package artifactory
import (
"context"
"time"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
// pathTokenCreate declares the token/<role> path. A read on it issues a
// fresh Artifactory access token using the named role's settings.
//
// Fields:
//   - role:    path parameter; the role whose configuration is used.
//   - ttl:     optional lease TTL for this token.
//   - max_ttl: accepted by the schema but NOT consumed by
//     pathTokenCreatePerform in this file, which always derives the
//     maximum from the role's max_ttl and the system max lease TTL.
//     Callers supplying it get no error and no effect.
func (b *backend) pathTokenCreate() *framework.Path {
	fields := map[string]*framework.FieldSchema{
		"role": {
			Type:        framework.TypeString,
			Description: `Use the configuration of the specified role.`,
		},
		"ttl": {
			Type:        framework.TypeDurationSecond,
			Description: `Override the default TTL when issuing this access token. Cannot exceed smallest (system, backend, role, this request) maximum TTL.`,
		},
		"max_ttl": {
			Type:        framework.TypeDurationSecond,
			Description: `Override the maximum TTL for this access token. Cannot exceed smallest (system, backend) maximum TTL.`,
		},
	}

	// Token creation is exposed as a read operation, so a plain
	// `vault read .../token/<role>` mints a credential.
	operations := map[logical.Operation]framework.OperationHandler{
		logical.ReadOperation: &framework.PathOperation{
			Callback: b.pathTokenCreatePerform,
		},
	}

	return &framework.Path{
		Pattern:      "token/" + framework.GenericNameWithAtRegex("role"),
		Fields:       fields,
		Operations:   operations,
		HelpSynopsis: `Create an Artifactory access token for the specified role.`,
	}
}
// systemVersionResponse is the decoded JSON body of an Artifactory
// system-version lookup. Nothing in this file references it; it is
// presumably consumed by the version check that decides whether
// expires_in is sent to Artifactory (see pathTokenCreatePerform).
type systemVersionResponse struct {
	Version  string `json:"version"`
	Revision string `json:"revision"`
}
// createTokenResponse is the decoded JSON body returned by Artifactory
// when an access token is created; pathTokenCreatePerform copies
// AccessToken, Scope and TokenId into the Vault lease.
type createTokenResponse struct {
	// TokenId is the server-side identifier of the token. The exported
	// spelling is kept as-is (not TokenID) because callers reference it.
	TokenId string `json:"token_id"`
	// AccessToken is the bearer credential itself; treat it as a secret
	// and never log it.
	AccessToken string `json:"access_token"`
	// ExpiresIn is the lifetime Artifactory reports (presumably seconds,
	// per the OAuth-style field name). pathTokenCreatePerform does not
	// consult it when setting the lease TTL.
	ExpiresIn int    `json:"expires_in"`
	Scope     string `json:"scope"`
	TokenType string `json:"token_type"`
}
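// pathTokenCreatePerform handles a read of token/<role>: it loads the
// backend configuration and the named role, resolves the token's
// username and TTLs, asks Artifactory for an access token and wraps it
// in a Vault lease of type SecretArtifactoryAccessTokenType.
//
// Request fields consumed here are "role" (from the path) and "ttl".
// The "max_ttl" field declared on the path schema is not read by this
// handler: the effective maximum is always the role's max_ttl clipped
// to the system max lease TTL.
//
// Caller-correctable problems (unconfigured backend, unknown role) come
// back as a logical.ErrorResponse with a nil error; storage, username
// template and Artifactory failures are returned as a non-nil error.
func (b *backend) pathTokenCreatePerform(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	// Shared locks for the duration of the request; released in the
	// reverse order they were taken.
	b.rolesMutex.RLock()
	b.configMutex.RLock()
	defer b.configMutex.RUnlock()
	defer b.rolesMutex.RUnlock()

	config, err := b.fetchAdminConfiguration(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if config == nil {
		return logical.ErrorResponse("backend not configured"), nil
	}

	// Fire-and-forget usage report; its outcome is not awaited and does
	// not affect the token request.
	go b.sendUsage(*config, "pathTokenCreatePerform")

	roleName := data.Get("role").(string)
	storedRole, err := b.Role(ctx, req.Storage, roleName)
	if err != nil {
		return nil, err
	}
	if storedRole == nil {
		return logical.ErrorResponse("no such role"), nil
	}

	// Work on a private copy. The username and max TTL are adjusted per
	// request below and must not be written back into whatever b.Role
	// handed us — if that is a cached object shared across requests,
	// mutating it under a read lock would both race and leak one
	// caller's settings into the next.
	role := *storedRole

	// A role without a static username gets one rendered from the
	// username template. req.DisplayName originates from the caller's
	// auth token; the template is relied on to bound/sanitise it into a
	// valid Artifactory username — TODO(review) confirm in usernameProducer.
	if len(role.Username) == 0 {
		role.Username, err = b.usernameProducer.Generate(UsernameMetadata{
			RoleName:    roleName,
			DisplayName: req.DisplayName,
		})
		if err != nil {
			return logical.ErrorResponse("error generating username from template"), err
		}
	}

	// Requested TTL, or the role default when the caller gave none.
	// Negative values are already rejected by the TypeDurationSecond
	// field validation before this handler runs.
	ttl := role.DefaultTTL
	if value, ok := data.GetOk("ttl"); ok {
		ttl = time.Second * time.Duration(value.(int))
	}

	// Effective max TTL: the role's max_ttl unless it is unset (0) or
	// exceeds the system max lease TTL, in which case the system value
	// wins. CreateToken also sends this value to Artifactory as
	// expires_in (honoured by 7.50.3 and later), so the token's
	// server-side lifetime matches the lease's upper bound.
	maxLeaseTTL := b.Backend.System().MaxLeaseTTL()
	if role.MaxTTL == 0 || role.MaxTTL > maxLeaseTTL {
		role.MaxTTL = maxLeaseTTL
	}

	// Never issue a lease longer than the effective max. The request is
	// clipped rather than refused, and the caller is told so below
	// instead of silently receiving a shorter-lived credential.
	clipped := false
	if role.MaxTTL > 0 && ttl > role.MaxTTL {
		ttl = role.MaxTTL
		clipped = true
	}

	resp, err := b.CreateToken(*config, role)
	if err != nil {
		return nil, err
	}

	// First map is returned to the caller; the second is the lease's
	// internal data, which Vault keeps with the lease (for the
	// revoke/renew handlers of this secret type) rather than returning.
	response := b.Secret(SecretArtifactoryAccessTokenType).Response(map[string]interface{}{
		"access_token": resp.AccessToken,
		"role":         roleName,
		"scope":        resp.Scope,
		"token_id":     resp.TokenId,
		"username":     role.Username,
	}, map[string]interface{}{
		"role":         roleName,
		"access_token": resp.AccessToken,
		"token_id":     resp.TokenId,
		"username":     role.Username,
	})
	response.Secret.TTL = ttl
	response.Secret.MaxTTL = role.MaxTTL
	if clipped {
		response.AddWarning("requested ttl exceeded the effective max_ttl of " + role.MaxTTL.String() + "; ttl reduced to " + ttl.String())
	}

	return response, nil
}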