forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
path_roles.go
196 lines (159 loc) · 5.72 KB
/
path_roles.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
package cassandra
import (
"context"
"fmt"
"time"
"github.com/fatih/structs"
"github.com/gocql/gocql"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
const (
defaultCreationCQL = `CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;`
defaultRollbackCQL = `DROP USER '{{username}}';`
)
func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the role",
},
"creation_cql": &framework.FieldSchema{
Type: framework.TypeString,
Default: defaultCreationCQL,
Description: `CQL to create a user and optionally grant
authorization. If not supplied, a default that
creates non-superuser accounts with the built-in
password authenticator will be used; no
authorization grants will be configured. Separate
statements by semicolons; use @file to load from a
file. Valid template values are '{{username}}' and
'{{password}}' -- the single quotes are important!`,
},
"rollback_cql": &framework.FieldSchema{
Type: framework.TypeString,
Default: defaultRollbackCQL,
Description: `CQL to roll back an account operation. This will
be used if there is an error during execution of a
statement passed in via the "creation_cql" parameter
parameter. The default simply drops the user, which
should generally be sufficient. Separate statements
by semicolons; use @file to load from a file. Valid
template values are '{{username}}' and
'{{password}}' -- the single quotes are important!`,
},
"lease": &framework.FieldSchema{
Type: framework.TypeString,
Default: "4h",
Description: "The lease length; defaults to 4 hours",
},
"consistency": &framework.FieldSchema{
Type: framework.TypeString,
Default: "Quorum",
Description: "The consistency level for the operations; defaults to Quorum.",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathRoleRead,
logical.UpdateOperation: b.pathRoleCreate,
logical.DeleteOperation: b.pathRoleDelete,
},
HelpSynopsis: pathRoleHelpSyn,
HelpDescription: pathRoleHelpDesc,
}
}
func getRole(ctx context.Context, s logical.Storage, n string) (*roleEntry, error) {
entry, err := s.Get(ctx, "role/"+n)
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
var result roleEntry
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
return &result, nil
}
func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
err := req.Storage.Delete(ctx, "role/"+data.Get("name").(string))
if err != nil {
return nil, err
}
return nil, nil
}
func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
role, err := getRole(ctx, req.Storage, data.Get("name").(string))
if err != nil {
return nil, err
}
if role == nil {
return nil, nil
}
return &logical.Response{
Data: structs.New(role).Map(),
}, nil
}
func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
name := data.Get("name").(string)
creationCQL := data.Get("creation_cql").(string)
rollbackCQL := data.Get("rollback_cql").(string)
leaseRaw := data.Get("lease").(string)
lease, err := time.ParseDuration(leaseRaw)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf(
"Error parsing lease value of %s: %s", leaseRaw, err)), nil
}
consistencyStr := data.Get("consistency").(string)
_, err = gocql.ParseConsistencyWrapper(consistencyStr)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf(
"Error parsing consistency value of %q: %v", consistencyStr, err)), nil
}
entry := &roleEntry{
Lease: lease,
CreationCQL: creationCQL,
RollbackCQL: rollbackCQL,
Consistency: consistencyStr,
}
// Store it
entryJSON, err := logical.StorageEntryJSON("role/"+name, entry)
if err != nil {
return nil, err
}
if err := req.Storage.Put(ctx, entryJSON); err != nil {
return nil, err
}
return nil, nil
}
type roleEntry struct {
CreationCQL string `json:"creation_cql" structs:"creation_cql"`
Lease time.Duration `json:"lease" structs:"lease"`
RollbackCQL string `json:"rollback_cql" structs:"rollback_cql"`
Consistency string `json:"consistency" structs:"consistency"`
}
const pathRoleHelpSyn = `
Manage the roles that can be created with this backend.
`
const pathRoleHelpDesc = `
This path lets you manage the roles that can be created with this backend.
The "creation_cql" parameter customizes the CQL string used to create users
and assign them grants. This can be a sequence of CQL queries separated by
semicolons. Some substitution will be done to the CQL string for certain keys.
The names of the variables must be surrounded by '{{' and '}}' to be replaced.
Note that it is important that single quotes are used, not double quotes.
* "username" - The random username generated for the DB user.
* "password" - The random password generated for the DB user.
If no "creation_cql" parameter is given, a default will be used:
` + defaultCreationCQL + `
This default should be suitable for Cassandra installations using the password
authenticator but not configured to use authorization.
Similarly, the "rollback_cql" is used if user creation fails, in the absence of
Cassandra transactions. The default should be suitable for almost any
instance of Cassandra:
` + defaultRollbackCQL + `
"lease" the lease time; if not set the mount/system defaults are used.
`