package gcpsecrets
import (
"context"
"fmt"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
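// pathStaticAccountSecretServiceAccountKey returns the framework.Path that
// issues a service account key for a static account
// (<staticAccountPathPrefix>/<name>/key). READ and UPDATE are both routed to
// b.pathStaticAccountSecretKey, so the key can be requested with either verb.
//
// The "key_algorithm" and "key_type" help strings previously ended in a stray
// `"` after the period; the text below is the corrected user-facing help.
func pathStaticAccountSecretServiceAccountKey(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: fmt.Sprintf("%s/%s/key", staticAccountPathPrefix, framework.GenericNameRegex("name")),
		Fields: map[string]*framework.FieldSchema{
			"name": {
				Type:        framework.TypeString,
				Description: "Required. Name of the static account.",
			},
			"key_algorithm": {
				Type:        framework.TypeString,
				Description: fmt.Sprintf("Private key algorithm for service account key. Defaults to %s.", keyAlgorithmRSA2k),
				Default:     keyAlgorithmRSA2k,
			},
			"key_type": {
				Type:        framework.TypeString,
				Description: fmt.Sprintf("Private key type for service account key. Defaults to %s.", privateKeyTypeJson),
				Default:     privateKeyTypeJson,
			},
			"ttl": {
				// Seconds; no Default here, so an omitted ttl reaches the
				// handler as the type's zero value.
				Type:        framework.TypeDurationSecond,
				Description: "Lifetime of the service account key",
			},
		},
		Operations: map[logical.Operation]framework.OperationHandler{
			logical.ReadOperation:   &framework.PathOperation{Callback: b.pathStaticAccountSecretKey},
			logical.UpdateOperation: &framework.PathOperation{Callback: b.pathStaticAccountSecretKey},
		},
		HelpSynopsis:    pathServiceAccountKeySyn,
		HelpDescription: pathServiceAccountKeyDesc,
	}
}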
// pathStaticAccountSecretAccessToken builds the path that issues an access
// token for a static account (<staticAccountPathPrefix>/<name>/token).
// Read and update requests both land on b.pathStaticAccountAccessToken.
func pathStaticAccountSecretAccessToken(b *backend) *framework.Path {
	pattern := fmt.Sprintf("%s/%s/token", staticAccountPathPrefix, framework.GenericNameRegex("name"))

	// The only input is the account name captured from the URL.
	fields := map[string]*framework.FieldSchema{
		"name": {
			Type:        framework.TypeString,
			Description: "Required. Name of the static account.",
		},
	}

	// One PathOperation per verb, both pointing at the same callback.
	ops := map[logical.Operation]framework.OperationHandler{
		logical.ReadOperation:   &framework.PathOperation{Callback: b.pathStaticAccountAccessToken},
		logical.UpdateOperation: &framework.PathOperation{Callback: b.pathStaticAccountAccessToken},
	}

	return &framework.Path{
		Pattern:         pattern,
		Fields:          fields,
		Operations:      ops,
		HelpSynopsis:    pathTokenHelpSyn,
		HelpDescription: pathTokenHelpDesc,
	}
}
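// pathStaticAccountSecretKey handles READ/UPDATE on
// <staticAccountPathPrefix>/<name>/key: it loads the static account, refuses
// the request unless the account is configured for service account keys, and
// delegates key creation to createServiceAccountKeySecret.
//
// Client-facing problems (unknown account, wrong secret type) come back as a
// logical.ErrorResponse with a nil error; a non-nil error is returned only
// when the storage lookup itself fails.
func (b *backend) pathStaticAccountSecretKey(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	// FieldData.Get yields the schema default (or the type's zero value) for
	// absent fields, so these assertions do not panic on missing input.
	acctName := d.Get("name").(string)
	keyType := d.Get("key_type").(string)
	keyAlg := d.Get("key_algorithm").(string)
	ttl := d.Get("ttl").(int) // seconds (TypeDurationSecond)

	acct, err := b.getStaticAccount(acctName, ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if acct == nil {
		// Previously read "does not exists".
		return logical.ErrorResponse("static account %q does not exist", acctName), nil
	}
	// An account configured for access tokens must not be usable to mint
	// service account keys; the secret type is fixed at account creation.
	if acct.SecretType != SecretTypeKey {
		return logical.ErrorResponse("static account %q cannot generate service account keys (has secret type %s)", acctName, acct.SecretType), nil
	}

	params := secretKeyParams{
		keyType:      keyType,
		keyAlgorithm: keyAlg,
		ttl:          ttl,
		// Stored in the lease's internal data so later lease operations can
		// tie the key back to this account and the bindings it had at issue
		// time (presumably checked by the renew/revoke path — confirm there).
		extraInternalData: map[string]interface{}{
			"static_account":          acct.Name,
			"static_account_bindings": acct.bindingHash(),
		},
	}
	return b.createServiceAccountKeySecret(ctx, req.Storage, &acct.ServiceAccountId, params)
}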
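// pathStaticAccountAccessToken handles READ/UPDATE on
// <staticAccountPathPrefix>/<name>/token: it loads the static account, refuses
// the request unless the account is configured for access tokens, and
// delegates token issuance to secretAccessTokenResponse using the account's
// stored TokenGen.
//
// Unknown account and wrong secret type are reported as a
// logical.ErrorResponse with a nil error; a non-nil error only signals a
// storage failure.
func (b *backend) pathStaticAccountAccessToken(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	acctName := d.Get("name").(string)

	acct, err := b.getStaticAccount(acctName, ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if acct == nil {
		// Previously read "does not exists".
		return logical.ErrorResponse("static account %q does not exist", acctName), nil
	}
	// Keep the secret-type boundary strict: a key-type account must not be
	// able to obtain access tokens through this path.
	if acct.SecretType != SecretTypeAccessToken {
		return logical.ErrorResponse("static account %q cannot generate access tokens (has secret type %s)", acctName, acct.SecretType), nil
	}

	return b.secretAccessTokenResponse(ctx, req.Storage, acct.TokenGen)
}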