-
Notifications
You must be signed in to change notification settings - Fork 21
/
Copy pathpath_token_create.go
193 lines (164 loc) · 6.12 KB
/
path_token_create.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
package artifactory
import (
"context"
"errors"
"regexp"
"time"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
var GroupPermissionScopeRegex = regexp.MustCompile(`^applied-permissions\/groups:.+$`)
func (b *backend) pathTokenCreate() *framework.Path {
return &framework.Path{
Pattern: "token/" + framework.GenericNameWithAtRegex("role"),
Fields: map[string]*framework.FieldSchema{
"role": {
Type: framework.TypeString,
Description: `Use the configuration of the specified role.`,
},
"ttl": {
Type: framework.TypeDurationSecond,
Description: `Override the default TTL when issuing this access token. Cannot exceed smallest (system, backend, role, this request) maximum TTL.`,
},
"max_ttl": {
Type: framework.TypeDurationSecond,
Description: `Override the maximum TTL for this access token. Cannot exceed smallest (system, backend) maximum TTL.`,
},
"scope": {
Type: framework.TypeString,
Description: `Override the scope for this access token. Limited to group scope only: 'applied-permissions/groups:<group-name>[,<group-name>...]'. Only applicable when config field 'allow_scope_override' is set to 'true'.`,
},
},
Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathTokenCreatePerform,
},
},
HelpSynopsis: `Create an Artifactory access token for the specified role.`,
HelpDescription: `
Create an Artifactory access token using paramters from the specified role.
An optional 'ttl' parameter will override the role's 'default_ttl' parameter.
An optional 'max_ttl' parameter will override the role's 'max_ttl' parameter.
`,
}
}
type systemVersionResponse struct {
Version string `json:"version"`
Revision string `json:"revision"`
}
type createTokenResponse struct {
TokenId string `json:"token_id"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
ExpiresIn int `json:"expires_in"`
Scope string `json:"scope"`
TokenType string `json:"token_type"`
ReferenceToken string `json:"reference_token"`
}
func (b *backend) pathTokenCreatePerform(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.rolesMutex.RLock()
b.configMutex.RLock()
defer b.configMutex.RUnlock()
defer b.rolesMutex.RUnlock()
config, err := b.fetchAdminConfiguration(ctx, req.Storage)
if err != nil {
return nil, err
}
if config == nil {
return logical.ErrorResponse("backend not configured"), nil
}
if config.AccessToken == "" {
return logical.ErrorResponse("missing access token"), errors.New("missing access token")
}
go b.sendUsage(config.baseConfiguration, "pathTokenCreatePerform")
// Read in the requested role
roleName := data.Get("role").(string)
role, err := b.Role(ctx, req.Storage, roleName)
if err != nil {
return nil, err
}
if role == nil {
return logical.ErrorResponse("no such role: %s", roleName), nil
}
// Define username for token by template if a static one is not set
if len(role.Username) == 0 {
role.Username, err = b.usernameProducer.Generate(UsernameMetadata{
RoleName: roleName,
DisplayName: req.DisplayName,
})
if err != nil {
return logical.ErrorResponse("error generating username from template"), err
}
}
logger := b.Logger().With("func", "pathTokenCreatePerform")
maxLeaseTTL := b.Backend.System().MaxLeaseTTL()
logger.Debug("initialize maxLeaseTTL to system value", "maxLeaseTTL", maxLeaseTTL.Seconds())
if value, ok := data.GetOk("max_ttl"); ok && value.(int) > 0 {
logger.Debug("max_ttl is set", "max_ttl", value)
maxTTL := time.Second * time.Duration(value.(int))
// use override max TTL if set and less than maxLeaseTTL
if maxTTL > 0 || maxTTL < maxLeaseTTL {
maxLeaseTTL = maxTTL
}
} else if role.MaxTTL > 0 && role.MaxTTL < maxLeaseTTL {
logger.Debug("using role MaxTTL", "role.MaxTTL", role.MaxTTL.Seconds())
maxLeaseTTL = role.MaxTTL
}
logger.Debug("Max lease TTL (sec)", "maxLeaseTTL", maxLeaseTTL.Seconds())
ttl := b.Backend.System().DefaultLeaseTTL()
if value, ok := data.GetOk("ttl"); ok && value.(int) > 0 {
logger.Debug("ttl is set", "ttl", value)
ttl = time.Second * time.Duration(value.(int))
} else if role.DefaultTTL != 0 {
logger.Debug("using role DefaultTTL", "role.DefaultTTL", role.DefaultTTL.Seconds())
ttl = role.DefaultTTL
}
// cap ttl to maxLeaseTTL
if ttl > maxLeaseTTL {
logger.Debug("ttl is longer than maxLeaseTTL", "ttl", ttl, "maxLeaseTTL", maxLeaseTTL.Seconds())
ttl = maxLeaseTTL
}
logger.Debug("TTL (sec)", "ttl", ttl.Seconds())
// Set the role.ExpiresIn based on maxLeaseTTL if use_expiring_tokens is set to tru in config
// - This value will be passed to createToken and used as expires_in for versions of Artifactory 7.50.3 or higher
if config.UseExpiringTokens {
role.ExpiresIn = maxLeaseTTL
}
if config.AllowScopeOverride {
scope := data.Get("scope").(string)
if len(scope) != 0 {
match := GroupPermissionScopeRegex.MatchString(scope)
if !match {
return logical.ErrorResponse("provided scope is invalid"), errors.New("provided scope is invalid")
}
//use the overridden scope rather than role default
role.Scope = scope
}
}
resp, err := b.CreateToken(config.baseConfiguration, *role)
if err != nil {
return nil, err
}
response := b.Secret(SecretArtifactoryAccessTokenType).Response(map[string]interface{}{
"access_token": resp.AccessToken,
"refresh_token": resp.RefreshToken,
"role": roleName,
"expires_in": resp.ExpiresIn,
"scope": resp.Scope,
"token_id": resp.TokenId,
"username": role.Username,
"reference_token": resp.ReferenceToken,
}, map[string]interface{}{
"role": roleName,
"access_token": resp.AccessToken,
"refresh_token": resp.RefreshToken,
"expires_in": resp.ExpiresIn,
"scope": resp.Scope,
"token_id": resp.TokenId,
"username": role.Username,
"reference_token": resp.ReferenceToken,
})
response.Secret.TTL = ttl
response.Secret.MaxTTL = maxLeaseTTL
return response, nil
}