v1.14.6/builtin/credential/ldap/path_login.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package ldap

 import (
 	"context"
 	"fmt"

 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
 	"github.com/hashicorp/vault/sdk/helper/policyutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )

 func pathLogin(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: `login/(?P<username>.+)`,

 		DisplayAttrs: &framework.DisplayAttributes{
 			OperationPrefix: operationPrefixLDAP,
 			OperationVerb:   "login",
 		},

 		Fields: map[string]*framework.FieldSchema{
 			"username": {
 				Type:        framework.TypeString,
 				Description: "DN (distinguished name) to be used for login.",
 			},

 			"password": {
 				Type:        framework.TypeString,
 				Description: "Password for this user.",
 			},
 		},

 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.UpdateOperation:         b.pathLogin,
 			logical.AliasLookaheadOperation: b.pathLoginAliasLookahead,
 		},

 		HelpSynopsis:    pathLoginSyn,
 		HelpDescription: pathLoginDesc,
 	}
 }

 func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	username := d.Get("username").(string)
 	if username == "" {
 		return nil, fmt.Errorf("missing username")
 	}

 	return &logical.Response{
 		Auth: &logical.Auth{
 			Alias: &logical.Alias{
 				Name: username,
 			},
 		},
 	}, nil
 }

 func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	cfg, err := b.Config(ctx, req)
 	if err != nil {
 		return nil, err
 	}
 	if cfg == nil {
 		return logical.ErrorResponse("auth method not configured"), nil
 	}

 	// Check for a CIDR match.
 	if len(cfg.TokenBoundCIDRs) > 0 {
 		if req.Connection == nil {
 			b.Logger().Warn("token bound CIDRs found but no connection information available for validation")
 			return nil, logical.ErrPermissionDenied
 		}
 		if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cfg.TokenBoundCIDRs) {
 			return nil, logical.ErrPermissionDenied
 		}
 	}

 	username := d.Get("username").(string)
 	password := d.Get("password").(string)

 	effectiveUsername, policies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
 	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}

 	auth := &logical.Auth{
 		Metadata: map[string]string{
 			"username": username,
 		},
 		InternalData: map[string]interface{}{
 			"password": password,
 		},
 		DisplayName: username,
 		Alias: &logical.Alias{
 			Name: effectiveUsername,
 			Metadata: map[string]string{
 				"name": username,
 			},
 		},
 	}

 	cfg.PopulateTokenAuth(auth)

 	// Add in configured policies from mappings
 	if len(policies) > 0 {
 		auth.Policies = append(auth.Policies, policies...)
 	}

 	resp.Auth = auth

 	for _, groupName := range groupNames {
 		if groupName == "" {
 			continue
 		}
 		resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
 			Name: groupName,
 		})
 	}
 	return resp, nil
 }

 func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	cfg, err := b.Config(ctx, req)
 	if err != nil {
 		return nil, err
 	}
 	if cfg == nil {
 		return logical.ErrorResponse("auth method not configured"), nil
 	}

 	username := req.Auth.Metadata["username"]
 	password := req.Auth.InternalData["password"].(string)

 	_, loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
 	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}

 	finalPolicies := cfg.TokenPolicies
 	if len(loginPolicies) > 0 {
 		finalPolicies = append(finalPolicies, loginPolicies...)
 	}

 	if !policyutil.EquivalentPolicies(finalPolicies, req.Auth.TokenPolicies) {
 		return nil, fmt.Errorf("policies have changed, not renewing")
 	}

 	resp.Auth = req.Auth
 	resp.Auth.Period = cfg.TokenPeriod
 	resp.Auth.TTL = cfg.TokenTTL
 	resp.Auth.MaxTTL = cfg.TokenMaxTTL

 	// Remove old aliases
 	resp.Auth.GroupAliases = nil

 	for _, groupName := range groupNames {
 		resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
 			Name: groupName,
 		})
 	}

 	return resp, nil
 }

 const pathLoginSyn = `
 Log in with a username and password.
 `

 const pathLoginDesc = `
 This endpoint authenticates using a username and password. Please be sure to
 read the note on escaping from the path-help for the 'config' endpoint.
 `
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package ldap

	import (
	"context"
	"fmt"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/cidrutil"
	"github.com/hashicorp/vault/sdk/helper/policyutil"
	"github.com/hashicorp/vault/sdk/logical"
	)

	func pathLogin(b backend) framework.Path {
	return &framework.Path{
	Pattern: `login/(?P<username>.+)`,

	DisplayAttrs: &framework.DisplayAttributes{
	OperationPrefix: operationPrefixLDAP,
	OperationVerb: "login",
	},

	Fields: map[string]*framework.FieldSchema{
	"username": {
	Type: framework.TypeString,
	Description: "DN (distinguished name) to be used for login.",
	},

	"password": {
	Type: framework.TypeString,
	Description: "Password for this user.",
	},
	},

	Callbacks: map[logical.Operation]framework.OperationFunc{
	logical.UpdateOperation: b.pathLogin,
	logical.AliasLookaheadOperation: b.pathLoginAliasLookahead,
	},

	HelpSynopsis: pathLoginSyn,
	HelpDescription: pathLoginDesc,
	}
	}

	func (b backend) pathLoginAliasLookahead(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {
	username := d.Get("username").(string)
	if username == "" {
	return nil, fmt.Errorf("missing username")
	}

	return &logical.Response{
	Auth: &logical.Auth{
	Alias: &logical.Alias{
	Name: username,
	},
	},
	}, nil
	}

	func (b backend) pathLogin(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {
	cfg, err := b.Config(ctx, req)
	if err != nil {
	return nil, err
	}
	if cfg == nil {
	return logical.ErrorResponse("auth method not configured"), nil
	}

	// Check for a CIDR match.
	if len(cfg.TokenBoundCIDRs) > 0 {
	if req.Connection == nil {
	b.Logger().Warn("token bound CIDRs found but no connection information available for validation")
	return nil, logical.ErrPermissionDenied
	}
	if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cfg.TokenBoundCIDRs) {
	return nil, logical.ErrPermissionDenied
	}
	}

	username := d.Get("username").(string)
	password := d.Get("password").(string)

	effectiveUsername, policies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
	if err != nil \|\| (resp != nil && resp.IsError()) {
	return resp, err
	}

	auth := &logical.Auth{
	Metadata: map[string]string{
	"username": username,
	},
	InternalData: map[string]interface{}{
	"password": password,
	},
	DisplayName: username,
	Alias: &logical.Alias{
	Name: effectiveUsername,
	Metadata: map[string]string{
	"name": username,
	},
	},
	}

	cfg.PopulateTokenAuth(auth)

	// Add in configured policies from mappings
	if len(policies) > 0 {
	auth.Policies = append(auth.Policies, policies...)
	}

	resp.Auth = auth

	for _, groupName := range groupNames {
	if groupName == "" {
	continue
	}
	resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
	Name: groupName,
	})
	}
	return resp, nil
	}

	func (b backend) pathLoginRenew(ctx context.Context, req logical.Request, d framework.FieldData) (logical.Response, error) {
	cfg, err := b.Config(ctx, req)
	if err != nil {
	return nil, err
	}
	if cfg == nil {
	return logical.ErrorResponse("auth method not configured"), nil
	}

	username := req.Auth.Metadata["username"]
	password := req.Auth.InternalData["password"].(string)

	_, loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
	if err != nil \|\| (resp != nil && resp.IsError()) {
	return resp, err
	}

	finalPolicies := cfg.TokenPolicies
	if len(loginPolicies) > 0 {
	finalPolicies = append(finalPolicies, loginPolicies...)
	}

	if !policyutil.EquivalentPolicies(finalPolicies, req.Auth.TokenPolicies) {
	return nil, fmt.Errorf("policies have changed, not renewing")
	}

	resp.Auth = req.Auth
	resp.Auth.Period = cfg.TokenPeriod
	resp.Auth.TTL = cfg.TokenTTL
	resp.Auth.MaxTTL = cfg.TokenMaxTTL

	// Remove old aliases
	resp.Auth.GroupAliases = nil

	for _, groupName := range groupNames {
	resp.Auth.GroupAliases = append(resp.Auth.GroupAliases, &logical.Alias{
	Name: groupName,
	})
	}

	return resp, nil
	}

	const pathLoginSyn = `
	Log in with a username and password.
	`

	const pathLoginDesc = `
	This endpoint authenticates using a username and password. Please be sure to
	read the note on escaping from the path-help for the 'config' endpoint.
	`