Tokenhelper v2

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 CHANGES:
 
+ * auth/token: Token store roles use new, common token fields for the values
+   that overlap with other auth backends. `period`, `explicit_max_ttl`, and
+   `bound_cidrs` will continue to work, with priority being given to the
+   `token_` prefixed versions of those parameters. They will also be returned
+   when doing a read on the role if they were used to provide values initially;
+   however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no
+   longer be returned. (`explicit_max_ttl` was already not returned if empty.)
  * Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now
    stricter about what characters it will accept in path names. Whereas before
    it would filter out unprintable characters (and this could be turned off),

audit/format.go

@@ -153,6 +153,7 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
 			TokenPolicies:             auth.TokenPolicies,
 			IdentityPolicies:          auth.IdentityPolicies,
 			ExternalNamespacePolicies: auth.ExternalNamespacePolicies,
+			NoDefaultPolicy:           auth.NoDefaultPolicy,
 			Metadata:                  auth.Metadata,
 			EntityID:                  auth.EntityID,
 			RemainingUses:             req.ClientTokenRemainingUses,
@@ -352,6 +353,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 			TokenPolicies:             resp.Auth.TokenPolicies,
 			IdentityPolicies:          resp.Auth.IdentityPolicies,
 			ExternalNamespacePolicies: resp.Auth.ExternalNamespacePolicies,
+			NoDefaultPolicy:           resp.Auth.NoDefaultPolicy,
 			Metadata:                  resp.Auth.Metadata,
 			NumUses:                   resp.Auth.NumUses,
 			EntityID:                  resp.Auth.EntityID,
@@ -397,6 +399,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 			TokenPolicies:             auth.TokenPolicies,
 			IdentityPolicies:          auth.IdentityPolicies,
 			ExternalNamespacePolicies: auth.ExternalNamespacePolicies,
+			NoDefaultPolicy:           auth.NoDefaultPolicy,
 			Metadata:                  auth.Metadata,
 			RemainingUses:             req.ClientTokenRemainingUses,
 			EntityID:                  auth.EntityID,
@@ -496,6 +499,7 @@ type AuditAuth struct {
 	TokenPolicies             []string            `json:"token_policies,omitempty"`
 	IdentityPolicies          []string            `json:"identity_policies,omitempty"`
 	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"`
+	NoDefaultPolicy           bool                `json:"no_default_policy,omitempty"`
 	Metadata                  map[string]string   `json:"metadata,omitempty"`
 	NumUses                   int                 `json:"num_uses,omitempty"`
 	RemainingUses             int                 `json:"remaining_uses,omitempty"`

audit/format_json_test.go

@@ -38,12 +38,13 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 	}{
 		"auth, request": {
 			&logical.Auth{
-				ClientToken: "foo",
-				Accessor:    "bar",
-				EntityID:    "foobarentity",
-				DisplayName: "testtoken",
-				Policies:    []string{"root"},
-				TokenType:   logical.TokenTypeService,
+				ClientToken:     "foo",
+				Accessor:        "bar",
+				DisplayName:     "testtoken",
+				EntityID:        "foobarentity",
+				NoDefaultPolicy: true,
+				Policies:        []string{"root"},
+				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				Operation: logical.UpdateOperation,
@@ -64,12 +65,13 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 		},
 		"auth, request with prefix": {
 			&logical.Auth{
-				ClientToken: "foo",
-				Accessor:    "bar",
-				EntityID:    "foobarentity",
-				DisplayName: "testtoken",
-				Policies:    []string{"root"},
-				TokenType:   logical.TokenTypeService,
+				ClientToken:     "foo",
+				Accessor:        "bar",
+				EntityID:        "foobarentity",
+				DisplayName:     "testtoken",
+				NoDefaultPolicy: true,
+				Policies:        []string{"root"},
+				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				Operation: logical.UpdateOperation,
@@ -141,5 +143,5 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 	}
 }
 
-const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"foobarentity","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
+const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"no_default_policy":true,"metadata":null,"entity_id":"foobarentity","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
 `

audit/format_jsonx_test.go

@@ -37,12 +37,13 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 	}{
 		"auth, request": {
 			&logical.Auth{
-				ClientToken: "foo",
-				Accessor:    "bar",
-				EntityID:    "foobarentity",
-				DisplayName: "testtoken",
-				Policies:    []string{"root"},
-				TokenType:   logical.TokenTypeService,
+				ClientToken:     "foo",
+				Accessor:        "bar",
+				DisplayName:     "testtoken",
+				EntityID:        "foobarentity",
+				NoDefaultPolicy: true,
+				Policies:        []string{"root"},
+				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				ID:                  "request",
@@ -64,17 +65,18 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 			errors.New("this is an error"),
 			"",
 			"",
-			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id">foobarentity</json:string><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token">%s</json:string><json:string name="client_token_accessor">bar</json:string><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id">request</json:string><json:object name="namespace"><json:string name="id">root</json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">true</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
+			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id">foobarentity</json:string><json:boolean name="no_default_policy">true</json:boolean><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token">%s</json:string><json:string name="client_token_accessor">bar</json:string><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id">request</json:string><json:object name="namespace"><json:string name="id">root</json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">true</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
 				fooSalted, fooSalted),
 		},
 		"auth, request with prefix": {
 			&logical.Auth{
-				ClientToken: "foo",
-				Accessor:    "bar",
-				EntityID:    "foobarentity",
-				DisplayName: "testtoken",
-				Policies:    []string{"root"},
-				TokenType:   logical.TokenTypeService,
+				ClientToken:     "foo",
+				Accessor:        "bar",
+				DisplayName:     "testtoken",
+				NoDefaultPolicy: true,
+				EntityID:        "foobarentity",
+				Policies:        []string{"root"},
+				TokenType:       logical.TokenTypeService,
 			},
 			&logical.Request{
 				ID:                  "request",
@@ -96,7 +98,7 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 			errors.New("this is an error"),
 			"",
 			"@cee: ",
-			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id">foobarentity</json:string><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token">%s</json:string><json:string name="client_token_accessor">bar</json:string><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id">request</json:string><json:object name="namespace"><json:string name="id">root</json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">true</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
+			fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id">foobarentity</json:string><json:boolean name="no_default_policy">true</json:boolean><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token">%s</json:string><json:string name="client_token_accessor">bar</json:string><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id">request</json:string><json:object name="namespace"><json:string name="id">root</json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">true</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
 				fooSalted, fooSalted),
 		},
 	}

sdk/go.sum

@@ -52,6 +52,7 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/vault v1.1.2 h1:NDaWEwrTwjg3VKrKQmQykuiq4UqMUlbqloRvIX5fhns=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=

sdk/helper/tokenhelper/tokenhelper.go

@@ -0,0 +1,207 @@
+package tokenhelper
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	sockaddr "github.com/hashicorp/go-sockaddr"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/parseutil"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+type TokenParams struct {
+	// The set of CIDRs that tokens generated using this role will be bound to
+	TokenBoundCIDRs []*sockaddr.SockAddrMarshaler `json:"token_bound_cidrs"`
+
+	// If set, the token entry will have an explicit maximum TTL set, rather
+	// than deferring to role/mount values
+	TokenExplicitMaxTTL time.Duration `json:"token_explicit_max_ttl" mapstructure:"token_explicit_max_ttl"`
+
+	// The max TTL to use for the token
+	TokenMaxTTL time.Duration `json:"token_max_ttl" mapstructure:"token_max_ttl"`
+
+	// If set, core will not automatically add default to the policy list
+	TokenNoDefaultPolicy bool `json:"token_no_default_policy" mapstructure:"token_no_default_policy"`
+
+	// If non-zero, tokens created using this role will be able to be renewed
+	// forever, but will have a fixed renewal period of this value
+	TokenPeriod time.Duration `json:"token_period" mapstructure:"token_period"`
+
+	// The policies to set
+	TokenPolicies []string `json:"token_policies" mapstructure:"token_policies"`
+
+	// The type of token this role should issue
+	TokenType logical.TokenType `json:"token_type" mapstructure:"token_type"`
+
+	// The TTL to user for the token
+	TokenTTL time.Duration `json:"token_ttl" mapstructure:"token_ttl"`
+}
+
+// AddTokenFields adds fields to an existing role. It panics if it would
+// overwrite an existing field.
+func AddTokenFields(m map[string]*framework.FieldSchema) {
+	AddTokenFieldsWithAllowList(m, nil)
+}
+
+func AddTokenFieldsWithAllowList(m map[string]*framework.FieldSchema, allowed []string) {
+	r := TokenFields()
+	for k, v := range r {
+		if len(allowed) > 0 && !strutil.StrListContains(allowed, k) {
+			continue
+		}
+		if _, has := m[k]; has {
+			panic(fmt.Sprintf("adding role field %s would overwrite existing field", k))
+		}
+		m[k] = v
+	}
+}
+
+func TokenFields() map[string]*framework.FieldSchema {
+	return map[string]*framework.FieldSchema{
+		"token_bound_cidrs": &framework.FieldSchema{
+			Type:        framework.TypeCommaStringSlice,
+			Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`,
+		},
+
+		"token_explicit_max_ttl": &framework.FieldSchema{
+			Type:        framework.TypeDurationSecond,
+			Description: tokenExplicitMaxTTLHelp,
+		},
+
+		"token_max_ttl": &framework.FieldSchema{
+			Type:        framework.TypeDurationSecond,
+			Description: "The maximum lifetime of the generated token",
+		},
+
+		"token_no_default_policy": &framework.FieldSchema{
+			Type:        framework.TypeBool,
+			Description: "If true, the 'default' policy will not automatically be added to generated tokens",
+		},
+
+		"token_period": &framework.FieldSchema{
+			Type:        framework.TypeDurationSecond,
+			Description: tokenPeriodHelp,
+		},
+
+		"token_policies": &framework.FieldSchema{
+			Type:        framework.TypeCommaStringSlice,
+			Description: "Comma-separated list of policies",
+		},
+
+		"token_type": &framework.FieldSchema{
+			Type:        framework.TypeString,
+			Default:     "default-service",
+			Description: "The type of token to generate, service or batch",
+		},
+
+		"token_ttl": &framework.FieldSchema{
+			Type:        framework.TypeDurationSecond,
+			Description: "The initial ttl of the token to generate",
+		},
+	}
+}
+
+func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldData) error {
+	if boundCIDRsRaw, ok := d.GetOk("token_bound_cidrs"); ok {
+		boundCIDRs, err := parseutil.ParseAddrs(boundCIDRsRaw.([]string))
+		if err != nil {
+			return err
+		}
+		t.TokenBoundCIDRs = boundCIDRs
+	}
+
+	if explicitMaxTTLRaw, ok := d.GetOk("token_explicit_max_ttl"); ok {
+		t.TokenExplicitMaxTTL = time.Duration(explicitMaxTTLRaw.(int)) * time.Second
+	}
+
+	if maxTTLRaw, ok := d.GetOk("token_max_ttl"); ok {
+		t.TokenMaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
+	}
+	if t.TokenMaxTTL < 0 {
+		return errors.New("'token_max_ttl' cannot be negative")
+	}
+
+	if noDefaultRaw, ok := d.GetOk("token_no_default_policy"); ok {
+		t.TokenNoDefaultPolicy = noDefaultRaw.(bool)
+	}
+
+	if periodRaw, ok := d.GetOk("token_period"); ok {
+		t.TokenPeriod = time.Duration(periodRaw.(int)) * time.Second
+	}
+	if t.TokenPeriod < 0 {
+		return errors.New("'token_period' cannot be negative")
+	}
+
+	if policiesRaw, ok := d.GetOk("token_policies"); ok {
+		t.TokenPolicies = policiesRaw.([]string)
+	}
+
+	if tokenTypeRaw, ok := d.GetOk("token_type"); ok {
+		var tokenType logical.TokenType
+		tokenTypeStr := tokenTypeRaw.(string)
+		switch tokenTypeStr {
+		case "service":
+			tokenType = logical.TokenTypeService
+		case "batch":
+			tokenType = logical.TokenTypeBatch
+		case "", "default", "default-service":
+			tokenType = logical.TokenTypeDefaultService
+		case "default-batch":
+			tokenType = logical.TokenTypeDefaultBatch
+		default:
+			return fmt.Errorf("invalid 'token_type' value %q", tokenTypeStr)
+		}
+		t.TokenType = tokenType
+	}
+
+	if ttlRaw, ok := d.GetOk("token_ttl"); ok {
+		t.TokenTTL = time.Duration(ttlRaw.(int)) * time.Second
+	}
+	if t.TokenTTL < 0 {
+		return errors.New("'token_ttl' cannot be negative")
+	}
+	if t.TokenTTL > 0 && t.TokenMaxTTL > 0 && t.TokenTTL > t.TokenMaxTTL {
+		return errors.New("'token_ttl' cannot be greater than 'token_max_ttl'")
+	}
+
+	return nil
+}
+
+func (t *TokenParams) PopulateTokenData(m map[string]interface{}) {
+	m["token_bound_cidrs"] = t.TokenBoundCIDRs
+	m["token_explicit_max_ttl"] = t.TokenExplicitMaxTTL.Seconds()
+	m["token_max_ttl"] = t.TokenMaxTTL.Seconds()
+	m["token_no_default_policy"] = t.TokenNoDefaultPolicy
+	m["token_period"] = t.TokenPeriod.Seconds()
+	m["token_policies"] = t.TokenPolicies
+	m["token_type"] = t.TokenType.String()
+	m["token_ttl"] = t.TokenTTL.Seconds()
+}
+
+func (t *TokenParams) PopulateTokenAuth(auth *logical.Auth) {
+	auth.BoundCIDRs = t.TokenBoundCIDRs
+	auth.ExplicitMaxTTL = t.TokenExplicitMaxTTL
+	auth.MaxTTL = t.TokenMaxTTL
+	auth.NoDefaultPolicy = t.TokenNoDefaultPolicy
+	auth.Period = t.TokenPeriod
+	auth.Policies = t.TokenPolicies
+	auth.TokenType = t.TokenType
+	auth.TTL = t.TokenTTL
+}
+
+const (
+	tokenPeriodHelp = `If set, tokens created via this role
+will have no max lifetime; instead, their
+renewal period will be fixed to this value.
+This takes an integer number of seconds,
+or a string duration (e.g. "24h").`
+	tokenExplicitMaxTTLHelp = `If set, tokens created via this role
+carry an explicit maximum TTL. During renewal,
+the current maximum TTL values of the role
+and the mount are not checked for changes,
+and any updates to these values will have
+no effect on the token being renewed.`
+)

sdk/logical/auth.go

@@ -38,6 +38,11 @@ type Auth struct {
 	// different namespaces indexed by respective namespace identifiers
 	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`
 
+	// Indicates that the default policy should not be added by core when
+	// creating a token. The default policy will still be added if it's
+	// explicitly defined.
+	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`
+
 	// Metadata is used to attach arbitrary string-type metadata to
 	// an authenticated user. This metadata will be outputted into the
 	// audit log.