Add fields 'ttl' and 'num_uses' to SecretID generation. #14474

Merged

27 commits (changes shown from 20 commits)
3e0e7a8
Add fields 'ttl' and 'num_uses' to SecretID generation.
RemcoBuddelmeijer Mar 12, 2022
8aeca35
Add secret_id_num_uses response field to generating SecretID
RemcoBuddelmeijer Mar 12, 2022
491e879
Add tests for new ttl and num_uses SecretID generation fields
RemcoBuddelmeijer Mar 12, 2022
44cfaab
Patch up test for ttl and num_uses fields
RemcoBuddelmeijer Mar 12, 2022
0f1c941
Add changelog entry for auth/approle 'ttl' and 'num_uses' fields
RemcoBuddelmeijer Mar 12, 2022
689e8c6
Add fields to API Docs and AppRole Auth Docs example
RemcoBuddelmeijer Mar 14, 2022
6b33aeb
Correct error message for failing test on missing field.
RemcoBuddelmeijer Apr 8, 2022
bd138f9
Remove unnecessary int cast to int "secret_id_num_uses" field.
RemcoBuddelmeijer Apr 8, 2022
00d8c0d
Move numUses field check to after assignment.
RemcoBuddelmeijer Apr 8, 2022
f72834e
Remove metadata entry in sample payload to limit change to changes made.
RemcoBuddelmeijer Apr 8, 2022
645e480
Bind fields 'ttl' and 'num_uses' to role's configuration.
RemcoBuddelmeijer May 31, 2022
0e6902a
Merge branch 'hashicorp:main' into feature/numuses-and-ttl-appsecret
RemcoBuddelmeijer May 31, 2022
772adde
Update changelog 14474 with a more detailed description.
RemcoBuddelmeijer May 31, 2022
59a7fed
Elaborate more on the bounds of the 'ttl' and 'num_uses' field.
RemcoBuddelmeijer May 31, 2022
5c2f6b5
Upper bound ttl with role secret id ttl
RemcoBuddelmeijer Jun 3, 2022
cba46ac
Formatting issues. Removed unnecessary newline
Jun 3, 2022
e4c9bfe
Update documentation for AppRole Secret ID and Role
RemcoBuddelmeijer Jun 3, 2022
d01dc76
Cleanup approle secret ID test and impl
RemcoBuddelmeijer Jun 3, 2022
ad0b5a5
Define ttl and num_uses in every test
RemcoBuddelmeijer Jun 3, 2022
364f714
Rename test RoleSecretID -> RoleSecretIDWithoutFields
RemcoBuddelmeijer Jun 3, 2022
376040b
Test secret id generation defaults to Role's config
RemcoBuddelmeijer Jun 23, 2022
dfc5b45
Change finit -> finite
RemcoBuddelmeijer Jun 23, 2022
ee219ec
Rephrase comments to the correct validation check
RemcoBuddelmeijer Jun 23, 2022
700e77d
Rephrase role-secret-id option description
RemcoBuddelmeijer Jun 30, 2022
5f34b69
Remove "default" incorrect statement about ttl
RemcoBuddelmeijer Jun 30, 2022
a9b4fac
Remove "default" incorrect statement about ttl for custom secret id
RemcoBuddelmeijer Jun 30, 2022
0f32504
Touch up approle.mdx to align more with path_role documentation
RemcoBuddelmeijer Jun 30, 2022
83 changes: 68 additions & 15 deletions builtin/credential/approle/path_role.go
@@ -481,6 +481,16 @@ the role.`,
Type: framework.TypeCommaStringSlice,
Description: defTokenFields["token_bound_cidrs"].Description,
},
"num_uses": {
Type: framework.TypeInt,
Description: `Number of times this SecretID can be used, after which the SecretID expires.
Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses.`,
},
"ttl": {
Type: framework.TypeDurationSecond,
Description: `Duration in seconds after which this SecretID expires. Defaults to 0, meaning no expiration.
Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathRoleSecretIDUpdate,
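Review bot: the `ttl` description ("Defaults to 0, meaning no expiration") does not match the behaviour implemented further down in handleRoleSecretIDCommon: when the field is omitted the SecretID inherits the role's secret_id_ttl, not 0, and an explicit 0 is rejected whenever the role's secret_id_ttl is non-zero. Reword to the actual rule, e.g. "Defaults to the role's secret_id_ttl when omitted; 0 (no expiration) is only accepted if the role's secret_id_ttl is also 0." The `num_uses` description should state its default in the same way (it inherits secret_id_num_uses when omitted).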
@@ -591,6 +601,16 @@ the role.`,
Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.`,
},
"num_uses": {
Type: framework.TypeInt,
Description: `Number of times this SecretID can be used, after which the SecretID expires.
Overrides secret_id_num_uses role option when supplied. May not be higher than role's secret_id_num_uses.`,
},
"ttl": {
Type: framework.TypeDurationSecond,
Description: `Duration in seconds after which this SecretID expires. Defaults to 0, meaning no expiration.
Overrides secret_id_ttl role option when supplied. May not be longer than role's secret_id_ttl.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathRoleCustomSecretIDUpdate,
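Review bot: these two field definitions are byte-for-byte copies of the ones added to the secret-id path above, so any future wording fix has to be made twice. The file already shares descriptions through `defTokenFields["token_bound_cidrs"].Description`; define the `num_uses` and `ttl` schemas once in the same manner and reference them from both endpoints so the two cannot drift apart.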
@@ -1497,7 +1517,7 @@ func (b *backend) pathRoleFieldRead(ctx context.Context, req *logical.Request, d
"bound_cidr_list": role.BoundCIDRList,
},
}
resp.AddWarning(`The "bound_cidr_list" parameter is deprecated and will be removed. Please use "secret_id_bound_cidrs" instead.`)
resp.AddWarning(`The "bound_cidr_list" field is deprecated and will be removed. Please use "secret_id_bound_cidrs" instead.`)
return resp, nil
default:
// shouldn't occur IRL
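Review bot: the "parameter" to "field" rename in the bound_cidr_list deprecation warning is unrelated to the ttl/num_uses feature. If it stays, check that no test asserts on the old warning text, and consider moving wording-only churn like this into its own commit so the feature diff stays focused and easy to review.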
@@ -2355,9 +2375,38 @@ func (b *backend) handleRoleSecretIDCommon(ctx context.Context, req *logical.Req
return nil, err
}

var numUses int
// Check whether or not num_uses is defined, otherwise fallback to secret_id_num_uses
if numUsesRaw, ok := data.GetOk("num_uses"); ok {
numUses = numUsesRaw.(int)
if numUses < 0 {
return logical.ErrorResponse("num_uses cannot be negative"), nil
}

// If the role's secret_id_num_uses is higher than the specified num_uses, throw an error rather than implicitly overriding
if (numUses == 0 && role.SecretIDNumUses > 0) || (role.SecretIDNumUses > 0 && numUses > role.SecretIDNumUses) {
return logical.ErrorResponse("num_uses cannot be higher than the role's secret_id_num_uses"), nil
}
} else {
numUses = role.SecretIDNumUses
}

var ttl time.Duration
// Check whether or not ttl is defined, otherwise fallback to secret_id_ttl
if ttlRaw, ok := data.GetOk("ttl"); ok {
ttl = time.Second * time.Duration(ttlRaw.(int))

// If the ttl is more than the role's secret_id_ttl, throw an error rather than implicitly overriding
if (ttl == 0 && role.SecretIDTTL > 0) || (role.SecretIDTTL > 0 && ttl > role.SecretIDTTL) {
return logical.ErrorResponse("ttl cannot be longer than the role's secret_id_ttl"), nil
}
} else {
ttl = role.SecretIDTTL
}

secretIDStorage := &secretIDStorageEntry{
SecretIDNumUses: role.SecretIDNumUses,
SecretIDTTL: role.SecretIDTTL,
SecretIDNumUses: numUses,
SecretIDTTL: ttl,
Metadata: make(map[string]string),
CIDRList: secretIDCIDRs,
TokenBoundCIDRs: secretIDTokenCIDRs,
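Review bot: the `ttl` branch has no lower-bound check, whereas `num_uses` rejects negatives at `if numUses < 0`. If the framework lets a negative duration through, `time.Second * time.Duration(ttlRaw.(int))` yields a negative `ttl` that satisfies neither `ttl == 0 && role.SecretIDTTL > 0` nor `ttl > role.SecretIDTTL`, so it is accepted and written to `SecretIDTTL`; add `if ttl < 0 { return logical.ErrorResponse("ttl cannot be negative"), nil }` to mirror the num_uses path. Two smaller points in the same hunk: the comment `// If the role's secret_id_num_uses is higher than the specified num_uses` states the inverse of what the condition checks (the request exceeding, or being unlimited relative to, the role's limit), and the `numUses == 0` / `ttl == 0` cases, which rightly refuse an unlimited request when the role sets a finite limit, return the "cannot be higher than" message, which reads as nonsense to a caller who sent 0. A dedicated message such as "num_uses of 0 (unlimited) is not allowed when the role limits secret_id_num_uses" would make the rejection understandable.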
@@ -2376,6 +2425,7 @@ func (b *backend) handleRoleSecretIDCommon(ctx context.Context, req *logical.Req
"secret_id": secretID,
"secret_id_accessor": secretIDStorage.SecretIDAccessor,
"secret_id_ttl": int64(b.deriveSecretIDTTL(secretIDStorage.SecretIDTTL).Seconds()),
"secret_id_num_uses": secretIDStorage.SecretIDNumUses,
},
}
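Review bot: returning `secret_id_num_uses` is the right call, since the stored value may have been inherited from the role rather than echoed from the request, but the two new response fields follow different paths: `secret_id_ttl` goes through `deriveSecretIDTTL`, `secret_id_num_uses` is returned raw. A one-line comment explaining why only the TTL is derived would help the next reader. Also make sure the API documentation's sample response for both secret-id and custom-secret-id lists the new field; the commit list mentions doc updates, but the diff shown here covers only path_role.go.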

@@ -2476,11 +2526,11 @@ to be generated against only this specific role, it can be done via
'role/<role_name>/secret-id' and 'role/<role_name>/custom-secret-id' endpoints.
The properties of the SecretID created against the role and the properties
of the token issued with the SecretID generated against the role, can be
configured using the parameters of this endpoint.`,
configured using the fields of this endpoint.`,
},
"role-bind-secret-id": {
"Impose secret_id to be presented during login using this role.",
`By setting this to 'true', during login the parameter 'secret_id' becomes a mandatory argument.
`By setting this to 'true', during login the field 'secret_id' becomes a mandatory argument.
The value of 'secret_id' can be retrieved using 'role/<role_name>/secret-id' endpoint.`,
},
"role-bound-cidr-list": {
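Review bot: another wording-only change ("parameters" to "fields") in the path help. It is consistent with the convention the new help strings in this PR adopt (request inputs are "fields", role attributes are "options"), so fine to keep, but it belongs with the other terminology cleanups rather than in the feature hunks.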
@@ -2514,14 +2564,17 @@ defined on the role, can access the role.`,
"Use limit of the SecretID generated against the role.",
`If the SecretIDs are generated/assigned against the role using the
'role/<role_name>/secret-id' or 'role/<role_name>/custom-secret-id' endpoints,
then the number of times that SecretID can access the role is defined by
this option.`,
then the number of times that SecretID can access the role is by default defined by this option.
Can be overriden by the 'num_uses' field on either of the two endpoints,
but is still the highest possible num_uses.`,
},
"role-secret-id-ttl": {
`Duration in seconds, representing the lifetime of the SecretIDs
that are generated against the role using 'role/<role_name>/secret-id' or
'role/<role_name>/custom-secret-id' endpoints.`,
``,
"Duration in seconds of the SecretID generated against the role.",
`If the SecretIDs are generated/assigned against the role using the
'role/<role_name>/secret-id' or 'role/<role_name>/custom-secret-id' endpoints,
then the lifetime of the SecretID is by default defined by this option.
Can be overriden by the 'ttl' field on either of the two endpoints,
but is still the longest possible ttl.`,
},
"role-secret-id-lookup": {
"Read the properties of an issued secret_id",
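Review bot: "overriden" is misspelled in both new help strings (`Can be overriden by the 'num_uses' field` and `Can be overriden by the 'ttl' field`); it should be "overridden". The trailing clauses "but is still the highest possible num_uses" and "but is still the longest possible ttl" are hard to parse; "the role's value remains the upper bound" states the rule directly. The new summary line "Duration in seconds of the SecretID generated against the role." would also read better as "Lifetime in seconds of the SecretID generated against the role."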
@@ -2584,17 +2637,17 @@ this endpoint.`,
`The SecretID generated using this endpoint will be scoped to access
just this role and none else. The properties of this SecretID will be
based on the options set on the role. It will expire after a period
defined by the 'secret_id_ttl' option on the role and/or the backend
mount's maximum TTL value.`,
defined by the 'ttl' field or 'secret_id_ttl' option on the role,
and/or the backend mount's maximum TTL value.`,
},
"role-custom-secret-id": {
"Assign a SecretID of choice against the role.",
`This option is not recommended unless there is a specific need
to do so. This will assign a client supplied SecretID to be used to access
the role. This SecretID will behave similarly to the SecretIDs generated by
the backend. The properties of this SecretID will be based on the options
set on the role. It will expire after a period defined by the 'secret_id_ttl'
option on the role and/or the backend mount's maximum TTL value.`,
set on the role. It will expire after a period defined by the 'ttl' field
or 'secret_id_ttl' option on the role, and/or the backend mount's maximum TTL value.`,
},
"role-period": {
"Updates the value of 'period' on the role",
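Review bot: "defined by the 'ttl' field or 'secret_id_ttl' option on the role" leaves the precedence open. Per the logic in handleRoleSecretIDCommon the request's `ttl` applies when supplied and may not exceed the role's `secret_id_ttl`, which applies otherwise; say so explicitly, e.g. "defined by the 'ttl' field if supplied (bounded by the role's 'secret_id_ttl'), otherwise by the role's 'secret_id_ttl', and/or the backend mount's maximum TTL value". The same wording fix applies to the role-custom-secret-id help text in this hunk.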