Add support for creating ephemeral users for multi-node Splunk deployments

Amey Bhide · Amey Bhide · commit 55aa79216d62 · 2019-11-21T17:21:15.000-08:00
diff --git a/backend.go b/backend.go
@@ -41,6 +41,7 @@ func newBackend() logical.Backend {
 			b.pathRolesList(),
 			b.pathRoles(),
 			b.pathCredsCreate(),
+			b.pathCredsCreateMulti(),
 		},
 		Secrets: []*framework.Secret{
 			b.pathSecretCreds(),
diff --git a/path_config_connection.go b/path_config_connection.go
@@ -170,6 +170,10 @@ func (b *backend) connectionWriteHandler(ctx context.Context, req *logical.Reque
 	if config.URL == "" {
 		return logical.ErrorResponse("empty URL"), nil
 	}
+	if isStandalone, ok := getValue(data, req.Operation, "is_standalone"); ok {
+		config.IsStandalone = isStandalone.(bool)
+	}
+
 	if verifyRaw, ok := getValue(data, req.Operation, "verify"); ok {
 		config.Verify = verifyRaw.(bool)
 	}
diff --git a/path_creds_create.go b/path_creds_create.go
@@ -9,13 +9,18 @@ import (
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	"github.com/splunk/vault-plugin-splunk/clients/splunk"
+	"strings"
 )
 
+const (
+	SEARCHHEAD = "search_head"
+	INDEXER = "indexer"
+)
 func (b *backend) pathCredsCreate() *framework.Path {
 	return &framework.Path{
 		Pattern: "creds/" + framework.GenericNameRegex("name"),
 		Fields: map[string]*framework.FieldSchema{
-			"name": &framework.FieldSchema{
+			"name": {
 				Type:        framework.TypeString,
 				Description: "Name of the role",
 			},
@@ -30,7 +35,30 @@ func (b *backend) pathCredsCreate() *framework.Path {
 	}
 }
 
-func (b *backend) credsReadHandler(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathCredsCreateMulti() *framework.Path {
+	return &framework.Path{
+		Pattern: "creds/" + framework.GenericNameRegex("name") + "/" + framework.GenericNameRegex("node_fqdn"),
+		Fields: map[string]*framework.FieldSchema{
+			"name": {
+				Type:        framework.TypeString,
+				Description: "Name of the role",
+			},
+			"node_fqdn": {
+				Type:        framework.TypeString,
+				Description: "FQDN for the Splunk Stack node",
+			},
+		},
+
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.ReadOperation: b.credsReadHandler,
+		},
+
+		HelpSynopsis:    pathCredsCreateHelpSyn,
+		HelpDescription: pathCredsCreateHelpDesc,
+	}
+}
+
+func (b *backend) credsReadHandlerStandalone(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	name := d.Get("name").(string)
 	role, err := roleConfigLoad(ctx, req.Storage, name)
 	if err != nil {
@@ -100,6 +128,122 @@ func (b *backend) credsReadHandler(ctx context.Context, req *logical.Request, d
 	return resp, nil
 }
 
+func findNode(nodeFQDN string, hosts []splunk.ServerInfoEntry) (bool, error) {
+	for _, host := range hosts {
+		// check if node_fqdn is in either of HostFQDN or Host. User might not always the FQDN on the cli input
+		if strings.Contains(host.Content.HostFQDN, nodeFQDN) || strings.Contains(host.Content.Host, nodeFQDN) {
+			// Return true if the requested node is a search head
+			for _, role := range host.Content.Roles {
+				if role == SEARCHHEAD {
+					return true, nil
+				}
+			}
+			return false, fmt.Errorf("host: %s isn't search head; creating ephemeral creds is only supported for search heads", nodeFQDN)
+		}
+	}
+	return false, fmt.Errorf("host: %s not found", nodeFQDN)
+}
+
+func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	name := d.Get("name").(string)
+	node, _ := d.GetOk("node_fqdn")
+	nodeFQDN := node.(string)
+	role, err := roleConfigLoad(ctx, req.Storage, name)
+	if err != nil {
+		return nil, err
+	}
+	if role == nil {
+		return logical.ErrorResponse(fmt.Sprintf("role not found: %q", name)), nil
+	}
+
+	config, err := connectionConfigLoad(ctx, req.Storage, role.Connection)
+	if err != nil {
+		return nil, err
+	}
+	// Check if isStandalone is set
+	if config.IsStandalone {
+		return nil, fmt.Errorf("expected is_standalone to be set for connection: %q", role.Connection)
+	}
+
+	// If role name isn't in allowed roles, send back a permission denied.
+	if !strutil.StrListContains(config.AllowedRoles, "*") && !strutil.StrListContainsGlob(config.AllowedRoles, name) {
+		return nil, fmt.Errorf("%q is not an allowed role for connection %q", name, role.Connection)
+	}
+
+	conn, err := b.ensureConnection(ctx, role.Connection, config)
+	if err != nil {
+		return nil, err
+	}
+
+	nodes, _, err := conn.Deployment.GetSearchPeers()
+	if err != nil {
+		b.Logger().Error("Error while reading SearchPeers from cluster master", err)
+		return nil, fmt.Errorf("unable to read searchpeers from cluster master")
+	}
+	_, err = findNode(nodeFQDN, nodes)
+	if err != nil {
+		return nil, err
+	}
+
+	/*
+	// Generate credentials
+	userUUID, err := uuid.GenerateUUID()
+	if err != nil {
+		return nil, err
+	}
+	userPrefix := role.UserPrefix
+	if role.UserPrefix == defaultUserPrefix {
+		userPrefix = fmt.Sprintf("%s_%s", role.UserPrefix, req.DisplayName)
+	}
+	username := fmt.Sprintf("%s_%s", userPrefix, userUUID)
+	passwd, err := uuid.GenerateUUID()
+	if err != nil {
+		return nil, errwrap.Wrapf("error generating new password {{err}}", err)
+	}
+	opts := splunk.CreateUserOptions{
+		Name:       username,
+		Password:   passwd,
+		Roles:      role.Roles,
+		DefaultApp: role.DefaultApp,
+		Email:      role.Email,
+		TZ:         role.TZ,
+	}
+	if _, _, err := conn.AccessControl.Authentication.Users.Create(&opts); err != nil {
+		return nil, err
+	}
+
+	resp := b.Secret(secretCredsType).Response(map[string]interface{}{
+		// return to user
+		"username":   username,
+		"password":   passwd,
+		"roles":      role.Roles,
+		"connection": role.Connection,
+		"url":        conn.Params().BaseURL,
+	}, map[string]interface{}{
+		// store (with lease)
+		"username":   username,
+		"role":       name,
+		"connection": role.Connection,
+	})
+	resp.Secret.TTL = role.DefaultTTL
+	resp.Secret.MaxTTL = role.MaxTTL
+
+	return resp, nil
+	*/
+	return nil, fmt.Errorf("XXX")
+}
+func (b *backend) credsReadHandler(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	name := d.Get("name").(string)
+	node_fqdn, present := d.GetOk("node_fqdn")
+	// if node_fqdn is specified then the treat the request for a multi-node deployment
+	if present {
+		b.Logger().Debug(fmt.Sprintf("node_fqdn: [%s] specified for role: [%s]. using clustered mode getting temporary creds", node_fqdn.(string), name))
+		return b.credsReadHandlerMulti(ctx, req, d)
+	}
+	b.Logger().Debug(fmt.Sprintf("node_fqdn not specified for role: [%s]. using standalone mode getting temporary creds", name))
+	return b.credsReadHandlerStandalone(ctx, req, d)
+}
+
 const pathCredsCreateHelpSyn = `
 Request Splunk credentials for a certain role.
 `

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,10 @@ func (b backend) connectionWriteHandler(ctx context.Context, req logical.Reque`
`170`	`170`	`if config.URL == "" {`
`171`	`171`	`return logical.ErrorResponse("empty URL"), nil`
`172`	`172`	`}`
	`173`	`+ if isStandalone, ok := getValue(data, req.Operation, "is_standalone"); ok {`
	`174`	`+ config.IsStandalone = isStandalone.(bool)`
	`175`	`+ }`
	`176`	`+`
`173`	`177`	`if verifyRaw, ok := getValue(data, req.Operation, "verify"); ok {`
`174`	`178`	`config.Verify = verifyRaw.(bool)`
`175`	`179`	`}`