, "whitelist/identity/"+instanceID)
}
// pathIdentityWhitelistRead is used to view an entry in the identity whitelist given an instance ID.
func (b *backend) pathIdentityWhitelistRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
instanceID := data.Get("instance_id").(string)
if instanceID == "" {
return logical.ErrorResponse("missing instance_id"), nil
}
entry, err := whitelistIdentityEntry(ctx, req.Storage, instanceID)
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
resp := &logical.Response{
Data: structs.New(entry).Map(),
}
resp.Data["creation_time"] = entry.CreationTime.Format(time.RFC3339Nano)
resp.Data["expiration_time"] = entry.ExpirationTime.Format(time.RFC3339Nano)
resp.Data["last_updated_time"] = entry.LastUpdatedTime.Format(time.RFC3339Nano)
return resp, nil
}
// Struct to represent each item in the identity whitelist.
type whitelistIdentity struct {
Role string `json:"role" structs:"role" mapstructure:"role"`
ClientNonce string `json:"client_nonce" structs:"client_nonce" mapstructure:"client_nonce"`
CreationTime time.Time `json:"creation_time" structs:"creation_time" mapstructure:"creation_time"`
DisallowReauthentication bool `json:"disallow_reauthentication" structs:"disallow_reauthentication" mapstructure:"disallow_reauthentication"`
PendingTime string `json:"pending_time" structs:"pending_time" mapstructure:"pending_time"`
ExpirationTime time.Time `json:"expiration_time" structs:"expiration_time" mapstructure:"expiration_time"`
LastUpdatedTime time.Time `json:"last_updated_time" structs:"last_updated_time" mapstructure:"last_updated_time"`
}
const pathIdentityWhitelistSyn = `
Read or delete entries in the identity whitelist.
`
const pathIdentityWhitelistDesc = `
Each login from an EC2 instance creates/updates an entry in the identity whitelist.
Entries in this list can be viewed or deleted using this endpoint.
By default, a cron task will periodically look for expired entries in the whitelist
and deletes them. The duration to periodically run this, is one hour by default.
However, this can be configured using the 'config/tidy/identities' endpoint. This tidy
action can be triggered via the API as well, using the 'tidy/identities' endpoint.
`
const pathListIdentityWhitelistHelpSyn = `
Lists the items present in the identity whitelist.
`
const pathListIdentityWhitelistHelpDesc = `
The entries in the identity whitelist is keyed off of the EC2 instance IDs.
This endpoint lists all the entries present in the identity whitelist, both
expired and un-expired entries. Use 'tidy/identities' endpoint to clean-up
the whitelist of identities.
`