package u2fauth
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
"github.com/ryankurte/go-u2f"
)
// appID is the U2F application ID this backend presents, and trustedFacets is
// the facet list derived from it (a single entry, the app ID itself).
//
// NOTE(review): the app ID is hard-coded to one host, so whatever registration
// or signature checks consume trustedFacets are presumably tied to that exact
// origin; consider making it configurable per mount — TODO confirm against the
// path handlers that use it.
const appID = "https://lxc1:3483"
var trustedFacets = []string{appID}
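// DeviceData is the stored record for one registered U2F device. It is
// persisted under the "devices/<name>" storage key by setDevice and read back
// by device.
//
// NOTE(review): the AppID and Challenge tags were malformed (`json:app_id`,
// `json: challenge`), which encoding/json silently ignores, so those two
// fields were serialized under the Go names "AppID" and "Challenge". Records
// written before this fix will not populate these fields on decode — TODO
// confirm whether any such records exist before depending on them.
type DeviceData struct {
	Name             string `json:"name" mapstructure:"name" structs:"name"`
	RegistrationData string `json:"registration_data"`
	ClientData       string `json:"client_data"`
	Version          string `json:"version"`
	AppID            string `json:"app_id"`
	// Registration holds the completed U2F registrations for this device.
	Registration []u2f.Registration `json:"registration"`
	// Challenge is a challenge kept alongside the device record; presumably
	// the pending one for an in-flight registration or sign — verify in the
	// response handlers that it is single-use and time-limited.
	Challenge *u2f.Challenge `json:"challenge"`
	RoleName  string         `json:"role_name"`
}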
// Factory builds the backend and runs its Setup with the supplied config,
// returning it as a ready-to-use logical.Backend.
func Factory(ctx context.Context, c *logical.BackendConfig) (logical.Backend, error) {
	inst := Backend()
	err := inst.Setup(ctx, c)
	if err != nil {
		return nil, err
	}
	return inst, nil
}
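// Backend constructs the u2f credential backend and registers its paths.
//
// Only the sign request/response paths are reachable without a token, because
// they are the login flow itself; the registration and role paths are not in
// the Unauthenticated list and so stay behind normal Vault authentication.
// Setup (see Factory) must still run before the backend serves requests.
func Backend() *backend {
	var b backend
	b.Backend = &framework.Backend{
		BackendType: logical.TypeCredential,
		// No renew handler is registered here; whether tokens issued by this
		// backend are renewable is decided by the login path, not visible here.
		//AuthRenew: b.pathLoginRenew,
		Help: backendHelp,
		PathsSpecial: &logical.Paths{
			Unauthenticated: []string{
				"signRequest/*",
				"signResponse/*",
			},
		},
		// Plain slice literal: the single-argument append() that used to wrap
		// this was a no-op (staticcheck SA4021).
		Paths: []*framework.Path{
			pathRoles(&b),
			pathRolesList(&b),
			pathRegistrationRequest(&b),
			pathRegistrationResponse(&b),
			pathSignRequest(&b),
			pathSignResponse(&b),
		},
	}
	return &b
}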
// backend is the u2f credential backend. It embeds *framework.Backend so that
// Setup (used by Factory) and the rest of the framework API are available on
// the receiver; the storage helpers device and setDevice hang off it.
type backend struct {
	*framework.Backend
}
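// backendHelp is the help text served for this backend. The login endpoints
// are named with the same spelling as the unauthenticated path list in
// Backend ("signRequest"/"signResponse"); the previous text called them
// "requestSign"/"responseSign" and misspelled "supplying".
const backendHelp = `
The "u2f" credential provider allows authentication using
a u2f enabled device. No additional factors are supported.
The device is configured using the "device/" and "roles/"
endpoints by a user with the correct access.
Authentication is then done by supplying the fields for the "signRequest" and "signResponse" endpoints.
`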
// device loads the DeviceData stored under "devices/<name>".
//
// The name is lower-cased before the lookup, so the storage key is
// case-insensitive with respect to the caller's input. It returns an error
// for an empty name, (nil, nil) when no entry exists, and otherwise passes
// any storage or decode error through unchanged.
func (b *backend) device(ctx context.Context, s logical.Storage, name string) (*DeviceData, error) {
	if len(name) == 0 {
		return nil, fmt.Errorf("missing name")
	}
	key := "devices/" + strings.ToLower(name)
	entry, err := s.Get(ctx, key)
	if err != nil {
		return nil, err
	}
	if entry == nil {
		// An absent device is not a failure; callers distinguish nil from error.
		return nil, nil
	}
	dev := new(DeviceData)
	if decodeErr := entry.DecodeJSON(dev); decodeErr != nil {
		return nil, decodeErr
	}
	return dev, nil
}
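// setDevice persists dEntry under "devices/<name>".
//
// The name is lower-cased to produce the same key that device() looks up;
// without that, a device saved under a mixed-case name could never be read
// back. An empty name or a nil entry is rejected up front instead of writing
// an unusable "devices/" key or a "null" record.
func (b *backend) setDevice(ctx context.Context, s logical.Storage, name string, dEntry *DeviceData) error {
	if name == "" {
		return fmt.Errorf("missing name")
	}
	if dEntry == nil {
		return fmt.Errorf("missing device data")
	}
	entry, err := logical.StorageEntryJSON("devices/"+strings.ToLower(name), dEntry)
	if err != nil {
		return err
	}
	return s.Put(ctx, entry)
}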