package cognito
import (
"context"
"errors"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
const (
	// configStoragePath is the storage key under which the backend's
	// cognitoConfig is persisted (see getConfig / saveConfig).
	configStoragePath = "config"
)
// cognitoConfig contains values to configure cognito clients and
// defaults for roles. The zero value is useful and results in
// environment variables and system defaults being used.
//
// Every field is persisted as JSON under configStoragePath by
// saveConfig. The secret access key and session token are credential
// material; the "config" path registers no ReadOperation, so none of
// these values are returned to API callers by this file.
type cognitoConfig struct {
	// AwsAccessKeyId is the static AWS access key ID (request field
	// "aws_access_key_id").
	AwsAccessKeyId string `json:"aws_access_key_id"`
	// AwsAssumeRoleArn is the IAM role ARN to assume when calling the
	// AWS API ("aws_assume_role_arn"); presumably consumed by the
	// client builder outside this file — confirm.
	AwsAssumeRoleArn string `json:"aws_assume_role_arn"`
	// AwsSecretAccessKey is the secret half of the static credential
	// ("aws_secret_access_key"). Sensitive: never log or echo it.
	AwsSecretAccessKey string `json:"aws_secret_access_key"`
	// AwsSessionToken is the session token for temporary credentials
	// ("aws_session_token"). Sensitive: never log or echo it.
	AwsSessionToken string `json:"aws_session_token"`
}
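// pathConfig returns the "config" path of the backend. It accepts the
// static AWS credentials and optional role ARN used to reach the AWS
// API and registers create/update/delete callbacks only: there is
// deliberately no ReadOperation, so the stored secret access key and
// session token cannot be read back through this path.
//
// The secret-bearing fields are marked Sensitive via DisplayAttrs so
// that tooling built on the field display attributes masks them.
func pathConfig(b *cognitoSecretBackend) *framework.Path {
	return &framework.Path{
		Pattern: "config",
		Fields: map[string]*framework.FieldSchema{
			"aws_access_key_id": {
				Type:        framework.TypeString,
				Description: `The AWS access key for accessing the AWS API (Optional).`,
			},
			"aws_assume_role_arn": {
				Type:        framework.TypeString,
				Description: `An iam role to assume when accessing the AWS API (Optional).`,
			},
			"aws_secret_access_key": {
				Type:         framework.TypeString,
				Description:  `The AWS secret access key for accessing the AWS API (Optional).`,
				DisplayAttrs: &framework.DisplayAttributes{Sensitive: true},
			},
			"aws_session_token": {
				Type:         framework.TypeString,
				Description:  `The AWS session token for accessing the AWS API (Optional).`,
				DisplayAttrs: &framework.DisplayAttributes{Sensitive: true},
			},
		},
		// No ReadOperation on purpose: the config holds credential
		// material that must not be surfaced through the API.
		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.CreateOperation: b.pathConfigWrite,
			logical.UpdateOperation: b.pathConfigWrite,
			logical.DeleteOperation: b.pathConfigDelete,
		},
		ExistenceCheck:  b.pathConfigExistenceCheck,
		HelpSynopsis:    confHelpSyn,
		HelpDescription: confHelpDesc,
	}
}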
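// pathConfigWrite handles create and update of the backend config.
//
// On create a fresh cognitoConfig is started; on update the stored
// config is loaded and only the fields present in the request are
// overwritten, so a caller can rotate one value without resending the
// rest. An update against a missing config is an error.
//
// The merged result is validated before it is stored: an access key ID
// and a secret access key are only meaningful as a pair, and a session
// token only alongside static keys. Validation failures come back as a
// logical.ErrorResponse (a client error), storage failures as errors.
func (b *cognitoSecretBackend) pathConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	config, err := b.getConfig(ctx, req.Storage)
	if err != nil {
		return nil, err
	}
	if config == nil {
		if req.Operation == logical.UpdateOperation {
			return nil, errors.New("config not found during update operation")
		}
		config = new(cognitoConfig)
	}

	// Merge only the fields the caller supplied; absent fields keep
	// their stored value.
	if v, ok := data.GetOk("aws_access_key_id"); ok {
		config.AwsAccessKeyId = v.(string)
	}
	if v, ok := data.GetOk("aws_assume_role_arn"); ok {
		config.AwsAssumeRoleArn = v.(string)
	}
	if v, ok := data.GetOk("aws_secret_access_key"); ok {
		config.AwsSecretAccessKey = v.(string)
	}
	if v, ok := data.GetOk("aws_session_token"); ok {
		config.AwsSessionToken = v.(string)
	}

	// Validate the merged config rather than just this request, so a
	// partial update cannot leave a half-configured static credential
	// behind. Either both halves of the key pair are set (static
	// credentials) or neither (environment / system defaults, per the
	// cognitoConfig zero value).
	var merr *multierror.Error
	if (config.AwsAccessKeyId == "") != (config.AwsSecretAccessKey == "") {
		merr = multierror.Append(merr, errors.New("aws_access_key_id and aws_secret_access_key must be set together or both left empty"))
	}
	// A session token is only meaningful together with static keys.
	if config.AwsSessionToken != "" && (config.AwsAccessKeyId == "" || config.AwsSecretAccessKey == "") {
		merr = multierror.Append(merr, errors.New("aws_session_token requires aws_access_key_id and aws_secret_access_key"))
	}
	if verr := merr.ErrorOrNil(); verr != nil {
		return logical.ErrorResponse(verr.Error()), nil
	}

	return nil, b.saveConfig(ctx, config, req.Storage)
}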
// pathConfigDelete removes the stored backend configuration, including
// any static AWS credentials it held. On success the backend is reset
// so that a client or provider built from the old configuration is
// not reused; a storage error is returned unchanged and no reset is
// performed.
func (b *cognitoSecretBackend) pathConfigDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	if err := req.Storage.Delete(ctx, configStoragePath); err != nil {
		return nil, err
	}
	// Only reset after a successful delete; on failure the stored
	// config is still authoritative.
	b.reset()
	return nil, nil
}
// pathConfigExistenceCheck reports whether a config entry is currently
// stored. Vault's framework uses the answer to route a write to the
// CreateOperation or UpdateOperation callback. A storage or decode
// failure is propagated as the error with a false result.
func (b *cognitoSecretBackend) pathConfigExistenceCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (bool, error) {
	cfg, err := b.getConfig(ctx, req.Storage)
	switch {
	case err != nil:
		return false, err
	case cfg == nil:
		return false, nil
	default:
		return true, nil
	}
}
// getConfig loads the persisted cognitoConfig from s.
//
// It returns (nil, nil) when nothing has been written under
// configStoragePath yet, so callers must check for a nil config as
// well as a non-nil error. Storage and JSON decode errors are
// returned as-is.
func (b *cognitoSecretBackend) getConfig(ctx context.Context, s logical.Storage) (*cognitoConfig, error) {
	raw, err := s.Get(ctx, configStoragePath)
	switch {
	case err != nil:
		return nil, err
	case raw == nil:
		// Not configured yet: distinct from an error.
		return nil, nil
	}

	var cfg cognitoConfig
	if err := raw.DecodeJSON(&cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}
// saveConfig serialises config as JSON under configStoragePath and,
// once the write has succeeded, resets the backend so that any cached
// client or provider built from the previous configuration is
// discarded. Serialisation and storage errors are returned unchanged,
// in which case no reset happens.
func (b *cognitoSecretBackend) saveConfig(ctx context.Context, config *cognitoConfig, s logical.Storage) error {
	entry, err := logical.StorageEntryJSON(configStoragePath, config)
	if err != nil {
		return err
	}
	if err = s.Put(ctx, entry); err != nil {
		return err
	}
	// The client and provider were built from the old config; drop
	// them so the next request uses the values just stored.
	b.reset()
	return nil
}
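// confHelpSyn is the one-line synopsis shown for the "config" path.
const confHelpSyn = `Configure the Cognito Secret backend.`

// confHelpDesc is the long help shown for the "config" path. It is
// user-facing text; keep it in step with the fields registered in
// pathConfig.
const confHelpDesc = `
The Cognito secret backend requires AWS credentials for managing users in a user pool.
`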