From efaffa8f55df8dbe82b7f1f9d9100b0cf08de1f8 Mon Sep 17 00:00:00 2001 From: vishalnayak Date: Wed, 15 Jun 2016 12:35:30 -0400 Subject: [PATCH] Added 'sys/auth//tune' endpoints. Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods' --- api/sys_auth.go | 10 +- command/auth.go | 17 ++- vault/logical_system.go | 80 +++++++++++++- website/source/docs/http/sys-auth.html.md | 85 +++++++++++++- website/source/docs/http/sys-mounts.html.md | 116 ++++++++++---------- 5 files changed, 239 insertions(+), 69 deletions(-) diff --git a/api/sys_auth.go b/api/sys_auth.go index 8e1cdec390..c8c106c2cf 100644 --- a/api/sys_auth.go +++ b/api/sys_auth.go @@ -51,6 +51,12 @@ func (c *Sys) DisableAuth(path string) error { // documentation. Please refer to that documentation for more details. type AuthMount struct { - Type string - Description string + Type string `json:"type" structs:"type" mapstructure:"type"` + Description string `json:"description" structs:"description" mapstructure:"description"` + Config AuthConfigOutput `json:"config" structs:"config" mapstructure:"config"` +} + +type AuthConfigOutput struct { + DefaultLeaseTTL int `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` + MaxLeaseTTL int `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` } diff --git a/command/auth.go b/command/auth.go index 9b1ae4baf9..8f01370d24 100644 --- a/command/auth.go +++ b/command/auth.go @@ -7,6 +7,7 @@ import ( "io" "os" "sort" + "strconv" "strings" "github.com/hashicorp/vault/api" 
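Review bot: AuthConfigOutput is a new exported type with no doc comment, and nothing in api/sys_auth.go says what unit DefaultLeaseTTL and MaxLeaseTTL carry or what zero means; the CLI change in this patch renders 0 as "system" and handleAuthTable fills the values from `.Seconds()`, so the contract exists but only implicitly. Add `// AuthConfigOutput holds the tuned lease TTLs of an auth backend, in seconds; a zero value means the system default applies.` above the struct, and `// Config reports the TTLs currently tuned for this auth backend.` on the new field of AuthMount. The existing comment above AuthMount ("Please refer to that documentation for more details") now also needs to cover the config block, since the HTTP docs added in this patch are where the semantics live.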
@@ -266,11 +267,19 @@ func (c *AuthCommand) listMethods() int { } sort.Strings(paths) - columns := []string{"Path | Type | Description"} - for _, k := range paths { - a := auth[k] + columns := []string{"Path | Type | Default TTL | Max TTL | Description"} + for _, path := range paths { + auth := auth[path] + defTTL := "system" + if auth.Config.DefaultLeaseTTL != 0 { + defTTL = strconv.Itoa(auth.Config.DefaultLeaseTTL) + } + maxTTL := "system" + if auth.Config.MaxLeaseTTL != 0 { + maxTTL = strconv.Itoa(auth.Config.MaxLeaseTTL) + } columns = append(columns, fmt.Sprintf( - "%s | %s | %s", k, a.Type, a.Description)) + "%s | %s | %s | %s | %s", path, auth.Type, defTTL, maxTTL, auth.Description)) } c.Ui.Output(columnize.SimpleFormat(columns)) diff --git a/vault/logical_system.go b/vault/logical_system.go index a0784a0680..85de2ad847 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -146,6 +146,30 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) logical.Backend HelpDescription: strings.TrimSpace(sysHelp["rekey_backup"][0]), }, + &framework.Path{ + Pattern: "auth/(?P.+?)/tune$", + Fields: map[string]*framework.FieldSchema{ + "path": &framework.FieldSchema{ + Type: framework.TypeString, + Description: strings.TrimSpace(sysHelp["auth_tune"][0]), + }, + "default_lease_ttl": &framework.FieldSchema{ + Type: framework.TypeString, + Description: strings.TrimSpace(sysHelp["tune_default_lease_ttl"][0]), + }, + "max_lease_ttl": &framework.FieldSchema{ + Type: framework.TypeString, + Description: strings.TrimSpace(sysHelp["tune_max_lease_ttl"][0]), + }, + }, + Callbacks: map[logical.Operation]framework.OperationFunc{ + logical.ReadOperation: b.handleAuthTuneRead, + logical.UpdateOperation: b.handleAuthTuneWrite, + }, + HelpSynopsis: strings.TrimSpace(sysHelp["auth_tune"][0]), + HelpDescription: strings.TrimSpace(sysHelp["auth_tune"][1]), + }, + &framework.Path{ Pattern: "mounts/(?P.+?)/tune$", 
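Review bot: `auth := auth[path]` inside the loop shadows the `auth` map with one of its elements; it compiles because the right-hand side is evaluated before the new name comes into scope, but it reads like a bug and makes the map unreachable for the rest of the body. Prefer a distinct local such as `m := auth[path]` and use `m.Config`, `m.Type` and `m.Description` below. The two new columns print a bare number (apparently seconds, given the handleAuthTable change in this patch) with no unit; if raw seconds are intended, the header could say `Default TTL (s) | Max TTL (s)` so the output is self-describing. listMethods starts before this hunk.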
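Review bot: the `path` field of the new auth tune framework.Path reuses `sysHelp["auth_tune"][0]` as its Description, which is the endpoint synopsis ("Tune the configuration parameters for an auth path.") rather than a description of the parameter, so the generated field help repeats the synopsis instead of saying what to pass. Give the parameter its own help entry, e.g. a new `sysHelp` key whose first element reads `"The path of the auth backend to tune, relative to auth/."`, and reference that key here. Both TTL fields are `framework.TypeString`, which is consistent with the docs in this patch accepting the literal "system"; a one-line comment such as `// string rather than a duration so that "system" can be passed to clear the override` would save the next reader from "fixing" the type. The hunk's trailing context appears cut at the end of this line.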
@@ -790,6 +814,18 @@ func (b *SystemBackend) handleRemount( return nil, nil } +// handleAuthTuneRead is used to get config settings on a auth path +func (b *SystemBackend) handleAuthTuneRead( + req *logical.Request, data *framework.FieldData) (*logical.Response, error) { + path := data.Get("path").(string) + if path == "" { + return logical.ErrorResponse( + "path must be specified as a string"), + logical.ErrInvalidRequest + } + return b.handleTuneReadCommon("auth/" + path) +} + // handleMountTuneRead is used to get config settings on a backend func (b *SystemBackend) handleMountTuneRead( req *logical.Request, data *framework.FieldData) (*logical.Response, error) { @@ -800,6 +836,14 @@ func (b *SystemBackend) handleMountTuneRead( logical.ErrInvalidRequest } + // This call will read both logical backend's configuration as well as auth backends'. + // Retaining this behavior for backward compatibility. If this behavior is not desired, + // an error can be returned if path has a prefix of "auth/". + return b.handleTuneReadCommon(path) +} + +// handleTuneReadCommon returns the config settings of a path +func (b *SystemBackend) handleTuneReadCommon(path string) (*logical.Response, error) { path = sanitizeMountPath(path) sysView := b.Core.router.MatchingSystemView(path) 
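Review bot: the new comment on handleAuthTuneRead reads "on a auth path"; it should be `// handleAuthTuneRead is used to get config settings on an auth path`. The empty-path error is also written as a two-line `logical.ErrorResponse(` call here while handleAuthTuneWrite later in this patch (and the normalisation of handleMountTuneWrite in hunk @@ -819) use the single-line `return logical.ErrorResponse("path must be specified as a string"),` form; use the same form in both new handlers.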
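Review bot: the comment added to handleMountTuneRead acknowledges that `sys/mounts/auth/<name>/tune` keeps returning an auth backend's configuration, and with this patch the same settings are also reachable at `sys/auth/<name>/tune`, so an ACL policy written against one route says nothing about the other. That is an authorization consideration rather than a code bug, but it should be recorded where policy authors and maintainers will see it: extend the comment with `// NOTE: because of this compatibility behavior, a policy on sys/auth/<path>/tune alone does not restrict access to an auth backend's tune settings; sys/mounts/auth/<path>/tune must be covered as well.`, or take the option the comment itself offers and reject the `auth/` prefix here now that a dedicated route exists. The same point applies to the write side, handleMountTuneWrite in hunk @@ -819, where the consequence is a TTL change rather than a read. handleTuneReadCommon continues past this hunk.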
@@ -819,16 +863,34 @@ func (b *SystemBackend) handleMountTuneRead( return resp, nil } +// handleAuthTuneWrite is used to set config settings on an auth path +func (b *SystemBackend) handleAuthTuneWrite( + req *logical.Request, data *framework.FieldData) (*logical.Response, error) { + path := data.Get("path").(string) + if path == "" { + return logical.ErrorResponse("path must be specified as a string"), + logical.ErrInvalidRequest + } + return b.handleTuneWriteCommon("auth/"+path, data) +} + // handleMountTuneWrite is used to set config settings on a backend func (b *SystemBackend) handleMountTuneWrite( req *logical.Request, data *framework.FieldData) (*logical.Response, error) { path := data.Get("path").(string) if path == "" { - return logical.ErrorResponse( - "path must be specified as a string"), + return logical.ErrorResponse("path must be specified as a string"), logical.ErrInvalidRequest } + // This call will write both logical backend's configuration as well as auth backends'. + // Retaining this behavior for backward compatibility. If this behavior is not desired, + // an error can be returned if path has a prefix of "auth/". + return b.handleTuneWriteCommon(path, data) +} +// handleTuneWriteCommon is used to set config settings on a path +func (b *SystemBackend) handleTuneWriteCommon( + path string, data *framework.FieldData) (*logical.Response, error) { path = sanitizeMountPath(path) // Prevent protected paths from being changed @@ -975,9 +1037,13 @@ func (b *SystemBackend) handleAuthTable( Data: make(map[string]interface{}), } for _, entry := range b.Core.auth.Entries { - info := map[string]string{ + info := map[string]interface{}{ "type": entry.Type, "description": entry.Description, + "config": map[string]interface{}{ + "default_lease_ttl": int(entry.Config.DefaultLeaseTTL.Seconds()), + "max_lease_ttl": int(entry.Config.MaxLeaseTTL.Seconds()), + }, } resp.Data[entry.Path] = info } 
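Review bot: in handleAuthTable the new config values are built as `int(entry.Config.DefaultLeaseTTL.Seconds())`, a float64 round trip truncated to the platform-sized `int`; on a 32-bit build a TTL above roughly 68 years of seconds does not fit and the result of the out-of-range conversion is implementation-defined, and nothing at the call site says what unit the number is in. Prefer `int64(entry.Config.DefaultLeaseTTL.Seconds())` and `int64(entry.Config.MaxLeaseTTL.Seconds())`, and add `// TTLs are reported in whole seconds; 0 means the system default applies` above the "config" entry, since the CLI in this patch renders 0 as "system". handleAuthTable starts before this hunk.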
@@ -1467,8 +1533,16 @@ This path responds to the following HTTP methods. `, }, + "auth_tune": { + "Tune the configuration parameters for an auth path.", + `Read and write the 'default-lease-ttl' and 'max-lease-ttl' values of +the auth path.`, + }, + "mount_tune": { "Tune backend configuration parameters for this mount.", + `Read and write the 'default-lease-ttl' and 'max-lease-ttl' values of +the mount.`, }, "renew": { diff --git a/website/source/docs/http/sys-auth.html.md b/website/source/docs/http/sys-auth.html.md index 777095d441..7ccdcb2748 100644 --- a/website/source/docs/http/sys-auth.html.md +++ b/website/source/docs/http/sys-auth.html.md @@ -45,8 +45,8 @@ description: |-
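Review bot: the new help strings for "auth_tune" and "mount_tune" name the parameters as 'default-lease-ttl' and 'max-lease-ttl', but the field schemas registered for the auth tune path in hunk @@ -146 use `default_lease_ttl` and `max_lease_ttl` (the mounts tune schema is not in view but presumably mirrors them), so the help as written points a caller at keys the endpoint does not accept. Change the second element of each entry to `Read and write the 'default_lease_ttl' and 'max_lease_ttl' values of the auth path.` and `… of the mount.` respectively; the markdown documentation added in this patch already uses the underscore form.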
Description
Enable a new auth backend. The auth backend can be accessed - and configured via the mount point specified in the URL. This - mount point will be exposed under the `auth` prefix. For example, + and configured via the auth path specified in the URL. This + auth path will be exposed under the `auth` prefix. For example, enabling with the `/sys/auth/foo` URL will make the backend available at `/auth/foo`.
@@ -55,7 +55,7 @@ description: |-
POST
URL
-
`/sys/auth/`
+
`/sys/auth/`
Parameters
@@ -83,14 +83,14 @@ description: |-
Description
- Disable the auth backend at the given mount point. + Disable the auth backend at the given auth path.
Method
DELETE
URL
-
`/sys/auth/`
+
`/sys/auth/`
Parameters
None @@ -100,3 +100,78 @@ description: |-
`204` response code.
+ +# /sys/auth//tune + +## GET + +
+
Description
+
+ Read the given auth path's configuration. Returns the current time + in seconds for each TTL, which may be the system default or a + auth path specific value. +
+ +
Method
+
GET
+ +
URL
+
`/sys/auth//tune`
+ +
Parameters
+
+ None +
+ +
Returns
+
+ + ```javascript + { + "default_lease_ttl": 3600, + "max_lease_ttl": 7200 + } + ``` + +
+
+ +## POST + +
+
Description
+
+ Tune configuration parameters for a given auth path. +
+ +
Method
+
POST
+ +
URL
+
`/sys/auth//tune`
+ +
Parameters
+
+
    +
  • + default_lease_ttl + optional + The default time-to-live. If set on a specific auth path, + overrides the global default. A value of "system" or "0" + are equivalent and set to the system default TTL. +
  • +
  • + max_lease_ttl + optional + The maximum time-to-live. If set on a specific auth path, + overrides the global default. A value of "system" or "0" + are equivalent and set to the system max TTL. +
  • +
+
+ +
Returns
+
`204` response code. +
+
diff --git a/website/source/docs/http/sys-mounts.html.md b/website/source/docs/http/sys-mounts.html.md index 36b2480e7a..fe3f570999 100644 --- a/website/source/docs/http/sys-mounts.html.md +++ b/website/source/docs/http/sys-mounts.html.md @@ -57,38 +57,6 @@ description: |-
-
-
Description
-
- List the given mount's configuration. Unlike the `mounts` - endpoint, this will return the current time in seconds for each - TTL, which may be the system default or a mount-specific value. -
- -
Method
-
GET
- -
URL
-
`/sys/mounts//tune`
- -
Parameters
-
- None -
- -
Returns
-
- - ```javascript - { - "default_lease_ttl": 3600, - "max_lease_ttl": 7200 - } - ``` - -
-
- ## POST
@@ -134,6 +102,67 @@ description: |-
+## DELETE + +
+
Description
+
+ Unmount the mount point specified in the URL. +
+ +
Method
+
DELETE
+ +
URL
+
`/sys/mounts/`
+ +
Parameters
+
None +
+ +
Returns
+
`204` response code. +
+
+ +# /sys/mounts//tune + +## GET + +
+
Description
+
+ Read the given mount's configuration. Unlike the `mounts` + endpoint, this will return the current time in seconds for each + TTL, which may be the system default or a mount-specific value. +
+ +
Method
+
GET
+ +
URL
+
`/sys/mounts//tune`
+ +
Parameters
+
+ None +
+ +
Returns
+
+ + ```javascript + { + "default_lease_ttl": 3600, + "max_lease_ttl": 7200 + } + ``` + +
+
+ +## POST +
Description
@@ -170,26 +199,3 @@ description: |-
`204` response code.
- -## DELETE - -
-
Description
-
- Unmount the mount point specified in the URL. -
- -
Method
-
DELETE
- -
URL
-
`/sys/mounts/`
- -
Parameters
-
None -
- -
Returns
-
`204` response code. -
-