-
Notifications
You must be signed in to change notification settings - Fork 21
/
Copy pathpath_config.go
177 lines (147 loc) · 5.63 KB
/
path_config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
package artifactory
import (
"context"
"crypto/sha256"
"fmt"
"time"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
func (b *backend) pathConfig() *framework.Path {
return &framework.Path{
Pattern: "config/admin",
Fields: map[string]*framework.FieldSchema{
"access_token": {
Type: framework.TypeString,
Required: true,
Description: "Administrator token to access Artifactory",
},
"url": {
Type: framework.TypeString,
Required: true,
Description: "Address of the Artifactory instance",
},
"max_ttl": {
Type: framework.TypeDurationSecond,
Description: "Maximum duration any lease issued by this backend can be.",
},
"default_ttl": {
Type: framework.TypeDurationSecond,
Description: "Default TTL when no other TTL is specified",
},
},
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathConfigUpdate,
Summary: "Configure the Artifactory secrets backend.",
},
logical.DeleteOperation: &framework.PathOperation{
Callback: b.pathConfigDelete,
Summary: "Delete the Artifactory secrets configuration.",
},
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathConfigRead,
Summary: "Examine the Artifactory secrets configuration.",
},
},
HelpSynopsis: `Interact with the Artifactory secrets configuration.`,
HelpDescription: `
Configure the parameters used to connect to the Artifactory server integrated with this backend. The two main
parameters are "url" which is the absolute URL to the Artifactory server. Note that "/api" is prepended by the
individual calls, so do not include it in the URL here.
The second is "access_token" which must be an access token powerful enough to generate the other access tokens you'll
be using. This value is stored seal wrapped when available. Once set, the access token cannot be retrieved, but the backend
will send a sha256 hash of the token so you can compare it to your notes.
There are two TTL related parameters. The ultimate maximum lifetime that a token can live is controlled by "max_ttl", the
backend will refuse to renew/refresh tokens beyond max_ttl. The second is "default_ttl" which is used when a role does
not also specify a TTL. Default TTL must not be greater than Max TTL, and Max TTL must not be greater than the system-wide
Max TTL defined in Vault's configuration.
Note that ultimately the maximum TTL is calculated as the time of issuing the access token.
No renewals or new tokens will be issued if the backend configuration (config/admin) is deleted.
`,
}
}
type adminConfiguration struct {
AccessToken string `json:"access_token"`
ArtifactoryURL string `json:"artifactory_url"`
MaxTTL time.Duration `json:"max_ttl"`
DefaultTTL time.Duration `json:"default_ttl"`
}
func (b *backend) pathConfigUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
var warning string
config := &adminConfiguration{}
config.AccessToken = data.Get("access_token").(string)
config.ArtifactoryURL = data.Get("url").(string)
config.MaxTTL = time.Second * time.Duration(data.Get("max_ttl").(int))
config.DefaultTTL = time.Second * time.Duration(data.Get("default_ttl").(int))
if config.AccessToken == "" {
return logical.ErrorResponse("access_token is required"), nil
}
if config.ArtifactoryURL == "" {
return logical.ErrorResponse("url is required"), nil
}
if config.MaxTTL > 0 && config.DefaultTTL > config.MaxTTL {
warning = fmt.Sprintf("default_ttl (%v) lowered to max_ttl (%v)", config.DefaultTTL, config.MaxTTL)
config.DefaultTTL = config.MaxTTL
}
if b.Backend.System().MaxLeaseTTL() > 0 {
if config.MaxTTL > b.Backend.System().MaxLeaseTTL() {
return logical.ErrorResponse("max_ttl exceeds system max_ttl"), nil
}
if config.DefaultTTL > b.Backend.System().MaxLeaseTTL() {
warning = fmt.Sprintf("default_ttl (%v) lowered to system max_ttl (%v)", config.DefaultTTL, b.Backend.System().MaxLeaseTTL())
config.DefaultTTL = b.Backend.System().MaxLeaseTTL()
}
}
entry, err := logical.StorageEntryJSON("config/admin", config)
if err != nil {
return nil, err
}
err = req.Storage.Put(ctx, entry)
if err != nil {
return nil, err
}
if warning != "" {
resp := &logical.Response{}
resp.AddWarning(warning)
return resp, nil
} else {
return nil, nil
}
}
func (b *backend) pathConfigDelete(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
if err := req.Storage.Delete(ctx, "config/admin"); err != nil {
return nil, err
}
return nil, nil
}
func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
b.configMutex.RLock()
defer b.configMutex.RUnlock()
config, err := b.fetchAdminConfiguration(ctx, req.Storage)
if err != nil {
return nil, err
}
if config == nil {
return logical.ErrorResponse("backend not configured"), nil
}
// I'm not sure if I should be returning the access token, so I'll hash it.
accessTokenHash := sha256.Sum256([]byte(config.AccessToken))
configMap := map[string]interface{}{
"access_token_sha256": fmt.Sprintf("%x", accessTokenHash[:]),
"url": config.ArtifactoryURL,
}
if config.MaxTTL != 0 {
configMap["max_ttl"] = config.MaxTTL.Seconds()
}
if config.DefaultTTL != 0 {
configMap["default_ttl"] = config.DefaultTTL.Seconds()
}
return &logical.Response{
Data: configMap,
}, nil
}