-
Notifications
You must be signed in to change notification settings - Fork 4.2k
/
path_config.go
217 lines (176 loc) · 6.11 KB
/
path_config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
package ldap
import (
"context"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/ldaputil"
"github.com/hashicorp/vault/sdk/helper/tokenutil"
"github.com/hashicorp/vault/sdk/logical"
)
func pathConfig(b *backend) *framework.Path {
p := &framework.Path{
Pattern: `config`,
Fields: ldaputil.ConfigFields(),
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathConfigRead,
logical.UpdateOperation: b.pathConfigWrite,
},
HelpSynopsis: pathConfigHelpSyn,
HelpDescription: pathConfigHelpDesc,
DisplayAttrs: &framework.DisplayAttributes{
Action: "Configure",
},
}
tokenutil.AddTokenFields(p.Fields)
p.Fields["token_policies"].Description += ". This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups."
return p
}
/*
* Construct ConfigEntry struct using stored configuration.
*/
func (b *backend) Config(ctx context.Context, req *logical.Request) (*ldapConfigEntry, error) {
storedConfig, err := req.Storage.Get(ctx, "config")
if err != nil {
return nil, err
}
if storedConfig == nil {
// Create a new ConfigEntry, filling in defaults where appropriate
fd, err := b.getConfigFieldData()
if err != nil {
return nil, err
}
result, err := ldaputil.NewConfigEntry(nil, fd)
if err != nil {
return nil, err
}
// No user overrides, return default configuration
result.CaseSensitiveNames = new(bool)
*result.CaseSensitiveNames = false
result.UsePre111GroupCNBehavior = new(bool)
*result.UsePre111GroupCNBehavior = false
return &ldapConfigEntry{ConfigEntry: result}, nil
}
// Deserialize stored configuration.
// Fields not specified in storedConfig will retain their defaults.
result := new(ldapConfigEntry)
result.ConfigEntry = new(ldaputil.ConfigEntry)
if err := storedConfig.DecodeJSON(result); err != nil {
return nil, err
}
var persistNeeded bool
if result.CaseSensitiveNames == nil {
// Upgrade from before switching to case-insensitive
result.CaseSensitiveNames = new(bool)
*result.CaseSensitiveNames = true
persistNeeded = true
}
if result.UsePre111GroupCNBehavior == nil {
result.UsePre111GroupCNBehavior = new(bool)
*result.UsePre111GroupCNBehavior = true
persistNeeded = true
}
if persistNeeded && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby)) {
entry, err := logical.StorageEntryJSON("config", result)
if err != nil {
return nil, err
}
if err := req.Storage.Put(ctx, entry); err != nil {
return nil, err
}
}
return result, nil
}
func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
cfg, err := b.Config(ctx, req)
if err != nil {
return nil, err
}
if cfg == nil {
return nil, nil
}
data := cfg.PasswordlessMap()
cfg.PopulateTokenData(data)
return &logical.Response{
Data: data,
}, nil
}
func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
cfg, err := b.Config(ctx, req)
if err != nil {
return nil, err
}
if cfg == nil {
return nil, nil
}
// Build a ConfigEntry struct out of the supplied FieldData
cfg.ConfigEntry, err = ldaputil.NewConfigEntry(cfg.ConfigEntry, d)
if err != nil {
return logical.ErrorResponse(err.Error()), nil
}
// On write, if not specified, use false. We do this here so upgrade logic
// works since it calls the same newConfigEntry function
if cfg.CaseSensitiveNames == nil {
cfg.CaseSensitiveNames = new(bool)
*cfg.CaseSensitiveNames = false
}
if cfg.UsePre111GroupCNBehavior == nil {
cfg.UsePre111GroupCNBehavior = new(bool)
*cfg.UsePre111GroupCNBehavior = false
}
if err := cfg.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
entry, err := logical.StorageEntryJSON("config", cfg)
if err != nil {
return nil, err
}
if err := req.Storage.Put(ctx, entry); err != nil {
return nil, err
}
return nil, nil
}
/*
* Returns FieldData describing our ConfigEntry struct schema
*/
func (b *backend) getConfigFieldData() (*framework.FieldData, error) {
configPath := b.Route("config")
if configPath == nil {
return nil, logical.ErrUnsupportedPath
}
raw := make(map[string]interface{}, len(configPath.Fields))
fd := framework.FieldData{
Raw: raw,
Schema: configPath.Fields,
}
return &fd, nil
}
type ldapConfigEntry struct {
tokenutil.TokenParams
*ldaputil.ConfigEntry
}
const pathConfigHelpSyn = `
Configure the LDAP server to connect to, along with its options.
`
const pathConfigHelpDesc = `
This endpoint allows you to configure the LDAP server to connect to and its
configuration options.
The LDAP URL can use either the "ldap://" or "ldaps://" schema. In the former
case, an unencrypted connection will be made with a default port of 389, unless
the "starttls" parameter is set to true, in which case TLS will be used. In the
latter case, a SSL connection will be established with a default port of 636.
## A NOTE ON ESCAPING
It is up to the administrator to provide properly escaped DNs. This includes
the user DN, bind DN for search, and so on.
The only DN escaping performed by this backend is on usernames given at login
time when they are inserted into the final bind DN, and uses escaping rules
defined in RFC 4514.
Additionally, Active Directory has escaping rules that differ slightly from the
RFC; in particular it requires escaping of '#' regardless of position in the DN
(the RFC only requires it to be escaped when it is the first character), and
'=', which the RFC indicates can be escaped with a backslash, but does not
contain in its set of required escapes. If you are using Active Directory and
these appear in your usernames, please ensure that they are escaped, in
addition to being properly escaped in your configured DNs.
For reference, see https://www.ietf.org/rfc/rfc4514.txt and
http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
`