-
Notifications
You must be signed in to change notification settings - Fork 290
/
Copy pathusernamepassword_credential.go
123 lines (110 loc) · 3.98 KB
/
usernamepassword_credential.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package static
import (
"context"
"github.com/hashicorp/boundary/internal/credential"
"github.com/hashicorp/boundary/internal/credential/static/store"
"github.com/hashicorp/boundary/internal/errors"
"github.com/hashicorp/boundary/internal/libs/crypto"
"github.com/hashicorp/boundary/internal/oplog"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-kms-wrapping/v2/extras/structwrapping"
"google.golang.org/protobuf/proto"
)
var _ credential.Static = (*UsernamePasswordCredential)(nil)
// A UsernamePasswordCredential contains the credential with a username and password.
// It is owned by a credential store.
type UsernamePasswordCredential struct {
*store.UsernamePasswordCredential
tableName string `gorm:"-"`
}
// NewUsernamePasswordCredential creates a new in memory static Credential containing a
// username and password that is assigned to storeId. Name and description are the only
// valid options. All other options are ignored.
func NewUsernamePasswordCredential(
storeId string,
username string,
password credential.Password,
opt ...Option,
) (*UsernamePasswordCredential, error) {
opts := getOpts(opt...)
l := &UsernamePasswordCredential{
UsernamePasswordCredential: &store.UsernamePasswordCredential{
StoreId: storeId,
Name: opts.withName,
Description: opts.withDescription,
Username: username,
Password: []byte(password),
},
}
return l, nil
}
func allocUsernamePasswordCredential() *UsernamePasswordCredential {
return &UsernamePasswordCredential{
UsernamePasswordCredential: &store.UsernamePasswordCredential{},
}
}
func (c *UsernamePasswordCredential) clone() *UsernamePasswordCredential {
cp := proto.Clone(c.UsernamePasswordCredential)
return &UsernamePasswordCredential{
UsernamePasswordCredential: cp.(*store.UsernamePasswordCredential),
}
}
// TableName returns the table name.
func (c *UsernamePasswordCredential) TableName() string {
if c.tableName != "" {
return c.tableName
}
return "credential_static_username_password_credential"
}
// SetTableName sets the table name.
func (c *UsernamePasswordCredential) SetTableName(n string) {
c.tableName = n
}
func (c *UsernamePasswordCredential) oplog(op oplog.OpType) oplog.Metadata {
metadata := oplog.Metadata{
"resource-public-id": []string{c.PublicId},
"resource-type": []string{"credential-static-username-password"},
"op-type": []string{op.String()},
}
if c.StoreId != "" {
metadata["store-id"] = []string{c.StoreId}
}
return metadata
}
func (c *UsernamePasswordCredential) encrypt(ctx context.Context, cipher wrapping.Wrapper) error {
const op = "static.(UsernamePasswordCredential).encrypt"
if len(c.Password) == 0 {
return errors.New(ctx, errors.InvalidParameter, op, "no password defined")
}
if err := structwrapping.WrapStruct(ctx, cipher, c.UsernamePasswordCredential, nil); err != nil {
return errors.Wrap(ctx, err, op, errors.WithCode(errors.Encrypt))
}
keyId, err := cipher.KeyId(ctx)
if err != nil {
return errors.Wrap(ctx, err, op, errors.WithCode(errors.Encrypt), errors.WithMsg("error reading cipher key id"))
}
c.KeyId = keyId
if err := c.hmacPassword(ctx, cipher); err != nil {
return errors.Wrap(ctx, err, op)
}
return nil
}
func (c *UsernamePasswordCredential) decrypt(ctx context.Context, cipher wrapping.Wrapper) error {
const op = "static.(UsernamePasswordCredential).decrypt"
if err := structwrapping.UnwrapStruct(ctx, cipher, c.UsernamePasswordCredential, nil); err != nil {
return errors.Wrap(ctx, err, op, errors.WithCode(errors.Decrypt))
}
return nil
}
func (c *UsernamePasswordCredential) hmacPassword(ctx context.Context, cipher wrapping.Wrapper) error {
const op = "static.(UsernamePasswordCredential).hmacPassword"
if cipher == nil {
return errors.New(ctx, errors.InvalidParameter, op, "missing cipher")
}
hm, err := crypto.HmacSha256(ctx, c.Password, cipher, []byte(c.StoreId), nil, crypto.WithEd25519())
if err != nil {
return errors.Wrap(ctx, err, op)
}
c.PasswordHmac = []byte(hm)
return nil
}