From e6e243b4cafc1fd900535db4e2cbe100fc332bf9 Mon Sep 17 00:00:00 2001
From: Vishal Nayak
Date: Wed, 1 Jul 2015 21:05:52 -0400
Subject: [PATCH] Vault SSH: Regex supports hypen in key name and role names
---
 builtin/logical/ssh/path_config_lease.go | 4 ++--
 builtin/logical/ssh/path_keys.go | 7 ++-----
 builtin/logical/ssh/path_lookup.go | 4 ++--
 builtin/logical/ssh/path_role_create.go | 14 +++++++-------
 builtin/logical/ssh/path_roles.go | 2 +-
 builtin/logical/ssh/secret_ssh_key.go | 10 +++++-----
 builtin/logical/ssh/util.go | 12 ++++++------
 7 files changed, 25 insertions(+), 28 deletions(-)
diff --git a/builtin/logical/ssh/path_config_lease.go b/builtin/logical/ssh/path_config_lease.go
index 3ccaea68e2..d1bb0b991a 100644
--- a/builtin/logical/ssh/path_config_lease.go
+++ b/builtin/logical/ssh/path_config_lease.go
@@ -57,10 +57,10 @@ func (b *backend) pathConfigLeaseWrite(req *logical.Request, d *framework.FieldD
 LeaseMax: leaseMax,
 })
 if err != nil {
- return nil, fmt.Errorf("Could not create storage entry JSON: %s", err)
+ return nil, fmt.Errorf("could not create storage entry JSON: %s", err)
 }
 if err := req.Storage.Put(entry); err != nil {
- return nil, fmt.Errorf("Could not store JSON: %s", err)
+ return nil, fmt.Errorf("could not store JSON: %s", err)
 }
 return nil, nil
diff --git a/builtin/logical/ssh/path_keys.go b/builtin/logical/ssh/path_keys.go
index 9a6f49150a..238c23e399 100644
--- a/builtin/logical/ssh/path_keys.go
+++ b/builtin/logical/ssh/path_keys.go
@@ -2,7 +2,6 @@ package ssh
 import (
 "fmt"
- "log"
 "github.com/hashicorp/vault/logical"
 "github.com/hashicorp/vault/logical/framework"
@@ -10,7 +9,7 @@ import (
 func pathKeys(b *backend) *framework.Path {
 return &framework.Path{
- Pattern: "keys/(?P\\w+)",
+ Pattern: "keys/(?P[-\\w]+)",
 Fields: map[string]*framework.FieldSchema{
 "name": &framework.FieldSchema{
 Type: framework.TypeString,
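Review bot: The `[-\\w]+` name class introduced on the Pattern line is repeated verbatim in path_role_create.go (`creds/`) and path_roles.go (`roles/`) in this same commit; a single package-level constant such as `const nameRegex = "[-\\w]+"` would keep the three path patterns from drifting apart. Because pathKeysWrite later interpolates the captured name into the storage key with `fmt.Sprintf("keys/%s", keyName)`, this character class is also what keeps `/` and `.` out of that storage path, which is worth stating in a comment on the constant. As rendered here the group reads `(?P[-\\w]+)` with no group name; presumably the source has `(?P<name>...)`, since the handlers read the field with `d.Get("name")`.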
@@ -60,13 +59,11 @@ func (b *backend) pathKeysDelete(req *logical.Request, d *framework.FieldData) (
 }
 func (b *backend) pathKeysWrite(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
- log.SetFlags(log.LstdFlags | log.Lshortfile)
-
 keyName := d.Get("name").(string)
 keyString := d.Get("key").(string)
 if keyString == "" {
- return nil, fmt.Errorf("Invalid 'key'")
+ return nil, fmt.Errorf("invalid 'key'")
 }
 keyPath := fmt.Sprintf("keys/%s", keyName)
diff --git a/builtin/logical/ssh/path_lookup.go b/builtin/logical/ssh/path_lookup.go
index 8aa72c28e9..78f74c2783 100644
--- a/builtin/logical/ssh/path_lookup.go
+++ b/builtin/logical/ssh/path_lookup.go
@@ -29,7 +29,7 @@ func pathLookup(b *backend) *framework.Path {
 func (b *backend) pathLookupWrite(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 ipAddr := d.Get("ip").(string)
 if ipAddr == "" {
- return logical.ErrorResponse("Missing 'ip'"), nil
+ return logical.ErrorResponse("Invalid 'ip'"), nil
 }
 ip := net.ParseIP(ipAddr)
 if ip == nil {
@@ -80,7 +80,7 @@ func containsIP(s logical.Storage, roleName string, ip string) (bool, error) {
 for _, item := range strings.Split(role.CIDR, ",") {
 _, cidrIPNet, err := net.ParseCIDR(item)
 if err != nil {
- return false, fmt.Errorf("Invalid cidr entry '%s'", item)
+ return false, fmt.Errorf("invalid cidr entry '%s'", item)
 }
 ipMatched = cidrIPNet.Contains(net.ParseIP(ip))
 if ipMatched {
diff --git a/builtin/logical/ssh/path_role_create.go b/builtin/logical/ssh/path_role_create.go
index ea881a50a4..1fc3de77b8 100644
--- a/builtin/logical/ssh/path_role_create.go
+++ b/builtin/logical/ssh/path_role_create.go
@@ -12,7 +12,7 @@ import (
 func pathRoleCreate(b *backend) *framework.Path {
 return &framework.Path{
- Pattern: "creds/(?P\\w+)",
+ Pattern: "creds/(?P[-\\w]+)",
 Fields: map[string]*framework.FieldSchema{
 "name": &framework.FieldSchema{
 Type: framework.TypeString,
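Review bot: In pathKeysWrite the supplied `key` is only checked for being non-empty before it is stored, although util.go later hands the same value to `ssh.ParsePrivateKey` inside createSSHPublicKeysSession; parsing it once here, `if _, err := ssh.ParsePrivateKey([]byte(keyString)); err != nil { return logical.ErrorResponse(fmt.Sprintf("invalid 'key': %s", err)), nil }`, would reject malformed key material at write time instead of on the first credential request (path_keys.go would need the x/crypto/ssh import if it does not already have it). The empty-key case is a client input error as well, so `logical.ErrorResponse("invalid 'key'")` with a nil error, as pathLookupWrite does, reads as more consistent than returning a Go error. The body of pathKeysWrite continues past the hunk.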
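Review bot: Changing the message from `Missing 'ip'` to `Invalid 'ip'` loses information: this branch fires only when the field is empty, and the `ip == nil` branch that follows is presumably the one reporting an unparsable address, so the two cases would now read alike to the caller. Unlike the rest of the commit, which only lowercases the first word, this hunk changes the meaning; keeping `return logical.ErrorResponse("Missing 'ip'"), nil` (or `"missing 'ip'"` for consistency with the other messages) seems preferable. The body of the `ip == nil` branch is outside the hunk.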
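Review bot: `net.ParseIP(ip)` on the ipMatched line is re-run for every CIDR entry and its result is never nil-checked, so an unparsable `ip` makes `cidrIPNet.Contains(nil)` return false silently and containsIP reports "no match" rather than an error; parsing once before the loop with `parsed := net.ParseIP(ip); if parsed == nil { return false, fmt.Errorf("invalid ip '%s'", ip) }` and using `parsed` inside the loop fixes both. The entries split from `role.CIDR` are also not trimmed, so a list written as `a, b` fails on the second entry; `net.ParseCIDR(strings.TrimSpace(item))` would accept it. containsIP starts before the hunk and the loop continues after it.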
@@ -89,11 +89,11 @@ func (b *backend) pathRoleCreateWrite(
 //fetch the host key to be used for installation
 keyEntry, err := req.Storage.Get(fmt.Sprintf("keys/%s", role.KeyName))
 if err != nil {
- return nil, fmt.Errorf("Key '%s' not found error:%s", role.KeyName, err)
+ return nil, fmt.Errorf("key '%s' not found error:%s", role.KeyName, err)
 }
 var hostKey sshHostKey
 if err := keyEntry.DecodeJSON(&hostKey); err != nil {
- return nil, fmt.Errorf("Error reading the host key: %s", err)
+ return nil, fmt.Errorf("error reading the host key: %s", err)
 }
 //store the host key to file. Use it as parameter for scp command
@@ -106,11 +106,11 @@ func (b *backend) pathRoleCreateWrite(
 //delete the temporary files if they are already present
 err = removeFile(dynamicPrivateKeyFileName)
 if err != nil {
- return nil, fmt.Errorf("Error removing dynamic private key file: '%s'", err)
+ return nil, fmt.Errorf("error removing dynamic private key file: '%s'", err)
 }
 err = removeFile(dynamicPublicKeyFileName)
 if err != nil {
- return nil, fmt.Errorf("Error removing dynamic private key file: '%s'", err)
+ return nil, fmt.Errorf("error removing dynamic private key file: '%s'", err)
 }
 //generate RSA key pair
@@ -128,10 +128,10 @@ func (b *backend) pathRoleCreateWrite(
 //connect to target machine
 session, err := createSSHPublicKeysSession(username, ip, hostKey.Key)
 if err != nil {
- return nil, fmt.Errorf("Unable to create SSH Session using public keys: %s", err)
+ return nil, fmt.Errorf("unable to create SSH Session using public keys: %s", err)
 }
 if session == nil {
- return nil, fmt.Errorf("Invalid session object")
+ return nil, fmt.Errorf("invalid session object")
 }
 authKeysFileName := fmt.Sprintf("/home/%s/.ssh/authorized_keys", username)
diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go
index 2a93c8d5ee..4631f21491 100644
--- a/builtin/logical/ssh/path_roles.go
+++ b/builtin/logical/ssh/path_roles.go
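Review bot: `keyEntry` from `req.Storage.Get` is decoded without a nil check; if Storage.Get follows the usual logical.Storage convention of returning `(nil, nil)` for an absent key, a role whose KeyName has since been deleted makes `keyEntry.DecodeJSON` dereference nil instead of producing the "not found" error that the message on the err branch promises. Adding `if keyEntry == nil { return logical.ErrorResponse(fmt.Sprintf("key '%s' not found", role.KeyName)), nil }` after the err check covers it; the same pattern appears in secret_ssh_key.go around `hostKeyEntry` (hunk @@ -80). pathRoleCreateWrite begins before the hunk.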
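Review bot: The second removeFile error message, the one for `dynamicPublicKeyFileName`, still says `error removing dynamic private key file`, so a failure on the public key file is reported as the private one; it should read `return nil, fmt.Errorf("error removing dynamic public key file: '%s'", err)`. More broadly, this path writes the freshly generated private key to a file in the process working directory (util.go's removeFile resolves names against `os.Getwd()`), so if the two file names are fixed rather than per-request, concurrent credential requests overwrite each other's key files and the removal here races with another request's generation; per-request temporary names, or keeping the key pair in memory, would remove both the collision and the on-disk copy of private key material. How the names are chosen is outside the hunk.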
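Review bot: The `authKeysFileName` line hard-codes `/home/%s/.ssh/authorized_keys`, and secret_ssh_key.go builds the same path by string concatenation in its revoke handler (hunk @@ -98); one shared helper such as `func authorizedKeysPath(username string) string` would keep install and revoke pointed at the same file and give a single place to deal with accounts whose home is not under /home. Nothing in this hunk closes `session` on the success path, whereas util.go's uploadFileScp does `defer session.Close()` right after its nil check; the same `defer` here would be consistent unless the close happens further down, outside the hunk.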
@@ -11,7 +11,7 @@ import (
 func pathRoles(b *backend) *framework.Path {
 return &framework.Path{
- Pattern: "roles/(?P\\w+)",
+ Pattern: "roles/(?P[-\\w]+)",
 Fields: map[string]*framework.FieldSchema{
 "name": &framework.FieldSchema{
 Type: framework.TypeString,
diff --git a/builtin/logical/ssh/secret_ssh_key.go b/builtin/logical/ssh/secret_ssh_key.go
index 899448f5dc..4520a531aa 100644
--- a/builtin/logical/ssh/secret_ssh_key.go
+++ b/builtin/logical/ssh/secret_ssh_key.go
@@ -80,11 +80,11 @@ func (b *backend) secretSSHKeyRevoke(req *logical.Request, d *framework.FieldDat
 //fetch the host key using the key name
 hostKeyEntry, err := req.Storage.Get(fmt.Sprintf("keys/%s", hostKeyName))
 if err != nil {
- return nil, fmt.Errorf("Key '%s' not found error:%s", hostKeyName, err)
+ return nil, fmt.Errorf("key '%s' not found error:%s", hostKeyName, err)
 }
 var hostKey sshHostKey
 if err := hostKeyEntry.DecodeJSON(&hostKey); err != nil {
- return nil, fmt.Errorf("Error reading the host key: %s", err)
+ return nil, fmt.Errorf("error reading the host key: %s", err)
 }
 //write host key to file and use it as argument to scp command
@@ -98,16 +98,16 @@ func (b *backend) secretSSHKeyRevoke(req *logical.Request, d *framework.FieldDat
 //transfer the dynamic public key to target machine and use it to remove the entry from authorized_keys file
 err = uploadFileScp(dynamicPublicKeyFileName, username, ip, hostKey.Key)
 if err != nil {
- return nil, fmt.Errorf("Public key transfer failed: %s", err)
+ return nil, fmt.Errorf("public key transfer failed: %s", err)
 }
 //connect to target machine
 session, err := createSSHPublicKeysSession(username, ip, hostKey.Key)
 if err != nil {
- return nil, fmt.Errorf("Unable to create SSH Session using public keys: %s", err)
+ return nil, fmt.Errorf("unable to create SSH Session using public keys: %s", err)
 }
 if session == nil {
- return nil, fmt.Errorf("Invalid session object")
+ return nil, fmt.Errorf("invalid session object")
 }
 authKeysFileName := "/home/" + username + "/.ssh/authorized_keys"
diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go
index 4d86ba3ee6..fe270e01c9 100644
--- a/builtin/logical/ssh/util.go
+++ b/builtin/logical/ssh/util.go
@@ -41,14 +41,14 @@ func uploadFileScp(fileName, username, ip, key string) error {
 }
 stat, err := file.Stat()
 if os.IsNotExist(err) {
- return fmt.Errorf("File does not exist")
+ return fmt.Errorf("file does not exist")
 }
 session, err := createSSHPublicKeysSession(username, ip, key)
 if err != nil {
 return err
 }
 if session == nil {
- return fmt.Errorf("Invalid session object")
+ return fmt.Errorf("invalid session object")
 }
 defer session.Close()
 go func() {
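Review bot: After `stat, err := file.Stat()` only `os.IsNotExist(err)` is handled, so any other Stat failure (permissions, I/O) is silently discarded when the next statement reassigns `err` from createSSHPublicKeysSession, and `stat` is presumably used later by the transfer while nil; `if err != nil { return fmt.Errorf("stat %s: %s", fileName, err) }` is the safer check, and since the file was just opened the IsNotExist special case adds little. The goroutine started on the last line of the hunk writes to the session concurrently; its body and how its error reaches the caller are outside the hunk and worth a look.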
@@ -70,11 +70,11 @@ The session will use public key authentication method with port 22.
 */
 func createSSHPublicKeysSession(username, ipAddr, hostKey string) (*ssh.Session, error) {
 if username == "" || ipAddr == "" || hostKey == "" {
- return nil, fmt.Errorf("Invalid parameters")
+ return nil, fmt.Errorf("invalid parameters")
 }
 signer, err := ssh.ParsePrivateKey([]byte(hostKey))
 if err != nil {
- return nil, fmt.Errorf("Parsing Private Key failed: %s", err)
+ return nil, fmt.Errorf("parsing Private Key failed: %s", err)
 }
 config := &ssh.ClientConfig{
@@ -89,7 +89,7 @@ func createSSHPublicKeysSession(username, ipAddr, hostKey string) (*ssh.Session,
 return nil, err
 }
 if client == nil {
- return nil, fmt.Errorf("Invalid client object: %s", err)
+ return nil, fmt.Errorf("invalid client object: %s", err)
 }
 session, err := client.NewSession()
@@ -105,7 +105,7 @@ The parameter is just the name of the file and not a path.
 */
 func removeFile(fileName string) error {
 if fileName == "" {
- return fmt.Errorf("Invalid file name")
+ return fmt.Errorf("invalid file name")
 }
 wd, err := os.Getwd()
 if err != nil {
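Review bot: createSSHPublicKeysSession builds `signer` from the stored key, which authenticates Vault to the target, but nothing visible in the hunk authenticates the target to Vault; the `ssh.ClientConfig` literal that follows is outside the hunk, and it is worth confirming it verifies the remote host key (in current x/crypto/ssh that is the `HostKeyCallback` field; older releases accepted any host key by default), since otherwise the private key file pushed by uploadFileScp is delivered to whichever host answers at `ipAddr`. Minor: `parsing Private Key failed` mixes cases mid-sentence; `parsing private key failed: %s` matches the rest of the commit.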
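Review bot: On the `client == nil` branch `err` is already known to be nil (the `return nil, err` just above handles the non-nil case), so the message formats as `invalid client object: %!s(<nil>)`; drop the verb, `return nil, fmt.Errorf("invalid client object")`, as the session-nil checks in the other files do. The dial call that produces `client` and `err` is outside the hunk.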
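Review bot: removeFile's doc comment says the parameter is a bare file name and not a path, but the function only rejects the empty string before joining `fileName` with `os.Getwd()`; adding `if filepath.Base(fileName) != fileName { return fmt.Errorf("invalid file name") }` (path/filepath) enforces the stated contract so a name containing separators or `..` cannot address files outside the working directory. The join and the actual removal are outside the hunk, so this assumes the name is used unmodified there.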