/
sentinel.go
129 lines (101 loc) · 3.21 KB
/
sentinel.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
package vault
import (
"context"
"errors"
"fmt"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/vault/api"
"log"
)
func readSentinelPolicy(client *api.Client, policyType string, name string) (map[string]interface{}, error) {
r := client.NewRequest("GET", fmt.Sprintf("/v1/sys/policies/%s/%s", policyType, name))
ctx, cancelFunc := context.WithCancel(context.Background())
defer cancelFunc()
resp, err := client.RawRequestWithContext(ctx, r)
if resp != nil {
defer resp.Body.Close()
if resp.StatusCode == 404 {
return nil, nil
}
}
if err != nil {
return nil, err
}
secret, err := api.ParseSecret(resp.Body)
if err != nil {
return nil, err
}
if secret == nil || secret.Data == nil {
return nil, errors.New("data from server response is empty")
}
return secret.Data, nil
}
func PutSentinelPolicy(client *api.Client, policyType string, name string, body map[string]interface{}) error {
r := client.NewRequest("PUT", fmt.Sprintf("/v1/sys/policies/%s/%s", policyType, name))
if err := r.SetJSONBody(body); err != nil {
return err
}
ctx, cancelFunc := context.WithCancel(context.Background())
defer cancelFunc()
resp, err := client.RawRequestWithContext(ctx, r)
if err != nil {
return err
}
defer resp.Body.Close()
return nil
}
func DeleteSentinelPolicy(client *api.Client, policyType string, name string) error {
r := client.NewRequest("DELETE", fmt.Sprintf("/v1/sys/policies/%s/%s", policyType, name))
ctx, cancelFunc := context.WithCancel(context.Background())
defer cancelFunc()
resp, err := client.RawRequestWithContext(ctx, r)
if err == nil {
defer resp.Body.Close()
}
return err
}
func ValidateSentinelEnforcementLevel(v interface{}, k string) (ws []string, errs []error) {
value := v.(string)
if value != "advisory" && value != "soft-mandatory" && value != "hard-mandatory" {
errs = append(errs, fmt.Errorf("unexpected value %s", value))
}
return
}
func sentinelPolicyDelete(policyType string, d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
name := d.Id()
log.Printf("[DEBUG] Deleting %s policy %s from Vault", policyType, name)
err := DeleteSentinelPolicy(client, policyType, name)
if err != nil {
return fmt.Errorf("error deleting from Vault: %s", err)
}
return nil
}
func sentinelPolicyRead(policyType string, attributes []string, d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
name := d.Id()
policy, err := readSentinelPolicy(client, policyType, name)
if err != nil {
return fmt.Errorf("error reading from Vault: %s", err)
}
for _, value := range attributes {
d.Set(value, policy[value])
}
d.Set("name", name)
return nil
}
func sentinelPolicyWrite(policyType string, attributes []string, d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
name := d.Get("name").(string)
log.Printf("[DEBUG] Writing %s policy %s to Vault", policyType, name)
body := map[string]interface{}{}
for _, value := range attributes {
body[value] = d.Get(value)
}
err := PutSentinelPolicy(client, policyType, name, body)
if err != nil {
return fmt.Errorf("error writing to Vault: %s", err)
}
d.SetId(name)
return sentinelPolicyRead(policyType, attributes, d, meta)
}