scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Run a more strict formatter over the code (#11312)

Browse Source 
* Update tooling

* Run gofumpt

* go mod vendor
This commit is contained in:
Brian Kassouf
2021-04-08 09:43:39 -07:00
committed by GitHub
parent 60f3ba99a4
commit a24653cc5c
658 changed files with 10961 additions and 3671 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@@ -210,7 +210,7 @@ fmtcheck:
#@sh -c "'$(CURDIR)/scripts/gofmtcheck.sh'"
fmt:
goimports -w $(GOFMT_FILES)
find . -name '*.go' | grep -v pb.go | grep -v vendor | xargs gofumpt -w
assetcheck:
@echo "==> Checking compiled UI assets..."

50
api/client.go
View File

@@ -25,26 +25,30 @@ import (
"golang.org/x/time/rate"
)
const EnvVaultAddress = "VAULT_ADDR"
const EnvVaultAgentAddr = "VAULT_AGENT_ADDR"
const EnvVaultCACert = "VAULT_CACERT"
const EnvVaultCAPath = "VAULT_CAPATH"
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
const EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
const EnvVaultSRVLookup = "VAULT_SRV_LOOKUP"
const EnvVaultSkipVerify = "VAULT_SKIP_VERIFY"
const EnvVaultNamespace = "VAULT_NAMESPACE"
const EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
const EnvVaultWrapTTL = "VAULT_WRAP_TTL"
const EnvVaultMaxRetries = "VAULT_MAX_RETRIES"
const EnvVaultToken = "VAULT_TOKEN"
const EnvVaultMFA = "VAULT_MFA"
const EnvRateLimit = "VAULT_RATE_LIMIT"
const (
EnvVaultAddress = "VAULT_ADDR"
EnvVaultAgentAddr = "VAULT_AGENT_ADDR"
EnvVaultCACert = "VAULT_CACERT"
EnvVaultCAPath = "VAULT_CAPATH"
EnvVaultClientCert = "VAULT_CLIENT_CERT"
EnvVaultClientKey = "VAULT_CLIENT_KEY"
EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
EnvVaultSRVLookup = "VAULT_SRV_LOOKUP"
EnvVaultSkipVerify = "VAULT_SKIP_VERIFY"
EnvVaultNamespace = "VAULT_NAMESPACE"
EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
EnvVaultWrapTTL = "VAULT_WRAP_TTL"
EnvVaultMaxRetries = "VAULT_MAX_RETRIES"
EnvVaultToken = "VAULT_TOKEN"
EnvVaultMFA = "VAULT_MFA"
EnvRateLimit = "VAULT_RATE_LIMIT"
)
// Deprecated values
const EnvVaultAgentAddress = "VAULT_AGENT_ADDR"
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
const (
EnvVaultAgentAddress = "VAULT_AGENT_ADDR"
EnvVaultInsecure = "VAULT_SKIP_VERIFY"
)
// WrappingLookupFunc is a function that, given an HTTP verb and a path,
// returns an optional string duration to be used for response wrapping (e.g.
@@ -359,7 +363,6 @@ func (c *Config) ReadEnvironment() error {
}
func parseRateLimit(val string) (rate float64, burst int, err error) {
_, err = fmt.Sscanf(val, "%f:%d", &rate, &burst)
if err != nil {
rate, err = strconv.ParseFloat(val, 64)
@@ -370,7 +373,6 @@ func parseRateLimit(val string) (rate float64, burst int, err error) {
}
return rate, burst, err
}
// Client is the client to the Vault API. Create a client with NewClient.
@@ -793,7 +795,7 @@ func (c *Client) NewRequest(method, requestPath string) *Request {
policyOverride := c.policyOverride
c.modifyLock.RUnlock()
var host = addr.Host
host := addr.Host
// if SRV records exist (see https://tools.ietf.org/html/draft-andrews-http-srv-02), lookup the SRV
// record and take the highest match; this is not designed for high-availability, just discovery
// Internet Draft specifies that the SRV record is ignored if a port is given
@@ -985,8 +987,10 @@ START:
return result, nil
}
type RequestCallback func(*Request)
type ResponseCallback func(*Response)
type (
RequestCallback func(*Request)
ResponseCallback func(*Response)
)
// WithRequestCallbacks makes a shallow clone of Client, modifies it to use
// the given callbacks, and returns it. Each of the callbacks will be invoked

4
api/client_test.go
View File

@@ -369,8 +369,8 @@ func TestParsingRateOnly(t *testing.T) {
}
func TestParsingErrorCase(t *testing.T) {
var incorrectFormat = "foobar"
var _, _, err = parseRateLimit(incorrectFormat)
incorrectFormat := "foobar"
_, _, err := parseRateLimit(incorrectFormat)
if err == nil {
t.Error("Expected error, found no error")
}

6
api/lifetime_watcher.go
View File

@@ -380,5 +380,7 @@ func (r *LifetimeWatcher) calculateGrace(leaseDuration time.Duration) {
r.grace = time.Duration(jitterMax) + time.Duration(uint64(r.random.Int63())%uint64(jitterMax))
}
type Renewer = LifetimeWatcher
type RenewerInput = LifetimeWatcherInput
type (
Renewer = LifetimeWatcher
RenewerInput = LifetimeWatcherInput
)

4
api/output_string.go
View File

@@ -11,9 +11,7 @@ const (
ErrOutputStringRequest = "output a string, please"
)
var (
LastOutputStringError *OutputStringError
)
var LastOutputStringError *OutputStringError
type OutputStringError struct {
*retryablehttp.Request

2
api/plugin_helpers.go
View File

@@ -82,7 +82,7 @@ func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)
return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
}
var allClaims = make(map[string]interface{})
allClaims := make(map[string]interface{})
if err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {
return nil, errwrap.Wrapf("error parsing claims from wrapping token: {{err}}", err)
}

5
api/ssh_agent_test.go
View File

@@ -33,7 +33,7 @@ func TestSSH_CreateTLSClient(t *testing.T) {
func TestSSH_CreateTLSClient_tlsServerName(t *testing.T) {
// Ensure that the HTTP client is associated with the configured TLS server name.
var tlsServerName = "tls.server.name"
tlsServerName := "tls.server.name"
config, err := ParseSSHHelperConfig(fmt.Sprintf(`
vault_addr = "1.2.3.4"
@@ -93,13 +93,12 @@ nope = "bad"
}
func TestParseSSHHelperConfig_tlsServerName(t *testing.T) {
var tlsServerName = "tls.server.name"
tlsServerName := "tls.server.name"
config, err := ParseSSHHelperConfig(fmt.Sprintf(`
vault_addr = "1.2.3.4"
tls_server_name = "%s"
`, tlsServerName))
if err != nil {
t.Fatal(err)
}

2
api/sys_audit.go
View File

@@ -52,7 +52,6 @@ func (c *Sys) ListAudit() (map[string]*Audit, error) {
ctx, cancelFunc := context.WithCancel(context.Background())
defer cancelFunc()
resp, err := c.c.RawRequestWithContext(ctx, r)
if err != nil {
return nil, err
}
@@ -94,7 +93,6 @@ func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) e
ctx, cancelFunc := context.WithCancel(context.Background())
defer cancelFunc()
resp, err := c.c.RawRequestWithContext(ctx, r)
if err != nil {
return err
}

10
api/sys_auth.go
View File

@@ -74,7 +74,9 @@ func (c *Sys) DisableAuth(path string) error {
}
// Rather than duplicate, we can use modern Go's type aliasing
type EnableAuthOptions = MountInput
type AuthConfigInput = MountConfigInput
type AuthMount = MountOutput
type AuthConfigOutput = MountConfigOutput
type (
EnableAuthOptions = MountInput
AuthConfigInput = MountConfigInput
AuthMount = MountOutput
AuthConfigOutput = MountConfigOutput
)

2
api/sys_plugins.go
View File

@@ -109,7 +109,6 @@ func (c *Sys) ListPlugins(i *ListPluginsInput) (*ListPluginsResponse, error) {
for i, nameIfc := range pluginsIfc {
name, ok := nameIfc.(string)
if !ok {
}
plugins[i] = name
}
@@ -323,7 +322,6 @@ func (c *Sys) ReloadPluginStatus(reloadStatusInput *ReloadPluginStatusInput) (*R
return &r, nil
}
return nil, nil
}
// catalogPathByType is a helper to construct the proper API path by plugin type

14
audit/format_json_test.go
View File

@@ -4,14 +4,12 @@ import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"strings"
"testing"
"time"
"errors"
"fmt"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/helper/salt"
@@ -61,7 +59,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
TTL: 60 * time.Second,
},
Headers: map[string][]string{
"foo": []string{"bar"},
"foo": {"bar"},
},
},
errors.New("this is an error"),
@@ -92,7 +90,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
TTL: 60 * time.Second,
},
Headers: map[string][]string{
"foo": []string{"bar"},
"foo": {"bar"},
},
},
errors.New("this is an error"),
@@ -125,14 +123,14 @@ func TestFormatJSON_formatRequest(t *testing.T) {
t.Fatalf("no prefix: %s \n log: %s\nprefix: %s", name, expectedResultStr, tc.Prefix)
}
var expectedjson = new(AuditRequestEntry)
expectedjson := new(AuditRequestEntry)
if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedjson); err != nil {
t.Fatalf("bad json: %s", err)
}
expectedjson.Request.Namespace = &AuditNamespace{ID: "root"}
var actualjson = new(AuditRequestEntry)
actualjson := new(AuditRequestEntry)
if err := jsonutil.DecodeJSON([]byte(buf.String())[len(tc.Prefix):], &actualjson); err != nil {
t.Fatalf("bad json: %s", err)
}

10
audit/format_jsonx_test.go
View File

@@ -3,14 +3,12 @@ package audit
import (
"bytes"
"context"
"errors"
"fmt"
"strings"
"testing"
"time"
"errors"
"fmt"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
@@ -63,7 +61,7 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
TTL: 60 * time.Second,
},
Headers: map[string][]string{
"foo": []string{"bar"},
"foo": {"bar"},
},
PolicyOverride: true,
},
@@ -100,7 +98,7 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
TTL: 60 * time.Second,
},
Headers: map[string][]string{
"foo": []string{"bar"},
"foo": {"bar"},
},
PolicyOverride: true,
},

2
builtin/audit/file/backend.go
View File

@@ -73,7 +73,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
}
// Check if mode is provided
mode := os.FileMode(0600)
mode := os.FileMode(0o600)
if modeRaw, ok := conf.Config["mode"]; ok {
m, err := strconv.ParseUint(modeRaw, 8, 32)
if err != nil {

6
builtin/audit/file/backend_test.go
View File

@@ -61,7 +61,7 @@ func TestAuditFile_fileModeExisting(t *testing.T) {
}
defer os.Remove(f.Name())
err = os.Chmod(f.Name(), 0777)
err = os.Chmod(f.Name(), 0o777)
if err != nil {
t.Fatalf("Failure to chmod temp file for testing.")
}
@@ -88,7 +88,7 @@ func TestAuditFile_fileModeExisting(t *testing.T) {
if err != nil {
t.Fatalf("cannot retrieve file mode from `Stat`")
}
if info.Mode() != os.FileMode(0600) {
if info.Mode() != os.FileMode(0o600) {
t.Fatalf("File mode does not match.")
}
}
@@ -126,7 +126,7 @@ func BenchmarkAuditFile_request(b *testing.B) {
TTL: 60 * time.Second,
},
Headers: map[string][]string{
"foo": []string{"bar"},
"foo": {"bar"},
},
},
}

8
builtin/credential/app-id/backend.go
View File

@@ -26,12 +26,12 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
PathMap: framework.PathMap{
Name: "app-id",
Schema: map[string]*framework.FieldSchema{
"display_name": &framework.FieldSchema{
"display_name": {
Type: framework.TypeString,
Description: "A name to map to this app ID for logs.",
},
"value": &framework.FieldSchema{
"value": {
Type: framework.TypeString,
Description: "Policies for the app ID.",
},
@@ -43,12 +43,12 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
b.MapUserId = &framework.PathMap{
Name: "user-id",
Schema: map[string]*framework.FieldSchema{
"cidr_block": &framework.FieldSchema{
"cidr_block": {
Type: framework.TypeString,
Description: "If not blank, restricts auth by this CIDR block",
},
"value": &framework.FieldSchema{
"value": {
Type: framework.TypeString,
Description: "App IDs that this user associates with.",
},

8
builtin/credential/app-id/path_login.go
View File

@@ -19,12 +19,12 @@ func pathLoginWithAppIDPath(b *backend) *framework.Path {
return &framework.Path{
Pattern: "login/(?P<app_id>.+)",
Fields: map[string]*framework.FieldSchema{
"app_id": &framework.FieldSchema{
"app_id": {
Type: framework.TypeString,
Description: "The unique app ID",
},
"user_id": &framework.FieldSchema{
"user_id": {
Type: framework.TypeString,
Description: "The unique user ID",
},
@@ -43,12 +43,12 @@ func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: "login$",
Fields: map[string]*framework.FieldSchema{
"app_id": &framework.FieldSchema{
"app_id": {
Type: framework.TypeString,
Description: "The unique app ID",
},
"user_id": &framework.FieldSchema{
"user_id": {
Type: framework.TypeString,
Description: "The unique user ID",
},

5
builtin/credential/approle/path_login.go
View File

@@ -17,11 +17,11 @@ func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: "login$",
Fields: map[string]*framework.FieldSchema{
"role_id": &framework.FieldSchema{
"role_id": {
Type: framework.TypeString,
Description: "Unique identifier of the Role. Required to be supplied when the 'bind_secret_id' constraint is set.",
},
"secret_id": &framework.FieldSchema{
"secret_id": {
Type: framework.TypeString,
Default: "",
Description: "SecretID belong to the App role",
@@ -54,7 +54,6 @@ func (b *backend) pathLoginUpdateAliasLookahead(ctx context.Context, req *logica
// Returns the Auth object indicating the authentication and authorization information
// if the credentials provided are validated by the backend.
func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
// RoleID must be supplied during every login
roleID := strings.TrimSpace(data.Get("role_id").(string))
if roleID == "" {

154
builtin/credential/approle/path_role.go
View File

@@ -110,58 +110,58 @@ func rolePaths(b *backend) []*framework.Path {
p := &framework.Path{
Pattern: "role/" + framework.GenericNameRegex("role_name"),
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"bind_secret_id": &framework.FieldSchema{
"bind_secret_id": {
Type: framework.TypeBool,
Default: true,
Description: "Impose secret_id to be presented when logging in using this role. Defaults to 'true'.",
},
"bound_cidr_list": &framework.FieldSchema{
"bound_cidr_list": {
Type: framework.TypeCommaStringSlice,
Description: `Use "secret_id_bound_cidrs" instead.`,
Deprecated: true,
},
"secret_id_bound_cidrs": &framework.FieldSchema{
"secret_id_bound_cidrs": {
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
IP addresses which can perform the login operation.`,
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_policies"),
Deprecated: true,
},
"secret_id_num_uses": &framework.FieldSchema{
"secret_id_num_uses": {
Type: framework.TypeInt,
Description: `Number of times a SecretID can access the role, after which the SecretID
will expire. Defaults to 0 meaning that the the secret_id is of unlimited use.`,
},
"secret_id_ttl": &framework.FieldSchema{
"secret_id_ttl": {
Type: framework.TypeDurationSecond,
Description: `Duration in seconds after which the issued SecretID should expire. Defaults
to 0, meaning no expiration.`,
},
"period": &framework.FieldSchema{
"period": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_period"),
Deprecated: true,
},
"role_id": &framework.FieldSchema{
"role_id": {
Type: framework.TypeString,
Description: "Identifier of the role. Defaults to a UUID.",
},
"local_secret_ids": &framework.FieldSchema{
"local_secret_ids": {
Type: framework.TypeBool,
Description: `If set, the secret IDs generated using this role will be cluster local. This
can only be set during role creation and once set, it can't be reset later.`,
@@ -182,7 +182,7 @@ can only be set during role creation and once set, it can't be reset later.`,
return []*framework.Path{
p,
&framework.Path{
{
Pattern: "role/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathRoleList,
@@ -190,10 +190,10 @@ can only be set during role creation and once set, it can't be reset later.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-list"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-list"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/local-secret-ids$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
@@ -204,19 +204,19 @@ can only be set during role creation and once set, it can't be reset later.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-local-secret-ids"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-local-secret-ids"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/policies$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_policies"),
Deprecated: true,
},
"token_policies": &framework.FieldSchema{
"token_policies": {
Type: framework.TypeCommaStringSlice,
Description: defTokenFields["token_policies"].Description,
},
@@ -229,14 +229,14 @@ can only be set during role creation and once set, it can't be reset later.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-policies"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-policies"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/bound-cidr-list$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"bound_cidr_list": &framework.FieldSchema{
"bound_cidr_list": {
Type: framework.TypeCommaStringSlice,
Description: `Deprecated: Please use "secret_id_bound_cidrs" instead. Comma separated string or list
of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.`,
@@ -250,14 +250,14 @@ of CIDR blocks. If set, specifies the blocks of IP addresses which can perform t
HelpSynopsis: strings.TrimSpace(roleHelp["role-bound-cidr-list"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-bound-cidr-list"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id-bound-cidrs$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id_bound_cidrs": &framework.FieldSchema{
"secret_id_bound_cidrs": {
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
IP addresses which can perform the login operation.`,
@@ -271,14 +271,14 @@ IP addresses which can perform the login operation.`,
HelpSynopsis: strings.TrimSpace(roleHelp["secret-id-bound-cidrs"][0]),
HelpDescription: strings.TrimSpace(roleHelp["secret-id-bound-cidrs"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/token-bound-cidrs$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"token_bound_cidrs": &framework.FieldSchema{
"token_bound_cidrs": {
Type: framework.TypeCommaStringSlice,
Description: defTokenFields["token_bound_cidrs"].Description,
},
@@ -291,14 +291,14 @@ IP addresses which can perform the login operation.`,
HelpSynopsis: strings.TrimSpace(roleHelp["token-bound-cidrs"][0]),
HelpDescription: strings.TrimSpace(roleHelp["token-bound-cidrs"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/bind-secret-id$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"bind_secret_id": &framework.FieldSchema{
"bind_secret_id": {
Type: framework.TypeBool,
Default: true,
Description: "Impose secret_id to be presented when logging in using this role.",
@@ -312,14 +312,14 @@ IP addresses which can perform the login operation.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-bind-secret-id"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-bind-secret-id"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id-num-uses$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id_num_uses": &framework.FieldSchema{
"secret_id_num_uses": {
Type: framework.TypeInt,
Description: "Number of times a SecretID can access the role, after which the SecretID will expire.",
},
@@ -332,14 +332,14 @@ IP addresses which can perform the login operation.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-secret-id-num-uses"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-secret-id-num-uses"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id-ttl$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id_ttl": &framework.FieldSchema{
"secret_id_ttl": {
Type: framework.TypeDurationSecond,
Description: `Duration in seconds after which the issued SecretID should expire. Defaults
to 0, meaning no expiration.`,
@@ -353,19 +353,19 @@ to 0, meaning no expiration.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-secret-id-ttl"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-secret-id-ttl"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/period$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"period": &framework.FieldSchema{
"period": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_period"),
Deprecated: true,
},
"token_period": &framework.FieldSchema{
"token_period": {
Type: framework.TypeDurationSecond,
Description: defTokenFields["token_period"].Description,
},
@@ -378,14 +378,14 @@ to 0, meaning no expiration.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-period"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-period"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/token-num-uses$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"token_num_uses": &framework.FieldSchema{
"token_num_uses": {
Type: framework.TypeInt,
Description: defTokenFields["token_num_uses"].Description,
},
@@ -398,14 +398,14 @@ to 0, meaning no expiration.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-token-num-uses"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-token-num-uses"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/token-ttl$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"token_ttl": &framework.FieldSchema{
"token_ttl": {
Type: framework.TypeDurationSecond,
Description: defTokenFields["token_ttl"].Description,
},
@@ -418,14 +418,14 @@ to 0, meaning no expiration.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-token-ttl"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-token-ttl"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/token-max-ttl$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"token_max_ttl": &framework.FieldSchema{
"token_max_ttl": {
Type: framework.TypeDurationSecond,
Description: defTokenFields["token_max_ttl"].Description,
},
@@ -438,14 +438,14 @@ to 0, meaning no expiration.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-token-max-ttl"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-token-max-ttl"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/role-id$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"role_id": &framework.FieldSchema{
"role_id": {
Type: framework.TypeString,
Description: "Identifier of the role. Defaults to a UUID.",
},
@@ -457,26 +457,26 @@ to 0, meaning no expiration.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-id"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-id"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id/?$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"metadata": &framework.FieldSchema{
"metadata": {
Type: framework.TypeString,
Description: `Metadata to be tied to the SecretID. This should be a JSON
formatted string containing the metadata in key value pairs.`,
},
"cidr_list": &framework.FieldSchema{
"cidr_list": {
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or list of CIDR blocks enforcing secret IDs to be used from
specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the
list of CIDR blocks listed here should be a subset of the CIDR blocks listed on
the role.`,
},
"token_bound_cidrs": &framework.FieldSchema{
"token_bound_cidrs": {
Type: framework.TypeCommaStringSlice,
Description: defTokenFields["token_bound_cidrs"].Description,
},
@@ -488,14 +488,14 @@ the role.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-secret-id"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-secret-id"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id/lookup/?$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id": &framework.FieldSchema{
"secret_id": {
Type: framework.TypeString,
Description: "SecretID attached to the role.",
},
@@ -506,14 +506,14 @@ the role.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-secret-id-lookup"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-secret-id-lookup"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id/destroy/?$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id": &framework.FieldSchema{
"secret_id": {
Type: framework.TypeString,
Description: "SecretID attached to the role.",
},
@@ -525,14 +525,14 @@ the role.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-secret-id-destroy"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-secret-id-destroy"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id-accessor/lookup/?$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id_accessor": &framework.FieldSchema{
"secret_id_accessor": {
Type: framework.TypeString,
Description: "Accessor of the SecretID",
},
@@ -543,14 +543,14 @@ the role.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-secret-id-accessor"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-secret-id-accessor"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/secret-id-accessor/destroy/?$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id_accessor": &framework.FieldSchema{
"secret_id_accessor": {
Type: framework.TypeString,
Description: "Accessor of the SecretID",
},
@@ -562,30 +562,30 @@ the role.`,
HelpSynopsis: strings.TrimSpace(roleHelp["role-secret-id-accessor"][0]),
HelpDescription: strings.TrimSpace(roleHelp["role-secret-id-accessor"][1]),
},
&framework.Path{
{
Pattern: "role/" + framework.GenericNameRegex("role_name") + "/custom-secret-id$",
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
"role_name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"secret_id": &framework.FieldSchema{
"secret_id": {
Type: framework.TypeString,
Description: "SecretID to be attached to the role.",
},
"metadata": &framework.FieldSchema{
"metadata": {
Type: framework.TypeString,
Description: `Metadata to be tied to the SecretID. This should be a JSON
formatted string containing metadata in key value pairs.`,
},
"cidr_list": &framework.FieldSchema{
"cidr_list": {
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or list of CIDR blocks enforcing secret IDs to be used from
specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the
list of CIDR blocks listed here should be a subset of the CIDR blocks listed on
the role.`,
},
"token_bound_cidrs": &framework.FieldSchema{
"token_bound_cidrs": {
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of
IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any.`,
@@ -2513,11 +2513,13 @@ that are generated against the role using 'role/<role_name>/secret-id' or
"role-secret-id-lookup": {
"Read the properties of an issued secret_id",
`This endpoint is used to read the properties of a secret_id associated to a
role.`},
role.`,
},
"role-secret-id-destroy": {
"Invalidate an issued secret_id",
`This endpoint is used to delete the properties of a secret_id associated to a
role.`},
role.`,
},
"role-secret-id-accessor-lookup": {
"Read an issued secret_id, using its accessor",
`This is particularly useful to lookup the non-expiring 'secret_id's.

1
builtin/credential/approle/path_role_test.go
View File

@@ -1890,7 +1890,6 @@ func TestAppRole_TokenutilUpgrade(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Construct the storage entry object based on our test case.
tokenTypeKV := ""
if !tt.storageValMissing {

9
builtin/credential/approle/path_tidy_user_id.go
View File

@@ -45,7 +45,6 @@ func (b *backend) tidySecretID(ctx context.Context, req *logical.Request) (*logi
resp := &logical.Response{}
resp.AddWarning("Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs.")
return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
}
type tidyHelperSecretIDAccessor struct {
@@ -197,7 +196,7 @@ func (b *backend) tidySecretIDinternal(s logical.Storage) {
// roles without having a lock while doing so. Because
// accHashesByLockID was populated previously, at worst this may
// mean that we fail to clean up something we ought to.
var allSecretIDHMACs = make(map[string]struct{})
allSecretIDHMACs := make(map[string]struct{})
for _, roleNameHMAC := range roleNameHMACs {
secretIDHMACs, err := s.List(ctx, secretIDPrefixToUse+roleNameHMAC)
if err != nil {
@@ -265,7 +264,9 @@ func (b *backend) pathTidySecretIDUpdate(ctx context.Context, req *logical.Reque
return b.tidySecretID(ctx, req)
}
const pathTidySecretIDSyn = "Trigger the clean-up of expired SecretID entries."
const pathTidySecretIDDesc = `SecretIDs will have expiration time attached to them. The periodic function
const (
pathTidySecretIDSyn = "Trigger the clean-up of expired SecretID entries."
pathTidySecretIDDesc = `SecretIDs will have expiration time attached to them. The periodic function
of the backend will look for expired entries and delete them. This happens once in a minute. Invoking
this endpoint will trigger the clean-up action, without waiting for the backend's periodic function.`
)

3
builtin/credential/aws/backend.go
View File

@@ -26,7 +26,8 @@ var defaultAllowedSTSRequestHeaders = []string{
"X-Amz-Date",
"X-Amz-Security-Token",
"X-Amz-Signature",
"X-Amz-SignedHeaders"}
"X-Amz-SignedHeaders",
}
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
b, err := Backend(conf)

5
builtin/credential/aws/backend_e2e_test.go
View File

@@ -14,7 +14,6 @@ import (
)
func TestBackend_E2E_Initialize(t *testing.T) {
ctx := context.Background()
// Set up the cluster. This will trigger an Initialize(); we sleep briefly
@@ -62,7 +61,8 @@ func TestBackend_E2E_Initialize(t *testing.T) {
data := map[string]interface{}{
"auth_type": "ec2",
"policies": "default",
"bound_subnet_id": "subnet-abcdef"}
"bound_subnet_id": "subnet-abcdef",
}
if _, err := core.Client.Logical().Write("auth/aws/role/test-role", data); err != nil {
t.Fatal(err)
}
@@ -100,7 +100,6 @@ func TestBackend_E2E_Initialize(t *testing.T) {
}
func setupAwsTestCluster(t *testing.T, _ context.Context) *vault.TestCluster {
// create a cluster with the aws auth backend built-in
logger := logging.NewVaultLogger(hclog.Trace)
coreConfig := &vault.CoreConfig{

23
builtin/credential/aws/backend_test.go
View File

@@ -20,9 +20,11 @@ import (
"github.com/hashicorp/vault/sdk/logical"
)
const testVaultHeaderValue = "VaultAcceptanceTesting"
const testValidRoleName = "valid-role"
const testInvalidRoleName = "invalid-role"
const (
testVaultHeaderValue = "VaultAcceptanceTesting"
testValidRoleName = "valid-role"
testInvalidRoleName = "invalid-role"
)
func TestBackend_CreateParseVerifyRoleTag(t *testing.T) {
// create a backend
@@ -479,7 +481,8 @@ func TestBackend_ConfigClient(t *testing.T) {
t.Fatal(err)
}
data := map[string]interface{}{"access_key": "AKIAJBRHKV6EVTTNXDHA",
data := map[string]interface{}{
"access_key": "AKIAJBRHKV6EVTTNXDHA",
"secret_key": "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",
}
@@ -495,7 +498,8 @@ func TestBackend_ConfigClient(t *testing.T) {
Data: data,
}
data3 := map[string]interface{}{"access_key": "",
data3 := map[string]interface{}{
"access_key": "",
"secret_key": "mCtSM8ZUEQ3mOFVZYPBQkf2sO6F/W7a5TVzrl3Oj",
}
stepInvalidAccessKey := logicaltest.TestStep{
@@ -505,7 +509,8 @@ func TestBackend_ConfigClient(t *testing.T) {
ErrorOk: true,
}
data4 := map[string]interface{}{"access_key": "accesskey",
data4 := map[string]interface{}{
"access_key": "accesskey",
"secret_key": "",
}
stepInvalidSecretKey := logicaltest.TestStep{
@@ -554,7 +559,7 @@ func TestBackend_ConfigClient(t *testing.T) {
t.Fatal(err)
}
//test existence check returning true
// test existence check returning true
checkFound, exists, err = b.HandleExistenceCheck(context.Background(), &logical.Request{
Operation: logical.CreateOperation,
Path: "config/client",
@@ -907,7 +912,6 @@ func TestBackend_PathRoleTag(t *testing.T) {
}
func TestBackend_PathBlacklistRoleTag(t *testing.T) {
for _, path := range []string{"roletag-blacklist/", "roletag-denylist/"} {
// create the backend
storage := &logical.InmemStorage{}
@@ -1483,7 +1487,8 @@ func TestBackendAcc_LoginWithCallerIdentity(t *testing.T) {
// potentially pick up credentials from the ~/.config files), but probably
// good enough rather than having to muck around in the low-level details
for _, envvar := range []string{
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SECURITY_TOKEN", "AWS_SESSION_TOKEN"} {
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SECURITY_TOKEN", "AWS_SESSION_TOKEN",
} {
// Skip test if any of the required env vars are missing
testEnvVar := os.Getenv("TEST_" + envvar)
if testEnvVar == "" {

1
builtin/credential/aws/cli.go
View File

@@ -128,7 +128,6 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
loginData["role"] = role
path := fmt.Sprintf("auth/%s/login", mount)
secret, err := c.Logical().Write(path, loginData)
if err != nil {
return nil, err
}

5
builtin/credential/aws/client.go
View File

@@ -83,7 +83,6 @@ func (b *backend) getRawClientConfig(ctx context.Context, s logical.Storage, reg
// stsRole is a non-empty string, it will use AssumeRole to obtain a set of assumed
// credentials. The credentials will expire after 15 minutes but will auto-refresh.
func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region, stsRole, accountID, clientType string) (*aws.Config, error) {
config, err := b.getRawClientConfig(ctx, s, region, clientType)
if err != nil {
return nil, err
@@ -144,7 +143,7 @@ func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region
// acquired for write operation before calling this method.
func (b *backend) flushCachedEC2Clients() {
// deleting items in map during iteration is safe
for region, _ := range b.EC2ClientsMap {
for region := range b.EC2ClientsMap {
delete(b.EC2ClientsMap, region)
}
}
@@ -155,7 +154,7 @@ func (b *backend) flushCachedEC2Clients() {
// lock should be acquired for write operation before calling this method.
func (b *backend) flushCachedIAMClients() {
// deleting items in map during iteration is safe
for region, _ := range b.IAMClientsMap {
for region := range b.IAMClientsMap {
delete(b.IAMClientsMap, region)
}
}

2
builtin/credential/aws/path_config_certificate.go
View File

@@ -442,9 +442,11 @@ corresponding regions should be registered using this endpoint. PKCS#7 is verifi
using a collection of certificates containing the default certificate and all the
certificates that are registered using this endpoint.
`
const pathListCertificatesHelpSyn = `
Lists all the AWS public certificates that are registered with the backend.
`
const pathListCertificatesHelpDesc = `
Certificates will be listed by their respective names that were used during registration.
`

12
builtin/credential/aws/path_config_identity.go
View File

@@ -178,11 +178,13 @@ type identityConfig struct {
EC2AuthMetadataHandler *authmetadata.Handler `json:"ec2_auth_metadata_handler"`
}
const identityAliasIAMUniqueID = "unique_id"
const identityAliasIAMFullArn = "full_arn"
const identityAliasEC2InstanceID = "instance_id"
const identityAliasEC2ImageID = "image_id"
const identityAliasRoleID = "role_id"
const (
identityAliasIAMUniqueID = "unique_id"
identityAliasIAMFullArn = "full_arn"
identityAliasEC2InstanceID = "instance_id"
identityAliasEC2ImageID = "image_id"
identityAliasRoleID = "role_id"
)
const pathConfigIdentityHelpSyn = `
Configure the way the AWS auth method interacts with the identity store

1
builtin/credential/aws/path_config_sts.go
View File

@@ -250,6 +250,7 @@ by assumption of these STS roles.
The environment in which the Vault server resides must have access to assume the
given STS roles.
`
const pathListStsHelpSyn = `
List all the AWS account/STS role relationships registered with Vault.
`

3
builtin/credential/aws/path_config_tidy_identity_accesslist.go
View File

@@ -18,7 +18,7 @@ func (b *backend) pathConfigTidyIdentityAccessList() *framework.Path {
Fields: map[string]*framework.FieldSchema{
"safety_buffer": {
Type: framework.TypeDurationSecond,
Default: 259200, //72h
Default: 259200, // 72h
Description: `The amount of extra time that must have passed beyond the identity's
expiration, before it is removed from the backend storage.`,
},
@@ -152,6 +152,7 @@ type tidyWhitelistIdentityConfig struct {
const pathConfigTidyIdentityAccessListHelpSyn = `
Configures the periodic tidying operation of the access list identity entries.
`
const pathConfigTidyIdentityAccessListHelpDesc = `
By default, the expired entries in the access list will be attempted to be removed
periodically. This operation will look for expired items in the list and purges them.

3
builtin/credential/aws/path_config_tidy_roletag_denylist.go
View File

@@ -17,7 +17,7 @@ func (b *backend) pathConfigTidyRoletagDenyList() *framework.Path {
Fields: map[string]*framework.FieldSchema{
"safety_buffer": {
Type: framework.TypeDurationSecond,
Default: 15552000, //180d
Default: 15552000, // 180d
Description: `The amount of extra time that must have passed beyond the roletag
expiration, before it is removed from the backend storage.
Defaults to 4320h (180 days).`,
@@ -152,6 +152,7 @@ type tidyDenyListRoleTagConfig struct {
const pathConfigTidyRoletagDenyListHelpSyn = `
Configures the periodic tidying operation of the deny listed role tag entries.
`
const pathConfigTidyRoletagDenyListHelpDesc = `
By default, the expired entries in the deny list will be attempted to be removed
periodically. This operation will look for expired items in the list and purges them.

2
builtin/credential/aws/path_login.go
View File

@@ -193,7 +193,6 @@ func (b *backend) validateInstance(ctx context.Context, s logical.Storage, insta
}
if len(status.Reservations) == 0 {
return nil, fmt.Errorf("no reservations found in instance description")
}
if len(status.Reservations[0].Instances) == 0 {
return nil, fmt.Errorf("no instance details found in reservations")
@@ -511,7 +510,6 @@ func (b *backend) verifyInstanceMeetsRoleRequirements(ctx context.Context,
// Extract out the instance profile name from the instance
// profile ARN
iamInstanceProfileEntity, err := parseIamArn(iamInstanceProfileARN)
if err != nil {
return nil, errwrap.Wrapf(fmt.Sprintf("failed to parse IAM instance profile ARN %q: {{err}}", iamInstanceProfileARN), err)
}

5
builtin/credential/aws/path_role.go
View File

@@ -16,9 +16,7 @@ import (
"github.com/mitchellh/copystructure"
)
var (
currentRoleStorageVersion = 3
)
var currentRoleStorageVersion = 3
func (b *backend) pathRole() *framework.Path {
p := &framework.Path{
@@ -333,7 +331,6 @@ func (b *backend) setRole(ctx context.Context, s logical.Storage, roleName strin
// initialize is used to initialize the AWS roles
func (b *backend) initialize(ctx context.Context, req *logical.InitializationRequest) error {
// on standbys and DR secondaries we do not want to run any kind of upgrade logic
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby | consts.ReplicationDRSecondary) {
return nil

3
builtin/credential/aws/path_role_test.go
View File

@@ -528,7 +528,6 @@ func TestBackend_pathRoleMixedTypes(t *testing.T) {
if !resp.IsError() {
t.Fatalf("allowed changing resolve_aws_unique_ids from true to false")
}
}
func TestAwsEc2_RoleCrud(t *testing.T) {
@@ -815,7 +814,6 @@ func TestRoleEntryUpgradeV(t *testing.T) {
}
func TestRoleInitialize(t *testing.T) {
config := logical.TestBackendConfig()
storage := &logical.InmemStorage{}
config.StorageView = storage
@@ -970,7 +968,6 @@ func TestRoleInitialize(t *testing.T) {
}
func TestAwsVersion(t *testing.T) {
before := awsVersion{
Version: 42,
}

45
builtin/credential/cert/backend_test.go
View File

@@ -5,31 +5,30 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"io"
"io/ioutil"
"math/big"
mathrand "math/rand"
"net"
"net/http"
"net/url"
"os"
"path/filepath"
"reflect"
"testing"
"time"
"github.com/go-test/deep"
"github.com/hashicorp/go-sockaddr"
"golang.org/x/net/http2"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"io"
"io/ioutil"
"math/big"
"net"
"os"
"reflect"
"testing"
"time"
cleanhttp "github.com/hashicorp/go-cleanhttp"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
@@ -98,7 +97,7 @@ func generateTestCertAndConnState(t *testing.T, template *x509.Certificate) (str
Type: "CERTIFICATE",
Bytes: caBytes,
}
err = ioutil.WriteFile(filepath.Join(tempDir, "ca_cert.pem"), pem.EncodeToMemory(caCertPEMBlock), 0755)
err = ioutil.WriteFile(filepath.Join(tempDir, "ca_cert.pem"), pem.EncodeToMemory(caCertPEMBlock), 0o755)
if err != nil {
t.Fatal(err)
}
@@ -110,7 +109,7 @@ func generateTestCertAndConnState(t *testing.T, template *x509.Certificate) (str
Type: "EC PRIVATE KEY",
Bytes: marshaledCAKey,
}
err = ioutil.WriteFile(filepath.Join(tempDir, "ca_key.pem"), pem.EncodeToMemory(caKeyPEMBlock), 0755)
err = ioutil.WriteFile(filepath.Join(tempDir, "ca_key.pem"), pem.EncodeToMemory(caKeyPEMBlock), 0o755)
if err != nil {
t.Fatal(err)
}
@@ -127,7 +126,7 @@ func generateTestCertAndConnState(t *testing.T, template *x509.Certificate) (str
Type: "CERTIFICATE",
Bytes: certBytes,
}
err = ioutil.WriteFile(filepath.Join(tempDir, "cert.pem"), pem.EncodeToMemory(certPEMBlock), 0755)
err = ioutil.WriteFile(filepath.Join(tempDir, "cert.pem"), pem.EncodeToMemory(certPEMBlock), 0o755)
if err != nil {
t.Fatal(err)
}
@@ -139,7 +138,7 @@ func generateTestCertAndConnState(t *testing.T, template *x509.Certificate) (str
Type: "EC PRIVATE KEY",
Bytes: marshaledKey,
}
err = ioutil.WriteFile(filepath.Join(tempDir, "key.pem"), pem.EncodeToMemory(keyPEMBlock), 0755)
err = ioutil.WriteFile(filepath.Join(tempDir, "key.pem"), pem.EncodeToMemory(keyPEMBlock), 0o755)
if err != nil {
t.Fatal(err)
}
@@ -1580,7 +1579,7 @@ func testAccStepLoginWithNameInvalid(t *testing.T, connState tls.ConnectionState
func testAccStepListCerts(
t *testing.T, certs []string) []logicaltest.TestStep {
return []logicaltest.TestStep{
logicaltest.TestStep{
{
Operation: logical.ListOperation,
Path: "certs",
Check: func(resp *logical.Response) error {
@@ -1599,7 +1598,7 @@ func testAccStepListCerts(
}
return nil
},
}, logicaltest.TestStep{
}, {
Operation: logical.ListOperation,
Path: "certs/",
Check: func(resp *logical.Response) error {
@@ -1973,7 +1972,7 @@ func TestBackend_CertUpgrade(t *testing.T) {
Period: time.Second,
TTL: time.Second,
MaxTTL: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
BoundCIDRs: []*sockaddr.SockAddrMarshaler{{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
}
entry, err := logical.StorageEntryJSON("cert/foo", foo)
@@ -1995,13 +1994,13 @@ func TestBackend_CertUpgrade(t *testing.T) {
Period: time.Second,
TTL: time.Second,
MaxTTL: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
BoundCIDRs: []*sockaddr.SockAddrMarshaler{{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
TokenParams: tokenutil.TokenParams{
TokenPolicies: []string{"foo"},
TokenPeriod: time.Second,
TokenTTL: time.Second,
TokenMaxTTL: time.Second,
TokenBoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
TokenBoundCIDRs: []*sockaddr.SockAddrMarshaler{{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
},
}
if diff := deep.Equal(certEntry, exp); diff != nil {

32
builtin/credential/cert/path_certs.go
View File

@@ -34,12 +34,12 @@ func pathCerts(b *backend) *framework.Path {
p := &framework.Path{
Pattern: "certs/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "The name of the certificate",
},
"certificate": &framework.FieldSchema{
"certificate": {
Type: framework.TypeString,
Description: `The public certificate that should be trusted.
Must be x509 PEM encoded.`,
@@ -48,7 +48,7 @@ Must be x509 PEM encoded.`,
},
},
"allowed_names": &framework.FieldSchema{
"allowed_names": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of names.
At least one must exist in either the Common Name or SANs. Supports globbing.
@@ -59,7 +59,7 @@ allowed_email_sans, allowed_uri_sans.`,
},
},
"allowed_common_names": &framework.FieldSchema{
"allowed_common_names": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of names.
At least one must exist in the Common Name. Supports globbing.`,
@@ -68,7 +68,7 @@ At least one must exist in the Common Name. Supports globbing.`,
},
},
"allowed_dns_sans": &framework.FieldSchema{
"allowed_dns_sans": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of DNS names.
At least one must exist in the SANs. Supports globbing.`,
@@ -78,7 +78,7 @@ At least one must exist in the SANs. Supports globbing.`,
},
},
"allowed_email_sans": &framework.FieldSchema{
"allowed_email_sans": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of Email Addresses.
At least one must exist in the SANs. Supports globbing.`,
@@ -88,7 +88,7 @@ At least one must exist in the SANs. Supports globbing.`,
},
},
"allowed_uri_sans": &framework.FieldSchema{
"allowed_uri_sans": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of URIs.
At least one must exist in the SANs. Supports globbing.`,
@@ -98,7 +98,7 @@ At least one must exist in the SANs. Supports globbing.`,
},
},
"allowed_organizational_units": &framework.FieldSchema{
"allowed_organizational_units": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of Organizational Units names.
At least one must exist in the OU field.`,
@@ -107,50 +107,50 @@ At least one must exist in the OU field.`,
},
},
"required_extensions": &framework.FieldSchema{
"required_extensions": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated string or array of extensions
formatted as "oid:value". Expects the extension value to be some type of ASN1 encoded string.
All values much match. Supports globbing on "value".`,
},
"display_name": &framework.FieldSchema{
"display_name": {
Type: framework.TypeString,
Description: `The display name to use for clients using this
certificate.`,
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_policies"),
Deprecated: true,
},
"lease": &framework.FieldSchema{
"lease": {
Type: framework.TypeInt,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
},
"ttl": &framework.FieldSchema{
"ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
},
"max_ttl": &framework.FieldSchema{
"max_ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_max_ttl"),
Deprecated: true,
},
"period": &framework.FieldSchema{
"period": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_period"),
Deprecated: true,
},
"bound_cidrs": &framework.FieldSchema{
"bound_cidrs": {
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_bound_cidrs"),
Deprecated: true,

2
builtin/credential/cert/path_config.go
View File

@@ -12,7 +12,7 @@ func pathConfig(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config",
Fields: map[string]*framework.FieldSchema{
"disable_binding": &framework.FieldSchema{
"disable_binding": {
Type: framework.TypeBool,
Default: false,
Description: `If set, during renewal, skips the matching of presented client identity with the client identity used during login. Defaults to false.`,

7
builtin/credential/cert/path_crls.go
View File

@@ -18,12 +18,12 @@ func pathCRLs(b *backend) *framework.Path {
return &framework.Path{
Pattern: "crls/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "The name of the certificate",
},
"crl": &framework.FieldSchema{
"crl": {
Type: framework.TypeString,
Description: `The public certificate that should be trusted.
May be DER or PEM encoded. Note: the expiration time
@@ -230,8 +230,7 @@ type CRLInfo struct {
Serials map[string]RevokedSerialInfo `json:"serials" structs:"serials" mapstructure:"serials"`
}
type RevokedSerialInfo struct {
}
type RevokedSerialInfo struct{}
const pathCRLsHelpSyn = `
Manage Certificate Revocation Lists checked during authentication.

2
builtin/credential/cert/path_login.go
View File

@@ -31,7 +31,7 @@ func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: "login",
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "The name of the certificate role to authenticate against.",
},

8
builtin/credential/github/path_config.go
View File

@@ -17,12 +17,12 @@ func pathConfig(b *backend) *framework.Path {
p := &framework.Path{
Pattern: "config",
Fields: map[string]*framework.FieldSchema{
"organization": &framework.FieldSchema{
"organization": {
Type: framework.TypeString,
Description: "The organization users must be part of",
},
"base_url": &framework.FieldSchema{
"base_url": {
Type: framework.TypeString,
Description: `The API endpoint to use. Useful if you
are running GitHub Enterprise or an
@@ -32,12 +32,12 @@ API-compatible authentication server.`,
Group: "GitHub Options",
},
},
"ttl": &framework.FieldSchema{
"ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
},
"max_ttl": &framework.FieldSchema{
"max_ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_max_ttl"),
Deprecated: true,

4
builtin/credential/github/path_login.go
View File

@@ -18,7 +18,7 @@ func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: "login",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
"token": {
Type: framework.TypeString,
Description: "GitHub personal API token",
},
@@ -248,13 +248,11 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, t
}
groupPoliciesList, err := b.TeamMap.Policies(ctx, req.Storage, teamNames...)
if err != nil {
return nil, nil, err
}
userPoliciesList, err := b.UserMap.Policies(ctx, req.Storage, []string{*user.Login}...)
if err != nil {
return nil, nil, err
}

1
builtin/credential/ldap/backend.go
View File

@@ -61,7 +61,6 @@ type backend struct {
}
func (b *backend) Login(ctx context.Context, req *logical.Request, username string, password string) ([]string, *logical.Response, []string, error) {
cfg, err := b.Config(ctx, req)
if err != nil {
return nil, nil, nil, err

5
builtin/credential/ldap/backend_test.go
View File

@@ -617,12 +617,12 @@ func TestBackend_configDefaultsAfterUpdate(t *testing.T) {
logicaltest.Test(t, logicaltest.TestCase{
CredentialBackend: b,
Steps: []logicaltest.TestStep{
logicaltest.TestStep{
{
Operation: logical.UpdateOperation,
Path: "config",
Data: map[string]interface{}{},
},
logicaltest.TestStep{
{
Operation: logical.ReadOperation,
Path: "config",
Check: func(resp *logical.Response) error {
@@ -1032,5 +1032,4 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
if diff := deep.Equal(exp, configEntry); diff != nil {
t.Fatal(diff)
}
}

4
builtin/credential/ldap/path_login.go
View File

@@ -14,12 +14,12 @@ func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: `login/(?P<username>.+)`,
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "DN (distinguished name) to be used for login.",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password for this user.",
},

1
builtin/credential/okta/backend_test.go
View File

@@ -171,7 +171,6 @@ func testLoginWrite(t *testing.T, username, password, reason string, expectedTTL
}
} else if reason != "" {
return fmt.Errorf("expected error containing %q, got no error", reason)
}
if resp.Auth != nil {

18
builtin/credential/okta/path_config.go
View File

@@ -25,53 +25,53 @@ func pathConfig(b *backend) *framework.Path {
p := &framework.Path{
Pattern: `config`,
Fields: map[string]*framework.FieldSchema{
"organization": &framework.FieldSchema{
"organization": {
Type: framework.TypeString,
Description: "Use org_name instead.",
Deprecated: true,
},
"org_name": &framework.FieldSchema{
"org_name": {
Type: framework.TypeString,
Description: "Name of the organization to be used in the Okta API.",
DisplayAttrs: &framework.DisplayAttributes{
Name: "Organization Name",
},
},
"token": &framework.FieldSchema{
"token": {
Type: framework.TypeString,
Description: "Use api_token instead.",
Deprecated: true,
},
"api_token": &framework.FieldSchema{
"api_token": {
Type: framework.TypeString,
Description: "Okta API key.",
DisplayAttrs: &framework.DisplayAttributes{
Name: "API Token",
},
},
"base_url": &framework.FieldSchema{
"base_url": {
Type: framework.TypeString,
Description: `The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.`,
DisplayAttrs: &framework.DisplayAttributes{
Name: "Base URL",
},
},
"production": &framework.FieldSchema{
"production": {
Type: framework.TypeBool,
Description: `Use base_url instead.`,
Deprecated: true,
},
"ttl": &framework.FieldSchema{
"ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
},
"max_ttl": &framework.FieldSchema{
"max_ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_max_ttl"),
Deprecated: true,
},
"bypass_okta_mfa": &framework.FieldSchema{
"bypass_okta_mfa": {
Type: framework.TypeBool,
Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`,
DisplayAttrs: &framework.DisplayAttributes{

1
builtin/credential/okta/path_groups.go
View File

@@ -68,7 +68,6 @@ func (b *backend) Group(ctx context.Context, s logical.Storage, n string) (*Grou
entries, err := groupList(ctx, s)
if err != nil {
return nil, "", err
}
for _, groupName := range entries {

2
builtin/credential/okta/path_login.go
View File

@@ -152,11 +152,9 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
}
return resp, nil
}
func (b *backend) getConfig(ctx context.Context, req *logical.Request) (*ConfigEntry, error) {
cfg, err := b.Config(ctx, req.Storage)
if err != nil {
return nil, err

6
builtin/credential/okta/path_users.go
View File

@@ -28,17 +28,17 @@ func pathUsers(b *backend) *framework.Path {
return &framework.Path{
Pattern: `users/(?P<name>.+)`,
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the user.",
},
"groups": &framework.FieldSchema{
"groups": {
Type: framework.TypeCommaStringSlice,
Description: "List of groups associated with the user.",
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: "List of policies associated with the user.",
},

2
builtin/credential/radius/backend_test.go
View File

@@ -296,7 +296,7 @@ func testAccUserLoginPolicy(t *testing.T, user string, data map[string]interface
Data: data,
ErrorOk: expectError,
Unauthenticated: true,
//Check: logicaltest.TestCheckAuth(policies),
// Check: logicaltest.TestCheckAuth(policies),
Check: func(resp *logical.Response) error {
res := logicaltest.TestCheckAuth(policies)(resp)
if res != nil && expectError {

16
builtin/credential/radius/path_config.go
View File

@@ -13,14 +13,14 @@ func pathConfig(b *backend) *framework.Path {
p := &framework.Path{
Pattern: "config",
Fields: map[string]*framework.FieldSchema{
"host": &framework.FieldSchema{
"host": {
Type: framework.TypeString,
Description: "RADIUS server host",
DisplayAttrs: &framework.DisplayAttributes{
Name: "Host",
},
},
"port": &framework.FieldSchema{
"port": {
Type: framework.TypeInt,
Default: 1812,
Description: "RADIUS server port (default: 1812)",
@@ -28,11 +28,11 @@ func pathConfig(b *backend) *framework.Path {
Value: 1812,
},
},
"secret": &framework.FieldSchema{
"secret": {
Type: framework.TypeString,
Description: "Secret shared with the RADIUS server",
},
"unregistered_user_policies": &framework.FieldSchema{
"unregistered_user_policies": {
Type: framework.TypeString,
Default: "",
Description: "Comma-separated list of policies to grant upon successful RADIUS authentication of an unregisted user (default: empty)",
@@ -40,7 +40,7 @@ func pathConfig(b *backend) *framework.Path {
Name: "Policies for unregistered users",
},
},
"dial_timeout": &framework.FieldSchema{
"dial_timeout": {
Type: framework.TypeDurationSecond,
Default: 10,
Description: "Number of seconds before connect times out (default: 10)",
@@ -48,7 +48,7 @@ func pathConfig(b *backend) *framework.Path {
Value: 10,
},
},
"read_timeout": &framework.FieldSchema{
"read_timeout": {
Type: framework.TypeDurationSecond,
Default: 10,
Description: "Number of seconds before response times out (default: 10)",
@@ -56,7 +56,7 @@ func pathConfig(b *backend) *framework.Path {
Value: 10,
},
},
"nas_port": &framework.FieldSchema{
"nas_port": {
Type: framework.TypeInt,
Default: 10,
Description: "RADIUS NAS port field (default: 10)",
@@ -65,7 +65,7 @@ func pathConfig(b *backend) *framework.Path {
Value: 10,
},
},
"nas_identifier": &framework.FieldSchema{
"nas_identifier": {
Type: framework.TypeString,
Default: "",
Description: "RADIUS NAS Identifier field (optional)",

6
builtin/credential/radius/path_login.go
View File

@@ -21,17 +21,17 @@ func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: "login" + framework.OptionalParamRegex("urlusername"),
Fields: map[string]*framework.FieldSchema{
"urlusername": &framework.FieldSchema{
"urlusername": {
Type: framework.TypeString,
Description: "Username to be used for login. (URL parameter)",
},
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username to be used for login. (POST request body)",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password for this user.",
},

7
builtin/credential/radius/path_users.go
View File

@@ -31,12 +31,12 @@ func pathUsers(b *backend) *framework.Path {
return &framework.Path{
Pattern: `users/(?P<name>.+)`,
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the RADIUS user.",
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: "Comma-separated list of policies associated to the user.",
},
@@ -116,8 +116,7 @@ func (b *backend) pathUserRead(ctx context.Context, req *logical.Request, d *fra
}
func (b *backend) pathUserWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
var policies = policyutil.ParsePolicies(d.Get("policies"))
policies := policyutil.ParsePolicies(d.Get("policies"))
for _, policy := range policies {
if policy == "root" {
return logical.ErrorResponse("root policy cannot be granted by an auth method"), nil

1
builtin/credential/token/cli.go
View File

@@ -134,7 +134,6 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
Renewable: renewable,
},
}, nil
}
func (h *CLIHandler) Help() string {

17
builtin/credential/userpass/backend_test.go
View File

@@ -2,13 +2,12 @@ package userpass
import (
"context"
"crypto/tls"
"fmt"
"reflect"
"testing"
"time"
"crypto/tls"
"github.com/go-test/deep"
sockaddr "github.com/hashicorp/go-sockaddr"
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
@@ -78,7 +77,7 @@ func TestBackend_CRUD(t *testing.T) {
if diff := deep.Equal(resp.Data["token_policies"], []string{"foo"}); diff != nil {
t.Fatal(diff)
}
if diff := deep.Equal(resp.Data["token_bound_cidrs"], []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{localhostSockAddr}}); diff != nil {
if diff := deep.Equal(resp.Data["token_bound_cidrs"], []*sockaddr.SockAddrMarshaler{{localhostSockAddr}}); diff != nil {
t.Fatal(diff)
}
@@ -124,10 +123,10 @@ func TestBackend_CRUD(t *testing.T) {
if diff := deep.Equal(resp.Data["token_policies"], []string{"bar"}); diff != nil {
t.Fatal(diff)
}
if diff := deep.Equal(resp.Data["bound_cidrs"], []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{localhostSockAddr}}); diff != nil {
if diff := deep.Equal(resp.Data["bound_cidrs"], []*sockaddr.SockAddrMarshaler{{localhostSockAddr}}); diff != nil {
t.Fatal(diff)
}
if diff := deep.Equal(resp.Data["token_bound_cidrs"], []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{localhostSockAddr}}); diff != nil {
if diff := deep.Equal(resp.Data["token_bound_cidrs"], []*sockaddr.SockAddrMarshaler{{localhostSockAddr}}); diff != nil {
t.Fatal(diff)
}
}
@@ -221,7 +220,6 @@ func TestBackend_passwordUpdate(t *testing.T) {
testAccStepLogin(t, "web", "newpassword", []string{"default", "foo"}),
},
})
}
func TestBackend_policiesUpdate(t *testing.T) {
@@ -247,7 +245,6 @@ func TestBackend_policiesUpdate(t *testing.T) {
testAccStepLogin(t, "web", "password", []string{"bar", "default", "foo"}),
},
})
}
func testUpdatePassword(t *testing.T, user, password string) logicaltest.TestStep {
@@ -382,7 +379,7 @@ func TestBackend_UserUpgrade(t *testing.T) {
Policies: []string{"foo"},
TTL: time.Second,
MaxTTL: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
BoundCIDRs: []*sockaddr.SockAddrMarshaler{{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
}
entry, err := logical.StorageEntryJSON("user/foo", foo)
@@ -403,12 +400,12 @@ func TestBackend_UserUpgrade(t *testing.T) {
Policies: []string{"foo"},
TTL: time.Second,
MaxTTL: time.Second,
BoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
BoundCIDRs: []*sockaddr.SockAddrMarshaler{{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
TokenParams: tokenutil.TokenParams{
TokenPolicies: []string{"foo"},
TokenTTL: time.Second,
TokenMaxTTL: time.Second,
TokenBoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
TokenBoundCIDRs: []*sockaddr.SockAddrMarshaler{{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}},
},
}
if diff := deep.Equal(userEntry, exp); diff != nil {

4
builtin/credential/userpass/path_login.go
View File

@@ -17,12 +17,12 @@ func pathLogin(b *backend) *framework.Path {
return &framework.Path{
Pattern: "login/" + framework.GenericNameRegex("username"),
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username of the user.",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password for this user.",
},

4
builtin/credential/userpass/path_user_password.go
View File

@@ -14,12 +14,12 @@ func pathUserPassword(b *backend) *framework.Path {
return &framework.Path{
Pattern: "users/" + framework.GenericNameRegex("username") + "/password$",
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username for this user.",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password for this user.",
},

6
builtin/credential/userpass/path_user_policies.go
View File

@@ -14,16 +14,16 @@ func pathUserPolicies(b *backend) *framework.Path {
return &framework.Path{
Pattern: "users/" + framework.GenericNameRegex("username") + "/policies$",
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username for this user.",
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_policies"),
Deprecated: true,
},
"token_policies": &framework.FieldSchema{
"token_policies": {
Type: framework.TypeCommaStringSlice,
Description: "Comma-separated list of policies",
},

12
builtin/credential/userpass/path_users.go
View File

@@ -33,12 +33,12 @@ func pathUsers(b *backend) *framework.Path {
p := &framework.Path{
Pattern: "users/" + framework.GenericNameRegex("username"),
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username for this user.",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password for this user.",
DisplayAttrs: &framework.DisplayAttributes{
@@ -46,25 +46,25 @@ func pathUsers(b *backend) *framework.Path {
},
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_policies"),
Deprecated: true,
},
"ttl": &framework.FieldSchema{
"ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
},
"max_ttl": &framework.FieldSchema{
"max_ttl": {
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_max_ttl"),
Deprecated: true,
},
"bound_cidrs": &framework.FieldSchema{
"bound_cidrs": {
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_bound_cidrs"),
Deprecated: true,

11
builtin/logical/aws/backend_test.go
View File

@@ -216,7 +216,6 @@ func getAccountID() (string, error) {
params := &sts.GetCallerIdentityInput{}
res, err := svc.GetCallerIdentity(params)
if err != nil {
return "", err
}
@@ -912,10 +911,12 @@ const testS3Policy = `{
]
}`
const adminAccessPolicyArn = "arn:aws:iam::aws:policy/AdministratorAccess"
const ec2PolicyArn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
const iamPolicyArn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
const dynamoPolicyArn = "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
const (
adminAccessPolicyArn = "arn:aws:iam::aws:policy/AdministratorAccess"
ec2PolicyArn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
iamPolicyArn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
dynamoPolicyArn = "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
)
func testAccStepWriteRole(t *testing.T, name string, data map[string]interface{}) logicaltest.TestStep {
return logicaltest.TestStep{

2
builtin/logical/aws/iam_policies.go
View File

@@ -113,7 +113,7 @@ func combinePolicyDocuments(policies ...string) (string, error) {
var policy string
var err error
var policyBytes []byte
var newPolicy = PolicyDocument{
newPolicy := PolicyDocument{
// 2012-10-17 is the current version of the AWS policy language:
// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html
Version: "2012-10-17",

5
builtin/logical/aws/path_config_lease.go
View File

@@ -13,12 +13,12 @@ func pathConfigLease(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/lease",
Fields: map[string]*framework.FieldSchema{
"lease": &framework.FieldSchema{
"lease": {
Type: framework.TypeString,
Description: "Default lease for roles.",
},
"lease_max": &framework.FieldSchema{
"lease_max": {
Type: framework.TypeString,
Description: "Maximum time a credential is valid for.",
},
@@ -91,7 +91,6 @@ func (b *backend) pathLeaseWrite(ctx context.Context, req *logical.Request, d *f
func (b *backend) pathLeaseRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
lease, err := b.Lease(ctx, req.Storage)
if err != nil {
return nil, err
}

12
builtin/logical/aws/path_config_root.go
View File

@@ -12,29 +12,29 @@ func pathConfigRoot(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/root",
Fields: map[string]*framework.FieldSchema{
"access_key": &framework.FieldSchema{
"access_key": {
Type: framework.TypeString,
Description: "Access key with permission to create new keys.",
},
"secret_key": &framework.FieldSchema{
"secret_key": {
Type: framework.TypeString,
Description: "Secret key with permission to create new keys.",
},
"region": &framework.FieldSchema{
"region": {
Type: framework.TypeString,
Description: "Region for API calls.",
},
"iam_endpoint": &framework.FieldSchema{
"iam_endpoint": {
Type: framework.TypeString,
Description: "Endpoint to custom IAM server URL",
},
"sts_endpoint": &framework.FieldSchema{
"sts_endpoint": {
Type: framework.TypeString,
Description: "Endpoint to custom STS server URL",
},
"max_retries": &framework.FieldSchema{
"max_retries": {
Type: framework.TypeInt,
Default: aws.UseServiceDefaultRetries,
Description: "Maximum number of retries for recoverable exceptions of AWS APIs",

30
builtin/logical/aws/path_roles.go
View File

@@ -18,9 +18,7 @@ import (
"github.com/hashicorp/vault/sdk/logical"
)
var (
userPathRegex = regexp.MustCompile(`^\/([\x21-\x7F]{0,510}\/)?$`)
)
var userPathRegex = regexp.MustCompile(`^\/([\x21-\x7F]{0,510}\/)?$`)
func pathListRoles(b *backend) *framework.Path {
return &framework.Path{
@@ -39,7 +37,7 @@ func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/" + framework.GenericNameWithAtRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the policy",
DisplayAttrs: &framework.DisplayAttributes{
@@ -47,12 +45,12 @@ func pathRoles(b *backend) *framework.Path {
},
},
"credential_type": &framework.FieldSchema{
"credential_type": {
Type: framework.TypeString,
Description: fmt.Sprintf("Type of credential to retrieve. Must be one of %s, %s, or %s", assumedRoleCred, iamUserCred, federationTokenCred),
},
"role_arns": &framework.FieldSchema{
"role_arns": {
Type: framework.TypeCommaStringSlice,
Description: "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is " + assumedRoleCred,
DisplayAttrs: &framework.DisplayAttributes{
@@ -60,7 +58,7 @@ func pathRoles(b *backend) *framework.Path {
},
},
"policy_arns": &framework.FieldSchema{
"policy_arns": {
Type: framework.TypeCommaStringSlice,
Description: fmt.Sprintf(`ARNs of AWS policies. Behavior varies by credential_type. When credential_type is
%s, then it will attach the specified policies to the generated IAM user.
@@ -71,7 +69,7 @@ PolicyArns parameter, acting as a filter on permissions available.`, iamUserCred
},
},
"policy_document": &framework.FieldSchema{
"policy_document": {
Type: framework.TypeString,
Description: `JSON-encoded IAM policy document. Behavior varies by credential_type. When credential_type is
iam_user, then it will attach the contents of the policy_document to the IAM
@@ -80,7 +78,7 @@ will be passed in as the Policy parameter to the AssumeRole or
GetFederationToken API call, acting as a filter on permissions available.`,
},
"iam_groups": &framework.FieldSchema{
"iam_groups": {
Type: framework.TypeCommaStringSlice,
Description: `Names of IAM groups that generated IAM users will be added to. For a credential
type of assumed_role or federation_token, the policies sent to the
@@ -93,7 +91,7 @@ and policy_arns parameters.`,
},
},
"iam_tags": &framework.FieldSchema{
"iam_tags": {
Type: framework.TypeKVPairs,
Description: `IAM tags to be set for any users created by this role. These must be presented
as Key-Value pairs. This can be represented as a map or a list of equal sign
@@ -104,7 +102,7 @@ delimited key pairs.`,
},
},
"default_sts_ttl": &framework.FieldSchema{
"default_sts_ttl": {
Type: framework.TypeDurationSecond,
Description: fmt.Sprintf("Default TTL for %s and %s credential types when no TTL is explicitly requested with the credentials", assumedRoleCred, federationTokenCred),
DisplayAttrs: &framework.DisplayAttributes{
@@ -112,7 +110,7 @@ delimited key pairs.`,
},
},
"max_sts_ttl": &framework.FieldSchema{
"max_sts_ttl": {
Type: framework.TypeDurationSecond,
Description: fmt.Sprintf("Max allowed TTL for %s and %s credential types", assumedRoleCred, federationTokenCred),
DisplayAttrs: &framework.DisplayAttributes{
@@ -120,7 +118,7 @@ delimited key pairs.`,
},
},
"permissions_boundary_arn": &framework.FieldSchema{
"permissions_boundary_arn": {
Type: framework.TypeString,
Description: "ARN of an IAM policy to attach as a permissions boundary on IAM user credentials; only valid when credential_type is" + iamUserCred,
DisplayAttrs: &framework.DisplayAttributes{
@@ -128,19 +126,19 @@ delimited key pairs.`,
},
},
"arn": &framework.FieldSchema{
"arn": {
Type: framework.TypeString,
Description: `Use role_arns or policy_arns instead.`,
Deprecated: true,
},
"policy": &framework.FieldSchema{
"policy": {
Type: framework.TypeString,
Description: "Use policy_document instead.",
Deprecated: true,
},
"user_path": &framework.FieldSchema{
"user_path": {
Type: framework.TypeString,
Description: "Path for IAM User. Only valid when credential_type is " + iamUserCred,
DisplayAttrs: &framework.DisplayAttributes{

8
builtin/logical/aws/path_roles_test.go
View File

@@ -159,7 +159,6 @@ func TestUpgradeLegacyPolicyEntry(t *testing.T) {
}
func TestUserPathValidity(t *testing.T) {
testCases := []struct {
description string
userPath string
@@ -339,7 +338,7 @@ func TestRoleEntryValidationCredTypes(t *testing.T) {
}
func TestRoleEntryValidationIamUserCred(t *testing.T) {
var allowAllPolicyDocument = `{"Version": "2012-10-17", "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}`
allowAllPolicyDocument := `{"Version": "2012-10-17", "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}`
roleEntry := awsRoleEntry{
CredentialTypes: []string{iamUserCred},
PolicyArns: []string{adminAccessPolicyARN},
@@ -384,7 +383,7 @@ func TestRoleEntryValidationIamUserCred(t *testing.T) {
}
func TestRoleEntryValidationAssumedRoleCred(t *testing.T) {
var allowAllPolicyDocument = `{"Version": "2012-10-17", "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}`
allowAllPolicyDocument := `{"Version": "2012-10-17", "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}`
roleEntry := awsRoleEntry{
CredentialTypes: []string{assumedRoleCred},
RoleArns: []string{"arn:aws:iam::123456789012:role/SomeRole"},
@@ -414,7 +413,7 @@ func TestRoleEntryValidationAssumedRoleCred(t *testing.T) {
}
func TestRoleEntryValidationFederationTokenCred(t *testing.T) {
var allowAllPolicyDocument = `{"Version": "2012-10-17", "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}`
allowAllPolicyDocument := `{"Version": "2012-10-17", "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}`
roleEntry := awsRoleEntry{
CredentialTypes: []string{federationTokenCred},
PolicyDocument: allowAllPolicyDocument,
@@ -446,5 +445,4 @@ func TestRoleEntryValidationFederationTokenCred(t *testing.T) {
if roleEntry.validate() == nil {
t.Errorf("bad: invalid roleEntry with unrecognized PermissionsBoundary %#v passed validation", roleEntry)
}
}

6
builtin/logical/aws/path_user.go
View File

@@ -20,15 +20,15 @@ func pathUser(b *backend) *framework.Path {
return &framework.Path{
Pattern: "(creds|sts)/" + framework.GenericNameWithAtRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role",
},
"role_arn": &framework.FieldSchema{
"role_arn": {
Type: framework.TypeString,
Description: "ARN of role to assume when credential_type is " + assumedRoleCred,
},
"ttl": &framework.FieldSchema{
"ttl": {
Type: framework.TypeDurationSecond,
Description: "Lifetime of the returned credentials in seconds",
Default: 3600,

9
builtin/logical/aws/secret_access_keys.go
View File

@@ -23,16 +23,16 @@ func secretAccessKeys(b *backend) *framework.Secret {
return &framework.Secret{
Type: secretAccessKeyType,
Fields: map[string]*framework.FieldSchema{
"access_key": &framework.FieldSchema{
"access_key": {
Type: framework.TypeString,
Description: "Access Key",
},
"secret_key": &framework.FieldSchema{
"secret_key": {
Type: framework.TypeString,
Description: "Secret Key",
},
"security_token": &framework.FieldSchema{
"security_token": {
Type: framework.TypeString,
Description: "Security Token",
},
@@ -112,7 +112,6 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
}
tokenResp, err := stsClient.GetFederationToken(getTokenInput)
if err != nil {
return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
}
@@ -180,7 +179,6 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
assumeRoleInput.SetPolicyArns(convertPolicyARNs(policyARNs))
}
tokenResp, err := stsClient.AssumeRole(assumeRoleInput)
if err != nil {
return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
}
@@ -376,7 +374,6 @@ func (b *backend) secretAccessKeysRenew(ctx context.Context, req *logical.Reques
}
func (b *backend) secretAccessKeysRevoke(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// STS cleans up after itself so we can skip this if is_sts internal data
// element set to true. If is_sts is not set, assumes old version
// and defaults to the IAM approach.

2
builtin/logical/aws/secret_access_keys_test.go
View File

@@ -5,7 +5,6 @@ import (
)
func TestNormalizeDisplayName_NormRequired(t *testing.T) {
invalidNames := map[string]string{
"^#$test name\nshould be normalized)(*": "___test_name_should_be_normalized___",
"^#$test name1 should be normalized)(*": "___test_name1_should_be_normalized___",
@@ -25,7 +24,6 @@ func TestNormalizeDisplayName_NormRequired(t *testing.T) {
}
func TestNormalizeDisplayName_NormNotRequired(t *testing.T) {
validNames := []string{
"test_name_should_normalize_to_itself@example.com",
"test1_name_should_normalize_to_itself@example.com",

1
builtin/logical/cassandra/backend.go
View File

@@ -105,7 +105,6 @@ func (b *backend) DB(ctx context.Context, s logical.Storage) (*gocql.Session, er
b.session = session
return session, err
}
// ResetDB forces a connection next time DB() is called.

20
builtin/logical/cassandra/path_config_connection.go
View File

@@ -14,47 +14,47 @@ func pathConfigConnection(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/connection",
Fields: map[string]*framework.FieldSchema{
"hosts": &framework.FieldSchema{
"hosts": {
Type: framework.TypeString,
Description: "Comma-separated list of hosts",
},
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "The username to use for connecting to the cluster",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "The password to use for connecting to the cluster",
},
"tls": &framework.FieldSchema{
"tls": {
Type: framework.TypeBool,
Description: `Whether to use TLS. If pem_bundle or pem_json are
set, this is automatically set to true`,
},
"insecure_tls": &framework.FieldSchema{
"insecure_tls": {
Type: framework.TypeBool,
Description: `Whether to use TLS but skip verification; has no
effect if a CA certificate is provided`,
},
// TLS 1.3 is not supported as this engine is deprecated. Please switch to the Cassandra database secrets engine
"tls_min_version": &framework.FieldSchema{
"tls_min_version": {
Type: framework.TypeString,
Default: "tls12",
Description: "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
},
"pem_bundle": &framework.FieldSchema{
"pem_bundle": {
Type: framework.TypeString,
Description: `PEM-format, concatenated unencrypted secret key
and certificate, with optional CA certificate`,
},
"pem_json": &framework.FieldSchema{
"pem_json": {
Type: framework.TypeString,
Description: `JSON containing a PEM-format, unencrypted secret
key and certificate, with optional CA certificate.
@@ -64,12 +64,12 @@ If both this and "pem_bundle" are specified, this will
take precedence.`,
},
"protocol_version": &framework.FieldSchema{
"protocol_version": {
Type: framework.TypeInt,
Description: `The protocol version to use. Defaults to 2.`,
},
"connect_timeout": &framework.FieldSchema{
"connect_timeout": {
Type: framework.TypeDurationSecond,
Default: 5,
Description: `The connection timeout to use. Defaults to 5.`,

2
builtin/logical/cassandra/path_creds_create.go
View File

@@ -17,7 +17,7 @@ func pathCredsCreate(b *backend) *framework.Path {
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role",
},

10
builtin/logical/cassandra/path_roles.go
View File

@@ -20,12 +20,12 @@ func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role",
},
"creation_cql": &framework.FieldSchema{
"creation_cql": {
Type: framework.TypeString,
Default: defaultCreationCQL,
Description: `CQL to create a user and optionally grant
@@ -38,7 +38,7 @@ file. Valid template values are '{{username}}' and
'{{password}}' -- the single quotes are important!`,
},
"rollback_cql": &framework.FieldSchema{
"rollback_cql": {
Type: framework.TypeString,
Default: defaultRollbackCQL,
Description: `CQL to roll back an account operation. This will
@@ -51,13 +51,13 @@ template values are '{{username}}' and
'{{password}}' -- the single quotes are important!`,
},
"lease": &framework.FieldSchema{
"lease": {
Type: framework.TypeString,
Default: "4h",
Description: "The lease length; defaults to 4 hours",
},
"consistency": &framework.FieldSchema{
"consistency": {
Type: framework.TypeString,
Default: "Quorum",
Description: "The consistency level for the operations; defaults to Quorum.",

4
builtin/logical/cassandra/secret_creds.go
View File

@@ -16,12 +16,12 @@ func secretCreds(b *backend) *framework.Secret {
return &framework.Secret{
Type: SecretCredsType,
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password",
},

1
builtin/logical/consul/backend_test.go
View File

@@ -198,7 +198,6 @@ func testBackendRenewRevoke(t *testing.T, version string) {
if err == nil {
t.Fatal("expected error")
}
}
func testBackendRenewRevoke14(t *testing.T, version string) {

12
builtin/logical/consul/path_config.go
View File

@@ -13,12 +13,12 @@ func pathConfigAccess(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/access",
Fields: map[string]*framework.FieldSchema{
"address": &framework.FieldSchema{
"address": {
Type: framework.TypeString,
Description: "Consul server address",
},
"scheme": &framework.FieldSchema{
"scheme": {
Type: framework.TypeString,
Description: "URI scheme for the Consul address",
@@ -28,24 +28,24 @@ func pathConfigAccess(b *backend) *framework.Path {
Default: "http",
},
"token": &framework.FieldSchema{
"token": {
Type: framework.TypeString,
Description: "Token for API calls",
},
"ca_cert": &framework.FieldSchema{
"ca_cert": {
Type: framework.TypeString,
Description: `CA certificate to use when verifying Consul server certificate,
must be x509 PEM encoded.`,
},
"client_cert": &framework.FieldSchema{
"client_cert": {
Type: framework.TypeString,
Description: `Client certificate used for Consul's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_key.`,
},
"client_key": &framework.FieldSchema{
"client_key": {
Type: framework.TypeString,
Description: `Client key used for Consul's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_cert.`,

16
builtin/logical/consul/path_roles.go
View File

@@ -24,30 +24,30 @@ func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role",
},
"policy": &framework.FieldSchema{
"policy": {
Type: framework.TypeString,
Description: `Policy document, base64 encoded. Required
for 'client' tokens. Required for Consul pre-1.4.`,
},
"policies": &framework.FieldSchema{
"policies": {
Type: framework.TypeCommaStringSlice,
Description: `List of policies to attach to the token. Required
for Consul 1.4 or above.`,
},
"local": &framework.FieldSchema{
"local": {
Type: framework.TypeBool,
Description: `Indicates that the token should not be replicated globally
and instead be local to the current datacenter. Available in Consul 1.4 and above.`,
},
"token_type": &framework.FieldSchema{
"token_type": {
Type: framework.TypeString,
Default: "client",
Description: `Which type of token to create: 'client'
@@ -56,17 +56,17 @@ the "policy" parameter is not required.
Defaults to 'client'.`,
},
"ttl": &framework.FieldSchema{
"ttl": {
Type: framework.TypeDurationSecond,
Description: "TTL for the Consul token created from the role.",
},
"max_ttl": &framework.FieldSchema{
"max_ttl": {
Type: framework.TypeDurationSecond,
Description: "Max TTL for the Consul token created from the role.",
},
"lease": &framework.FieldSchema{
"lease": {
Type: framework.TypeDurationSecond,
Description: "Use ttl instead.",
Deprecated: true,

6
builtin/logical/consul/path_token.go
View File

@@ -19,7 +19,7 @@ func pathToken(b *backend) *framework.Path {
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("role"),
Fields: map[string]*framework.FieldSchema{
"role": &framework.FieldSchema{
"role": {
Type: framework.TypeString,
Description: "Name of the role",
},
@@ -90,8 +90,8 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
return s, nil
}
//Create an ACLToken for Consul 1.4 and above
var policyLink = []*api.ACLTokenPolicyLink{}
// Create an ACLToken for Consul 1.4 and above
policyLink := []*api.ACLTokenPolicyLink{}
for _, policyName := range result.Policies {
policyLink = append(policyLink, &api.ACLTokenPolicyLink{
Name: policyName,

2
builtin/logical/consul/secret_token.go
View File

@@ -17,7 +17,7 @@ func secretToken(b *backend) *framework.Secret {
return &framework.Secret{
Type: SecretTokenType,
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
"token": {
Type: framework.TypeString,
Description: "Request token",
},

4
builtin/logical/database/backend_test.go
View File

@@ -93,7 +93,6 @@ func TestBackend_PluginMain_MongoAtlas(t *testing.T) {
}
func TestBackend_RoleUpgrade(t *testing.T) {
storage := &logical.InmemStorage{}
backend := &databaseBackend{}
@@ -143,7 +142,6 @@ func TestBackend_RoleUpgrade(t *testing.T) {
if !reflect.DeepEqual(role, roleExpected) {
t.Fatalf("bad role %#v, %#v", role, roleExpected)
}
}
func TestBackend_config_connection(t *testing.T) {
@@ -1025,6 +1023,7 @@ func TestBackend_roleCrud(t *testing.T) {
t.Fatal("Expected response to be nil")
}
}
func TestBackend_allowedRoles(t *testing.T) {
cluster, sys := getCluster(t)
defer cluster.Cleanup()
@@ -1334,7 +1333,6 @@ func testCredsExist(t *testing.T, resp *logical.Response, connURL string) bool {
}
log.Printf("[TRACE] Generated credentials: %v", d)
conn, err := pq.ParseURL(connURL)
if err != nil {
t.Fatal(err)
}

6
builtin/logical/database/dbplugin/plugin_test.go
View File

@@ -39,6 +39,7 @@ func (m *mockPlugin) CreateUser(_ context.Context, statements dbplugin.Statement
return usernameConf.DisplayName, "test", nil
}
func (m *mockPlugin) RenewUser(_ context.Context, statements dbplugin.Statements, username string, expiration time.Time) error {
err := errors.New("err")
if username == "" || expiration.IsZero() {
@@ -51,6 +52,7 @@ func (m *mockPlugin) RenewUser(_ context.Context, statements dbplugin.Statements
return nil
}
func (m *mockPlugin) RevokeUser(_ context.Context, statements dbplugin.Statements, username string) error {
err := errors.New("err")
if username == "" {
@@ -64,9 +66,11 @@ func (m *mockPlugin) RevokeUser(_ context.Context, statements dbplugin.Statement
delete(m.users, username)
return nil
}
func (m *mockPlugin) RotateRootCredentials(_ context.Context, statements []string) (map[string]interface{}, error) {
return nil, nil
}
func (m *mockPlugin) Init(_ context.Context, conf map[string]interface{}, _ bool) (map[string]interface{}, error) {
err := errors.New("err")
if len(conf) != 1 {
@@ -75,6 +79,7 @@ func (m *mockPlugin) Init(_ context.Context, conf map[string]interface{}, _ bool
return conf, nil
}
func (m *mockPlugin) Initialize(_ context.Context, conf map[string]interface{}, _ bool) error {
err := errors.New("err")
if len(conf) != 1 {
@@ -83,6 +88,7 @@ func (m *mockPlugin) Initialize(_ context.Context, conf map[string]interface{},
return nil
}
func (m *mockPlugin) Close() error {
m.users = nil
return nil

14
builtin/logical/database/path_config_connection.go
View File

@@ -39,7 +39,7 @@ func pathResetConnection(b *databaseBackend) *framework.Path {
return &framework.Path{
Pattern: fmt.Sprintf("reset/%s", framework.GenericNameRegex("name")),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of this database connection",
},
@@ -83,40 +83,40 @@ func pathConfigurePluginConnection(b *databaseBackend) *framework.Path {
return &framework.Path{
Pattern: fmt.Sprintf("config/%s", framework.GenericNameRegex("name")),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of this database connection",
},
"plugin_name": &framework.FieldSchema{
"plugin_name": {
Type: framework.TypeString,
Description: `The name of a builtin or previously registered
plugin known to vault. This endpoint will create an instance of
that plugin type.`,
},
"verify_connection": &framework.FieldSchema{
"verify_connection": {
Type: framework.TypeBool,
Default: true,
Description: `If true, the connection details are verified by
actually connecting to the database. Defaults to true.`,
},
"allowed_roles": &framework.FieldSchema{
"allowed_roles": {
Type: framework.TypeCommaStringSlice,
Description: `Comma separated string or array of the role names
allowed to get creds from this database connection. If empty no
roles are allowed. If "*" all roles are allowed.`,
},
"root_rotation_statements": &framework.FieldSchema{
"root_rotation_statements": {
Type: framework.TypeStringSlice,
Description: `Specifies the database statements to be executed
to rotate the root user's credentials. See the plugin's API
page for more information on support and formatting for this
parameter.`,
},
"password_policy": &framework.FieldSchema{
"password_policy": {
Type: framework.TypeString,
Description: `Password policy to use when generating passwords.`,
},

8
builtin/logical/database/path_creds_create.go
View File

@@ -13,10 +13,10 @@ import (
func pathCredsCreate(b *databaseBackend) []*framework.Path {
return []*framework.Path{
&framework.Path{
{
Pattern: "creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
@@ -29,10 +29,10 @@ func pathCredsCreate(b *databaseBackend) []*framework.Path {
HelpSynopsis: pathCredsCreateReadHelpSyn,
HelpDescription: pathCredsCreateReadHelpDesc,
},
&framework.Path{
{
Pattern: "static-creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the static role.",
},

8
builtin/logical/database/path_roles.go
View File

@@ -16,7 +16,7 @@ import (
func pathListRoles(b *databaseBackend) []*framework.Path {
return []*framework.Path{
&framework.Path{
{
Pattern: "roles/?$",
Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -26,7 +26,7 @@ func pathListRoles(b *databaseBackend) []*framework.Path {
HelpSynopsis: pathRoleHelpSyn,
HelpDescription: pathRoleHelpDesc,
},
&framework.Path{
{
Pattern: "static-roles/?$",
Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -41,7 +41,7 @@ func pathListRoles(b *databaseBackend) []*framework.Path {
func pathRoles(b *databaseBackend) []*framework.Path {
return []*framework.Path{
&framework.Path{
{
Pattern: "roles/" + framework.GenericNameRegex("name"),
Fields: fieldsForType(databaseRolePath),
ExistenceCheck: b.pathRoleExistenceCheck,
@@ -56,7 +56,7 @@ func pathRoles(b *databaseBackend) []*framework.Path {
HelpDescription: pathRoleHelpDesc,
},
&framework.Path{
{
Pattern: "static-roles/" + framework.GenericNameRegex("name"),
Fields: fieldsForType(databaseStaticRolePath),
ExistenceCheck: b.pathStaticRoleExistenceCheck,

9
builtin/logical/database/path_rotate_credentials.go
View File

@@ -13,10 +13,10 @@ import (
func pathRotateRootCredentials(b *databaseBackend) []*framework.Path {
return []*framework.Path{
&framework.Path{
{
Pattern: "rotate-root/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of this database connection",
},
@@ -33,10 +33,10 @@ func pathRotateRootCredentials(b *databaseBackend) []*framework.Path {
HelpSynopsis: pathCredsCreateReadHelpSyn,
HelpDescription: pathCredsCreateReadHelpDesc,
},
&framework.Path{
{
Pattern: "rotate-role/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the static role",
},
@@ -211,6 +211,7 @@ This path attempts to rotate the root credentials for the given database.
const pathRotateRoleCredentialsUpdateHelpSyn = `
Request to rotate the credentials for a static user account.
`
const pathRotateRoleCredentialsUpdateHelpDesc = `
This path attempts to rotate the credentials for the given static user account.
`

4
builtin/logical/database/version_wrapper.go
View File

@@ -237,9 +237,7 @@ type passwordGenerator interface {
GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)
}
var (
defaultPasswordGenerator = random.DefaultStringGenerator
)
var defaultPasswordGenerator = random.DefaultStringGenerator
// GeneratePassword either from the v4 database or by using the provided password policy. If using a v5 database
// and no password policy is specified, this will have a reasonable default password generator.

2
builtin/logical/database/version_wrapper_test.go
View File

@@ -927,9 +927,11 @@ func (f fakeStorage) Put(ctx context.Context, entry *logical.StorageEntry) error
func (f fakeStorage) List(ctx context.Context, s string) ([]string, error) {
panic("list not implemented")
}
func (f fakeStorage) Get(ctx context.Context, s string) (*logical.StorageEntry, error) {
panic("get not implemented")
}
func (f fakeStorage) Delete(ctx context.Context, s string) error {
panic("delete not implemented")
}

11
builtin/logical/mongodb/backend_test.go
View File

@@ -14,9 +14,7 @@ import (
"github.com/mitchellh/mapstructure"
)
var (
testImagePull sync.Once
)
var testImagePull sync.Once
func TestBackend_config_connection(t *testing.T) {
var resp *logical.Response
@@ -123,7 +121,6 @@ func TestBackend_leaseWriteRead(t *testing.T) {
testAccStepReadLease(),
},
})
}
func testAccStepConfig(d map[string]interface{}, expectError bool) logicaltest.TestStep {
@@ -265,5 +262,7 @@ func testAccStepReadLease() logicaltest.TestStep {
}
}
const testDb = "foo"
const testMongoDBRoles = `["readWrite",{"role":"read","db":"bar"}]`
const (
testDb = "foo"
testMongoDBRoles = `["readWrite",{"role":"read","db":"bar"}]`
)

1
builtin/logical/mongodb/path_config_lease.go
View File

@@ -50,7 +50,6 @@ func (b *backend) pathConfigLeaseWrite(ctx context.Context, req *logical.Request
func (b *backend) pathConfigLeaseRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
leaseConfig, err := b.LeaseConfig(ctx, req.Storage)
if err != nil {
return nil, err
}

1
builtin/logical/mssql/backend_test.go
View File

@@ -105,7 +105,6 @@ func TestBackend_leaseWriteRead(t *testing.T) {
testAccStepReadLease(t),
},
})
}
func testAccPreCheckFunc(t *testing.T, connectionURL string) func() {

7
builtin/logical/mssql/path_config_connection.go
View File

@@ -13,15 +13,15 @@ func pathConfigConnection(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/connection",
Fields: map[string]*framework.FieldSchema{
"connection_string": &framework.FieldSchema{
"connection_string": {
Type: framework.TypeString,
Description: "DB connection parameters",
},
"max_open_connections": &framework.FieldSchema{
"max_open_connections": {
Type: framework.TypeInt,
Description: "Maximum number of open connections to database",
},
"verify_connection": &framework.FieldSchema{
"verify_connection": {
Type: framework.TypeBool,
Default: true,
Description: "If set, connection_string is verified by actually connecting to the database",
@@ -74,7 +74,6 @@ func (b *backend) pathConnectionWrite(ctx context.Context, req *logical.Request,
if verifyConnection {
// Verify the string
db, err := sql.Open("mssql", connString)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf(
"Error validating connection info: %s", err)), nil

7
builtin/logical/mssql/path_config_lease.go
View File

@@ -13,18 +13,18 @@ func pathConfigLease(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/lease",
Fields: map[string]*framework.FieldSchema{
"ttl": &framework.FieldSchema{
"ttl": {
Type: framework.TypeString,
Description: "Default ttl for roles.",
},
"ttl_max": &framework.FieldSchema{
"ttl_max": {
Type: framework.TypeString,
Description: `Deprecated: use "max_ttl" instead. Maximum
time a credential is valid for.`,
},
"max_ttl": &framework.FieldSchema{
"max_ttl": {
Type: framework.TypeString,
Description: "Maximum time a credential is valid for.",
},
@@ -75,7 +75,6 @@ func (b *backend) pathConfigLeaseWrite(ctx context.Context, req *logical.Request
func (b *backend) pathConfigLeaseRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
leaseConfig, err := b.LeaseConfig(ctx, req.Storage)
if err != nil {
return nil, err
}

2
builtin/logical/mssql/path_creds_create.go
View File

@@ -16,7 +16,7 @@ func pathCredsCreate(b *backend) *framework.Path {
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role.",
},

4
builtin/logical/mssql/path_roles.go
View File

@@ -27,12 +27,12 @@ func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role.",
},
"sql": &framework.FieldSchema{
"sql": {
Type: framework.TypeString,
Description: "SQL string to create a role. See help for more info.",
},

5
builtin/logical/mssql/secret_creds.go
View File

@@ -17,12 +17,12 @@ func secretCreds(b *backend) *framework.Secret {
return &framework.Secret{
Type: SecretCredsType,
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password",
},
@@ -132,7 +132,6 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
// many permissions as possible right now
var lastStmtError error
for _, query := range revokeStmts {
if err := dbtxn.ExecuteDBQuery(ctx, db, nil, query); err != nil {
lastStmtError = err
continue

5
builtin/logical/mysql/backend_test.go
View File

@@ -160,7 +160,6 @@ func TestBackend_leaseWriteRead(t *testing.T) {
testAccStepReadLease(t),
},
})
}
func testAccStepConfig(t *testing.T, d map[string]interface{}, expectError bool) logicaltest.TestStep {
@@ -193,7 +192,6 @@ func testAccStepConfig(t *testing.T, d map[string]interface{}, expectError bool)
}
func testAccStepRole(t *testing.T, wildCard bool) logicaltest.TestStep {
pathData := make(map[string]interface{})
if wildCard == true {
pathData = map[string]interface{}{
@@ -211,7 +209,6 @@ func testAccStepRole(t *testing.T, wildCard bool) logicaltest.TestStep {
Path: "roles/web",
Data: pathData,
}
}
func testAccStepDeleteRole(t *testing.T, n string) logicaltest.TestStep {
@@ -298,10 +295,12 @@ const testRoleWildCard = `
CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'%';
`
const testRoleHost = `
CREATE USER '{{name}}'@'10.1.1.2' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'10.1.1.2';
`
const testRevocationSQL = `
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{{name}}'@'10.1.1.2';
DROP USER '{{name}}'@'10.1.1.2';

11
builtin/logical/mysql/path_config_connection.go
View File

@@ -14,24 +14,24 @@ func pathConfigConnection(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/connection",
Fields: map[string]*framework.FieldSchema{
"connection_url": &framework.FieldSchema{
"connection_url": {
Type: framework.TypeString,
Description: "DB connection string",
},
"value": &framework.FieldSchema{
"value": {
Type: framework.TypeString,
Description: `DB connection string. Use 'connection_url' instead.
This name is deprecated.`,
},
"max_open_connections": &framework.FieldSchema{
"max_open_connections": {
Type: framework.TypeInt,
Description: "Maximum number of open connections to database",
},
"max_idle_connections": &framework.FieldSchema{
"max_idle_connections": {
Type: framework.TypeInt,
Description: "Maximum number of idle connections to the database; a zero uses the value of max_open_connections and a negative value disables idle connections. If larger than max_open_connections it will be reduced to the same size.",
},
"verify_connection": &framework.FieldSchema{
"verify_connection": {
Type: framework.TypeBool,
Default: true,
Description: "If set, connection_url is verified by actually connecting to the database",
@@ -100,7 +100,6 @@ func (b *backend) pathConnectionWrite(ctx context.Context, req *logical.Request,
if verifyConnection {
// Verify the string
db, err := sql.Open("mysql", connURL)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf(
"error validating connection info: %s", err)), nil

5
builtin/logical/mysql/path_config_lease.go
View File

@@ -13,12 +13,12 @@ func pathConfigLease(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/lease",
Fields: map[string]*framework.FieldSchema{
"lease": &framework.FieldSchema{
"lease": {
Type: framework.TypeString,
Description: "Default lease for roles.",
},
"lease_max": &framework.FieldSchema{
"lease_max": {
Type: framework.TypeString,
Description: "Maximum time a credential is valid for.",
},
@@ -66,7 +66,6 @@ func (b *backend) pathLeaseWrite(ctx context.Context, req *logical.Request, d *f
func (b *backend) pathLeaseRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
lease, err := b.Lease(ctx, req.Storage)
if err != nil {
return nil, err
}

2
builtin/logical/mysql/path_role_create.go
View File

@@ -17,7 +17,7 @@ func pathRoleCreate(b *backend) *framework.Path {
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"name": &framework.FieldSchema{
"name": {
Type: framework.TypeString,
Description: "Name of the role.",
},

4
builtin/logical/mysql/secret_creds.go
View File

@@ -26,12 +26,12 @@ func secretCreds(b *backend) *framework.Secret {
return &framework.Secret{
Type: SecretCredsType,
Fields: map[string]*framework.FieldSchema{
"username": &framework.FieldSchema{
"username": {
Type: framework.TypeString,
Description: "Username",
},
"password": &framework.FieldSchema{
"password": {
Type: framework.TypeString,
Description: "Password",
},

1
builtin/logical/nomad/backend_test.go
View File

@@ -103,7 +103,6 @@ func prepareTestContainer(t *testing.T) (func(), *Config) {
Token: nomadToken,
}, nil
})
if err != nil {
t.Fatalf("Could not start docker Nomad: %s", err)
}

12
builtin/logical/nomad/path_config_access.go
View File

@@ -14,31 +14,31 @@ func pathConfigAccess(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/access",
Fields: map[string]*framework.FieldSchema{
"address": &framework.FieldSchema{
"address": {
Type: framework.TypeString,
Description: "Nomad server address",
},
"token": &framework.FieldSchema{
"token": {
Type: framework.TypeString,
Description: "Token for API calls",
},
"max_token_name_length": &framework.FieldSchema{
"max_token_name_length": {
Type: framework.TypeInt,
Description: "Max length for name of generated Nomad tokens",
},
"ca_cert": &framework.FieldSchema{
"ca_cert": {
Type: framework.TypeString,
Description: `CA certificate to use when verifying Nomad server certificate,
must be x509 PEM encoded.`,
},
"client_cert": &framework.FieldSchema{
"client_cert": {
Type: framework.TypeString,
Description: `Client certificate used for Nomad's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_key.`,
},
"client_key": &framework.FieldSchema{
"client_key": {
Type: framework.TypeString,
Description: `Client key used for Nomad's TLS communication,
must be x509 PEM encoded and if this is set you need to also set client_cert.`,

Some files were not shown because too many files have changed in this diff Show More