vault-sidekick/vault_resource.go

/*
Copyright 2015 Home Office All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package main

import (
	"fmt"
	"regexp"
	"time"
)

const (
	// optionFilename option to set the filename of the resource
	optionFilename = "file"
	// optionFormat set the output format (yaml, xml, json)
	optionFormat = "fmt"
	// optionTemplatePath is the full path to a template
	optionTemplatePath = "tpl"
	// optionRenewal sets the duration to renew the resource
	optionRenewal = "renew"
	// optionRevoke revokes an old lease when retrieving a new one
	optionRevoke = "revoke"
	// optionRevokeDelay
	optionsRevokeDelay = "delay"
	// optionUpdate overrides the lease of the resource
	optionUpdate = "update"
)

var (
	resourceFormatRegex = regexp.MustCompile("^(yaml|json|env|ini|txt|cert|bundle|csv)$")

	// a map of valid resource to retrieve from vault
	validResources = map[string]bool{
		"raw":       true,
		"pki":       true,
		"aws":       true,
		"secret":    true,
		"mysql":     true,
		"tpl":       true,
		"postgres":  true,
		"transit":   true,
		"cubbyhole": true,
		"cassandra": true,
	}
)

func defaultVaultResource() *VaultResource {
	return &VaultResource{
		format:    "yaml",
		renewable: false,
		revoked:   false,
		options:   make(map[string]string, 0),
	}
}

// VaultResource is the structure which defined a resource set from vault
type VaultResource struct {
	// the namespace of the resource
	resource string
	// the name of the resource
	path string
	// the format of the resource
	format string
	// whether the resource should be renewed?
	renewable bool
	// whether the resource should be revoked?
	revoked bool
	// the revoke delay
	revokeDelay time.Duration
	// the lease duration
	update time.Duration
	// the filename to save the secret
	filename string
	// the template file
	templateFile string
	// additional options to the resource
	options map[string]string
}

// GetFilename generates a resource filename by default the resource name and resource type, which
// can override by the OPTION_FILENAME option
func (r VaultResource) GetFilename() string {
	if r.filename != "" {
		return r.filename
	}

	return fmt.Sprintf("%s.%s", r.path, r.resource)
}

// IsValid checks to see if the resource is valid
func (r *VaultResource) IsValid() error {
	// step: check the resource type
	if _, found := validResources[r.resource]; !found {
		return fmt.Errorf("unsupported resource type: %s", r.resource)
	}

	// step: check is have all the required options to this resource type
	if err := r.isValidResource(); err != nil {
		return fmt.Errorf("invalid resource: %s, %s", r, err)
	}

	return nil
}

// isValidResource validates the resource meets the requirements
func (r *VaultResource) isValidResource() error {
	switch r.resource {
	case "pki":
		if _, found := r.options["common_name"]; !found {
			return fmt.Errorf("pki resource requires a common name specified")
		}
	case "transit":
		if _, found := r.options["ciphertext"]; !found {
			return fmt.Errorf("transit requires a ciphertext option")
		}
	case "tpl":
		if _, found := r.options[optionTemplatePath]; !found {
			return fmt.Errorf("template resource requires a template path option")
		}
	}

	return nil
}

// String returns a string representation of the struct
func (r VaultResource) String() string {
	return fmt.Sprintf("type: %s, path:%s", r.resource, r.path)
}
- adding the initial commit 2015-09-18 05:14:15 -04:00			`/*`
			`Copyright 2015 Home Office All rights reserved.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package main`

			`import (`
			`"fmt"`
			`"regexp"`
- fixed up the formatting - fixing up the imports 2015-09-18 12:58:52 -04:00			`"time"`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`)`

			`const (`
- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`// optionFilename option to set the filename of the resource`
- changing the resource options to full names rather than shortcuts, make its more obvious - adding a delay in the revoke option 2015-10-14 09:17:17 -04:00			`optionFilename = "file"`
			`// optionFormat set the output format (yaml, xml, json)`
- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`optionFormat = "fmt"`
- changing the resource options to full names rather than shortcuts, make its more obvious - adding a delay in the revoke option 2015-10-14 09:17:17 -04:00			`// optionTemplatePath is the full path to a template`
- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`optionTemplatePath = "tpl"`
- changing the resource options to full names rather than shortcuts, make its more obvious - adding a delay in the revoke option 2015-10-14 09:17:17 -04:00			`// optionRenewal sets the duration to renew the resource`
			`optionRenewal = "renew"`
			`// optionRevoke revokes an old lease when retrieving a new one`
			`optionRevoke = "revoke"`
			`// optionRevokeDelay`
- adding some extra debugging - performing a gofmt on the code, should probably place this into the tests 2015-10-15 12:28:12 -04:00			`optionsRevokeDelay = "delay"`
- changing the resource options to full names rather than shortcuts, make its more obvious - adding a delay in the revoke option 2015-10-14 09:17:17 -04:00			`// optionUpdate overrides the lease of the resource`
			`optionUpdate = "update"`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`)`

			`var (`
- fixing the durationWithIn method, which causes a invalid renewel time - added a env format which will generate enviroment variables - added the postgres, cubbyhole and transit backend - fixed a number of bugs - shifting to version v0.0.5 2016-03-12 13:49:57 -05:00			`resourceFormatRegex = regexp.MustCompile("^(yaml\|json\|env\|ini\|txt\|cert\|bundle\|csv)$")`
- adding the initial commit 2015-09-18 05:14:15 -04:00
			`// a map of valid resource to retrieve from vault`
			`validResources = map[string]bool{`
- adding the ability to perform raw queries to vault 2016-03-16 12:20:46 -04:00			`"raw": true,`
- fixed up the formatting - fixing up the imports 2015-09-18 12:58:52 -04:00			`"pki": true,`
			`"aws": true,`
			`"secret": true,`
			`"mysql": true,`
			`"tpl": true,`
			`"postgres": true,`
- fixing the durationWithIn method, which causes a invalid renewel time - added a env format which will generate enviroment variables - added the postgres, cubbyhole and transit backend - fixed a number of bugs - shifting to version v0.0.5 2016-03-12 13:49:57 -05:00			`"transit": true,`
			`"cubbyhole": true,`
- fixed up the formatting - fixing up the imports 2015-09-18 12:58:52 -04:00			`"cassandra": true,`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`}`
			`)`

- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`func defaultVaultResource() *VaultResource {`
			`return &VaultResource{`
- fixed up the formatting - fixing up the imports 2015-09-18 12:58:52 -04:00			`format: "yaml",`
- fixed up the renewal and revoking of secrets - shifting between states for the resources - added the default behavior to stop renewing a sereat and instead retrieving a new lease - added the revoking method ; 2015-09-18 12:18:17 -04:00			`renewable: false,`
- fixed up the formatting - fixing up the imports 2015-09-18 12:58:52 -04:00			`revoked: false,`
			`options: make(map[string]string, 0),`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`}`
			`}`

- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`// VaultResource is the structure which defined a resource set from vault`
- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`type VaultResource struct {`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`// the namespace of the resource`
			`resource string`
			`// the name of the resource`
summary: the initial version did not support path, we need to remove the helper and allow the user to specify the entire path 2015-10-21 09:40:06 -04:00			`path string`
- fixed up the renewal and revoking of secrets - shifting between states for the resources - added the default behavior to stop renewing a sereat and instead retrieving a new lease - added the revoking method ; 2015-09-18 12:18:17 -04:00			`// the format of the resource`
			`format string`
			`// whether the resource should be renewed?`
			`renewable bool`
			`// whether the resource should be revoked?`
			`revoked bool`
- changing the resource options to full names rather than shortcuts, make its more obvious - adding a delay in the revoke option 2015-10-14 09:17:17 -04:00			`// the revoke delay`
			`revokeDelay time.Duration`
- fixed up the renewal and revoking of secrets - shifting between states for the resources - added the default behavior to stop renewing a sereat and instead retrieving a new lease - added the revoking method ; 2015-09-18 12:18:17 -04:00			`// the lease duration`
			`update time.Duration`
- extracting the options completelt - passing all the options into the write, effectivly allowing you to pass all options - fixed the format of the content - added a changelog - shifting to version v0.0.6 2016-03-16 08:55:16 -04:00			`// the filename to save the secret`
			`filename string`
			`// the template file`
			`templateFile string`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`// additional options to the resource`
			`options map[string]string`
			`}`

- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`// GetFilename generates a resource filename by default the resource name and resource type, which`
- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`// can override by the OPTION_FILENAME option`
			`func (r VaultResource) GetFilename() string {`
- extracting the options completelt - passing all the options into the write, effectivly allowing you to pass all options - fixed the format of the content - added a changelog - shifting to version v0.0.6 2016-03-16 08:55:16 -04:00			`if r.filename != "" {`
			`return r.filename`
- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`}`

summary: the initial version did not support path, we need to remove the helper and allow the user to specify the entire path 2015-10-21 09:40:06 -04:00			`return fmt.Sprintf("%s.%s", r.path, r.resource)`
- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`}`

- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`// IsValid checks to see if the resource is valid`
- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`func (r *VaultResource) IsValid() error {`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`// step: check the resource type`
			`if _, found := validResources[r.resource]; !found {`
			`return fmt.Errorf("unsupported resource type: %s", r.resource)`
			`}`

			`// step: check is have all the required options to this resource type`
			`if err := r.isValidResource(); err != nil {`
			`return fmt.Errorf("invalid resource: %s, %s", r, err)`
			`}`

			`return nil`
			`}`

- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`// isValidResource validates the resource meets the requirements`
- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`func (r *VaultResource) isValidResource() error {`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`switch r.resource {`
			`case "pki":`
- extracting the options completelt - passing all the options into the write, effectivly allowing you to pass all options - fixed the format of the content - added a changelog - shifting to version v0.0.6 2016-03-16 08:55:16 -04:00			`if _, found := r.options["common_name"]; !found {`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`return fmt.Errorf("pki resource requires a common name specified")`
			`}`
- fixing the durationWithIn method, which causes a invalid renewel time - added a env format which will generate enviroment variables - added the postgres, cubbyhole and transit backend - fixed a number of bugs - shifting to version v0.0.5 2016-03-12 13:49:57 -05:00			`case "transit":`
- extracting the options completelt - passing all the options into the write, effectivly allowing you to pass all options - fixed the format of the content - added a changelog - shifting to version v0.0.6 2016-03-16 08:55:16 -04:00			`if _, found := r.options["ciphertext"]; !found {`
- fixing the durationWithIn method, which causes a invalid renewel time - added a env format which will generate enviroment variables - added the postgres, cubbyhole and transit backend - fixed a number of bugs - shifting to version v0.0.5 2016-03-12 13:49:57 -05:00			`return fmt.Errorf("transit requires a ciphertext option")`
			`}`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`case "tpl":`
- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`if _, found := r.options[optionTemplatePath]; !found {`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`return fmt.Errorf("template resource requires a template path option")`
			`}`
			`}`

			`return nil`
			`}`

- fixing up the docmentation and anything highlighted by the linter 2015-10-12 06:14:50 -04:00			`// String returns a string representation of the struct`
- updated the readme - standardize the authentication interface - required the unrequire - first draft cleanup and reduction of code 2015-09-23 17:39:50 -04:00			`func (r VaultResource) String() string {`
summary: the initial version did not support path, we need to remove the helper and allow the user to specify the entire path 2015-10-21 09:40:06 -04:00			`return fmt.Sprintf("type: %s, path:%s", r.resource, r.path)`
- adding the initial commit 2015-09-18 05:14:15 -04:00			`}`