From b632ef58e44fda3305e8cdad565f1f6643b0fd93 Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Fri, 1 Jul 2016 14:31:37 -0400
Subject: [PATCH] Add allowed_roles to ssh-helper-config and return role name from verify call

---
 api/ssh_agent.go | 11 ++++++++---
 builtin/logical/ssh/linux_install_script.go | 2 +-
 builtin/logical/ssh/path_creds_create.go | 18 ++++++++++--------
 builtin/logical/ssh/path_verify.go | 5 +++--
 4 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/api/ssh_agent.go b/api/ssh_agent.go
index 2dd85d14f9..5a8192ae95 100644
--- a/api/ssh_agent.go
+++ b/api/ssh_agent.go
@@ -41,13 +41,16 @@ type SSHHelper struct {
 type SSHVerifyResponse struct {
 // Usually empty. If the request OTP is echo request message, this will
 // be set to the corresponding echo response message.
- Message string `mapstructure:"message"`
+ Message string `json:"message" structs:"message" mapstructure:"message"`
 
 // Username associated with the OTP
- Username string `mapstructure:"username"`
+ Username string `json:"username" structs:"username" mapstructure:"username"`
 
 // IP associated with the OTP
- IP string `mapstructure:"ip"`
+ IP string `json:"ip" structs:"ip" mapstructure:"ip"`
+
+ // Name of the role against which the OTP was issued
+ RoleName string `json:"role_name" structs:"role_name" mapstructure:"role_name"`
 }
 
 // SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.
@@ -57,6 +60,7 @@ type SSHHelperConfig struct {
 CACert string `hcl:"ca_cert"`
 CAPath string `hcl:"ca_path"`
 AllowedCidrList string `hcl:"allowed_cidr_list"`
+ AllowedRoles string `hcl:"allowed_roles"`
 TLSSkipVerify bool `hcl:"tls_skip_verify"`
 }
 
@@ -139,6 +143,7 @@ func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {
 "ca_cert",
 "ca_path",
 "allowed_cidr_list",
+ "allowed_roles",
 "tls_skip_verify",
 }
 if err := checkHCLKeys(list, valid); err != nil {
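Review bot: The new `AllowedRoles` field in SSHHelperConfig has no doc comment, and the hunk does not say how more than one role is encoded in the string or what an empty value means; `AllowedCidrList` beside it is also a plain string, so the same list encoding is presumably intended, but that should be written down rather than inferred. Suggested comment above the field: `// AllowedRoles lists the role names the helper accepts, matched against the role_name carried by SSHVerifyResponse (list encoding presumably as for allowed_cidr_list — confirm; empty-value semantics should be stated here).` Since the helper's decision will be driven by this field together with the `RoleName` added to SSHVerifyResponse in the first hunk, the accepted-by-default versus rejected-by-default behaviour for an unset `allowed_roles` is the security-relevant detail worth pinning in the comment.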
diff --git a/builtin/logical/ssh/linux_install_script.go b/builtin/logical/ssh/linux_install_script.go
index 7322020b1d..b7c18428ec 100644
--- a/builtin/logical/ssh/linux_install_script.go
+++ b/builtin/logical/ssh/linux_install_script.go
@@ -10,7 +10,7 @@ const (
 # authoried_keys file in a typical linux machine.
 #
 # If the platform differs or if the binaries used in this script are not available
-# in targer machine, use the 'install_script' parameter with 'roles/' endpoint to
+# in target machine, use the 'install_script' parameter with 'roles/' endpoint to
 # register a custom script (applicable for Dynamic type only).
 #
 # Vault server runs this script on the target machine with the following params:
diff --git a/builtin/logical/ssh/path_creds_create.go b/builtin/logical/ssh/path_creds_create.go
index 5b7f48f3df..9e414ffc21 100644
--- a/builtin/logical/ssh/path_creds_create.go
+++ b/builtin/logical/ssh/path_creds_create.go
@@ -11,8 +11,9 @@ import (
 )
 
 type sshOTP struct {
- Username string `json:"username"`
- IP string `json:"ip"`
+ Username string `json:"username" structs:"username" mapstructure:"username"`
+ IP string `json:"ip" structs:"ip" mapstructure:"ip"`
+ RoleName string `json:"role_name" structs:"role_name" mapstructure:"role_name"`
 }
 
 func pathCredsCreate(b *backend) *framework.Path {
@@ -111,7 +112,11 @@ func (b *backend) pathCredsCreateWrite(
 var result *logical.Response
 if role.KeyType == KeyTypeOTP {
 // Generate an OTP
- otp, err := b.GenerateOTPCredential(req, username, ip)
+ otp, err := b.GenerateOTPCredential(req, &sshOTP{
+ Username: username,
+ IP: ip,
+ RoleName: roleName,
+ })
 if err != nil {
 return nil, err
 }
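Review bot: Adding `RoleName` to the stored `sshOTP` struct means OTP entries written under `otp/` before this change carry no `role_name`, so they decode with an empty `RoleName`, and the path_verify.go hunk will then return `"role_name": ""` for them; nothing in the patch gives that empty value a defined meaning. A consumer comparing it against `allowed_roles` needs to know whether an empty role name is a legacy entry to accept or an unknown role to reject, so that should be documented on the field, e.g. `// RoleName is empty for OTP entries stored before this field existed; consumers must treat "" explicitly.` Note also that the struct now carries `structs:` tags while pathVerifyWrite still builds its response map by hand, so the two can drift; the same point applies to the SSHVerifyResponse hunk in api/ssh_agent.go.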
@@ -206,7 +211,7 @@ func (b *backend) GenerateSaltedOTP() (string, string, error) {
 }
 
 // Generates an UUID OTP and creates an entry for the same in storage backend with its salted string.
-func (b *backend) GenerateOTPCredential(req *logical.Request, username, ip string) (string, error) {
+func (b *backend) GenerateOTPCredential(req *logical.Request, sshOTPEntry *sshOTP) (string, error) {
 otp, otpSalted, err := b.GenerateSaltedOTP()
 if err != nil {
 return "", err
@@ -231,10 +236,7 @@ func (b *backend) GenerateOTPCredential(req *logical.Request, username, ip strin
 }
 
 // Store an entry for the salt of OTP.
- newEntry, err := logical.StorageEntryJSON("otp/"+otpSalted, sshOTP{
- Username: username,
- IP: ip,
- })
+ newEntry, err := logical.StorageEntryJSON("otp/"+otpSalted, sshOTPEntry)
 if err != nil {
 return "", err
 }
diff --git a/builtin/logical/ssh/path_verify.go b/builtin/logical/ssh/path_verify.go
index 4b392fa499..9cb98ade83 100644
--- a/builtin/logical/ssh/path_verify.go
+++ b/builtin/logical/ssh/path_verify.go
@@ -77,8 +77,9 @@ func (b *backend) pathVerifyWrite(req *logical.Request, d *framework.FieldData)
 // Return username and IP only if there were no problems uptill this point.
 return &logical.Response{
 Data: map[string]interface{}{
- "username": otpEntry.Username,
- "ip": otpEntry.IP,
+ "username": otpEntry.Username,
+ "ip": otpEntry.IP,
+ "role_name": otpEntry.RoleName,
 },
 }, nil
 }
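Review bot: `GenerateOTPCredential` is exported and now takes `sshOTPEntry *sshOTP`, but the new signature has no nil guard before the entry reaches `logical.StorageEntryJSON("otp/"+otpSalted, sshOTPEntry)`; a nil pointer would presumably be serialised as JSON null and stored as an OTP with empty username, IP and role, which pathVerifyWrite would later hand back as a valid-looking credential. A one-line check at the top of the function, `if sshOTPEntry == nil { return "", fmt.Errorf("missing OTP entry") }` (or `errors.New` if fmt is not in scope in this file), keeps a caller bug from producing a usable but unattributed OTP. The doc comment on the line above the signature still describes the old parameters; suggested replacement: `// GenerateOTPCredential generates a UUID OTP and stores sshOTPEntry (username, IP and role name) under its salted key.` The body of GenerateOTPCredential continues outside these hunks.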