-
-
Notifications
You must be signed in to change notification settings - Fork 2
/
robot_account.go
101 lines (84 loc) · 2.64 KB
/
robot_account.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
package harbor
import (
"context"
"errors"
"fmt"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
const (
harborRobotAccountType = "robot_account"
)
// harborToken defines a secret to store for a given role
// and how it should be revoked or renewed.
func (b *harborBackend) harborToken() *framework.Secret {
return &framework.Secret{
Type: harborRobotAccountType,
Fields: map[string]*framework.FieldSchema{
"robot_account": {
Type: framework.TypeString,
Description: "Harbor Robot account",
},
},
Revoke: b.robotAccountRevoke,
Renew: b.robotAccountRenew,
}
}
// tokenRevoke removes the token from the Vault storage API and calls the client to revoke the robot account
func (b *harborBackend) robotAccountRevoke(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
client, err := b.getClient(ctx, req.Storage)
if err != nil {
return nil, err
}
if client == nil {
return nil, fmt.Errorf("error getting Harbor client")
}
var account string
// We passed the account using InternalData from when we first created
// the secret. This is because the Harbor API uses the exact robot account name
// for revocation.
accountRaw, ok := req.Secret.InternalData["robot_account_name"]
if !ok {
return nil, fmt.Errorf("robot_account_name is missing on the lease")
}
account, ok = accountRaw.(string)
if !ok {
return nil, fmt.Errorf("unable convert robot_account_name")
}
if err := deleteRobotAccount(ctx, client, account); err != nil {
return nil, fmt.Errorf("error revoking robot account: %w", err)
}
return nil, nil
}
// deleteToken calls the Harbor client to delete the robot account
func deleteRobotAccount(ctx context.Context, c *harborClient, robotAccountName string) error {
err := c.RESTClient.DeleteRobotAccountByName(ctx, robotAccountName)
if err != nil {
return err
}
return nil
}
// robotAccountRenew
func (b *harborBackend) robotAccountRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
roleRaw, ok := req.Secret.InternalData["role"]
if !ok {
return nil, fmt.Errorf("secret is missing role internal data")
}
// get the role entry
role := roleRaw.(string)
roleEntry, err := b.getRole(ctx, req.Storage, role)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %w", err)
}
if roleEntry == nil {
return nil, errors.New("error retrieving role: role is nil")
}
resp := &logical.Response{Secret: req.Secret}
if roleEntry.TTL > 0 {
resp.Secret.TTL = roleEntry.TTL
}
if roleEntry.MaxTTL > 0 {
resp.Secret.MaxTTL = roleEntry.MaxTTL
}
return resp, nil
}