-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathpath_creds_create.go
More file actions
executable file
·96 lines (85 loc) · 2.96 KB
/
path_creds_create.go
File metadata and controls
executable file
·96 lines (85 loc) · 2.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
package openstack
import (
"context"
"fmt"
"time"
"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
func pathCreateCreds(b *backend) *framework.Path {
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role set",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathTokenRead,
},
}
}
func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := d.Get("name").(string)
// Determine if we have a lease configuration
leaseConfig, err := b.LeaseConfig(ctx, req.Storage)
if err != nil {
b.Logger().Warn("get leaseconfig", "error", err)
return nil, err
}
if leaseConfig == nil {
leaseConfig = &configLease{}
}
role, err := b.Role(ctx, req.Storage, name)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %w", err)
}
if role == nil {
return logical.ErrorResponse(fmt.Sprintf("role %q not found", name)), nil
}
cfg, err := b.readConfigAccess(ctx, req.Storage)
if err != nil {
return nil, fmt.Errorf("error reading access config: %w", err)
}
if cfg == nil {
return logical.ErrorResponse("access config not found"), nil
}
// Validate: app credentials cannot be used with project-scoped rolesets
if cfg.UsesApplicationCredential() && role.HasProject() {
return logical.ErrorResponse(
"cannot use application credential authentication with project-scoped rolesets; " +
"application credentials are bound to their original project. " +
"Use username/password authentication for multi-project support, " +
"or remove project fields from the roleset",
), nil
}
identityClient, err := client(ctx, cfg, role)
if err != nil {
return nil, fmt.Errorf("error creating identity client: %w", err)
}
// Create application credential
tokenName := fmt.Sprintf("vault-%s-%s-%d", name, req.DisplayName, time.Now().UnixMilli())
expireTime := time.Now().Add(leaseConfig.TTL)
credential, err := applicationcredentials.Create(ctx, identityClient, cfg.UserID, applicationcredentials.CreateOpts{
Name: tokenName,
Description: fmt.Sprintf("Created by Vault at %s", time.Now().Format(time.RFC3339)),
Roles: role.Roles,
ExpiresAt: &expireTime,
}).Extract()
if err != nil {
b.Logger().Warn("Create applicationcredential", "error", err)
return nil, err
}
// Use the helper to create the secret
resp := b.Secret(SecretTokenType).Response(map[string]interface{}{
"application_credential_id": credential.ID,
"application_credential_secret": credential.Secret,
}, map[string]interface{}{
"application_credential_id": credential.ID,
"roleset": name,
})
resp.Secret.TTL = leaseConfig.TTL
return resp, nil
}