-
Notifications
You must be signed in to change notification settings - Fork 4.2k
/
path_login.go
176 lines (145 loc) · 4.35 KB
/
path_login.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package ldap
import (
"context"
"fmt"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/cidrutil"
"github.com/hashicorp/vault/sdk/helper/policyutil"
"github.com/hashicorp/vault/sdk/logical"
)
func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: `login/(?P<username>.+)`,
DisplayAttrs: &framework.DisplayAttributes{
OperationPrefix: operationPrefixLDAP,
OperationVerb: "login",
},
Fields: map[string]*framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "DN (distinguished name) to be used for login.",
},
"password": {
Type: framework.TypeString,
Description: "Password for this user.",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathLogin,
logical.AliasLookaheadOperation: b.pathLoginAliasLookahead,
},
HelpSynopsis: pathLoginSyn,
HelpDescription: pathLoginDesc,
}
}
func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
username := d.Get("username").(string)
if username == "" {
return nil, fmt.Errorf("missing username")
}
return &logical.Response{
Auth: &logical.Auth{
Alias: &logical.Alias{
Name: username,
},
},
}, nil
}
func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
cfg, err := b.Config(ctx, req)
if err != nil {
return nil, err
}
if cfg == nil {
return logical.ErrorResponse("auth method not configured"), nil
}
// Check for a CIDR match.
if len(cfg.TokenBoundCIDRs) > 0 {
if req.Connection == nil {
b.Logger().Warn("token bound CIDRs found but no connection information available for validation")
return nil, logical.ErrPermissionDenied
}
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cfg.TokenBoundCIDRs) {
return nil, logical.ErrPermissionDenied
}
}
username := d.Get("username").(string)
password := d.Get("password").(string)
effectiveUsername, policies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
if err != nil || (resp != nil && resp.IsError()) {
return resp, err
}
auth := &logical.Auth{
Metadata: map[string]string{
"username": username,
},
InternalData: map[string]interface{}{
"password": password,
},
DisplayName: username,
Alias: &logical.Alias{
Name: effectiveUsername,
Metadata: map[string]string{
"name": username,
},
},
}
cfg.PopulateTokenAuth(auth)
// Add in configured policies from mappings
if len(policies) > 0 {
auth.Policies = append(auth.Policies, policies...)
}
resp.Auth = auth
for _, groupName := range groupNames {
if groupName == "" {
continue
}
resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
Name: groupName,
})
}
return resp, nil
}
func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
cfg, err := b.Config(ctx, req)
if err != nil {
return nil, err
}
if cfg == nil {
return logical.ErrorResponse("auth method not configured"), nil
}
username := req.Auth.Metadata["username"]
password := req.Auth.InternalData["password"].(string)
_, loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
if err != nil || (resp != nil && resp.IsError()) {
return resp, err
}
finalPolicies := cfg.TokenPolicies
if len(loginPolicies) > 0 {
finalPolicies = append(finalPolicies, loginPolicies...)
}
if !policyutil.EquivalentPolicies(finalPolicies, req.Auth.TokenPolicies) {
return nil, fmt.Errorf("policies have changed, not renewing")
}
resp.Auth = req.Auth
resp.Auth.Period = cfg.TokenPeriod
resp.Auth.TTL = cfg.TokenTTL
resp.Auth.MaxTTL = cfg.TokenMaxTTL
// Remove old aliases
resp.Auth.GroupAliases = nil
for _, groupName := range groupNames {
resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
Name: groupName,
})
}
return resp, nil
}
const pathLoginSyn = `
Log in with a username and password.
`
const pathLoginDesc = `
This endpoint authenticates using a username and password. Please be sure to
read the note on escaping from the path-help for the 'config' endpoint.
`