package logical

import (
	"time"

	sockaddr "github.com/hashicorp/go-sockaddr"
)

// TokenType distinguishes the kinds of token that can be issued, plus the two
// mount-level defaults that decide which kind to mint when a mount answers
// with TokenTypeDefault.
type TokenType uint8

const (
	// TokenTypeDefault means "use the default, if any, that is currently set
	// on the mount". If not set, results in a Service token.
	TokenTypeDefault TokenType = iota

	// TokenTypeService is a "normal" Vault token for long-lived services.
	TokenTypeService

	// TokenTypeBatch is a batch token.
	TokenTypeBatch

	// TokenTypeDefaultService, configured on a mount, means that if
	// TokenTypeDefault is sent back by the mount, create Service tokens.
	TokenTypeDefaultService

	// TokenTypeDefaultBatch, configured on a mount, means that if
	// TokenTypeDefault is sent back by the mount, create Batch tokens.
	TokenTypeDefaultBatch
)

// tokenTypeNames holds the display name of every declared TokenType, indexed
// by the constant's value. The constants are contiguous from zero, so a value
// that is out of range here is not a declared type.
var tokenTypeNames = [...]string{
	TokenTypeDefault:        "default",
	TokenTypeService:        "service",
	TokenTypeBatch:          "batch",
	TokenTypeDefaultService: "default-service",
	TokenTypeDefaultBatch:   "default-batch",
}

// String returns the lowercase, hyphenated name of the token type.
//
// A value outside the declared constants is treated as a broken invariant
// and panics; callers that may see untrusted or stale values should range
// check first (SentinelGet's "type" case does this by returning "unknown").
func (t TokenType) String() string {
	if int(t) < len(tokenTypeNames) {
		return tokenTypeNames[t]
	}
	panic("unreachable")
}

// TokenEntry is used to represent a given token.
//
// Field tags drive JSON storage, mapstructure/structs conversion and the
// Sentinel policy view; fields carry a `sentinel:""` tag where they must not
// be surfaced to policies by name (presumably the tag hides them — confirm
// against the Sentinel integration before changing a tag).
type TokenEntry struct {
	Type TokenType `json:"type" mapstructure:"type" structs:"type" sentinel:""`

	// ID of this entry, generally a random UUID
	ID string `json:"id" mapstructure:"id" structs:"id" sentinel:""`

	// Accessor for this token, a random UUID
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor" sentinel:""`

	// Parent token, used for revocation trees
	Parent string `json:"parent" mapstructure:"parent" structs:"parent" sentinel:""`

	// Which named policies should be used
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// Used for audit trails, this is something like "auth/user/login"
	Path string `json:"path" mapstructure:"path" structs:"path"`

	// Used for auditing. This could include things like "source", "user", "ip"
	Meta map[string]string `json:"meta" mapstructure:"meta" structs:"meta" sentinel:"meta"`

	// Used for operators to be able to associate with the source
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Used to restrict the number of uses (zero is unlimited). This is to
	// support one-time-tokens (generalized). There are a few special values:
	// if it's -1 it has run through its use counts and is executing its final
	// use; if it's -2 it is tainted, which means revocation is currently
	// running on it; and if it's -3 it's also tainted but revocation
	// previously ran and failed, so this hints the tidy function to try it
	// again.
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// Time of token creation
	CreationTime int64 `json:"creation_time" mapstructure:"creation_time" structs:"creation_time" sentinel:""`

	// Duration set when token was created
	TTL time.Duration `json:"ttl" mapstructure:"ttl" structs:"ttl" sentinel:""`

	// Explicit maximum TTL on the token
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl" sentinel:""`

	// If set, the role that was used for parameters at creation time
	Role string `json:"role" mapstructure:"role" structs:"role"`

	// If set, the period of the token. This is only used when created directly
	// through the create endpoint; periods managed by roles or other auth
	// backends are subject to those renewal rules.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period" sentinel:""`

	// These are the deprecated fields
	DisplayNameDeprecated    string        `json:"DisplayName" mapstructure:"DisplayName" structs:"DisplayName" sentinel:""`
	NumUsesDeprecated        int           `json:"NumUses" mapstructure:"NumUses" structs:"NumUses" sentinel:""`
	CreationTimeDeprecated   int64         `json:"CreationTime" mapstructure:"CreationTime" structs:"CreationTime" sentinel:""`
	ExplicitMaxTTLDeprecated time.Duration `json:"ExplicitMaxTTL" mapstructure:"ExplicitMaxTTL" structs:"ExplicitMaxTTL" sentinel:""`

	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// The set of CIDRs that this token can be used with
	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs" sentinel:""`

	// NamespaceID is the identifier of the namespace to which this token is
	// confined to. Do not return this value over the API when the token is
	// being looked up.
	NamespaceID string `json:"namespace_id" mapstructure:"namespace_id" structs:"namespace_id" sentinel:""`

	// CubbyholeID is the identifier of the cubbyhole storage belonging to this
	// token
	CubbyholeID string `json:"cubbyhole_id" mapstructure:"cubbyhole_id" structs:"cubbyhole_id" sentinel:""`
}

// SentinelGet resolves a single Sentinel key against the token.
//
// It never returns an error: an unknown key, or a nil receiver, yields
// (nil, nil). The "*_seconds" keys return whole seconds as int64,
// "creation_time" is the creation instant formatted as RFC3339Nano in the
// local zone, "creation_time_unix" is the same instant as a time.Time, and
// "type" reports TokenTypeDefault as "service" and anything other than a
// service or batch token as "unknown".
func (te *TokenEntry) SentinelGet(key string) (interface{}, error) {
	if te == nil {
		return nil, nil
	}

	switch key {
	// Plain field pass-throughs. "policies" and "meta" hand out the live
	// slice/map rather than a copy; policy evaluation is expected to only
	// read them.
	case "policies":
		return te.Policies, nil
	case "path":
		return te.Path, nil
	case "display_name":
		return te.DisplayName, nil
	case "num_uses":
		return te.NumUses, nil
	case "role":
		return te.Role, nil
	case "entity_id":
		return te.EntityID, nil
	case "meta", "metadata":
		return te.Meta, nil

	// Durations, each exposed both natively and as whole seconds.
	case "period":
		return te.Period, nil
	case "period_seconds":
		return int64(te.Period.Seconds()), nil
	case "explicit_max_ttl":
		return te.ExplicitMaxTTL, nil
	case "explicit_max_ttl_seconds":
		return int64(te.ExplicitMaxTTL.Seconds()), nil
	case "creation_ttl":
		return te.TTL, nil
	case "creation_ttl_seconds":
		return int64(te.TTL.Seconds()), nil

	// Creation instant, formatted and raw.
	case "creation_time":
		created := time.Unix(te.CreationTime, 0)
		return created.Format(time.RFC3339Nano), nil
	case "creation_time_unix":
		return time.Unix(te.CreationTime, 0), nil

	case "type":
		switch te.Type {
		case TokenTypeDefault:
			// An unresolved default is minted as a service token, so that is
			// what policies see.
			return TokenTypeService.String(), nil
		case TokenTypeService, TokenTypeBatch:
			return te.Type.String(), nil
		}
		// Mount-level defaults (or a corrupt value) are not a concrete token
		// type; answer "unknown" instead of letting String() panic.
		return "unknown", nil
	}

	return nil, nil
}

// SentinelKeys lists the derived and aliased keys that SentinelGet answers.
// Keys that simply mirror a struct field (for example "policies" or "path")
// are answered by SentinelGet but intentionally not listed here.
func (te *TokenEntry) SentinelKeys() []string {
	// Build a fresh slice on every call so a caller cannot alter a shared list.
	keys := make([]string, 0, 11)
	keys = append(keys,
		"period",
		"period_seconds",
		"explicit_max_ttl",
		"explicit_max_ttl_seconds",
		"creation_ttl",
		"creation_ttl_seconds",
		"creation_time",
		"creation_time_unix",
		"meta",
		"metadata",
		"type",
	)
	return keys
}