Prefer looking up using self path and remove checking for default policy

This commit is contained in:
Alex Dadgar
2017-01-23 11:46:27 -08:00
parent c9115b89a6
commit e5536acbf5


@@ -58,6 +58,9 @@ const (
// vaultTokenLookupPath is the path used to lookup a token
vaultTokenLookupPath = "auth/token/lookup"
// vaultTokenLookupSelfPath is the path used to lookup self token
vaultTokenLookupSelfPath = "auth/token/lookup-self"
// vaultTokenRevokePath is the path used to revoke a token
vaultTokenRevokePath = "auth/token/revoke-accessor"
@@ -87,6 +90,11 @@ var (
// the capabilities.
vaultTokenLookupCapability = []string{"update", "root"}
// vaultTokenLookupSelfCapability is the expected capability Nomad's
// Vault token should have on the path. The token must have at least one of
// the capabilities.
vaultTokenLookupSelfCapability = []string{"update", "root"}
// vaultTokenRevokeCapability is the expected capability Nomad's
// Vault token should have on the path. The token must have at least one of
// the capabilities.
@@ -547,10 +555,18 @@ func (v *vaultClient) getWrappingFn() func(operation, path string) string {
func (v *vaultClient) parseSelfToken() error {
// Get the initial lease duration
auth := v.client.Auth().Token()
self, err := auth.Lookup(v.client.Token())
var self *vapi.Secret
// Try looking up the token using the self endpoint
secret, err := auth.LookupSelf()
if err != nil {
return fmt.Errorf("failed to lookup Vault periodic token: %v", err)
// Try looking up our token directly
self, err = auth.Lookup(v.client.Token())
if err != nil {
return fmt.Errorf("failed to lookup Vault periodic token: %v", err)
}
}
self = secret
// Read and parse the fields
var data tokenData
@@ -734,11 +750,10 @@ func (v *vaultClient) validateRole(role string) error {
// Read and parse the fields
var data struct {
ExplicitMaxTtl int `mapstructure:"explicit_max_ttl"`
Orphan bool
Period int
Renewable bool
DisallowedPolicies []string `mapstructure:"disallowed_policies"`
ExplicitMaxTtl int `mapstructure:"explicit_max_ttl"`
Orphan bool
Period int
Renewable bool
}
if err := mapstructure.WeakDecode(rsecret.Data, &data); err != nil {
return fmt.Errorf("failed to parse Vault role's data block: %v", err)
@@ -762,12 +777,6 @@ func (v *vaultClient) validateRole(role string) error {
multierror.Append(&mErr, fmt.Errorf("Role must have a non-zero period to make tokens periodic."))
}
for _, d := range data.DisallowedPolicies {
if d == "default" {
multierror.Append(&mErr, fmt.Errorf("Role can not disallow allow default policy"))
}
}
return mErr.ErrorOrNil()
}
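Review bot: In parseSelfToken, the unconditional `self = secret` after the if block discards the fallback result: when `auth.LookupSelf()` fails and `auth.Lookup(v.client.Token())` succeeds, `self` is immediately overwritten with the nil `secret`, so the field parsing that follows (the function body continues outside the hunk) presumably dereferences a nil *vapi.Secret. Replace `secret, err := auth.LookupSelf()` with `self, err := auth.LookupSelf()` and delete the `self = secret` line, so the variable declared by `var self *vapi.Secret` holds whichever lookup succeeded. The error from LookupSelf is also dropped silently on the fallback path; since the point of the change is to prefer the less-privileged lookup-self endpoint, keeping that first error in a separate variable and including it in the fallback's message, e.g. `fmt.Errorf("failed to lookup Vault periodic token: %v (lookup-self: %v)", err, selfErr)`, would make a missing lookup-self capability diagnosable instead of masked by the second lookup. The removal of the default-policy check in validateRole is the stated intent of the commit and is not re-raised here.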