// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package gcppca
import (
"context"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
// pathConfig defines the gcppca/config base path on the backend.
// pathConfig defines the gcppca/config base path on the backend.
//
// The path accepts the Google Cloud credentials, OAuth scopes, issuer,
// location and project used by the secrets engine. All operations are routed
// through withFieldValidator; the existence check decides whether a write is
// treated as CREATE or UPDATE.
func (b *backend) pathConfig() *framework.Path {
	fields := map[string]*framework.FieldSchema{
		// Stored on write; pathConfigRead deliberately never echoes it back.
		"credentials": {
			Type: framework.TypeString,
			Description: `
The credentials to use for authenticating to Google Cloud. Leave this blank to
use the Default Application Credentials or instance metadata authentication.
`,
		},
		"scopes": {
			Type:    framework.TypeCommaStringSlice,
			Default: []string{"https://www.googleapis.com/auth/cloud-platform"},
			Description: `
The list of full-URL scopes to request when authenticating. By default, this
requests https://www.googleapis.com/auth/cloud-platform.
`,
		},
		"issuer": {
			Type:        framework.TypeString,
			Description: `Issuer or CA Service or Subordinate should apply to`,
		},
		"location": {
			Type: framework.TypeString,
			// AllowedValues is currently not enforced by the framework, so the
			// region list is left out rather than giving a false sense of
			// validation.
			//AllowedValues: []interface{}{"europe-west1", "us-central1", "us-east1", "us-west1"},
			Description: `Location of the CA Service or`,
		},
		"project": {
			Type:        framework.TypeString,
			Description: `GCP ProjectID for the CA Service`,
		},
	}

	callbacks := map[logical.Operation]framework.OperationFunc{
		logical.CreateOperation: withFieldValidator(b.pathConfigWrite),
		logical.ReadOperation:   withFieldValidator(b.pathConfigRead),
		logical.UpdateOperation: withFieldValidator(b.pathConfigWrite),
		logical.DeleteOperation: withFieldValidator(b.pathConfigDelete),
	}

	return &framework.Path{
		Pattern:         "config",
		HelpSynopsis:    "Configure the GCP CA Service secrets engine",
		HelpDescription: "Configure the GCP CA Service secrets engine credentials",
		Fields:          fields,
		ExistenceCheck:  b.pathConfigExists,
		Callbacks:       callbacks,
	}
}
// pathConfigExists checks if the configuration exists.
// pathConfigExists reports whether a non-empty "config" entry is present in
// storage. It backs the path's ExistenceCheck so the framework can route a
// write to CREATE or UPDATE.
//
// A missing entry or one with an empty value both count as "does not exist";
// a storage error is wrapped and returned.
func (b *backend) pathConfigExists(ctx context.Context, req *logical.Request, _ *framework.FieldData) (bool, error) {
	stored, err := req.Storage.Get(ctx, "config")
	if err != nil {
		return false, errwrap.Wrapf("failed to get configuration from storage: {{err}}", err)
	}
	// A present-but-empty entry is treated exactly like a missing one.
	present := stored != nil && len(stored.Value) > 0
	return present, nil
}
// pathConfigRead corresponds to READ gcppca/config and is used to
// read the current configuration.
// pathConfigRead corresponds to READ gcppca/config and returns the current
// non-secret configuration.
//
// Only project, location, issuer and scopes are returned. The credentials
// field is intentionally omitted: its value may be a service account JSON key
// and must never be echoed back to API callers.
func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
	cfg, err := b.Config(ctx, req.Storage)
	if err != nil {
		return nil, err
	}

	// Build the response without "credentials" -- see the doc comment above.
	data := map[string]interface{}{
		"project":  cfg.Project,
		"location": cfg.Location,
		"issuer":   cfg.Issuer,
		"scopes":   cfg.Scopes,
	}
	return &logical.Response{Data: data}, nil
}
// pathConfigWrite corresponds to both CREATE and UPDATE gcppca/config and is
// used to create or update the current configuration.
// pathConfigWrite corresponds to both CREATE and UPDATE gcppca/config and is
// used to create or update the current configuration.
//
// The existing configuration (if any) is loaded, the request fields are
// applied through Config.Update, and the result is persisted only when
// something actually changed. Field validation errors from Update are
// surfaced to the caller as HTTP 400; storage errors are wrapped and
// returned. After a successful write the cached client is reset so the next
// request picks up the new credentials.
func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	cfg, err := b.Config(ctx, req.Storage)
	if err != nil {
		return nil, err
	}

	changed, err := cfg.Update(d)
	if err != nil {
		// Bad input from the caller, not a server-side failure.
		return nil, logical.CodedError(400, err.Error())
	}
	if !changed {
		// Nothing to persist and no reason to drop the cached client.
		return nil, nil
	}

	entry, err := logical.StorageEntryJSON("config", cfg)
	if err != nil {
		return nil, errwrap.Wrapf("failed to generate JSON configuration: {{err}}", err)
	}
	if err = req.Storage.Put(ctx, entry); err != nil {
		return nil, errwrap.Wrapf("failed to persist configuration to storage: {{err}}", err)
	}

	// Invalidate the existing client so it re-reads the new configuration.
	b.ResetClient()
	return nil, nil
}
// pathConfigDelete corresponds to DELETE gcppca/config and is used to delete
// all the configuration.
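// pathConfigDelete corresponds to DELETE gcppca/config and is used to delete
// all the configuration.
//
// The "config" storage entry is removed and the cached client is reset so
// that no subsequent request keeps using credentials that are no longer
// configured. A storage error is wrapped and returned. The field data is
// unused, so the parameter is blank like in the sibling handlers.
func (b *backend) pathConfigDelete(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
	if err := req.Storage.Delete(ctx, "config"); err != nil {
		return nil, errwrap.Wrapf("failed to delete from storage: {{err}}", err)
	}

	// Invalidate the existing client so it re-reads the (now absent)
	// configuration instead of continuing with stale credentials.
	b.ResetClient()
	return nil, nil
}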