v1.14.6/sdk/logical/auth.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package logical

 import (
 	"fmt"
 	"time"

 	sockaddr "github.com/hashicorp/go-sockaddr"
 )

 // Auth is the resulting authentication information that is part of
 // Response for credential backends. It's also attached to Request objects and
 // defines the authentication used for the request. This value is audit logged.
 type Auth struct {
 	LeaseOptions

 	// InternalData is JSON-encodable data that is stored with the auth struct.
 	// This will be sent back during a Renew/Revoke for storing internal data
 	// used for those operations.
 	InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`

 	// DisplayName is a non-security sensitive identifier that is
 	// applicable to this Auth. It is used for logging and prefixing
 	// of dynamic secrets. For example, DisplayName may be "armon" for
 	// the github credential backend. If the client token is used to
 	// generate a SQL credential, the user may be "github-armon-uuid".
 	// This is to help identify the source without using audit tables.
 	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

 	// Policies is the list of policies that the authenticated user
 	// is associated with.
 	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

 	// TokenPolicies and IdentityPolicies break down the list in Policies to
 	// help determine where a policy was sourced
 	TokenPolicies    []string `json:"token_policies" mapstructure:"token_policies" structs:"token_policies"`
 	IdentityPolicies []string `json:"identity_policies" mapstructure:"identity_policies" structs:"identity_policies"`

 	// ExternalNamespacePolicies represent the policies authorized from
 	// different namespaces indexed by respective namespace identifiers
 	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`

 	// Indicates that the default policy should not be added by core when
 	// creating a token. The default policy will still be added if it's
 	// explicitly defined.
 	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`

 	// Metadata is used to attach arbitrary string-type metadata to
 	// an authenticated user. This metadata will be outputted into the
 	// audit log.
 	Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`

 	// ClientToken is the token that is generated for the authentication.
 	// This will be filled in by Vault core when an auth structure is
 	// returned. Setting this manually will have no effect.
 	ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`

 	// Accessor is the identifier for the ClientToken. This can be used
 	// to perform management functionalities (especially revocation) when
 	// ClientToken in the audit logs are obfuscated. Accessor can be used
 	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
 	// both without actually knowing the ClientToken.
 	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

 	// Period indicates that the token generated using this Auth object
 	// should never expire. The token should be renewed within the duration
 	// specified by this period.
 	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`

 	// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
 	// tokens, this value is constrained by the configured max ttl.
 	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`

 	// Number of allowed uses of the issued token
 	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

 	// EntityID is the identifier of the entity in identity store to which the
 	// identity of the authenticating client belongs to.
 	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

 	// Alias is the information about the authenticated client returned by
 	// the auth backend
 	Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`

 	// GroupAliases are the informational mappings of external groups which an
 	// authenticated user belongs to. This is used to check if there are
 	// mappings groups for the group aliases in identity store. For all the
 	// matching groups, the entity ID of the user will be added.
 	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`

 	// The set of CIDRs that this token can be used with
 	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`

 	// CreationPath is a path that the backend can return to use in the lease.
 	// This is currently only supported for the token store where roles may
 	// change the perceived path of the lease, even though they don't change
 	// the request path itself.
 	CreationPath string `json:"creation_path"`

 	// TokenType is the type of token being requested
 	TokenType TokenType `json:"token_type"`

 	// Orphan is set if the token does not have a parent
 	Orphan bool `json:"orphan"`

 	// PolicyResults is the set of policies that grant the token access to the
 	// requesting path.
 	PolicyResults *PolicyResults `json:"policy_results"`

 	// MFARequirement
 	MFARequirement *MFARequirement `json:"mfa_requirement"`

 	// EntityCreated is set to true if an entity is created as part of a login request
 	EntityCreated bool `json:"entity_created"`
 }

 func (a *Auth) GoString() string {
 	return fmt.Sprintf("*%#v", *a)
 }

 type PolicyResults struct {
 	Allowed          bool         `json:"allowed"`
 	GrantingPolicies []PolicyInfo `json:"granting_policies"`
 }

 type PolicyInfo struct {
 	Name          string `json:"name"`
 	NamespaceId   string `json:"namespace_id"`
 	NamespacePath string `json:"namespace_path"`
 	Type          string `json:"type"`
 }
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package logical

	import (
	"fmt"
	"time"

	sockaddr "github.com/hashicorp/go-sockaddr"
	)

	// Auth is the resulting authentication information that is part of
	// Response for credential backends. It's also attached to Request objects and
	// defines the authentication used for the request. This value is audit logged.
	type Auth struct {
	LeaseOptions

	// InternalData is JSON-encodable data that is stored with the auth struct.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`

	// DisplayName is a non-security sensitive identifier that is
	// applicable to this Auth. It is used for logging and prefixing
	// of dynamic secrets. For example, DisplayName may be "armon" for
	// the github credential backend. If the client token is used to
	// generate a SQL credential, the user may be "github-armon-uuid".
	// This is to help identify the source without using audit tables.
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Policies is the list of policies that the authenticated user
	// is associated with.
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// TokenPolicies and IdentityPolicies break down the list in Policies to
	// help determine where a policy was sourced
	TokenPolicies []string `json:"token_policies" mapstructure:"token_policies" structs:"token_policies"`
	IdentityPolicies []string `json:"identity_policies" mapstructure:"identity_policies" structs:"identity_policies"`

	// ExternalNamespacePolicies represent the policies authorized from
	// different namespaces indexed by respective namespace identifiers
	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`

	// Indicates that the default policy should not be added by core when
	// creating a token. The default policy will still be added if it's
	// explicitly defined.
	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`

	// Metadata is used to attach arbitrary string-type metadata to
	// an authenticated user. This metadata will be outputted into the
	// audit log.
	Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`

	// ClientToken is the token that is generated for the authentication.
	// This will be filled in by Vault core when an auth structure is
	// returned. Setting this manually will have no effect.
	ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`

	// Accessor is the identifier for the ClientToken. This can be used
	// to perform management functionalities (especially revocation) when
	// ClientToken in the audit logs are obfuscated. Accessor can be used
	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
	// both without actually knowing the ClientToken.
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

	// Period indicates that the token generated using this Auth object
	// should never expire. The token should be renewed within the duration
	// specified by this period.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`

	// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
	// tokens, this value is constrained by the configured max ttl.
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`

	// Number of allowed uses of the issued token
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// EntityID is the identifier of the entity in identity store to which the
	// identity of the authenticating client belongs to.
	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// Alias is the information about the authenticated client returned by
	// the auth backend
	Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`

	// GroupAliases are the informational mappings of external groups which an
	// authenticated user belongs to. This is used to check if there are
	// mappings groups for the group aliases in identity store. For all the
	// matching groups, the entity ID of the user will be added.
	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`

	// The set of CIDRs that this token can be used with
	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`

	// CreationPath is a path that the backend can return to use in the lease.
	// This is currently only supported for the token store where roles may
	// change the perceived path of the lease, even though they don't change
	// the request path itself.
	CreationPath string `json:"creation_path"`

	// TokenType is the type of token being requested
	TokenType TokenType `json:"token_type"`

	// Orphan is set if the token does not have a parent
	Orphan bool `json:"orphan"`

	// PolicyResults is the set of policies that grant the token access to the
	// requesting path.
	PolicyResults *PolicyResults `json:"policy_results"`

	// MFARequirement
	MFARequirement *MFARequirement `json:"mfa_requirement"`

	// EntityCreated is set to true if an entity is created as part of a login request
	EntityCreated bool `json:"entity_created"`
	}

	func (a *Auth) GoString() string {
	return fmt.Sprintf("%#v", a)
	}

	type PolicyResults struct {
	Allowed bool `json:"allowed"`
	GrantingPolicies []PolicyInfo `json:"granting_policies"`
	}

	type PolicyInfo struct {
	Name string `json:"name"`
	NamespaceId string `json:"namespace_id"`
	NamespacePath string `json:"namespace_path"`
	Type string `json:"type"`
	}