diff --git a/helper/identity/types.pb.go b/helper/identity/types.pb.go index 386e7e2ed022..9a4aa54eb5d5 100644 --- a/helper/identity/types.pb.go +++ b/helper/identity/types.pb.go @@ -200,6 +200,9 @@ type Entity struct { // the entities belonging to a particular bucket during invalidation of the // storage key. BucketKeyHash string `sentinel:"" protobuf:"bytes,9,opt,name=bucket_key_hash,json=bucketKeyHash" json:"bucket_key_hash,omitempty"` + // Disabled indicates whether tokens associated with the account should not + // be able to be used + Disabled bool `sentinel:"" protobuf:"varint,11,opt,name=disabled" json:"disabled,omitempty"` } func (m *Entity) Reset() { *m = Entity{} } @@ -270,6 +273,13 @@ func (m *Entity) GetBucketKeyHash() string { return "" } +func (m *Entity) GetDisabled() bool { + if m != nil { + return m.Disabled + } + return false +} + // Alias represents the alias that gets stored inside of the // entity object in storage and also represents in an in-memory index of an // alias object. @@ -392,43 +402,44 @@ func init() { func init() { proto.RegisterFile("types.proto", fileDescriptor0) } var fileDescriptor0 = []byte{ - // 603 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x93, 0xdd, 0x6e, 0xd3, 0x30, - 0x14, 0xc7, 0xd5, 0xa6, 0x9f, 0x27, 0x5d, 0x37, 0x2c, 0x84, 0x4c, 0xa5, 0x41, 0x37, 0x69, 0x28, - 0x70, 0x91, 0x49, 0xe3, 0x86, 0x8d, 0x0b, 0x34, 0xc1, 0x80, 0x09, 0x21, 0xa1, 0x68, 0x5c, 0x47, - 0x6e, 0xe2, 0xb5, 0xd6, 0x92, 0x38, 0x8a, 0x1d, 0x44, 0x5e, 0x87, 0x97, 0xe1, 0x69, 0x78, 0x07, - 0xe4, 0xe3, 0xa6, 0x0d, 0x74, 0x7c, 0x4c, 0xdb, 0x9d, 0xf3, 0x3f, 0xc7, 0xc7, 0x27, 0xe7, 0xff, - 0x3b, 0xe0, 0xea, 0x2a, 0xe7, 0xca, 0xcf, 0x0b, 0xa9, 0x25, 0x19, 0x88, 0x98, 0x67, 0x5a, 0xe8, - 0x6a, 0xf2, 0x78, 0x2e, 0xe5, 0x3c, 0xe1, 0x87, 0xa8, 0xcf, 0xca, 0xcb, 0x43, 0x2d, 0x52, 0xae, - 0x34, 0x4b, 0x73, 0x9b, 0xba, 0xff, 0xad, 0x03, 0xdd, 0x77, 0x85, 0x2c, 0x73, 0x32, 0x86, 0xb6, - 0x88, 0x69, 0x6b, 0xda, 0xf2, 0x86, 0x41, 0x5b, 0xc4, 0x84, 0x40, 0x27, 0x63, 0x29, 0xa7, 0x6d, - 0x54, 0xf0, 0x4c, 0x26, 0x30, 0xc8, 0x65, 0x22, 0x22, 0xc1, 0x15, 0x75, 0xa6, 0x8e, 0x37, 0x0c, - 0x56, 0xdf, 0xc4, 0x83, 0x9d, 0x9c, 0x15, 0x3c, 0xd3, 0xe1, 0xdc, 0xd4, 0x0b, 0x45, 0xac, 0x68, - 0x07, 0x73, 0xc6, 0x56, 0xc7, 0x67, 0xce, 0x63, 0x45, 0x9e, 0xc1, 0xbd, 0x94, 0xa7, 0x33, 0x5e, - 0x84, 0xb6, 0x4b, 0x4c, 0xed, 0x62, 0xea, 0xb6, 0x0d, 0x9c, 0xa1, 0x6e, 0x72, 0x8f, 0x61, 0x90, - 0x72, 0xcd, 0x62, 0xa6, 0x19, 0xed, 0x4d, 0x1d, 0xcf, 0x3d, 0xda, 0xf5, 0xeb, 0xbf, 0xf3, 0xb1, - 0xa2, 0xff, 0x71, 0x19, 0x3f, 0xcb, 0x74, 0x51, 0x05, 0xab, 0x74, 0xf2, 0x0a, 0xb6, 0xa2, 0x82, - 0x33, 0x2d, 0x64, 0x16, 0x9a, 0xdf, 0xa6, 0xfd, 0x69, 0xcb, 0x73, 0x8f, 0x26, 0xbe, 0x9d, 0x89, - 0x5f, 0xcf, 0xc4, 0xbf, 0xa8, 0x67, 0x12, 0x8c, 0xea, 0x0b, 0x46, 0x22, 0x6f, 0x60, 0x27, 0x61, - 0x4a, 0x87, 0x65, 0x1e, 0x33, 0xcd, 0x6d, 0x8d, 0xc1, 0x3f, 0x6b, 0x8c, 0xcd, 0x9d, 0xcf, 0x78, - 0x05, 0xab, 0xec, 0xc1, 0x28, 0x95, 0xb1, 0xb8, 0xac, 0x42, 0x91, 0xc5, 0xfc, 0x2b, 0x1d, 0x4e, - 0x5b, 0x5e, 0x27, 0x70, 0xad, 0x76, 0x6e, 0x24, 0xf2, 0x04, 0xb6, 0x67, 0x65, 0x74, 0xc5, 0x75, - 0x78, 0xc5, 0xab, 0x70, 0xc1, 0xd4, 0x82, 0x02, 0x4e, 0x7d, 0xcb, 0xca, 0x1f, 0x78, 0xf5, 0x9e, - 0xa9, 0x05, 0x39, 0x80, 0x2e, 0x4b, 0x04, 0x53, 0xd4, 0xc5, 0x2e, 0xb6, 0xd7, 0x93, 0x38, 0x35, - 0x72, 0x60, 0xa3, 0xc6, 0x39, 0x43, 0x03, 0x1d, 0x59, 0xe7, 0xcc, 0x79, 0xf2, 0x12, 0xb6, 0x7e, - 0x99, 0x13, 0xd9, 0x01, 0xe7, 0x8a, 0x57, 0x4b, 0xbf, 0xcd, 0x91, 0xdc, 0x87, 0xee, 0x17, 0x96, - 0x94, 0xb5, 0xe3, 0xf6, 0xe3, 0xa4, 0xfd, 0xa2, 0xb5, 0xff, 0xdd, 0x81, 0x9e, 0xb5, 0x84, 0x3c, - 0x85, 0x3e, 0x3e, 0xc2, 0x15, 0x6d, 0xa1, 0x1d, 0x1b, 0x4d, 0xd4, 0xf1, 0x25, 0x50, 0xed, 0x0d, - 0xa0, 0x9c, 0x06, 0x50, 0x27, 0x0d, 0x7b, 0x3b, 0x58, 0xef, 0xd1, 0xba, 0x9e, 0x7d, 0xf2, 0xff, - 0xfd, 0xed, 0xde, 0x81, 0xbf, 0xbd, 0x1b, 0xfb, 0x8b, 0x34, 0x17, 0x73, 0x1e, 0x37, 0x69, 0xee, - 0xd7, 0x34, 0x9b, 0xc0, 0x9a, 0xe6, 0xe6, 0xfe, 0x0c, 0x7e, 0xdb, 0x9f, 0x6b, 0x20, 0x18, 0x5e, - 0x03, 0xc1, 0xed, 0x9c, 0xfc, 0xe1, 0x40, 0x17, 0x6d, 0xda, 0x58, 0xf7, 0x3d, 0x18, 0x45, 0x2c, - 0x93, 0x99, 0x88, 0x58, 0x12, 0xae, 0x7c, 0x73, 0x57, 0xda, 0x79, 0x4c, 0x76, 0x01, 0x52, 0x59, - 0x66, 0x3a, 0x44, 0xba, 0xac, 0x8d, 0x43, 0x54, 0x2e, 0xaa, 0x9c, 0x93, 0x03, 0x18, 0xdb, 0x30, - 0x8b, 0x22, 0xae, 0x94, 0x2c, 0x68, 0xc7, 0xf6, 0x8f, 0xea, 0xe9, 0x52, 0x5c, 0x57, 0xc9, 0x99, - 0x5e, 0xa0, 0x67, 0x75, 0x95, 0x4f, 0x4c, 0x2f, 0xfe, 0xbe, 0xf0, 0xd8, 0xfa, 0x1f, 0x81, 0xa8, - 0x01, 0xeb, 0x37, 0x00, 0xdb, 0x80, 0x64, 0x70, 0x07, 0x90, 0x0c, 0x6f, 0x0c, 0xc9, 0x31, 0x3c, - 0x5c, 0x42, 0x72, 0x59, 0xc8, 0x34, 0x6c, 0x4e, 0x5a, 0x51, 0x40, 0x12, 0x1e, 0xd8, 0x84, 0xb7, - 0x85, 0x4c, 0x5f, 0xaf, 0x87, 0xae, 0x6e, 0xe5, 0xf7, 0xac, 0x87, 0xbd, 0x3d, 0xff, 0x19, 0x00, - 0x00, 0xff, 0xff, 0x8e, 0x4a, 0xc5, 0xdb, 0x1f, 0x06, 0x00, 0x00, + // 617 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x94, 0xdd, 0x6e, 0xd3, 0x30, + 0x14, 0xc7, 0xd5, 0xa6, 0x1f, 0xe9, 0x69, 0xd7, 0x0d, 0x0b, 0x21, 0x53, 0x69, 0xd0, 0x4d, 0x1a, + 0x2a, 0x5c, 0x64, 0xd2, 0xb8, 0x61, 0xe3, 0x02, 0x4d, 0x30, 0x60, 0x42, 0x48, 0x28, 0x1a, 0xd7, + 0x91, 0x1b, 0x7b, 0xad, 0xb5, 0x24, 0x8e, 0x62, 0x17, 0x91, 0xd7, 0xe1, 0xd5, 0xb8, 0xe6, 0x1d, + 0x90, 0x8f, 0x9b, 0x36, 0xd0, 0xf1, 0x31, 0x6d, 0x77, 0xf6, 0xff, 0x1c, 0x1f, 0x1f, 0x9f, 0xff, + 0x2f, 0x81, 0xbe, 0x29, 0x73, 0xa1, 0x83, 0xbc, 0x50, 0x46, 0x11, 0x5f, 0x72, 0x91, 0x19, 0x69, + 0xca, 0xd1, 0xe3, 0x99, 0x52, 0xb3, 0x44, 0x1c, 0xa2, 0x3e, 0x5d, 0x5c, 0x1e, 0x1a, 0x99, 0x0a, + 0x6d, 0x58, 0x9a, 0xbb, 0xd4, 0xfd, 0x6f, 0x2d, 0x68, 0xbf, 0x2b, 0xd4, 0x22, 0x27, 0x43, 0x68, + 0x4a, 0x4e, 0x1b, 0xe3, 0xc6, 0xa4, 0x17, 0x36, 0x25, 0x27, 0x04, 0x5a, 0x19, 0x4b, 0x05, 0x6d, + 0xa2, 0x82, 0x6b, 0x32, 0x02, 0x3f, 0x57, 0x89, 0x8c, 0xa5, 0xd0, 0xd4, 0x1b, 0x7b, 0x93, 0x5e, + 0xb8, 0xda, 0x93, 0x09, 0xec, 0xe4, 0xac, 0x10, 0x99, 0x89, 0x66, 0xb6, 0x5e, 0x24, 0xb9, 0xa6, + 0x2d, 0xcc, 0x19, 0x3a, 0x1d, 0xaf, 0x39, 0xe7, 0x9a, 0x3c, 0x83, 0x7b, 0xa9, 0x48, 0xa7, 0xa2, + 0x88, 0x5c, 0x97, 0x98, 0xda, 0xc6, 0xd4, 0x6d, 0x17, 0x38, 0x43, 0xdd, 0xe6, 0x1e, 0x83, 0x9f, + 0x0a, 0xc3, 0x38, 0x33, 0x8c, 0x76, 0xc6, 0xde, 0xa4, 0x7f, 0xb4, 0x1b, 0x54, 0xaf, 0x0b, 0xb0, + 0x62, 0xf0, 0x71, 0x19, 0x3f, 0xcb, 0x4c, 0x51, 0x86, 0xab, 0x74, 0xf2, 0x0a, 0xb6, 0xe2, 0x42, + 0x30, 0x23, 0x55, 0x16, 0xd9, 0x67, 0xd3, 0xee, 0xb8, 0x31, 0xe9, 0x1f, 0x8d, 0x02, 0x37, 0x93, + 0xa0, 0x9a, 0x49, 0x70, 0x51, 0xcd, 0x24, 0x1c, 0x54, 0x07, 0xac, 0x44, 0xde, 0xc0, 0x4e, 0xc2, + 0xb4, 0x89, 0x16, 0x39, 0x67, 0x46, 0xb8, 0x1a, 0xfe, 0x3f, 0x6b, 0x0c, 0xed, 0x99, 0xcf, 0x78, + 0x04, 0xab, 0xec, 0xc1, 0x20, 0x55, 0x5c, 0x5e, 0x96, 0x91, 0xcc, 0xb8, 0xf8, 0x4a, 0x7b, 0xe3, + 0xc6, 0xa4, 0x15, 0xf6, 0x9d, 0x76, 0x6e, 0x25, 0xf2, 0x04, 0xb6, 0xa7, 0x8b, 0xf8, 0x4a, 0x98, + 0xe8, 0x4a, 0x94, 0xd1, 0x9c, 0xe9, 0x39, 0x05, 0x9c, 0xfa, 0x96, 0x93, 0x3f, 0x88, 0xf2, 0x3d, + 0xd3, 0x73, 0x72, 0x00, 0x6d, 0x96, 0x48, 0xa6, 0x69, 0x1f, 0xbb, 0xd8, 0x5e, 0x4f, 0xe2, 0xd4, + 0xca, 0xa1, 0x8b, 0x5a, 0xe7, 0x2c, 0x0d, 0x74, 0xe0, 0x9c, 0xb3, 0xeb, 0xd1, 0x4b, 0xd8, 0xfa, + 0x65, 0x4e, 0x64, 0x07, 0xbc, 0x2b, 0x51, 0x2e, 0xfd, 0xb6, 0x4b, 0x72, 0x1f, 0xda, 0x5f, 0x58, + 0xb2, 0xa8, 0x1c, 0x77, 0x9b, 0x93, 0xe6, 0x8b, 0xc6, 0xfe, 0x77, 0x0f, 0x3a, 0xce, 0x12, 0xf2, + 0x14, 0xba, 0x78, 0x89, 0xd0, 0xb4, 0x81, 0x76, 0x6c, 0x34, 0x51, 0xc5, 0x97, 0x40, 0x35, 0x37, + 0x80, 0xf2, 0x6a, 0x40, 0x9d, 0xd4, 0xec, 0x6d, 0x61, 0xbd, 0x47, 0xeb, 0x7a, 0xee, 0xca, 0xff, + 0xf7, 0xb7, 0x7d, 0x07, 0xfe, 0x76, 0x6e, 0xec, 0x2f, 0xd2, 0x5c, 0xcc, 0x04, 0xaf, 0xd3, 0xdc, + 0xad, 0x68, 0xb6, 0x81, 0x35, 0xcd, 0xf5, 0xef, 0xc7, 0xff, 0xed, 0xfb, 0xb9, 0x06, 0x82, 0xde, + 0x75, 0x10, 0x8c, 0xc0, 0xe7, 0x52, 0xb3, 0x69, 0x22, 0x38, 0x72, 0xe0, 0x87, 0xab, 0xfd, 0xed, + 0x5c, 0xfe, 0xe1, 0x41, 0x1b, 0x2d, 0xdc, 0xf8, 0x15, 0xec, 0xc1, 0x20, 0x66, 0x99, 0xca, 0x64, + 0xcc, 0x92, 0x68, 0xe5, 0x69, 0x7f, 0xa5, 0x9d, 0x73, 0xb2, 0x0b, 0x90, 0xaa, 0x45, 0x66, 0x22, + 0x24, 0xcf, 0x59, 0xdc, 0x43, 0xe5, 0xa2, 0xcc, 0x05, 0x39, 0x80, 0xa1, 0x0b, 0xb3, 0x38, 0x16, + 0x5a, 0xab, 0x82, 0xb6, 0xdc, 0xdb, 0x50, 0x3d, 0x5d, 0x8a, 0xeb, 0x2a, 0x39, 0x33, 0x73, 0xf4, + 0xb3, 0xaa, 0xf2, 0x89, 0x99, 0xf9, 0xdf, 0x7f, 0x06, 0xd8, 0xfa, 0x1f, 0x61, 0xa9, 0xe0, 0xeb, + 0xd6, 0xe0, 0xdb, 0x00, 0xc8, 0xbf, 0x03, 0x80, 0x7a, 0x37, 0x06, 0xe8, 0x18, 0x1e, 0x2e, 0x01, + 0xba, 0x2c, 0x54, 0x1a, 0xd5, 0x27, 0xad, 0x29, 0x20, 0x25, 0x0f, 0x5c, 0xc2, 0xdb, 0x42, 0xa5, + 0xaf, 0xd7, 0x43, 0xd7, 0xb7, 0xf2, 0x7b, 0xda, 0xc1, 0xde, 0x9e, 0xff, 0x0c, 0x00, 0x00, 0xff, + 0xff, 0x60, 0x0b, 0xc9, 0x74, 0x3b, 0x06, 0x00, 0x00, } diff --git a/helper/identity/types.proto b/helper/identity/types.proto index 65385712fb29..5f9f2465b3e0 100644 --- a/helper/identity/types.proto +++ b/helper/identity/types.proto @@ -110,6 +110,10 @@ message Entity { // MFASecrets holds the MFA secrets indexed by the identifier of the MFA // method configuration. //map mfa_secrets = 10; + + // Disabled indicates whether tokens associated with the account should not + // be able to be used + bool disabled = 11; } // Alias represents the alias that gets stored inside of the diff --git a/logical/request.go b/logical/request.go index 7bff6f0804db..27996bb83177 100644 --- a/logical/request.go +++ b/logical/request.go @@ -273,6 +273,10 @@ var ( // ErrPermissionDenied is returned if the client is not authorized ErrPermissionDenied = errors.New("permission denied") + // ErrDisabledEntity is returned if the entity tied to a token is marked as + // disabled + ErrEntityDisabled = errors.New("entity associated with token is disabled") + // ErrMultiAuthzPending is returned if the the request needs more // authorizations ErrMultiAuthzPending = errors.New("request needs further approval") diff --git a/vault/core.go b/vault/core.go index d82d61d8295e..e5f6b7f32091 100644 --- a/vault/core.go +++ b/vault/core.go @@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool } } + if entity != nil && entity.Disabled { + return nil, te, logical.ErrEntityDisabled + } + // Check if this is a root protected path rootPath := c.router.RootPath(req.Path) @@ -1319,20 +1323,21 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr return retErr } + // Since there is no token store in standby nodes, sealing cannot be done. + // Ideally, the request has to be forwarded to leader node for validation + // and the operation should be performed. But for now, just returning with + // an error and recommending a vault restart, which essentially does the + // same thing. + if c.standby { + c.logger.Error("vault cannot seal when in standby mode; please restart instead") + retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead")) + c.stateLock.RUnlock() + return retErr + } + // Validate the token is a root token acl, te, entity, err := c.fetchACLTokenEntryAndEntity(req.ClientToken) if err != nil { - // Since there is no token store in standby nodes, sealing cannot - // be done. Ideally, the request has to be forwarded to leader node - // for validation and the operation should be performed. But for now, - // just returning with an error and recommending a vault restart, which - // essentially does the same thing. - if c.standby { - c.logger.Error("vault cannot seal when in standby mode; please restart instead") - retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead")) - c.stateLock.RUnlock() - return retErr - } retErr = multierror.Append(retErr, err) c.stateLock.RUnlock() return retErr @@ -1341,10 +1346,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr // Audit-log the request before going any further auth := &logical.Auth{ ClientToken: req.ClientToken, - Policies: te.Policies, - Metadata: te.Meta, - DisplayName: te.DisplayName, - EntityID: te.EntityID, + } + if te != nil { + auth.Policies = te.Policies + auth.Metadata = te.Meta + auth.DisplayName = te.DisplayName + auth.EntityID = te.EntityID } logInput := &audit.LogInput{ @@ -1358,6 +1365,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr return retErr } + if entity != nil && entity.Disabled { + retErr = multierror.Append(retErr, logical.ErrEntityDisabled) + c.stateLock.RUnlock() + return retErr + } + // Attempt to use the token (decrement num_uses) // On error bail out; if the token has been revoked, bail out too if te != nil { @@ -1450,10 +1463,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) { // Audit-log the request before going any further auth := &logical.Auth{ ClientToken: req.ClientToken, - Policies: te.Policies, - Metadata: te.Meta, - DisplayName: te.DisplayName, - EntityID: te.EntityID, + } + if te != nil { + auth.Policies = te.Policies + auth.Metadata = te.Meta + auth.DisplayName = te.DisplayName + auth.EntityID = te.EntityID } logInput := &audit.LogInput{ @@ -1466,6 +1481,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) { return retErr } + if entity != nil && entity.Disabled { + retErr = multierror.Append(retErr, logical.ErrEntityDisabled) + c.stateLock.RUnlock() + return retErr + } + // Attempt to use the token (decrement num_uses) if te != nil { te, err = c.tokenStore.UseToken(ctx, te) diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go index 920a417ee631..fccb5d3eb08a 100644 --- a/vault/identity_store_entities.go +++ b/vault/identity_store_entities.go @@ -45,6 +45,10 @@ vault metadata=key1=value1 metadata=key2=value2 Type: framework.TypeCommaStringSlice, Description: "Policies to be tied to the entity.", }, + "disabled": { + Type: framework.TypeBool, + Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).", + }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ logical.UpdateOperation: i.pathEntityRegister(), @@ -76,6 +80,10 @@ vault metadata=key1=value1 metadata=key2=value2 Type: framework.TypeCommaStringSlice, Description: "Policies to be tied to the entity.", }, + "disabled": { + Type: framework.TypeBool, + Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).", + }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ logical.UpdateOperation: i.pathEntityIDUpdate(), @@ -354,6 +362,11 @@ func (i *IdentityStore) handleEntityUpdateCommon(req *logical.Request, d *framew entity.Policies = entityPoliciesRaw.([]string) } + disabledRaw, ok := d.GetOk("disabled") + if ok { + entity.Disabled = disabledRaw.(bool) + } + // Get the name entityName := d.Get("name").(string) if entityName != "" { @@ -434,6 +447,7 @@ func (i *IdentityStore) handleEntityReadCommon(entity *identity.Entity) (*logica respData["metadata"] = entity.Metadata respData["merged_entity_ids"] = entity.MergedEntityIDs respData["policies"] = entity.Policies + respData["disabled"] = entity.Disabled // Convert protobuf timestamp into RFC3339 format respData["creation_time"] = ptypes.TimestampString(entity.CreationTime) diff --git a/vault/identity_store_entities_ext_test.go b/vault/identity_store_entities_ext_test.go new file mode 100644 index 000000000000..f0a9147ea871 --- /dev/null +++ b/vault/identity_store_entities_ext_test.go @@ -0,0 +1,176 @@ +package vault_test + +import ( + "strings" + "testing" + + "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/builtin/credential/approle" + vaulthttp "github.com/hashicorp/vault/http" + "github.com/hashicorp/vault/logical" + "github.com/hashicorp/vault/vault" +) + +func TestIdentityStore_EntityDisabled(t *testing.T) { + // Use a TestCluster and the approle backend to get a token and entity for testing + coreConfig := &vault.CoreConfig{ + CredentialBackends: map[string]logical.Factory{ + "approle": approle.Factory, + }, + } + cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{ + HandlerFunc: vaulthttp.Handler, + }) + cluster.Start() + defer cluster.Cleanup() + + core := cluster.Cores[0].Core + vault.TestWaitActive(t, core) + client := cluster.Cores[0].Client + + // Mount the auth backend + err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{ + Type: "approle", + }) + if err != nil { + t.Fatal(err) + } + + // Tune the mount + err = client.Sys().TuneMount("auth/approle", api.MountConfigInput{ + DefaultLeaseTTL: "5m", + MaxLeaseTTL: "5m", + }) + if err != nil { + t.Fatal(err) + } + + // Create role + resp, err := client.Logical().Write("auth/approle/role/role-period", map[string]interface{}{ + "period": "5m", + }) + if err != nil { + t.Fatal(err) + } + + // Get role_id + resp, err = client.Logical().Read("auth/approle/role/role-period/role-id") + if err != nil { + t.Fatal(err) + } + if resp == nil { + t.Fatal("expected a response for fetching the role-id") + } + roleID := resp.Data["role_id"] + + // Get secret_id + resp, err = client.Logical().Write("auth/approle/role/role-period/secret-id", map[string]interface{}{}) + if err != nil { + t.Fatal(err) + } + if resp == nil { + t.Fatal("expected a response for fetching the secret-id") + } + secretID := resp.Data["secret_id"] + + // Login + resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{ + "role_id": roleID, + "secret_id": secretID, + }) + if err != nil { + t.Fatal(err) + } + if resp == nil { + t.Fatal("expected a response for login") + } + if resp.Auth == nil { + t.Fatal("expected auth object from response") + } + if resp.Auth.ClientToken == "" { + t.Fatal("expected a client token") + } + + roleToken := resp.Auth.ClientToken + + client.SetToken(roleToken) + resp, err = client.Auth().Token().LookupSelf() + if err != nil { + t.Fatal(err) + } + if resp == nil { + t.Fatal("expected a response for token lookup") + } + entityIDRaw, ok := resp.Data["entity_id"] + if !ok { + t.Fatal("expected an entity ID") + } + entityID, ok := entityIDRaw.(string) + if !ok { + t.Fatal("entity_id not a string") + } + + client.SetToken(cluster.RootToken) + resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{ + "disabled": true, + }) + if err != nil { + t.Fatal(err) + } + + // This call should now fail + client.SetToken(roleToken) + resp, err = client.Auth().Token().LookupSelf() + if err == nil { + t.Fatalf("expected error, got %#v", *resp) + } + if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) { + t.Fatalf("expected to see entity disabled error, got %v", err) + } + + // Attempting to get a new token should also now fail + client.SetToken("") + resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{ + "role_id": roleID, + "secret_id": secretID, + }) + if err == nil { + t.Fatalf("expected error, got %#v", *resp) + } + if !strings.Contains(err.Error(), logical.ErrEntityDisabled.Error()) { + t.Fatalf("expected to see entity disabled error, got %v", err) + } + + client.SetToken(cluster.RootToken) + resp, err = client.Logical().Write("identity/entity/id/"+entityID, map[string]interface{}{ + "disabled": false, + }) + if err != nil { + t.Fatal(err) + } + + client.SetToken(roleToken) + resp, err = client.Auth().Token().LookupSelf() + if err != nil { + t.Fatal(err) + } + + // Getting a new token should now work again too + client.SetToken("") + resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{ + "role_id": roleID, + "secret_id": secretID, + }) + if err != nil { + t.Fatal(err) + } + if resp == nil { + t.Fatal("expected a response for login") + } + if resp.Auth == nil { + t.Fatal("expected auth object from response") + } + if resp.Auth.ClientToken == "" { + t.Fatal("expected a client token") + } +} diff --git a/vault/request_handling.go b/vault/request_handling.go index 7bdce5e0763b..1431d041dd56 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -204,7 +204,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp // return invalid request so that the status codes can be correct errType := logical.ErrInvalidRequest switch ctErr { - case ErrInternalError, logical.ErrPermissionDenied: + case ErrInternalError, logical.ErrPermissionDenied, logical.ErrEntityDisabled: errType = ctErr } @@ -519,6 +519,10 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re return nil, nil, fmt.Errorf("failed to create an entity for the authenticated alias") } + if entity.Disabled { + return nil, nil, logical.ErrEntityDisabled + } + auth.EntityID = entity.ID if auth.GroupAliases != nil { err = c.identityStore.refreshExternalGroupMembershipsByEntityID(auth.EntityID, auth.GroupAliases) diff --git a/website/source/api/secret/identity/entity.html.md b/website/source/api/secret/identity/entity.html.md index 15431ee68bf8..7dc4d5e4a7e4 100644 --- a/website/source/api/secret/identity/entity.html.md +++ b/website/source/api/secret/identity/entity.html.md @@ -26,6 +26,9 @@ This endpoint creates or updates an Entity. - `policies` `(list of strings: [])` – Policies to be tied to the entity. +- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled + entities' associated tokens cannot be used, but are not revoked. + ### Sample Payload ```json @@ -86,6 +89,7 @@ $ curl \ "data": { "bucket_key_hash": "177553e4c58987f4cc5d7e530136c642", "creation_time": "2017-07-25T20:29:22.614756844Z", + "disabled": false, "id": "8d6a45e5-572f-8f13-d226-cd0d1ec57297", "last_update_time": "2017-07-25T20:29:22.614756844Z", "metadata": { @@ -120,6 +124,8 @@ This endpoint is used to update an existing entity. - `policies` `(list of strings: [])` – Policies to be tied to the entity. +- `disabled` `(bool: false)` – Whether the entity is disabled. Disabled + entities' associated tokens cannot be used, but are not revoked. ### Sample Payload