Tokenutilize radius (#7034)

hashicorp · Jul 1, 2019 · e6f7c5a · e6f7c5a
1 parent cafee24
commit e6f7c5a
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 21 deletions.
diff --git a/builtin/credential/radius/path_config.go b/builtin/credential/radius/path_config.go
@@ -5,11 +5,12 @@ import (
 	"strings"
 
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/tokenutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
 func pathConfig(b *backend) *framework.Path {
-	return &framework.Path{
+	p := &framework.Path{
 		Pattern: "config",
 		Fields: map[string]*framework.FieldSchema{
 			"host": &framework.FieldSchema{
@@ -19,7 +20,6 @@ func pathConfig(b *backend) *framework.Path {
 					Name: "Host",
 				},
 			},
-
 			"port": &framework.FieldSchema{
 				Type:        framework.TypeInt,
 				Default:     1812,
@@ -86,6 +86,10 @@ func pathConfig(b *backend) *framework.Path {
 		HelpSynopsis:    pathConfigHelpSyn,
 		HelpDescription: pathConfigHelpDesc,
 	}
+
+	tokenutil.AddTokenFields(p.Fields)
+	p.Fields["token_policies"].Description += ". This will apply to all tokens generated by this auth method, in addition to any configured for specific users."
+	return p
 }
 
 // Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
@@ -129,18 +133,20 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 		return nil, nil
 	}
 
-	resp := &logical.Response{
-		Data: map[string]interface{}{
-			"host":                       cfg.Host,
-			"port":                       cfg.Port,
-			"unregistered_user_policies": cfg.UnregisteredUserPolicies,
-			"dial_timeout":               cfg.DialTimeout,
-			"read_timeout":               cfg.ReadTimeout,
-			"nas_port":                   cfg.NasPort,
-			"nas_identifier":             cfg.NasIdentifier,
-		},
+	data := map[string]interface{}{
+		"host":                       cfg.Host,
+		"port":                       cfg.Port,
+		"unregistered_user_policies": cfg.UnregisteredUserPolicies,
+		"dial_timeout":               cfg.DialTimeout,
+		"read_timeout":               cfg.ReadTimeout,
+		"nas_port":                   cfg.NasPort,
+		"nas_identifier":             cfg.NasIdentifier,
 	}
-	return resp, nil
+	cfg.PopulateTokenData(data)
+
+	return &logical.Response{
+		Data: data,
+	}, nil
 }
 
 func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@@ -153,6 +159,10 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
 		cfg = &ConfigEntry{}
 	}
 
+	if err := cfg.ParseTokenFields(req, d); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
 	host, ok := d.GetOk("host")
 	if ok {
 		cfg.Host = strings.ToLower(host.(string))
@@ -237,6 +247,8 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
 }
 
 type ConfigEntry struct {
+	tokenutil.TokenParams
+
 	Host                     string   `json:"host" structs:"host" mapstructure:"host"`
 	Port                     int      `json:"port" structs:"port" mapstructure:"port"`
 	Secret                   string   `json:"secret" structs:"secret" mapstructure:"secret"`

diff --git a/builtin/credential/radius/path_login.go b/builtin/credential/radius/path_login.go
@@ -62,6 +62,14 @@ func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Requ
 }
 
 func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return logical.ErrorResponse("radius backend not configured"), nil
+	}
+
 	username := d.Get("username").(string)
 	password := d.Get("password").(string)
 
@@ -88,8 +96,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		}
 	}
 
-	resp.Auth = &logical.Auth{
-		Policies: policies,
+	auth := &logical.Auth{
 		Metadata: map[string]string{
 			"username": username,
 			"policies": strings.Join(policies, ","),
@@ -98,18 +105,28 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 			"password": password,
 		},
 		DisplayName: username,
-		LeaseOptions: logical.LeaseOptions{
-			Renewable: true,
-		},
 		Alias: &logical.Alias{
 			Name: username,
 		},
 	}
+	cfg.PopulateTokenAuth(auth)
+
+	if policies != nil {
+		resp.Auth.Policies = append(resp.Auth.Policies, policies...)
+	}
+
+	resp.Auth = auth
 	return resp, nil
 }
 
 func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	var err error
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return logical.ErrorResponse("radius backend not configured"), nil
+	}
 
 	username := req.Auth.Metadata["username"]
 	password := req.Auth.InternalData["password"].(string)
@@ -121,16 +138,21 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}
+	finalPolicies := cfg.TokenPolicies
+	if loginPolicies != nil {
+		finalPolicies = append(finalPolicies, loginPolicies...)
+	}
 
-	if !policyutil.EquivalentPolicies(loginPolicies, req.Auth.TokenPolicies) {
+	if !policyutil.EquivalentPolicies(finalPolicies, req.Auth.TokenPolicies) {
 		return nil, fmt.Errorf("policies have changed, not renewing")
 	}
 
+	req.Auth.TTL = cfg.TokenTTL
+	req.Auth.MaxTTL = cfg.TokenMaxTTL
 	return &logical.Response{Auth: req.Auth}, nil
 }
 
 func (b *backend) RadiusLogin(ctx context.Context, req *logical.Request, username string, password string) ([]string, *logical.Response, error) {
-
 	cfg, err := b.Config(ctx, req)
 	if err != nil {
 		return nil, nil, err