forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
path_user.go
174 lines (150 loc) · 4.05 KB
/
path_user.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
package aws
import (
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
"github.com/mitchellh/mapstructure"
)
func pathUser(b *backend) *framework.Path {
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the role",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathUserRead,
},
HelpSynopsis: pathUserHelpSyn,
HelpDescription: pathUserHelpDesc,
}
}
func (b *backend) pathUserRead(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
policyName := d.Get("name").(string)
// Read the policy
policy, err := req.Storage.Get("policy/" + policyName)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err)
}
if policy == nil {
return logical.ErrorResponse(fmt.Sprintf(
"Role '%s' not found", policyName)), nil
}
// Use the helper to create the secret
return b.secretAccessKeysCreate(
req.Storage, req.DisplayName, policyName, string(policy.Value))
}
func pathUserRollback(req *logical.Request, _kind string, data interface{}) error {
var entry walUser
if err := mapstructure.Decode(data, &entry); err != nil {
return err
}
username := entry.UserName
// Get the client
client, err := clientIAM(req.Storage)
if err != nil {
return err
}
// Get information about this user
groupsResp, err := client.ListGroupsForUser(&iam.ListGroupsForUserInput{
UserName: aws.String(username),
MaxItems: aws.Int64(1000),
})
if err != nil {
return err
}
groups := groupsResp.Groups
// Inline (user) policies
policiesResp, err := client.ListUserPolicies(&iam.ListUserPoliciesInput{
UserName: aws.String(username),
MaxItems: aws.Int64(1000),
})
if err != nil {
return err
}
policies := policiesResp.PolicyNames
// Attached managed policies
manPoliciesResp, err := client.ListAttachedUserPolicies(&iam.ListAttachedUserPoliciesInput{
UserName: aws.String(username),
MaxItems: aws.Int64(1000),
})
if err != nil {
return err
}
manPolicies := manPoliciesResp.AttachedPolicies
keysResp, err := client.ListAccessKeys(&iam.ListAccessKeysInput{
UserName: aws.String(username),
MaxItems: aws.Int64(1000),
})
if err != nil {
return err
}
keys := keysResp.AccessKeyMetadata
// Revoke all keys
for _, k := range keys {
_, err = client.DeleteAccessKey(&iam.DeleteAccessKeyInput{
AccessKeyId: k.AccessKeyId,
UserName: aws.String(username),
})
if err != nil {
return err
}
}
// Detach managed policies
for _, p := range manPolicies {
_, err = client.DetachUserPolicy(&iam.DetachUserPolicyInput{
UserName: aws.String(username),
PolicyArn: p.PolicyArn,
})
if err != nil {
return err
}
}
// Delete any inline (user) policies
for _, p := range policies {
_, err = client.DeleteUserPolicy(&iam.DeleteUserPolicyInput{
UserName: aws.String(username),
PolicyName: p,
})
if err != nil {
return err
}
}
// Remove the user from all their groups
for _, g := range groups {
_, err = client.RemoveUserFromGroup(&iam.RemoveUserFromGroupInput{
GroupName: g.GroupName,
UserName: aws.String(username),
})
if err != nil {
return err
}
}
// Delete the user
_, err = client.DeleteUser(&iam.DeleteUserInput{
UserName: aws.String(username),
})
if err != nil {
return err
}
return nil
}
type walUser struct {
UserName string
}
const pathUserHelpSyn = `
Generate an access key pair for a specific role.
`
const pathUserHelpDesc = `
This path will generate a new, never before used key pair for
accessing AWS. The IAM policy used to back this key pair will be
the "name" parameter. For example, if this backend is mounted at "aws",
then "aws/creds/deploy" would generate access keys for the "deploy" role.
The access keys will have a lease associated with them. The access keys
can be revoked by using the lease ID.
`