本文整理汇总了Golang中github.com/hashicorp/vault/logical/framework.FieldData.GetOk方法的典型用法代码示例。如果您正苦于以下问题:Golang FieldData.GetOk方法的具体用法?Golang FieldData.GetOk怎么用?Golang FieldData.GetOk使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类github.com/hashicorp/vault/logical/framework.FieldData
的用法示例。
在下文中一共展示了FieldData.GetOk方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: pathConfigCertificateCreateUpdate
// pathConfigCertificateCreateUpdate is used to register an AWS Public Key that is
// used to verify the PKCS#7 signature of the instance identity document.
func (b *backend) pathConfigCertificateCreateUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
certName := data.Get("cert_name").(string)
if certName == "" {
return logical.ErrorResponse("missing cert_name"), nil
}
b.configMutex.Lock()
defer b.configMutex.Unlock()
// Check if there is already a certificate entry registered.
certEntry, err := b.nonLockedAWSPublicCertificateEntry(req.Storage, certName)
if err != nil {
return nil, err
}
if certEntry == nil {
certEntry = &awsPublicCert{}
}
// Check if the value is provided by the client.
certStrData, ok := data.GetOk("aws_public_cert")
if ok {
if certBytes, err := base64.StdEncoding.DecodeString(certStrData.(string)); err == nil {
certEntry.AWSPublicCert = string(certBytes)
} else {
certEntry.AWSPublicCert = certStrData.(string)
}
} else {
// aws_public_cert should be supplied for both create and update operations.
// If it is not provided, throw an error.
return logical.ErrorResponse("missing aws_public_cert"), nil
}
// If explicitly set to empty string, error out.
if certEntry.AWSPublicCert == "" {
return logical.ErrorResponse("invalid aws_public_cert"), nil
}
// Verify the certificate by decoding it and parsing it.
publicCert, err := decodePEMAndParseCertificate(certEntry.AWSPublicCert)
if err != nil {
return nil, err
}
if publicCert == nil {
return logical.ErrorResponse("invalid certificate; failed to decode and parse certificate"), nil
}
// Ensure that we have not
// If none of the checks fail, save the provided certificate.
entry, err := logical.StorageEntryJSON("config/certificate/"+certName, certEntry)
if err != nil {
return nil, err
}
if err := req.Storage.Put(entry); err != nil {
return nil, err
}
return nil, nil
}
示例2: pathConfigTidyRoletagBlacklistCreateUpdate
func (b *backend) pathConfigTidyRoletagBlacklistCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
configEntry, err := b.nonLockedConfigTidyRoleTags(req.Storage)
if err != nil {
return nil, err
}
if configEntry == nil {
configEntry = &tidyBlacklistRoleTagConfig{}
}
safetyBufferInt, ok := data.GetOk("safety_buffer")
if ok {
configEntry.SafetyBuffer = safetyBufferInt.(int)
} else if req.Operation == logical.CreateOperation {
configEntry.SafetyBuffer = data.Get("safety_buffer").(int)
}
disablePeriodicTidyBool, ok := data.GetOk("disable_periodic_tidy")
if ok {
configEntry.DisablePeriodicTidy = disablePeriodicTidyBool.(bool)
} else if req.Operation == logical.CreateOperation {
configEntry.DisablePeriodicTidy = data.Get("disable_periodic_tidy").(bool)
}
entry, err := logical.StorageEntryJSON(roletagBlacklistConfigPath, configEntry)
if err != nil {
return nil, err
}
if err := req.Storage.Put(entry); err != nil {
return nil, err
}
return nil, nil
}
示例3: handleMountTune
// handleMountTune is used to set config settings on a backend
func (b *SystemBackend) handleMountTune(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
path := data.Get("path").(string)
if path == "" {
return logical.ErrorResponse(
"path must be specified as a string"),
logical.ErrInvalidRequest
}
if !strings.HasSuffix(path, "/") {
path += "/"
}
// Prevent protected paths from being changed
for _, p := range untunableMounts {
if strings.HasPrefix(path, p) {
err := fmt.Errorf("[ERR] core: cannot tune '%s'", path)
b.Backend.Logger().Print(err)
return handleError(err)
}
}
mountEntry := b.Core.router.MatchingMountEntry(path)
if mountEntry == nil {
err := fmt.Errorf("[ERR] sys: tune of path '%s' failed: no mount entry found", path)
b.Backend.Logger().Print(err)
return handleError(err)
}
newMountConfig := mountEntry.Config
// Timing configuration parameters
{
var needTTLTune bool
defTTLInt, ok := data.GetOk("default_lease_ttl")
if ok {
newMountConfig.DefaultLeaseTTL = time.Duration(defTTLInt.(int))
needTTLTune = true
}
maxTTLInt, ok := data.GetOk("max_lease_ttl")
if ok {
newMountConfig.MaxLeaseTTL = time.Duration(maxTTLInt.(int))
needTTLTune = true
}
if needTTLTune {
if err := b.tuneMountTTLs(path, &mountEntry.Config, &newMountConfig); err != nil {
b.Backend.Logger().Printf("[ERR] sys: tune of path '%s' failed: %v", path, err)
return handleError(err)
}
}
}
return nil, nil
}
示例4: pathConfigWrite
func (b *backend) pathConfigWrite(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
organization := data.Get("organization").(string)
baseURL := data.Get("base_url").(string)
if len(baseURL) != 0 {
_, err := url.Parse(baseURL)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Error parsing given base_url: %s", err)), nil
}
}
var ttl time.Duration
var err error
ttlRaw, ok := data.GetOk("ttl")
if !ok || len(ttlRaw.(string)) == 0 {
ttl = 0
} else {
ttl, err = time.ParseDuration(ttlRaw.(string))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Invalid 'ttl':%s", err)), nil
}
}
var maxTTL time.Duration
maxTTLRaw, ok := data.GetOk("max_ttl")
if !ok || len(maxTTLRaw.(string)) == 0 {
maxTTL = 0
} else {
maxTTL, err = time.ParseDuration(maxTTLRaw.(string))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Invalid 'max_ttl':%s", err)), nil
}
}
entry, err := logical.StorageEntryJSON("config", config{
Org: organization,
BaseURL: baseURL,
TTL: ttl,
MaxTTL: maxTTL,
})
if err != nil {
return nil, err
}
if err := req.Storage.Put(entry); err != nil {
return nil, err
}
return nil, nil
}
示例5: pathConfigWrite
func pathConfigWrite(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := d.Get("name").(string)
// Check if the policy already exists
policy, err := getPolicy(req, name)
if err != nil {
return nil, err
}
if policy == nil {
return logical.ErrorResponse(
fmt.Sprintf("no existing role named %s could be found", name)),
logical.ErrInvalidRequest
}
persistNeeded := false
minDecryptionVersion := d.Get("min_decryption_version").(int)
if minDecryptionVersion != 0 &&
minDecryptionVersion != policy.MinDecryptionVersion {
policy.MinDecryptionVersion = minDecryptionVersion
persistNeeded = true
}
allowDeletionInt, ok := d.GetOk("deletion_allowed")
if ok {
allowDeletion := allowDeletionInt.(bool)
if allowDeletion != policy.DeletionAllowed {
policy.DeletionAllowed = allowDeletion
persistNeeded = true
}
}
if !persistNeeded {
return nil, nil
}
return nil, policy.Persist(req.Storage, name)
}
示例6: userCreateUpdate
func (b *backend) userCreateUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
username := strings.ToLower(d.Get("username").(string))
userEntry, err := b.user(req.Storage, username)
if err != nil {
return nil, err
}
// Due to existence check, user will only be nil if it's a create operation
if userEntry == nil {
userEntry = &UserEntry{}
}
if _, ok := d.GetOk("password"); ok {
userErr, intErr := b.updateUserPassword(req, d, userEntry)
if intErr != nil {
return nil, err
}
if userErr != nil {
return logical.ErrorResponse(userErr.Error()), logical.ErrInvalidRequest
}
}
if policiesRaw, ok := d.GetOk("policies"); ok {
userEntry.Policies = policyutil.ParsePolicies(policiesRaw.(string))
}
ttlStr := userEntry.TTL.String()
if ttlStrRaw, ok := d.GetOk("ttl"); ok {
ttlStr = ttlStrRaw.(string)
}
maxTTLStr := userEntry.MaxTTL.String()
if maxTTLStrRaw, ok := d.GetOk("max_ttl"); ok {
maxTTLStr = maxTTLStrRaw.(string)
}
userEntry.TTL, userEntry.MaxTTL, err = b.SanitizeTTLStr(ttlStr, maxTTLStr)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("err: %s", err)), nil
}
return nil, b.setUser(req.Storage, username, userEntry)
}
示例7: pathWriteURL
func (b *backend) pathWriteURL(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
entries, err := getURLs(req)
if err != nil {
return nil, err
}
if entries == nil {
entries = &urlEntries{
IssuingCertificates: []string{},
CRLDistributionPoints: []string{},
OCSPServers: []string{},
}
}
if urlsInt, ok := data.GetOk("issuing_certificates"); ok {
splitURLs := strings.Split(urlsInt.(string), ",")
entries.IssuingCertificates = splitURLs
if badUrl := validateURLs(entries.IssuingCertificates); badUrl != "" {
return logical.ErrorResponse(fmt.Sprintf(
"invalid URL found in issuing certificates: %s", badUrl)), nil
}
}
if urlsInt, ok := data.GetOk("crl_distribution_points"); ok {
splitURLs := strings.Split(urlsInt.(string), ",")
entries.CRLDistributionPoints = splitURLs
if badUrl := validateURLs(entries.CRLDistributionPoints); badUrl != "" {
return logical.ErrorResponse(fmt.Sprintf(
"invalid URL found in CRL distribution points: %s", badUrl)), nil
}
}
if urlsInt, ok := data.GetOk("ocsp_servers"); ok {
splitURLs := strings.Split(urlsInt.(string), ",")
entries.OCSPServers = splitURLs
if badUrl := validateURLs(entries.OCSPServers); badUrl != "" {
return logical.ErrorResponse(fmt.Sprintf(
"invalid URL found in OCSP servers: %s", badUrl)), nil
}
}
return nil, writeURLs(req, entries)
}
示例8: pathEncryptWrite
func (b *backend) pathEncryptWrite(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
name := d.Get("name").(string)
valueRaw, ok := d.GetOk("plaintext")
if !ok {
return logical.ErrorResponse("missing plaintext to encrypt"), logical.ErrInvalidRequest
}
value := valueRaw.(string)
// Decode the context if any
contextRaw := d.Get("context").(string)
var context []byte
var err error
if len(contextRaw) != 0 {
context, err = base64.StdEncoding.DecodeString(contextRaw)
if err != nil {
return logical.ErrorResponse("failed to base64-decode context"), logical.ErrInvalidRequest
}
}
// Decode the nonce if any
nonceRaw := d.Get("nonce").(string)
var nonce []byte
if len(nonceRaw) != 0 {
nonce, err = base64.StdEncoding.DecodeString(nonceRaw)
if err != nil {
return logical.ErrorResponse("failed to base64-decode nonce"), logical.ErrInvalidRequest
}
}
// Get the policy
var p *policy
var lock *sync.RWMutex
var upserted bool
if req.Operation == logical.CreateOperation {
convergent := d.Get("convergent_encryption").(bool)
if convergent && len(context) == 0 {
return logical.ErrorResponse("convergent encryption requires derivation to be enabled, so context is required"), nil
}
polReq := policyRequest{
storage: req.Storage,
name: name,
derived: len(context) != 0,
convergent: convergent,
}
keyType := d.Get("type").(string)
switch keyType {
case "aes256-gcm96":
polReq.keyType = keyType_AES256_GCM96
case "ecdsa-p256":
return logical.ErrorResponse(fmt.Sprintf("key type %v not supported for this operation", keyType)), logical.ErrInvalidRequest
default:
return logical.ErrorResponse(fmt.Sprintf("unknown key type %v", keyType)), logical.ErrInvalidRequest
}
p, lock, upserted, err = b.lm.GetPolicyUpsert(polReq)
} else {
p, lock, err = b.lm.GetPolicyShared(req.Storage, name)
}
if lock != nil {
defer lock.RUnlock()
}
if err != nil {
return nil, err
}
if p == nil {
return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest
}
ciphertext, err := p.Encrypt(context, nonce, value)
if err != nil {
switch err.(type) {
case errutil.UserError:
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
case errutil.InternalError:
return nil, err
default:
return nil, err
}
}
if ciphertext == "" {
return nil, fmt.Errorf("empty ciphertext returned")
}
// Generate the response
resp := &logical.Response{
Data: map[string]interface{}{
"ciphertext": ciphertext,
},
}
if req.Operation == logical.CreateOperation && !upserted {
resp.AddWarning("Attempted creation of the key during the encrypt operation, but it was created beforehand")
}
//.........这里部分代码省略.........
示例9: pathConfigClientCreateUpdate
// pathConfigClientCreateUpdate is used to register the 'aws_secret_key' and 'aws_access_key'
// that can be used to interact with AWS EC2 API.
func (b *backend) pathConfigClientCreateUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
configEntry, err := b.nonLockedClientConfigEntry(req.Storage)
if err != nil {
return nil, err
}
if configEntry == nil {
configEntry = &clientConfig{}
}
changedCreds := false
accessKeyStr, ok := data.GetOk("access_key")
if ok {
if configEntry.AccessKey != accessKeyStr.(string) {
changedCreds = true
configEntry.AccessKey = accessKeyStr.(string)
}
} else if req.Operation == logical.CreateOperation {
// Use the default
configEntry.AccessKey = data.Get("access_key").(string)
}
secretKeyStr, ok := data.GetOk("secret_key")
if ok {
if configEntry.SecretKey != secretKeyStr.(string) {
changedCreds = true
configEntry.SecretKey = secretKeyStr.(string)
}
} else if req.Operation == logical.CreateOperation {
configEntry.SecretKey = data.Get("secret_key").(string)
}
endpointStr, ok := data.GetOk("endpoint")
if ok {
if configEntry.Endpoint != endpointStr.(string) {
changedCreds = true
configEntry.Endpoint = endpointStr.(string)
}
} else if req.Operation == logical.CreateOperation {
configEntry.Endpoint = data.Get("endpoint").(string)
}
// Since this endpoint supports both create operation and update operation,
// the error checks for access_key and secret_key not being set are not present.
// This allows calling this endpoint multiple times to provide the values.
// Hence, the readers of this endpoint should do the validation on
// the validation of keys before using them.
entry, err := logical.StorageEntryJSON("config/client", configEntry)
if err != nil {
return nil, err
}
if err := req.Storage.Put(entry); err != nil {
return nil, err
}
if changedCreds {
b.flushCachedEC2Clients()
b.flushCachedIAMClients()
}
return nil, nil
}
示例10: tokenStoreRoleCreateUpdate
func (ts *TokenStore) tokenStoreRoleCreateUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
name := data.Get("role_name").(string)
if name == "" {
return logical.ErrorResponse("role name cannot be empty"), nil
}
entry, err := ts.tokenStoreRole(name)
if err != nil {
return nil, err
}
// Due to the existence check, entry will only be nil if it's a create
// operation, so just create a new one
if entry == nil {
entry = &tsRoleEntry{
Name: name,
}
}
// In this series of blocks, if we do not find a user-provided value and
// it's a creation operation, we call data.Get to get the appropriate
// default
orphanInt, ok := data.GetOk("orphan")
if ok {
entry.Orphan = orphanInt.(bool)
} else if req.Operation == logical.CreateOperation {
entry.Orphan = data.Get("orphan").(bool)
}
periodInt, ok := data.GetOk("period")
if ok {
entry.Period = time.Second * time.Duration(periodInt.(int))
} else if req.Operation == logical.CreateOperation {
entry.Period = time.Second * time.Duration(data.Get("period").(int))
}
pathSuffixInt, ok := data.GetOk("path_suffix")
if ok {
pathSuffix := pathSuffixInt.(string)
if pathSuffix != "" {
matched := pathSuffixSanitize.MatchString(pathSuffix)
if !matched {
return logical.ErrorResponse(fmt.Sprintf("given role path suffix contains invalid characters; must match %s", pathSuffixSanitize.String())), nil
}
entry.PathSuffix = pathSuffix
}
} else if req.Operation == logical.CreateOperation {
entry.PathSuffix = data.Get("path_suffix").(string)
}
allowedPoliciesInt, ok := data.GetOk("allowed_policies")
if ok {
allowedPolicies := allowedPoliciesInt.(string)
if allowedPolicies != "" {
entry.AllowedPolicies = strings.Split(allowedPolicies, ",")
}
} else if req.Operation == logical.CreateOperation {
entry.AllowedPolicies = strings.Split(data.Get("allowed_policies").(string), ",")
}
// Store it
jsonEntry, err := logical.StorageEntryJSON(fmt.Sprintf("%s%s", rolesPrefix, name), entry)
if err != nil {
return nil, err
}
if err := ts.view.Put(jsonEntry); err != nil {
return nil, err
}
return nil, nil
}
示例11: pathRoleCreateUpdate
// pathRoleCreateUpdate is used to associate Vault policies to a given AMI ID.
func (b *backend) pathRoleCreateUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
roleName := strings.ToLower(data.Get("role").(string))
if roleName == "" {
return logical.ErrorResponse("missing role"), nil
}
b.roleMutex.Lock()
defer b.roleMutex.Unlock()
roleEntry, err := b.nonLockedAWSRole(req.Storage, roleName)
if err != nil {
return nil, err
}
if roleEntry == nil {
roleEntry = &awsRoleEntry{}
}
// Fetch and set the bound parameters. There can't be default values
// for these.
if boundAmiIDRaw, ok := data.GetOk("bound_ami_id"); ok {
roleEntry.BoundAmiID = boundAmiIDRaw.(string)
}
if boundAccountIDRaw, ok := data.GetOk("bound_account_id"); ok {
roleEntry.BoundAccountID = boundAccountIDRaw.(string)
}
if boundIamRoleARNRaw, ok := data.GetOk("bound_iam_role_arn"); ok {
roleEntry.BoundIamRoleARN = boundIamRoleARNRaw.(string)
}
if boundIamInstanceProfileARNRaw, ok := data.GetOk("bound_iam_instance_profile_arn"); ok {
roleEntry.BoundIamInstanceProfileARN = boundIamInstanceProfileARNRaw.(string)
}
// Ensure that at least one bound is set on the role
switch {
case roleEntry.BoundAccountID != "":
case roleEntry.BoundAmiID != "":
case roleEntry.BoundIamInstanceProfileARN != "":
case roleEntry.BoundIamRoleARN != "":
default:
return logical.ErrorResponse("at least be one bound parameter should be specified on the role"), nil
}
policiesStr, ok := data.GetOk("policies")
if ok {
roleEntry.Policies = policyutil.ParsePolicies(policiesStr.(string))
} else if req.Operation == logical.CreateOperation {
roleEntry.Policies = []string{"default"}
}
disallowReauthenticationBool, ok := data.GetOk("disallow_reauthentication")
if ok {
roleEntry.DisallowReauthentication = disallowReauthenticationBool.(bool)
} else if req.Operation == logical.CreateOperation {
roleEntry.DisallowReauthentication = data.Get("disallow_reauthentication").(bool)
}
allowInstanceMigrationBool, ok := data.GetOk("allow_instance_migration")
if ok {
roleEntry.AllowInstanceMigration = allowInstanceMigrationBool.(bool)
} else if req.Operation == logical.CreateOperation {
roleEntry.AllowInstanceMigration = data.Get("allow_instance_migration").(bool)
}
var resp logical.Response
ttlRaw, ok := data.GetOk("ttl")
if ok {
ttl := time.Duration(ttlRaw.(int)) * time.Second
defaultLeaseTTL := b.System().DefaultLeaseTTL()
if ttl > defaultLeaseTTL {
resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds greater than current mount/system default of %d seconds; ttl will be capped at login time", ttl/time.Second, defaultLeaseTTL/time.Second))
}
roleEntry.TTL = ttl
} else if req.Operation == logical.CreateOperation {
roleEntry.TTL = time.Duration(data.Get("ttl").(int)) * time.Second
}
maxTTLInt, ok := data.GetOk("max_ttl")
if ok {
maxTTL := time.Duration(maxTTLInt.(int)) * time.Second
systemMaxTTL := b.System().MaxLeaseTTL()
if maxTTL > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds greater than current mount/system default of %d seconds; max_ttl will be capped at login time", maxTTL/time.Second, systemMaxTTL/time.Second))
}
if maxTTL < time.Duration(0) {
return logical.ErrorResponse("max_ttl cannot be negative"), nil
}
roleEntry.MaxTTL = maxTTL
} else if req.Operation == logical.CreateOperation {
roleEntry.MaxTTL = time.Duration(data.Get("max_ttl").(int)) * time.Second
}
//.........这里部分代码省略.........
示例12: pathConfigCertificateCreateUpdate
// pathConfigCertificateCreateUpdate is used to register an AWS Public Key that
// is used to verify the PKCS#7 signature of the instance identity document.
func (b *backend) pathConfigCertificateCreateUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
certName := data.Get("cert_name").(string)
if certName == "" {
return logical.ErrorResponse("missing certificate name"), nil
}
b.configMutex.Lock()
defer b.configMutex.Unlock()
// Check if there is already a certificate entry registered
certEntry, err := b.nonLockedAWSPublicCertificateEntry(req.Storage, certName)
if err != nil {
return nil, err
}
if certEntry == nil {
certEntry = &awsPublicCert{}
}
// Check if type information is provided
certTypeRaw, ok := data.GetOk("type")
if ok {
certEntry.Type = strings.ToLower(certTypeRaw.(string))
} else if req.Operation == logical.CreateOperation {
certEntry.Type = data.Get("type").(string)
}
switch certEntry.Type {
case "pkcs7":
case "identity":
default:
return logical.ErrorResponse(fmt.Sprintf("invalid certificate type %q", certEntry.Type)), nil
}
// Check if the value is provided by the client
certStrData, ok := data.GetOk("aws_public_cert")
if ok {
if certBytes, err := base64.StdEncoding.DecodeString(certStrData.(string)); err == nil {
certEntry.AWSPublicCert = string(certBytes)
} else {
certEntry.AWSPublicCert = certStrData.(string)
}
} else {
// aws_public_cert should be supplied for both create and update operations.
// If it is not provided, throw an error.
return logical.ErrorResponse("missing aws_public_cert"), nil
}
// If explicitly set to empty string, error out
if certEntry.AWSPublicCert == "" {
return logical.ErrorResponse("invalid aws_public_cert"), nil
}
// Verify the certificate by decoding it and parsing it
publicCert, err := decodePEMAndParseCertificate(certEntry.AWSPublicCert)
if err != nil {
return nil, err
}
if publicCert == nil {
return logical.ErrorResponse("invalid certificate; failed to decode and parse certificate"), nil
}
// If none of the checks fail, save the provided certificate
if err := b.nonLockedSetAWSPublicCertificateEntry(req.Storage, certName, certEntry); err != nil {
return nil, err
}
return nil, nil
}
示例13: generateCreationBundle
// generateCreationBundle is a shared function that reads parameters supplied
// from the various endpoints and generates a creationBundle with the
// parameters that can be used to issue or sign
func generateCreationBundle(b *backend,
role *roleEntry,
signingBundle *caInfoBundle,
csr *x509.CertificateRequest,
req *logical.Request,
data *framework.FieldData) (*creationBundle, error) {
var err error
var ok bool
// Get the common name
var cn string
{
if csr != nil {
if role.UseCSRCommonName {
cn = csr.Subject.CommonName
}
}
if cn == "" {
cn = data.Get("common_name").(string)
if cn == "" {
return nil, errutil.UserError{Err: `the common_name field is required, or must be provided in a CSR with "use_csr_common_name" set to true`}
}
}
}
// Read in alternate names -- DNS and email addresses
dnsNames := []string{}
emailAddresses := []string{}
{
if !data.Get("exclude_cn_from_sans").(bool) {
if strings.Contains(cn, "@") {
// Note: emails are not disallowed if the role's email protection
// flag is false, because they may well be included for
// informational purposes; it is up to the verifying party to
// ensure that email addresses in a subject alternate name can be
// used for the purpose for which they are presented
emailAddresses = append(emailAddresses, cn)
} else {
dnsNames = append(dnsNames, cn)
}
}
cnAltInt, ok := data.GetOk("alt_names")
if ok {
cnAlt := cnAltInt.(string)
if len(cnAlt) != 0 {
for _, v := range strings.Split(cnAlt, ",") {
if strings.Contains(v, "@") {
emailAddresses = append(emailAddresses, v)
} else {
dnsNames = append(dnsNames, v)
}
}
}
}
// Check for bad email and/or DNS names
badName, err := validateNames(req, dnsNames, role)
if len(badName) != 0 {
return nil, errutil.UserError{Err: fmt.Sprintf(
"name %s not allowed by this role", badName)}
} else if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf(
"error validating name %s: %s", badName, err)}
}
badName, err = validateNames(req, emailAddresses, role)
if len(badName) != 0 {
return nil, errutil.UserError{Err: fmt.Sprintf(
"email %s not allowed by this role", badName)}
} else if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf(
"error validating name %s: %s", badName, err)}
}
}
// Get and verify any IP SANs
ipAddresses := []net.IP{}
var ipAltInt interface{}
{
ipAltInt, ok = data.GetOk("ip_sans")
if ok {
ipAlt := ipAltInt.(string)
if len(ipAlt) != 0 {
if !role.AllowIPSANs {
return nil, errutil.UserError{Err: fmt.Sprintf(
"IP Subject Alternative Names are not allowed in this role, but was provided %s", ipAlt)}
}
for _, v := range strings.Split(ipAlt, ",") {
parsedIP := net.ParseIP(v)
if parsedIP == nil {
return nil, errutil.UserError{Err: fmt.Sprintf(
"the value '%s' is not a valid IP address", v)}
}
ipAddresses = append(ipAddresses, parsedIP)
}
}
}
//.........这里部分代码省略.........
示例14: pathCASignIntermediate
func (b *backend) pathCASignIntermediate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
var err error
format := getFormat(data)
if format == "" {
return logical.ErrorResponse(
`The "format" path parameter must be "pem" or "der"`,
), nil
}
role := &roleEntry{
TTL: data.Get("ttl").(string),
AllowLocalhost: true,
AllowAnyName: true,
AllowIPSANs: true,
EnforceHostnames: false,
KeyType: "any",
}
if cn := data.Get("common_name").(string); len(cn) == 0 {
role.UseCSRCommonName = true
}
var caErr error
signingBundle, caErr := fetchCAInfo(req)
switch caErr.(type) {
case certutil.UserError:
return nil, certutil.UserError{Err: fmt.Sprintf(
"could not fetch the CA certificate (was one set?): %s", caErr)}
case certutil.InternalError:
return nil, certutil.InternalError{Err: fmt.Sprintf(
"error fetching CA certificate: %s", caErr)}
}
useCSRValues := data.Get("use_csr_values").(bool)
maxPathLengthIface, ok := data.GetOk("max_path_length")
if ok {
maxPathLength := maxPathLengthIface.(int)
role.MaxPathLength = &maxPathLength
}
parsedBundle, err := signCert(b, role, signingBundle, true, useCSRValues, req, data)
if err != nil {
switch err.(type) {
case certutil.UserError:
return logical.ErrorResponse(err.Error()), nil
case certutil.InternalError:
return nil, err
}
}
cb, err := parsedBundle.ToCertBundle()
if err != nil {
return nil, fmt.Errorf("Error converting raw cert bundle to cert bundle: %s", err)
}
resp := &logical.Response{
Data: map[string]interface{}{
"expiration": int64(parsedBundle.Certificate.NotAfter.Unix()),
"serial_number": cb.SerialNumber,
},
}
switch format {
case "pem":
resp.Data["certificate"] = cb.Certificate
resp.Data["issuing_ca"] = cb.IssuingCA
case "pem_bundle":
resp.Data["certificate"] = fmt.Sprintf("%s\n%s", cb.Certificate, cb.IssuingCA)
resp.Data["issuing_ca"] = cb.IssuingCA
case "der":
resp.Data["certificate"] = base64.StdEncoding.EncodeToString(parsedBundle.CertificateBytes)
resp.Data["issuing_ca"] = base64.StdEncoding.EncodeToString(parsedBundle.IssuingCABytes)
}
err = req.Storage.Put(&logical.StorageEntry{
Key: "certs/" + cb.SerialNumber,
Value: parsedBundle.CertificateBytes,
})
if err != nil {
return nil, fmt.Errorf("Unable to store certificate locally")
}
if parsedBundle.Certificate.MaxPathLen == 0 {
resp.AddWarning("Max path length of the signed certificate is zero. This certificate cannot be used to issue intermediate CA certificates.")
}
return resp, nil
}
示例15: pathRoleCreateUpdate
// pathRoleCreateUpdate is used to associate Vault policies to a given AMI ID.
func (b *backend) pathRoleCreateUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
roleName := strings.ToLower(data.Get("role").(string))
if roleName == "" {
return logical.ErrorResponse("missing role"), nil
}
b.roleMutex.Lock()
defer b.roleMutex.Unlock()
roleEntry, err := b.nonLockedAWSRole(req.Storage, roleName)
if err != nil {
return nil, err
}
if roleEntry == nil {
roleEntry = &awsRoleEntry{}
}
// Set the bound parameters only if they are supplied.
// There are no default values for bound parameters.
boundAmiIDStr, ok := data.GetOk("bound_ami_id")
if ok {
roleEntry.BoundAmiID = boundAmiIDStr.(string)
}
boundIamARNStr, ok := data.GetOk("bound_iam_role_arn")
if ok {
roleEntry.BoundIamARN = boundIamARNStr.(string)
}
// At least one bound parameter should be set. Currently, only
// 'bound_ami_id' and 'bound_iam_role_arn' are supported. Check if one of them is set.
if roleEntry.BoundAmiID == "" {
// check if an IAM Role ARN was provided instead of an AMI ID
if roleEntry.BoundIamARN == "" {
return logical.ErrorResponse("role is not bounded to any resource; set bound_ami_id or bount_iam_role_arn"), nil
}
}
policiesStr, ok := data.GetOk("policies")
if ok {
roleEntry.Policies = policyutil.ParsePolicies(policiesStr.(string))
} else if req.Operation == logical.CreateOperation {
roleEntry.Policies = []string{"default"}
}
disallowReauthenticationBool, ok := data.GetOk("disallow_reauthentication")
if ok {
roleEntry.DisallowReauthentication = disallowReauthenticationBool.(bool)
} else if req.Operation == logical.CreateOperation {
roleEntry.DisallowReauthentication = data.Get("disallow_reauthentication").(bool)
}
allowInstanceMigrationBool, ok := data.GetOk("allow_instance_migration")
if ok {
roleEntry.AllowInstanceMigration = allowInstanceMigrationBool.(bool)
} else if req.Operation == logical.CreateOperation {
roleEntry.AllowInstanceMigration = data.Get("allow_instance_migration").(bool)
}
var resp logical.Response
maxTTLInt, ok := data.GetOk("max_ttl")
if ok {
maxTTL := time.Duration(maxTTLInt.(int)) * time.Second
systemMaxTTL := b.System().MaxLeaseTTL()
if maxTTL > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given TTL of %d seconds greater than current mount/system default of %d seconds; TTL will be capped at login time", maxTTL/time.Second, systemMaxTTL/time.Second))
}
if maxTTL < time.Duration(0) {
return logical.ErrorResponse("max_ttl cannot be negative"), nil
}
roleEntry.MaxTTL = maxTTL
} else if req.Operation == logical.CreateOperation {
roleEntry.MaxTTL = time.Duration(data.Get("max_ttl").(int)) * time.Second
}
roleTagStr, ok := data.GetOk("role_tag")
if ok {
roleEntry.RoleTag = roleTagStr.(string)
// There is a limit of 127 characters on the tag key for AWS EC2 instances.
// Complying to that requirement, do not allow the value of 'key' to be more than that.
if len(roleEntry.RoleTag) > 127 {
return logical.ErrorResponse("length of role tag exceeds the EC2 key limit of 127 characters"), nil
}
} else if req.Operation == logical.CreateOperation {
roleEntry.RoleTag = data.Get("role_tag").(string)
}
if roleEntry.HMACKey == "" {
roleEntry.HMACKey, err = uuid.GenerateUUID()
if err != nil {
return nil, fmt.Errorf("failed to generate role HMAC key: %v", err)
}
}
//.........这里部分代码省略.........