package pachyderm
import (
"context"
"errors"
"fmt"
"time"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
pclient "github.com/pachyderm/pachyderm/src/client"
"github.com/pachyderm/pachyderm/src/client/auth"
)
// loginPath returns the framework.Path that serves "login/<username>".
//
// The route pattern is a modified framework.GenericNameRegex: the captured
// username must contain exactly one colon, with word characters or hyphens on
// either side (for example "github:alice" — constructed). Two string fields
// are declared, "username" (from the path) and "ttl" (optional, in the body),
// and only UpdateOperation is wired, to pathAuthLogin.
func (b *backend) loginPath() *framework.Path {
	fields := map[string]*framework.FieldSchema{
		"username": {Type: framework.TypeString},
		"ttl":      {Type: framework.TypeString},
	}
	callbacks := map[logical.Operation]framework.OperationFunc{
		logical.UpdateOperation: b.pathAuthLogin,
	}
	return &framework.Path{
		// Modified framework.GenericNameRegex that requires a single colon.
		Pattern:   "login/(?P<username>\\w[\\w-]*:[\\w-]*\\w)",
		Fields:    fields,
		Callbacks: callbacks,
	}
}
// pathAuthLogin handles UpdateOperation on "login/<username>": it mints a
// Pachyderm auth token for the username in the path, using the admin token
// and pachd address stored in the plugin config, and returns it both as
// response data and as a leased, renewable Vault secret.
//
// Flow:
//   - "username" is read from the field data; a field error becomes an error
//     response (nil Go error).
//   - "ttl" is optional; when present it must be a string, otherwise an error
//     response is returned.
//   - The stored config must carry admin_token, pachd_address and ttl; any
//     missing value is a hard error.
//   - The effective TTL is the request's ttl if given, else config.TTL, passed
//     through SanitizeTTLStr together with the mount's max lease TTL
//     (NOTE(review): presumably this caps the requested TTL at the mount
//     maximum — confirm in the framework backend).
//   - generateUserCredentials performs the pachd call as the admin user.
//
// Security note: this handler does not itself check that the Vault caller is
// entitled to act as <username>; the only gate is whichever Vault policy
// restricts the login/<username> path, so that policy must be written
// per-user (NOTE(review): confirm this is the intended control).
//
// The named results are read by the deferred debug log so that every return
// path, including error responses, records its outcome.
func (b *backend) pathAuthLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (resp *logical.Response, retErr error) {
	b.Logger().Debug(fmt.Sprintf("(%s) %s received at %s", req.ID, req.Operation, req.Path))
	defer func() {
		succeeded := retErr == nil && !resp.IsError()
		b.Logger().Debug(fmt.Sprintf("(%s) %s finished at %s (success=%t)", req.ID, req.Operation, req.Path, succeeded))
	}()

	username, errResp := getStringField(d, "username")
	if errResp != nil {
		return errResp, nil
	}

	// The request's "ttl" is optional; an absent or empty value means
	// "use the configured default" further down.
	var ttlArg string
	rawTTL, hasTTL, err := d.GetOkErr("ttl")
	switch {
	case err != nil:
		return logical.ErrorResponse(fmt.Sprintf("%v: could not extract 'ttl' from request", err)), nil
	case hasTTL:
		asString, isString := rawTTL.(string)
		if !isString {
			return logical.ErrorResponse(fmt.Sprintf("invalid type for param 'ttl' (expected string but got %T)", rawTTL)), nil
		}
		ttlArg = asString
	}

	config, err := getConfig(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	// Without all three settings the pachd call below cannot be made safely;
	// fail closed rather than dial with partial config.
	switch {
	case len(config.AdminToken) == 0:
		return nil, errors.New("plugin is missing admin_token")
	case len(config.PachdAddress) == 0:
		return nil, errors.New("plugin is missing pachd_address")
	case len(config.TTL) == 0:
		return nil, errors.New("plugin is missing ttl")
	}

	// Caller-supplied ttl wins over the configured default; both go through
	// the same sanitization against the mount's max lease TTL.
	ttlStr := config.TTL
	if ttlArg != "" {
		ttlStr = ttlArg
	}
	ttl, _, err := b.SanitizeTTLStr(ttlStr, b.System().MaxLeaseTTL().String())
	if err != nil {
		return nil, err
	}

	userToken, err := generateUserCredentials(ctx, config.PachdAddress, config.AdminToken, username, ttl)
	if err != nil {
		return nil, err
	}

	// The token is handed to the caller in Data and kept in the secret's
	// InternalData (NOTE(review): presumably for the renew/revoke handlers
	// keyed on "secret_type" — confirm where it is consumed).
	secret := &logical.Secret{
		InternalData: map[string]interface{}{
			"user_token":  userToken,
			"secret_type": "pachyderm_tokens",
		},
		LeaseOptions: logical.LeaseOptions{
			TTL:       ttl,
			Renewable: true,
		},
	}
	data := map[string]interface{}{
		"user_token":    userToken,
		"pachd_address": config.PachdAddress,
	}
	return &logical.Response{Secret: secret, Data: data}, nil
}
// generateUserCredentials mints a new Pachyderm auth token for username (the
// user currently requesting a Pachyderm token from Vault) by calling pachd's
// GetAuthToken as the plugin's admin user.
//
// A throw-away client is dialed to pachdAddress for this single RPC and
// closed before returning; it is bound to ctx and authenticated with
// adminToken. ttl is sent to pachd as whole seconds, so sub-second durations
// truncate to 0 (NOTE(review): confirm how pachd treats TTL=0 — a
// non-expiring token here would be a surprise worth guarding against).
//
// Returns the token string from pachd, or the dial/RPC error unchanged.
func generateUserCredentials(ctx context.Context, pachdAddress string, adminToken string, username string, ttl time.Duration) (string, error) {
	pc, err := pclient.NewFromAddress(pachdAddress)
	if err != nil {
		return "", err
	}
	// Close the connection this function opened, whatever happens below.
	defer pc.Close()

	asAdmin := pc.WithCtx(ctx)
	asAdmin.SetAuthToken(adminToken)

	tokenReq := &auth.GetAuthTokenRequest{
		Subject: username,
		TTL:     int64(ttl.Seconds()),
	}
	tokenResp, err := asAdmin.AuthAPIClient.GetAuthToken(asAdmin.Ctx(), tokenReq)
	if err != nil {
		return "", err
	}
	return tokenResp.Token, nil
}