From 45944fce1d26fc72753a8fda98403fa7423c06ac Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 1 Jul 2019 13:13:40 -0400
Subject: [PATCH] Tokenutilize radius

---
 builtin/credential/radius/path_config.go | 38 ++++++++++++++++--------
 builtin/credential/radius/path_login.go  | 38 +++++++++++++++++++-----
 2 files changed, 55 insertions(+), 21 deletions(-)

diff --git a/builtin/credential/radius/path_config.go b/builtin/credential/radius/path_config.go
index 585cf6564da5..28476e337a2f 100644
--- a/builtin/credential/radius/path_config.go
+++ b/builtin/credential/radius/path_config.go
@@ -5,11 +5,12 @@ import (
 	"strings"
 
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/tokenutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
 func pathConfig(b *backend) *framework.Path {
-	return &framework.Path{
+	p := &framework.Path{
 		Pattern: "config",
 		Fields: map[string]*framework.FieldSchema{
 			"host": &framework.FieldSchema{
@@ -19,7 +20,6 @@ func pathConfig(b *backend) *framework.Path {
 					Name: "Host",
 				},
 			},
-
 			"port": &framework.FieldSchema{
 				Type:    framework.TypeInt,
 				Default: 1812,
@@ -86,6 +86,10 @@ func pathConfig(b *backend) *framework.Path {
 		HelpSynopsis:    pathConfigHelpSyn,
 		HelpDescription: pathConfigHelpDesc,
 	}
+
+	tokenutil.AddTokenFields(p.Fields)
+	p.Fields["token_policies"].Description += ". This will apply to all tokens generated by this auth method, in addition to any configured for specific users."
+	return p
 }
 
 // Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
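Review bot: `tokenutil.AddTokenFields(p.Fields)` makes the config endpoint accept the token_* parameters, but the help text wired two lines above it, `pathConfigHelpSyn`/`pathConfigHelpDesc`, is not touched anywhere in this patch; if `pathConfigHelpDesc` enumerates the accepted parameters it should now list the token_* fields and say how `token_policies` combines with the existing `unregistered_user_policies`. The sentence appended to the `token_policies` description promises a union with per-user policies, which the login path is then expected to implement, so a comment above the call would make that contract visible where it is established: `// token_* settings apply to every token this method issues; per-user policies are added on top of token_policies.` pathConfig's body starts in an earlier hunk of this file.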
@@ -129,18 +133,20 @@ func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, d *f
 		return nil, nil
 	}
 
-	resp := &logical.Response{
-		Data: map[string]interface{}{
-			"host":                       cfg.Host,
-			"port":                       cfg.Port,
-			"unregistered_user_policies": cfg.UnregisteredUserPolicies,
-			"dial_timeout":               cfg.DialTimeout,
-			"read_timeout":               cfg.ReadTimeout,
-			"nas_port":                   cfg.NasPort,
-			"nas_identifier":             cfg.NasIdentifier,
-		},
+	data := map[string]interface{}{
+		"host":                       cfg.Host,
+		"port":                       cfg.Port,
+		"unregistered_user_policies": cfg.UnregisteredUserPolicies,
+		"dial_timeout":               cfg.DialTimeout,
+		"read_timeout":               cfg.ReadTimeout,
+		"nas_port":                   cfg.NasPort,
+		"nas_identifier":             cfg.NasIdentifier,
 	}
-	return resp, nil
+	cfg.PopulateTokenData(data)
+
+	return &logical.Response{
+		Data: data,
+	}, nil
 }
 
 func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@@ -153,6 +159,10 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
 		cfg = &ConfigEntry{}
 	}
 
+	if err := cfg.ParseTokenFields(req, d); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
 	host, ok := d.GetOk("host")
 	if ok {
 		cfg.Host = strings.ToLower(host.(string))
@@ -237,6 +247,8 @@ func (b *backend) pathConfigCreateUpdate(ctx context.Context, req *logical.Reque
 }
 
 type ConfigEntry struct {
+	tokenutil.TokenParams
+
 	Host   string `json:"host" structs:"host" mapstructure:"host"`
 	Port   int    `json:"port" structs:"port" mapstructure:"port"`
 	Secret string `json:"secret" structs:"secret" mapstructure:"secret"`
diff --git a/builtin/credential/radius/path_login.go b/builtin/credential/radius/path_login.go
index 4351e555d557..be07e335f492 100644
--- a/builtin/credential/radius/path_login.go
+++ b/builtin/credential/radius/path_login.go
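Review bot: The embedded `tokenutil.TokenParams` added at the top of `ConfigEntry` carries no comment, while every sibling field spells out its json/structs/mapstructure tags; a reader has to know that Go embedding promotes the TokenParams fields into the same stored JSON object under their own tags, which is what `PopulateTokenData` in the read handler and `ParseTokenFields` in the write handler above rely on. Add `// TokenParams holds the token_* settings parsed by ParseTokenFields and applied to every token this backend issues; UnregisteredUserPolicies below stays a separate, per-user policy source.` above the embed. The struct body continues past this hunk.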
@@ -62,6 +62,14 @@ func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Requ
 }
 
 func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return logical.ErrorResponse("radius backend not configured"), nil
+	}
+
 	username := d.Get("username").(string)
 	password := d.Get("password").(string)
 
@@ -88,8 +96,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		}
 	}
 
-	resp.Auth = &logical.Auth{
-		Policies: policies,
+	auth := &logical.Auth{
 		Metadata: map[string]string{
 			"username": username,
 			"policies": strings.Join(policies, ","),
@@ -98,18 +105,28 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 			"password": password,
 		},
 		DisplayName: username,
-		LeaseOptions: logical.LeaseOptions{
-			Renewable: true,
-		},
 		Alias: &logical.Alias{
 			Name: username,
 		},
 	}
+	cfg.PopulateTokenAuth(auth)
+
+	if policies != nil {
+		resp.Auth.Policies = append(resp.Auth.Policies, policies...)
+	}
+
+	resp.Auth = auth
 	return resp, nil
 }
 
 func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	var err error
+	cfg, err := b.Config(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if cfg == nil {
+		return logical.ErrorResponse("radius backend not configured"), nil
+	}
 
 	username := req.Auth.Metadata["username"]
 	password := req.Auth.InternalData["password"].(string)
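Review bot: `resp.Auth.Policies = append(resp.Auth.Policies, policies...)` runs before `resp.Auth = auth`, and nothing visible in the new code assigns `resp.Auth` earlier (the old `resp.Auth = &logical.Auth{` was replaced by the local `auth` in the previous hunk), so on the new side any login where RadiusLogin returns policies dereferences a nil pointer and panics inside the handler. The append should target the local value, after `cfg.PopulateTokenAuth(auth)` has seeded it with the method-wide token_policies: `auth.Policies = append(auth.Policies, policies...)` (the `policies != nil` guard can go, append on a nil slice is fine). That ordering also matches the renew path, which compares `cfg.TokenPolicies` followed by the login policies against `req.Auth.TokenPolicies`. The removed `LeaseOptions{Renewable: true}` is presumably restored by `PopulateTokenAuth`; if it is not, every token issued here becomes non-renewable, so that is worth confirming. pathLogin starts in an earlier hunk, and pathLoginRenew's body continues past this one.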
@@ -121,16 +138,21 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}
+	finalPolicies := cfg.TokenPolicies
+	if loginPolicies != nil {
+		finalPolicies = append(finalPolicies, loginPolicies...)
+	}
-	if !policyutil.EquivalentPolicies(loginPolicies, req.Auth.TokenPolicies) {
+	if !policyutil.EquivalentPolicies(finalPolicies, req.Auth.TokenPolicies) {
 		return nil, fmt.Errorf("policies have changed, not renewing")
 	}
+	req.Auth.TTL = cfg.TokenTTL
+	req.Auth.MaxTTL = cfg.TokenMaxTTL
 	return &logical.Response{Auth: req.Auth}, nil
 }
 func (b *backend) RadiusLogin(ctx context.Context, req *logical.Request, username string, password string) ([]string, *logical.Response, error) {
- cfg, err := b.Config(ctx, req)
 	if err != nil {
 		return nil, nil, err