From 6814b0d63e558476855f9a62a59d665fbdb22d74 Mon Sep 17 00:00:00 2001 From: Jonathan Sokolowski Date: Tue, 26 May 2015 10:33:31 +1000 Subject: [PATCH 1/3] logical/consul: custom lease time for roles --- builtin/logical/consul/backend_test.go | 35 ++++++++++++++++++++++---- builtin/logical/consul/path_roles.go | 32 ++++++++++++++++++++++- builtin/logical/consul/path_token.go | 26 +++++++++++++------ builtin/logical/consul/secret_token.go | 10 +++++--- 4 files changed, 86 insertions(+), 17 deletions(-) diff --git a/builtin/logical/consul/backend_test.go b/builtin/logical/consul/backend_test.go index 8d601edcc0..351fbbc9dc 100644 --- a/builtin/logical/consul/backend_test.go +++ b/builtin/logical/consul/backend_test.go @@ -26,7 +26,7 @@ func TestBackend_basic(t *testing.T) { Backend: Backend(), Steps: []logicaltest.TestStep{ testAccStepConfig(t, config), - testAccStepWritePolicy(t, "test", testPolicy), + testAccStepWritePolicy(t, "test", testPolicy, ""), testAccStepReadToken(t, "test", config), }, }) @@ -40,8 +40,23 @@ func TestBackend_crud(t *testing.T) { PreCheck: func() { testAccPreCheck(t) }, Backend: Backend(), Steps: []logicaltest.TestStep{ - testAccStepWritePolicy(t, "test", testPolicy), - testAccStepReadPolicy(t, "test", testPolicy), + testAccStepWritePolicy(t, "test", testPolicy, ""), + testAccStepReadPolicy(t, "test", testPolicy, DefaultLeaseDuration), + testAccStepDeletePolicy(t, "test"), + }, + }) +} + +func TestBackend_role_lease(t *testing.T) { + _, process := testStartConsulServer(t) + defer testStopConsulServer(t, process) + + logicaltest.Test(t, logicaltest.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Backend: Backend(), + Steps: []logicaltest.TestStep{ + testAccStepWritePolicy(t, "test", testPolicy, "6h"), + testAccStepReadPolicy(t, "test", testPolicy, 6*time.Hour), testAccStepDeletePolicy(t, "test"), }, }) @@ -142,17 +157,18 @@ func testAccStepReadToken( } } -func testAccStepWritePolicy(t *testing.T, name string, policy string) logicaltest.TestStep { +func testAccStepWritePolicy(t *testing.T, name string, policy string, lease string) logicaltest.TestStep { return logicaltest.TestStep{ Operation: logical.WriteOperation, Path: "roles/" + name, Data: map[string]interface{}{ "policy": base64.StdEncoding.EncodeToString([]byte(policy)), + "lease": lease, }, } } -func testAccStepReadPolicy(t *testing.T, name string, policy string) logicaltest.TestStep { +func testAccStepReadPolicy(t *testing.T, name string, policy string, lease time.Duration) logicaltest.TestStep { return logicaltest.TestStep{ Operation: logical.ReadOperation, Path: "roles/" + name, @@ -165,6 +181,15 @@ func testAccStepReadPolicy(t *testing.T, name string, policy string) logicaltest if string(out) != policy { return fmt.Errorf("mismatch: %s %s", out, policy) } + + leaseRaw := resp.Data["lease"].(string) + l, err := time.ParseDuration(leaseRaw) + if err != nil { + return err + } + if l != lease { + return fmt.Errorf("mismatch: %v %v", l, lease) + } return nil }, } diff --git a/builtin/logical/consul/path_roles.go b/builtin/logical/consul/path_roles.go index 32ed89e687..3115f6e93d 100644 --- a/builtin/logical/consul/path_roles.go +++ b/builtin/logical/consul/path_roles.go @@ -3,6 +3,7 @@ package consul import ( "encoding/base64" "fmt" + "time" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" @@ -21,6 +22,11 @@ func pathRoles() *framework.Path { Type: framework.TypeString, Description: "Policy document, base64 encoded.", }, + + "lease": &framework.FieldSchema{ + Type: framework.TypeString, + Description: "Lease time of the role.", + }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ @@ -45,10 +51,20 @@ func pathRolesRead( "Role '%s' not found", name)), nil } + leaseRaw, err := req.Storage.Get("policy/" + name + "/lease") + if err != nil { + return nil, fmt.Errorf("error retrieving lease: %s", err) + } + lease, err := time.ParseDuration(string(leaseRaw.Value)) + if err != nil { + return nil, fmt.Errorf("error retrieving lease: %s", err) + } + // Generate the response resp := &logical.Response{ Data: map[string]interface{}{ "policy": base64.StdEncoding.EncodeToString(policy.Value), + "lease": lease.String(), }, } return resp, nil @@ -56,6 +72,7 @@ func pathRolesRead( func pathRolesWrite( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { + name := d.Get("name").(string) policyRaw, err := base64.StdEncoding.DecodeString(d.Get("policy").(string)) if err != nil { return logical.ErrorResponse(fmt.Sprintf( @@ -64,13 +81,26 @@ func pathRolesWrite( // Write the policy into storage err = req.Storage.Put(&logical.StorageEntry{ - Key: "policy/" + d.Get("name").(string), + Key: "policy/" + name, Value: policyRaw, }) if err != nil { return nil, err } + // Write the policy lease into storage + lease, err := time.ParseDuration(d.Get("lease").(string)) + if err != nil || lease == time.Duration(0) { + lease = DefaultLeaseDuration + } + err = req.Storage.Put(&logical.StorageEntry{ + Key: "policy/" + name + "/lease", + Value: []byte(lease.String()), + }) + if err != nil { + return nil, err + } + return nil, nil } diff --git a/builtin/logical/consul/path_token.go b/builtin/logical/consul/path_token.go index 9a87b15b62..5af73c6247 100644 --- a/builtin/logical/consul/path_token.go +++ b/builtin/logical/consul/path_token.go @@ -27,19 +27,20 @@ func pathToken(b *backend) *framework.Path { func (b *backend) pathTokenRead( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { - policyName := d.Get("name").(string) - - // Generate a random name for the token - name := fmt.Sprintf("Vault %s %d", req.DisplayName, time.Now().Unix()) + name := d.Get("name").(string) // Read the policy - policy, err := req.Storage.Get("policy/" + policyName) + policy, err := req.Storage.Get("policy/" + name) if err != nil { return nil, fmt.Errorf("error retrieving role: %s", err) } if policy == nil { return logical.ErrorResponse(fmt.Sprintf( - "Role '%s' not found", policyName)), nil + "Role '%s' not found", name)), nil + } + leaseRaw, err := req.Storage.Get("policy/" + name + "/lease") + if err != nil { + return nil, fmt.Errorf("error retrieving lease: %s", err) } // Get the consul client @@ -48,9 +49,11 @@ func (b *backend) pathTokenRead( return logical.ErrorResponse(err.Error()), nil } + // Generate a random name for the token + tokenName := fmt.Sprintf("Vault %s %d", req.DisplayName, time.Now().Unix()) // Create it token, _, err := c.ACL().Create(&api.ACLEntry{ - Name: name, + Name: tokenName, Type: "client", Rules: string(policy.Value), }, nil) @@ -59,7 +62,14 @@ func (b *backend) pathTokenRead( } // Use the helper to create the secret - return b.Secret(SecretTokenType).Response(map[string]interface{}{ + s := b.Secret(SecretTokenType) + if leaseRaw != nil { + lease, err := time.ParseDuration(string(leaseRaw.Value)) + if err == nil { + s.DefaultDuration = lease + } + } + return s.Response(map[string]interface{}{ "token": token, }, nil), nil } diff --git a/builtin/logical/consul/secret_token.go b/builtin/logical/consul/secret_token.go index 17aa8f3ed3..06679b1313 100644 --- a/builtin/logical/consul/secret_token.go +++ b/builtin/logical/consul/secret_token.go @@ -7,7 +7,11 @@ import ( "github.com/hashicorp/vault/logical/framework" ) -const SecretTokenType = "token" +const ( + SecretTokenType = "token" + DefaultLeaseDuration = 1 * time.Hour + DefaultGracePeriod = 10 * time.Minute +) func secretToken() *framework.Secret { return &framework.Secret{ @@ -19,8 +23,8 @@ func secretToken() *framework.Secret { }, }, - DefaultDuration: 1 * time.Hour, - DefaultGracePeriod: 10 * time.Minute, + DefaultDuration: DefaultLeaseDuration, + DefaultGracePeriod: DefaultGracePeriod, Renew: framework.LeaseExtend(1*time.Hour, 0), Revoke: secretTokenRevoke, From b872babb7b692defefd3dc4186ab8ab1578c4a82 Mon Sep 17 00:00:00 2001 From: Jonathan Sokolowski Date: Wed, 27 May 2015 09:54:15 +1000 Subject: [PATCH 2/3] website: Update /consul/roles/ parameters --- website/source/docs/secrets/consul/index.html.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/website/source/docs/secrets/consul/index.html.md b/website/source/docs/secrets/consul/index.html.md index 4f8d45df3f..48259d5a5d 100644 --- a/website/source/docs/secrets/consul/index.html.md +++ b/website/source/docs/secrets/consul/index.html.md @@ -143,6 +143,11 @@ Permission denied required The base64 encoded Consul ACL policy. This is documented in [more detail here](https://consul.io/docs/internals/acl.html). +
  • + lease + optional + The lease value provided as a string duration with time suffix. Hour is the largest suffix. +
    • From dd7d64dd804c29b5e7f5e051caa49d70e397d457 Mon Sep 17 00:00:00 2001 From: Jonathan Sokolowski Date: Thu, 28 May 2015 09:36:23 +1000 Subject: [PATCH 3/3] logical/consul: Combine policy and lease into single storage struct --- builtin/logical/consul/path_roles.go | 51 ++++++++++++---------------- builtin/logical/consul/path_token.go | 24 +++++-------- 2 files changed, 31 insertions(+), 44 deletions(-) diff --git a/builtin/logical/consul/path_roles.go b/builtin/logical/consul/path_roles.go index 3115f6e93d..6985f6a35a 100644 --- a/builtin/logical/consul/path_roles.go +++ b/builtin/logical/consul/path_roles.go @@ -41,30 +41,24 @@ func pathRolesRead( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { name := d.Get("name").(string) - // Read the policy - policy, err := req.Storage.Get("policy/" + name) + entry, err := req.Storage.Get("policy/" + name) if err != nil { - return nil, fmt.Errorf("error retrieving role: %s", err) + return nil, err } - if policy == nil { - return logical.ErrorResponse(fmt.Sprintf( - "Role '%s' not found", name)), nil + if entry == nil { + return nil, nil } - leaseRaw, err := req.Storage.Get("policy/" + name + "/lease") - if err != nil { - return nil, fmt.Errorf("error retrieving lease: %s", err) - } - lease, err := time.ParseDuration(string(leaseRaw.Value)) - if err != nil { - return nil, fmt.Errorf("error retrieving lease: %s", err) + var result roleConfig + if err := entry.DecodeJSON(&result); err != nil { + return nil, err } // Generate the response resp := &logical.Response{ Data: map[string]interface{}{ - "policy": base64.StdEncoding.EncodeToString(policy.Value), - "lease": lease.String(), + "policy": base64.StdEncoding.EncodeToString([]byte(result.Policy)), + "lease": result.Lease.String(), }, } return resp, nil @@ -78,26 +72,20 @@ func pathRolesWrite( return logical.ErrorResponse(fmt.Sprintf( "Error decoding policy base64: %s", err)), nil } + lease, err := time.ParseDuration(d.Get("lease").(string)) + if err != nil || lease == time.Duration(0) { + lease = DefaultLeaseDuration + } - // Write the policy into storage - err = req.Storage.Put(&logical.StorageEntry{ - Key: "policy/" + name, - Value: policyRaw, + entry, err := logical.StorageEntryJSON("policy/"+name, roleConfig{ + Policy: string(policyRaw), + Lease: lease, }) if err != nil { return nil, err } - // Write the policy lease into storage - lease, err := time.ParseDuration(d.Get("lease").(string)) - if err != nil || lease == time.Duration(0) { - lease = DefaultLeaseDuration - } - err = req.Storage.Put(&logical.StorageEntry{ - Key: "policy/" + name + "/lease", - Value: []byte(lease.String()), - }) - if err != nil { + if err := req.Storage.Put(entry); err != nil { return nil, err } @@ -112,3 +100,8 @@ func pathRolesDelete( } return nil, nil } + +type roleConfig struct { + Policy string `json:"policy"` + Lease time.Duration `json:"lease"` +} diff --git a/builtin/logical/consul/path_token.go b/builtin/logical/consul/path_token.go index 5af73c6247..bab2d98872 100644 --- a/builtin/logical/consul/path_token.go +++ b/builtin/logical/consul/path_token.go @@ -29,18 +29,17 @@ func (b *backend) pathTokenRead( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { name := d.Get("name").(string) - // Read the policy - policy, err := req.Storage.Get("policy/" + name) + entry, err := req.Storage.Get("policy/" + name) if err != nil { return nil, fmt.Errorf("error retrieving role: %s", err) } - if policy == nil { - return logical.ErrorResponse(fmt.Sprintf( - "Role '%s' not found", name)), nil + if entry == nil { + return logical.ErrorResponse(fmt.Sprintf("Role '%s' not found", name)), nil } - leaseRaw, err := req.Storage.Get("policy/" + name + "/lease") - if err != nil { - return nil, fmt.Errorf("error retrieving lease: %s", err) + + var result roleConfig + if err := entry.DecodeJSON(&result); err != nil { + return nil, err } // Get the consul client @@ -55,7 +54,7 @@ func (b *backend) pathTokenRead( token, _, err := c.ACL().Create(&api.ACLEntry{ Name: tokenName, Type: "client", - Rules: string(policy.Value), + Rules: result.Policy, }, nil) if err != nil { return logical.ErrorResponse(err.Error()), nil @@ -63,12 +62,7 @@ func (b *backend) pathTokenRead( // Use the helper to create the secret s := b.Secret(SecretTokenType) - if leaseRaw != nil { - lease, err := time.ParseDuration(string(leaseRaw.Value)) - if err == nil { - s.DefaultDuration = lease - } - } + s.DefaultDuration = result.Lease return s.Response(map[string]interface{}{ "token": token, }, nil), nil