package buddysecrets
import (
"context"
"fmt"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
"time"
)
// pathRotateConfig builds the "rotate-root" path. Only an update operation is
// registered, and the Vault SDK forwarding flags are set so that a request
// arriving on a performance secondary or standby is forwarded rather than
// handled locally.
func pathRotateConfig(b *buddySecretBackend) *framework.Path {
	rotateOp := &framework.PathOperation{
		Callback:                    b.pathRotateRoot,
		ForwardPerformanceSecondary: true,
		ForwardPerformanceStandby:   true,
	}

	p := &framework.Path{
		Pattern:         "rotate-root",
		HelpSynopsis:    rotateHelpSyn,
		HelpDescription: rotateHelpDesc,
	}
	p.Operations = map[logical.Operation]framework.OperationHandler{
		logical.UpdateOperation: rotateOp,
	}
	return p
}
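// rotateRootToken replaces the configured Buddy root token with a freshly
// created one that carries the TTL, IP/workspace restrictions and scopes
// currently stored in the config, persists the new token, and then removes
// the previous token from Buddy on a best-effort basis.
//
// Ordering matters for safety: the new token is written to storage before the
// old one is revoked, so a failed save leaves the old credential in place (and
// the just-created token is revoked again) rather than leaving the backend
// with no usable token.
//
// It returns an error when no config or no root token is stored, when the
// Buddy client cannot be built, when token creation fails, when the returned
// expiry cannot be parsed as RFC 3339, or when the new config cannot be saved.
func (b *buddySecretBackend) rotateRootToken(ctx context.Context, sys *logical.Request) error {
	config, err := b.getConfig(ctx, sys.Storage)
	if err != nil {
		return err
	}
	if config == nil || config.Token == "" {
		return fmt.Errorf("root token not provided through config")
	}

	client, err := b.getNewClient(config)
	if err != nil {
		return err
	}

	// The replacement token inherits the restrictions and scopes already in
	// the config, so rotation never widens what the backend is allowed to do.
	token, err := client.CreateToken("vault root token", config.TokenTtlInDays, config.TokenIpRestrictions, config.TokenWorkspaceRestrictions, config.TokenScopes)
	if err != nil {
		return err
	}

	expiresAt, err := time.Parse(time.RFC3339, token.ExpiresAt)
	if err != nil {
		// The token already exists in Buddy but will never be persisted; revoke
		// it so it does not linger as a live credential Vault does not track.
		// Best effort: the parse error is the one worth surfacing.
		_ = client.DeleteToken(token.Id)
		return err
	}

	oldTokenId := config.TokenId
	config.Token = token.Token
	config.TokenId = token.Id
	config.TokenExpiresAt = expiresAt
	config.TokenNoExpiration = false
	config.TokenScopes = token.Scopes
	config.TokenIpRestrictions = token.IpRestrictions
	config.TokenWorkspaceRestrictions = token.WorkspaceRestrictions
	if config.TokenAutoRotate {
		// Schedule the next rotation one day before the new token expires.
		// AddDate normalises exactly like time.Date(..., Day()-1, ...), so
		// month and year boundaries are handled.
		config.TokenAutoRotateAt = expiresAt.AddDate(0, 0, -1)
	}

	if err := b.saveConfig(ctx, config, sys.Storage); err != nil {
		// The new token was never persisted; revoke it so Buddy is not left
		// with a credential Vault does not know about. The revoke error is
		// deliberately dropped in favour of the save error.
		_ = client.DeleteToken(token.Id)
		return err
	}

	// Revoke the previous token now that the new one is stored. Skip the call
	// when there was no previous id or when Buddy returned the same id, which
	// would revoke the token just saved. A failure here is not returned
	// because the rotation itself succeeded; the old token may then remain
	// valid in Buddy until it is removed out of band.
	if oldTokenId != "" && oldTokenId != token.Id {
		_ = client.DeleteToken(oldTokenId)
	}
	return nil
}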
// pathRotateRoot is the update-operation callback for "rotate-root". It
// delegates to rotateRootToken and never produces a response body, so the
// new token is not exposed to the caller; only an error, if any, is reported.
func (b *buddySecretBackend) pathRotateRoot(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
	if err := b.rotateRootToken(ctx, req); err != nil {
		return nil, err
	}
	return nil, nil
}
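const (
	// rotateHelpSyn is the one-line synopsis shown for the rotate-root path.
	rotateHelpSyn = "Attempt to rotate the root credentials used to communicate with Buddy"

	// rotateHelpDesc is the long-form help for the rotate-root path. It states
	// that the new token is never returned to the caller, by this endpoint or
	// by reading the config.
	rotateHelpDesc = `
This path will attempt to generate a new root token for the user.
The new token will have the same scopes and filters as the old one.
The old token will be removed if possible.
The new token will not be returned from this endpoint or by reading the config.
`
)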