github.com/hashicorp/vault/sdk@v0.13.0/logical/system_view.go (about) 1 // Copyright (c) HashiCorp, Inc. 2 // SPDX-License-Identifier: MPL-2.0 3 4 package logical 5 6 import ( 7 "context" 8 "errors" 9 "fmt" 10 "io" 11 "time" 12 13 "github.com/hashicorp/vault/sdk/helper/consts" 14 "github.com/hashicorp/vault/sdk/helper/license" 15 "github.com/hashicorp/vault/sdk/helper/pluginutil" 16 "github.com/hashicorp/vault/sdk/helper/wrapping" 17 ) 18 19 // SystemView exposes system configuration information in a safe way 20 // for logical backends to consume 21 type SystemView interface { 22 // DefaultLeaseTTL returns the default lease TTL set in Vault configuration 23 DefaultLeaseTTL() time.Duration 24 25 // MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend 26 // authors should take care not to issue credentials that last longer than 27 // this value, as Vault will revoke them 28 MaxLeaseTTL() time.Duration 29 30 // Returns true if the mount is tainted. A mount is tainted if it is in the 31 // process of being unmounted. This should only be used in special 32 // circumstances; a primary use-case is as a guard in revocation functions. 33 // If revocation of a backend's leases fails it can keep the unmounting 34 // process from being successful. If the reason for this failure is not 35 // relevant when the mount is tainted (for instance, saving a CRL to disk 36 // when the stored CRL will be removed during the unmounting process 37 // anyways), we can ignore the errors to allow unmounting to complete. 38 Tainted() bool 39 40 // Returns true if caching is disabled. If true, no caches should be used, 41 // despite known slowdowns. 42 CachingDisabled() bool 43 44 // When run from a system view attached to a request, indicates whether the 45 // request is affecting a local mount or not 46 LocalMount() bool 47 48 // ReplicationState indicates the state of cluster replication 49 ReplicationState() consts.ReplicationState 50 51 // HasFeature returns true if the feature is currently enabled 52 HasFeature(feature license.Features) bool 53 54 // ResponseWrapData wraps the given data in a cubbyhole and returns the 55 // token used to unwrap. 56 ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) 57 58 // LookupPlugin looks into the plugin catalog for a plugin with the given 59 // name. Returns a PluginRunner or an error if a plugin can not be found. 60 LookupPlugin(ctx context.Context, pluginName string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error) 61 62 // LookupPluginVersion looks into the plugin catalog for a plugin with the given 63 // name and version. Returns a PluginRunner or an error if a plugin can not be found. 64 LookupPluginVersion(ctx context.Context, pluginName string, pluginType consts.PluginType, version string) (*pluginutil.PluginRunner, error) 65 66 // ListVersionedPlugins returns information about all plugins of a certain 67 // type in the catalog, including any versioning information stored for them. 68 ListVersionedPlugins(ctx context.Context, pluginType consts.PluginType) ([]pluginutil.VersionedPlugin, error) 69 70 // NewPluginClient returns a client for managing the lifecycle of plugin 71 // processes 72 NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error) 73 74 // MlockEnabled returns the configuration setting for enabling mlock on 75 // plugins. 76 MlockEnabled() bool 77 78 // EntityInfo returns a subset of information related to the identity entity 79 // for the given entity id 80 EntityInfo(entityID string) (*Entity, error) 81 82 // GroupsForEntity returns the group membership information for the provided 83 // entity id 84 GroupsForEntity(entityID string) ([]*Group, error) 85 86 // PluginEnv returns Vault environment information used by plugins 87 PluginEnv(context.Context) (*PluginEnvironment, error) 88 89 // VaultVersion returns the version string for the currently running Vault. 90 VaultVersion(context.Context) (string, error) 91 92 // GeneratePasswordFromPolicy generates a password from the policy referenced. 93 // If the policy does not exist, this will return an error. 94 GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) 95 96 // ClusterID returns the replication ClusterID, for use with path-based 97 // write forwarding (WriteForwardedPaths). This value will be templated 98 // in for the {{cluterId}} sentinel. 99 ClusterID(ctx context.Context) (string, error) 100 101 // GenerateIdentityToken returns an identity token for the requesting plugin. 102 GenerateIdentityToken(ctx context.Context, req *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error) 103 } 104 105 type PasswordPolicy interface { 106 // Generate a random password 107 Generate(context.Context, io.Reader) (string, error) 108 } 109 110 type WellKnownSystemView interface { 111 // RequestWellKnownRedirect registers a redirect from .well-known/src 112 // to dest, where dest is a sub-path of the mount. An error 113 // is returned if that source path is already taken 114 RequestWellKnownRedirect(ctx context.Context, src, dest string) error 115 116 // DeregisterWellKnownRedirect unregisters a specific redirect. Returns 117 // true if that redirect source was found 118 DeregisterWellKnownRedirect(ctx context.Context, src string) bool 119 } 120 121 type ExtendedSystemView interface { 122 WellKnownSystemView 123 124 Auditor() Auditor 125 ForwardGenericRequest(context.Context, *Request) (*Response, error) 126 127 // APILockShouldBlockRequest returns whether a namespace for the requested 128 // mount is locked and should be blocked 129 APILockShouldBlockRequest() (bool, error) 130 131 // GetPinnedPluginVersion returns the pinned version for the given plugin, if any. 132 GetPinnedPluginVersion(ctx context.Context, pluginType consts.PluginType, pluginName string) (*pluginutil.PinnedVersion, error) 133 } 134 135 type PasswordGenerator func() (password string, err error) 136 137 type StaticSystemView struct { 138 DefaultLeaseTTLVal time.Duration 139 MaxLeaseTTLVal time.Duration 140 SudoPrivilegeVal bool 141 TaintedVal bool 142 CachingDisabledVal bool 143 Primary bool 144 EnableMlock bool 145 LocalMountVal bool 146 ReplicationStateVal consts.ReplicationState 147 EntityVal *Entity 148 GroupsVal []*Group 149 Features license.Features 150 PluginEnvironment *PluginEnvironment 151 PasswordPolicies map[string]PasswordGenerator 152 VersionString string 153 ClusterUUID string 154 APILockShouldBlockRequestVal bool 155 } 156 157 type noopAuditor struct{} 158 159 func (a noopAuditor) AuditRequest(ctx context.Context, input *LogInput) error { 160 return nil 161 } 162 163 func (a noopAuditor) AuditResponse(ctx context.Context, input *LogInput) error { 164 return nil 165 } 166 167 func (d StaticSystemView) Auditor() Auditor { 168 return noopAuditor{} 169 } 170 171 func (d StaticSystemView) ForwardGenericRequest(ctx context.Context, req *Request) (*Response, error) { 172 return nil, errors.New("ForwardGenericRequest is not implemented in StaticSystemView") 173 } 174 175 func (d StaticSystemView) DefaultLeaseTTL() time.Duration { 176 return d.DefaultLeaseTTLVal 177 } 178 179 func (d StaticSystemView) MaxLeaseTTL() time.Duration { 180 return d.MaxLeaseTTLVal 181 } 182 183 func (d StaticSystemView) SudoPrivilege(_ context.Context, path string, token string) bool { 184 return d.SudoPrivilegeVal 185 } 186 187 func (d StaticSystemView) Tainted() bool { 188 return d.TaintedVal 189 } 190 191 func (d StaticSystemView) CachingDisabled() bool { 192 return d.CachingDisabledVal 193 } 194 195 func (d StaticSystemView) LocalMount() bool { 196 return d.LocalMountVal 197 } 198 199 func (d StaticSystemView) ReplicationState() consts.ReplicationState { 200 return d.ReplicationStateVal 201 } 202 203 func (d StaticSystemView) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error) { 204 return nil, errors.New("NewPluginClient is not implemented in StaticSystemView") 205 } 206 207 func (d StaticSystemView) ResponseWrapData(_ context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) { 208 return nil, errors.New("ResponseWrapData is not implemented in StaticSystemView") 209 } 210 211 func (d StaticSystemView) LookupPlugin(_ context.Context, _ string, _ consts.PluginType) (*pluginutil.PluginRunner, error) { 212 return nil, errors.New("LookupPlugin is not implemented in StaticSystemView") 213 } 214 215 func (d StaticSystemView) LookupPluginVersion(_ context.Context, _ string, _ consts.PluginType, _ string) (*pluginutil.PluginRunner, error) { 216 return nil, errors.New("LookupPluginVersion is not implemented in StaticSystemView") 217 } 218 219 func (d StaticSystemView) ListVersionedPlugins(_ context.Context, _ consts.PluginType) ([]pluginutil.VersionedPlugin, error) { 220 return nil, errors.New("ListVersionedPlugins is not implemented in StaticSystemView") 221 } 222 223 func (d StaticSystemView) MlockEnabled() bool { 224 return d.EnableMlock 225 } 226 227 func (d StaticSystemView) EntityInfo(entityID string) (*Entity, error) { 228 return d.EntityVal, nil 229 } 230 231 func (d StaticSystemView) GroupsForEntity(entityID string) ([]*Group, error) { 232 return d.GroupsVal, nil 233 } 234 235 func (d StaticSystemView) HasFeature(feature license.Features) bool { 236 return d.Features.HasFeature(feature) 237 } 238 239 func (d StaticSystemView) PluginEnv(_ context.Context) (*PluginEnvironment, error) { 240 return d.PluginEnvironment, nil 241 } 242 243 func (d StaticSystemView) VaultVersion(_ context.Context) (string, error) { 244 return d.VersionString, nil 245 } 246 247 func (d StaticSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) { 248 select { 249 case <-ctx.Done(): 250 return "", fmt.Errorf("context timed out") 251 default: 252 } 253 254 if d.PasswordPolicies == nil { 255 return "", fmt.Errorf("password policy not found") 256 } 257 policy, exists := d.PasswordPolicies[policyName] 258 if !exists { 259 return "", fmt.Errorf("password policy not found") 260 } 261 return policy() 262 } 263 264 func (d *StaticSystemView) SetPasswordPolicy(name string, generator PasswordGenerator) { 265 if d.PasswordPolicies == nil { 266 d.PasswordPolicies = map[string]PasswordGenerator{} 267 } 268 d.PasswordPolicies[name] = generator 269 } 270 271 func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool) { 272 _, existed = d.PasswordPolicies[name] 273 delete(d.PasswordPolicies, name) 274 return existed 275 } 276 277 func (d StaticSystemView) ClusterID(ctx context.Context) (string, error) { 278 return d.ClusterUUID, nil 279 } 280 281 func (d StaticSystemView) GenerateIdentityToken(_ context.Context, _ *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error) { 282 return nil, errors.New("GenerateIdentityToken is not implemented in StaticSystemView") 283 } 284 285 func (d StaticSystemView) APILockShouldBlockRequest() (bool, error) { 286 return d.APILockShouldBlockRequestVal, nil 287 }