v0.0.1

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2017, Nokia
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -0,0 +1,17 @@
+EXTERNAL_TOOLS=\
+               github.com/mitchellh/gox \
+               github.com/kardianos/govendor
+
+GOFMT_FILES?=$$(find . -name '*.go' | grep -v vendor)
+
+# bootstrap the build by downloading additional tools
+bootstrap:
+	@for tool in  $(EXTERNAL_TOOLS) ; do \
+		echo "Installing/Updating $$tool" ; \
+		go get -u $$tool;
+	done
+
+fmt:
+	gofmt -w $(GOFMT_FILES)
+
+dev:

README.md

@@ -0,0 +1,148 @@
+# Openstack Keystone plugin
+
+This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault). This plugin provides the functionality to generate users in Openstack Keystone.
+
+
+
+## Getting Started
+
+This is a [Vault plugin](https://www.vaultproject.io/docs/internals/plugins.html)
+and is meant to work with Vault. This guide assumes you have already installed Vault
+and have a basic understanding of how Vault works.
+
+Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html).
+
+To learn specifically about how plugins work, see documentation on [Vault plugins](https://www.vaultproject.io/docs/internals/plugins.html).
+
+### Build
+
+- `go get github.com/parnurzeal/gorequest`
+- `go get github.com/hashicorp/vault/plugins`
+- `go get github.com/hashicorp/go-plugin`
+- `go get github.com/fatih/structs`
+- `go get github.com/google/gofuzz`
+- `go build -o vault_keystone_plugin .``
+
+### Installation
+
+Build the plugin.
+
+Put the plugin binary into a location of your choice. This directory
+will be specified as the [`plugin_directory`](https://www.vaultproject.io/docs/configuration/index.html#plugin_directory)
+in the Vault config used to start the server.
+
+```json
+...
+plugin_directory = "path/to/plugin/directory"
+...
+```
+
+Start a Vault server with this config file:
+```sh
+$ vault server -config=path/to/config.json ...
+...
+```
+
+`sha256sum vault_keystone_plugin`
+
+`vault write sys/plugins/catalog/vault_keystone_plugin sha_256="<SHA from the previous step>" command="keystone"`
+
+`vault mount -path=keystone -plugin-name=vault_keystone_plugin plugin`
+
+### Routes
+
+## keystone/config/connection
+
+CLI write / API POST - set connection configuration
+
+Parameters:
+-  `connection_url` : URL of your Keystone instance, formatted like `keystoneip:port/v3/`
+-  `admin_auth_token` : admin user token
+
+## keystone/users
+
+CLI write / API POST
+CLI read / API GET - generate new user
+
+Parameters:
+-  `name`
+-  `default_project_id` (_optional_)
+-  `domain_id` (_optional_)
+-  `enabled` (_optional_)
+-  `password` (_optional_)
+
+## keystone/projects
+
+CLI write / API POST
+CLI read / API GET - generate new project
+
+Parameters:
+-  `name`
+-  `is_domain` (_optional_)
+-  `description` (_optional_)
+-  `domain_id` (_optional_)
+-  `enabled` (_optional_)
+-  `parent_id` (_optional_)
+
+## keystone/domains
+
+CLI write / API POST
+CLI read / API GET - generate new domain
+
+Parameters:
+-  `name`
+-  `description` (_optional_)
+-  `enabled` (_optional_)
+
+## keystone/roles
+
+CLI write / API POST
+CLI read / API GET - generate new role
+
+Parameters:
+-  `name`
+-  `domain_id` (_optional_)
+
+## keystone/roles/*role*/groups/*group*/domains/*domain* action="grant"
+
+CLI write / API POST - Assign role to group on domain
+
+Parameters:
+-  `domain_id`
+-  `group_id`
+-  `role_id`
+
+## keystone/roles/*role*/users/*user*/domains/*domain* action="grant"
+
+CLI write / API POST - Assign role to user on domain
+
+Parameters:
+-  `domain_id`
+-  `user_id`
+-  `role_id`
+
+## keystone/roles/*role*/groups/*group*/projects/*project* action="grant"
+
+CLI write / API POST - Assign role to group on project
+
+Parameters:
+-  `project_id`
+-  `group_id`
+-  `role_id`
+
+## keystone/roles/*role*/users/*user*/projects/*project* action="grant"
+
+CLI write / API POST - Assign role to user on project
+
+Parameters:
+-  `project_id`
+-  `user_id`
+-  `role_id`
+
+### TODO:
+
+- Keystone EC2 Extensions
+- Credentials
+- Groups
+- Policies
+- Regions

main.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"log"
+	"os"
+
+	keystonebackend "gitlabe1.ext.net.nokia.com/ava/vault_keystone_plugin/plugin"
+	"github.com/hashicorp/vault/helper/pluginutil"
+	"github.com/hashicorp/vault/logical/plugin"
+)
+
+func main() {
+
+	apiClientMeta := &pluginutil.APIClientMeta{}
+	flags := apiClientMeta.FlagSet()
+	flags.Parse(os.Args)
+
+	tlsConfig := apiClientMeta.GetTLSConfig()
+	tlsProviderFunc := pluginutil.VaultPluginTLSProvider(tlsConfig)
+
+	err := plugin.Serve(&plugin.ServeOpts{
+		BackendFactoryFunc: keystonebackend.Factory,
+		TLSProviderFunc:    tlsProviderFunc,
+	})
+	if err != nil {
+		log.Println(err)
+		os.Exit(1)
+	}
+}

plugin/backend.go

@@ -0,0 +1,79 @@
+package keystoneauth
+
+import (
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/logical/framework"
+)
+
+// New returns a new backend as an interface. This func
+// is only necessary for builtin backend plugins.
+func New() (interface{}, error) {
+	return Backend(), nil
+}
+
+// Factory returns a new backend as logical.Backend.
+func Factory(conf *logical.BackendConfig) (logical.Backend, error) {
+	b := Backend()
+	if err := b.Setup(conf); err != nil {
+		return nil, err
+	}
+	return b, nil
+}
+
+// FactoryType is a wrapper func that allows the Factory func to specify
+// the backend type for the mock backend plugin instance.
+func FactoryType(backendType logical.BackendType) func(*logical.BackendConfig) (logical.Backend, error) {
+	return func(conf *logical.BackendConfig) (logical.Backend, error) {
+		b := Backend()
+		b.BackendType = backendType
+		if err := b.Setup(conf); err != nil {
+			return nil, err
+		}
+		return b, nil
+	}
+}
+
+// Backend returns a private embedded struct of framework.Backend.
+func Backend() *backend {
+	var b backend
+	b.Backend = &framework.Backend{
+		Help:        "",
+		BackendType: logical.TypeLogical,
+		Paths: []*framework.Path{
+			pathInternal(&b),
+			pathConfig(&b),
+			pathUsers(&b),
+			pathListUsers(&b),
+			pathRoles(&b),
+			pathListRoles(&b),
+			pathRolesGroupOnDomain(&b),
+			pathDomains(&b),
+			pathListDomains(&b),
+			pathProjects(&b),
+			pathListProjects(&b),
+		},
+		PathsSpecial: &logical.Paths{
+			Unauthenticated: []string{
+				"special",
+			},
+		},
+		Secrets:    []*framework.Secret{},
+		Invalidate: b.invalidate,
+	}
+	b.internal = "bar"
+	return &b
+}
+
+type backend struct {
+	*framework.Backend
+
+	// internal is used to test invalidate
+	internal string
+}
+
+func (b *backend) invalidate(key string) {
+	switch key {
+	case "internal":
+		b.internal = ""
+	}
+}

plugin/backend_test.go

@@ -0,0 +1,11 @@
+package keystoneauth
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/logical"
+)
+
+func TestMockBackend_impl(t *testing.T) {
+	var _ logical.Backend = new(backend)
+}