mirror of https://github.com/hashicorp/boundary
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
294 lines
9.5 KiB
294 lines
9.5 KiB
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package credentiallibrariescmd
|
|
|
|
import (
|
|
"fmt"
|
|
"strconv"
|
|
|
|
"github.com/hashicorp/boundary/api/credentiallibraries"
|
|
"github.com/hashicorp/boundary/internal/cmd/base"
|
|
"github.com/hashicorp/boundary/internal/cmd/common"
|
|
)
|
|
|
|
func init() {
|
|
extraVaultSshCertificateFlagsFunc = extraVaultSshCertificateFlagsFuncImpl
|
|
extraVaultSshCertificateActionsFlagsMapFunc = extraVaultSshCertificateActionsFlagsMapFuncImpl
|
|
extraVaultSshCertificateFlagsHandlingFunc = extraVaultSshCertificateFlagHandlingFuncImpl
|
|
}
|
|
|
|
const (
|
|
usernameName = "username"
|
|
keyTypeName = "key-type"
|
|
keyBitsName = "key-bits"
|
|
ttlName = "ttl"
|
|
keyIdName = "key-id"
|
|
criticalOptionsName = "critical-options"
|
|
piecewiseCriticalOptionsName = "critical-option"
|
|
extensionsName = "extensions"
|
|
piecewiseExtensionName = "extension"
|
|
additionalValidPrincipalsName = "additional-valid-principal"
|
|
)
|
|
|
|
type extraVaultSshCertificateCmdVars struct {
|
|
flagPath string
|
|
flagUsername string
|
|
flagKeyType string
|
|
flagKeyBits string
|
|
flagTtl string
|
|
flagKeyId string
|
|
flagCriticalOptions string
|
|
flagCriticalOpts []base.CombinedSliceFlagValue
|
|
flagExtensions string
|
|
flagExtens []base.CombinedSliceFlagValue
|
|
flagAdditionalValidPrincipals []base.CombinedSliceFlagValue
|
|
}
|
|
|
|
func extraVaultSshCertificateActionsFlagsMapFuncImpl() map[string][]string {
|
|
flags := map[string][]string{
|
|
"create": {
|
|
pathFlagName,
|
|
usernameName,
|
|
keyTypeName,
|
|
keyBitsName,
|
|
ttlName,
|
|
keyIdName,
|
|
criticalOptionsName,
|
|
piecewiseCriticalOptionsName,
|
|
extensionsName,
|
|
piecewiseExtensionName,
|
|
additionalValidPrincipalsName,
|
|
},
|
|
"update": {
|
|
pathFlagName,
|
|
usernameName,
|
|
keyTypeName,
|
|
keyBitsName,
|
|
ttlName,
|
|
keyIdName,
|
|
criticalOptionsName,
|
|
piecewiseCriticalOptionsName,
|
|
extensionsName,
|
|
piecewiseExtensionName,
|
|
additionalValidPrincipalsName,
|
|
},
|
|
}
|
|
return flags
|
|
}
|
|
|
|
func extraVaultSshCertificateFlagsFuncImpl(c *VaultSshCertificateCommand, set *base.FlagSets, _ *base.FlagSet) {
|
|
f := set.NewFlagSet("Vault SSH Certificate Credential Library Options")
|
|
|
|
for _, name := range flagsVaultSshCertificateMap[c.Func] {
|
|
switch name {
|
|
case pathFlagName:
|
|
f.StringVar(&base.StringVar{
|
|
Name: pathFlagName,
|
|
Target: &c.flagPath,
|
|
Usage: "The path in vault to request credentials from.",
|
|
})
|
|
case usernameName:
|
|
f.StringVar(&base.StringVar{
|
|
Name: usernameName,
|
|
Target: &c.flagUsername,
|
|
Usage: "The username to use with the ssh certificate.",
|
|
})
|
|
case keyTypeName:
|
|
f.StringVar(&base.StringVar{
|
|
Name: keyTypeName,
|
|
Target: &c.flagKeyType,
|
|
Usage: "The key type for the generated ssh private key. One of: ed25519, ecdsa, rsa.",
|
|
})
|
|
case keyBitsName:
|
|
f.StringVar(&base.StringVar{
|
|
Name: keyBitsName,
|
|
Target: &c.flagKeyBits,
|
|
Usage: "The number of bits when generating the ssh private key. Depends on key_type. If ed25519 this should not be set, or set to 0, if ecdsa one of 256, 384, 521, if rsa one of 2048, 3072, 4096.",
|
|
})
|
|
case ttlName:
|
|
f.StringVar(&base.StringVar{
|
|
Name: ttlName,
|
|
Target: &c.flagTtl,
|
|
Usage: "The time-to-live for the generated certificate.",
|
|
})
|
|
case keyIdName:
|
|
f.StringVar(&base.StringVar{
|
|
Name: keyIdName,
|
|
Target: &c.flagKeyId,
|
|
Usage: "The key id that the created certificate should have.",
|
|
})
|
|
case additionalValidPrincipalsName:
|
|
f.CombinationSliceVar(&base.CombinationSliceVar{
|
|
Name: additionalValidPrincipalsName,
|
|
Target: &c.flagAdditionalValidPrincipals,
|
|
Usage: "Principals to be signed as \"valid_principles\" in addition to username.",
|
|
})
|
|
}
|
|
}
|
|
criticalOptsInput := common.CombinedSliceFlagValuePopulationInput{
|
|
FlagSet: f,
|
|
FlagNames: flagsVaultSshCertificateMap[c.Func],
|
|
FullPopulationFlag: &c.flagCriticalOptions,
|
|
FullPopulationInputName: criticalOptionsName,
|
|
PiecewisePopulationFlag: &c.flagCriticalOpts,
|
|
PiecewisePopulationInputBaseName: piecewiseCriticalOptionsName,
|
|
PiecewiseNoProtoCompat: true,
|
|
}
|
|
common.PopulateCombinedSliceFlagValue(criticalOptsInput)
|
|
|
|
extensionsInput := common.CombinedSliceFlagValuePopulationInput{
|
|
FlagSet: f,
|
|
FlagNames: flagsVaultSshCertificateMap[c.Func],
|
|
FullPopulationFlag: &c.flagExtensions,
|
|
FullPopulationInputName: extensionsName,
|
|
PiecewisePopulationFlag: &c.flagExtens,
|
|
PiecewisePopulationInputBaseName: piecewiseExtensionName,
|
|
PiecewiseNoProtoCompat: true,
|
|
}
|
|
common.PopulateCombinedSliceFlagValue(extensionsInput)
|
|
}
|
|
|
|
func extraVaultSshCertificateFlagHandlingFuncImpl(c *VaultSshCertificateCommand, _ *base.FlagSets, opts *[]credentiallibraries.Option) bool {
|
|
switch c.flagPath {
|
|
case "":
|
|
default:
|
|
*opts = append(*opts, credentiallibraries.WithVaultCredentialLibraryPath(c.flagPath))
|
|
}
|
|
switch c.flagUsername {
|
|
case "":
|
|
default:
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryUsername(c.flagUsername))
|
|
}
|
|
switch c.flagKeyType {
|
|
case "":
|
|
case "null":
|
|
*opts = append(*opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryKeyType())
|
|
default:
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryKeyType(c.flagKeyType))
|
|
}
|
|
switch c.flagKeyBits {
|
|
case "":
|
|
case "0", "null":
|
|
*opts = append(*opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryKeyBits())
|
|
default:
|
|
var final uint32
|
|
keyBits, err := strconv.ParseUint(c.flagKeyBits, 10, 32)
|
|
if err != nil {
|
|
c.UI.Error(fmt.Sprintf("Error parsing %q: %s", c.flagKeyBits, err))
|
|
return false
|
|
}
|
|
final = uint32(keyBits)
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryKeyBits(final))
|
|
}
|
|
switch c.flagTtl {
|
|
case "":
|
|
case "null":
|
|
*opts = append(*opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryTtl())
|
|
default:
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryTtl(c.flagTtl))
|
|
}
|
|
switch c.flagKeyId {
|
|
case "":
|
|
case "null":
|
|
*opts = append(*opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryKeyId())
|
|
default:
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryKeyId(c.flagKeyId))
|
|
}
|
|
// the weird formatting of this switch is to determine if there was only 0 or 1 principals passed, and if that signifies using default (nil)
|
|
switch len(c.flagAdditionalValidPrincipals) {
|
|
case 0:
|
|
case 1:
|
|
if len(c.flagAdditionalValidPrincipals[0].Keys) == 1 && c.flagAdditionalValidPrincipals[0].Keys[0] == "null" && c.flagAdditionalValidPrincipals[0].Value == nil {
|
|
*opts = append(*opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals())
|
|
break
|
|
}
|
|
fallthrough
|
|
default:
|
|
avp := make([]string, len(c.flagAdditionalValidPrincipals))
|
|
for i, p := range c.flagAdditionalValidPrincipals {
|
|
avp[i] = p.Value.GetValue()
|
|
}
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryAdditionalValidPrincipals(avp))
|
|
}
|
|
|
|
if err := common.HandleAttributeFlags(
|
|
c.Command,
|
|
piecewiseCriticalOptionsName,
|
|
c.flagCriticalOptions,
|
|
c.flagCriticalOpts,
|
|
func() {
|
|
*opts = append(*opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryCriticalOptions())
|
|
},
|
|
func(in map[string]any) {
|
|
inn := make(map[string]string, len(in))
|
|
for k, v := range in {
|
|
switch vv := v.(type) {
|
|
case nil:
|
|
inn[k] = ""
|
|
case string:
|
|
inn[k] = vv
|
|
default:
|
|
continue
|
|
}
|
|
}
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryCriticalOptions(inn))
|
|
}); err != nil {
|
|
return false
|
|
}
|
|
if err := common.HandleAttributeFlags(
|
|
c.Command,
|
|
piecewiseExtensionName,
|
|
c.flagExtensions,
|
|
c.flagExtens,
|
|
func() {
|
|
*opts = append(*opts, credentiallibraries.DefaultVaultSSHCertificateCredentialLibraryExtensions())
|
|
},
|
|
func(in map[string]any) {
|
|
inn := make(map[string]string, len(in))
|
|
for k, v := range in {
|
|
switch vv := v.(type) {
|
|
case nil:
|
|
inn[k] = ""
|
|
case string:
|
|
inn[k] = vv
|
|
default:
|
|
continue
|
|
}
|
|
}
|
|
*opts = append(*opts, credentiallibraries.WithVaultSSHCertificateCredentialLibraryExtensions(inn))
|
|
}); err != nil {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
func (c *VaultSshCertificateCommand) extraVaultSshCertificateHelpFunc(_ map[string]func() string) string {
|
|
var helpStr string
|
|
switch c.Func {
|
|
case "create":
|
|
helpStr = base.WrapForHelpText([]string{
|
|
"Usage: boundary credential-libraries create vault-ssh-certificate -credential-store-id [options] [args]",
|
|
"",
|
|
" Create a vault-ssh-certificate-type credential library. Example:",
|
|
"",
|
|
` $ boundary credential-libraries create vault-ssh-certificate -credential-store-id csvlt_1234567890 -vault-path "/ssh/sign/role" -username user`,
|
|
"",
|
|
"",
|
|
})
|
|
|
|
case "update":
|
|
helpStr = base.WrapForHelpText([]string{
|
|
"Usage: boundary credential-libraries update vault-ssh-certificate [options] [args]",
|
|
"",
|
|
" Update a vault-ssh-certificate-type credential library given its ID. Example:",
|
|
"",
|
|
` $ boundary credential-libraries update vault-ssh-certificate -id clvsclt_1234567890 -name devops -description "For DevOps usage"`,
|
|
"",
|
|
"",
|
|
})
|
|
}
|
|
return helpStr + c.Flags().Help()
|
|
}
|