Add ability to disable an entity (#4353)

hashicorp · Apr 14, 2018 · b65832d · b65832d
1 parent 12fbbaa
commit b65832d
Show file tree

Hide file tree

Showing 8 changed files with 299 additions and 59 deletions.
diff --git a/helper/identity/types.pb.go b/helper/identity/types.pb.go
diff --git a/helper/identity/types.proto b/helper/identity/types.proto
@@ -110,6 +110,10 @@ message Entity {
 	// MFASecrets holds the MFA secrets indexed by the identifier of the MFA
 	// method configuration.
 	//map<string, mfa.Secret> mfa_secrets = 10;
+
+	// Disabled indicates whether tokens associated with the account should not
+	// be able to be used
+	bool disabled = 11;
 }
 
 // Alias represents the alias that gets stored inside of the

diff --git a/logical/request.go b/logical/request.go
@@ -273,6 +273,10 @@ var (
 	// ErrPermissionDenied is returned if the client is not authorized
 	ErrPermissionDenied = errors.New("permission denied")
 
+	// ErrDisabledEntity is returned if the entity tied to a token is marked as
+	// disabled
+	ErrEntityDisabled = errors.New("entity associated with token is disabled")
+
 	// ErrMultiAuthzPending is returned if the the request needs more
 	// authorizations
 	ErrMultiAuthzPending = errors.New("request needs further approval")

diff --git a/vault/core.go b/vault/core.go
@@ -802,6 +802,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
 		}
 	}
 
+	if entity != nil && entity.Disabled {
+		return nil, te, logical.ErrEntityDisabled
+	}
+
 	// Check if this is a root protected path
 	rootPath := c.router.RootPath(req.Path)
 
@@ -1319,20 +1323,21 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 		return retErr
 	}
 
+	// Since there is no token store in standby nodes, sealing cannot be done.
+	// Ideally, the request has to be forwarded to leader node for validation
+	// and the operation should be performed. But for now, just returning with
+	// an error and recommending a vault restart, which essentially does the
+	// same thing.
+	if c.standby {
+		c.logger.Error("vault cannot seal when in standby mode; please restart instead")
+		retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
+		c.stateLock.RUnlock()
+		return retErr
+	}
+
 	// Validate the token is a root token
 	acl, te, entity, err := c.fetchACLTokenEntryAndEntity(req.ClientToken)
 	if err != nil {
-		// Since there is no token store in standby nodes, sealing cannot
-		// be done. Ideally, the request has to be forwarded to leader node
-		// for validation and the operation should be performed. But for now,
-		// just returning with an error and recommending a vault restart, which
-		// essentially does the same thing.
-		if c.standby {
-			c.logger.Error("vault cannot seal when in standby mode; please restart instead")
-			retErr = multierror.Append(retErr, errors.New("vault cannot seal when in standby mode; please restart instead"))
-			c.stateLock.RUnlock()
-			return retErr
-		}
 		retErr = multierror.Append(retErr, err)
 		c.stateLock.RUnlock()
 		return retErr
@@ -1341,10 +1346,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 	// Audit-log the request before going any further
 	auth := &logical.Auth{
 		ClientToken: req.ClientToken,
-		Policies:    te.Policies,
-		Metadata:    te.Meta,
-		DisplayName: te.DisplayName,
-		EntityID:    te.EntityID,
+	}
+	if te != nil {
+		auth.Policies = te.Policies
+		auth.Metadata = te.Meta
+		auth.DisplayName = te.DisplayName
+		auth.EntityID = te.EntityID
 	}
 
 	logInput := &audit.LogInput{
@@ -1358,6 +1365,12 @@ func (c *Core) sealInitCommon(ctx context.Context, req *logical.Request) (retErr
 		return retErr
 	}
 
+	if entity != nil && entity.Disabled {
+		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		c.stateLock.RUnlock()
+		return retErr
+	}
+
 	// Attempt to use the token (decrement num_uses)
 	// On error bail out; if the token has been revoked, bail out too
 	if te != nil {
@@ -1450,10 +1463,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 	// Audit-log the request before going any further
 	auth := &logical.Auth{
 		ClientToken: req.ClientToken,
-		Policies:    te.Policies,
-		Metadata:    te.Meta,
-		DisplayName: te.DisplayName,
-		EntityID:    te.EntityID,
+	}
+	if te != nil {
+		auth.Policies = te.Policies
+		auth.Metadata = te.Meta
+		auth.DisplayName = te.DisplayName
+		auth.EntityID = te.EntityID
 	}
 
 	logInput := &audit.LogInput{
@@ -1466,6 +1481,12 @@ func (c *Core) StepDown(req *logical.Request) (retErr error) {
 		return retErr
 	}
 
+	if entity != nil && entity.Disabled {
+		retErr = multierror.Append(retErr, logical.ErrEntityDisabled)
+		c.stateLock.RUnlock()
+		return retErr
+	}
+
 	// Attempt to use the token (decrement num_uses)
 	if te != nil {
 		te, err = c.tokenStore.UseToken(ctx, te)

diff --git a/vault/identity_store_entities.go b/vault/identity_store_entities.go
@@ -45,6 +45,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 					Type:        framework.TypeCommaStringSlice,
 					Description: "Policies to be tied to the entity.",
 				},
+				"disabled": {
+					Type:        framework.TypeBool,
+					Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
+				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.UpdateOperation: i.pathEntityRegister(),
@@ -76,6 +80,10 @@ vault <command> <path> metadata=key1=value1 metadata=key2=value2
 					Type:        framework.TypeCommaStringSlice,
 					Description: "Policies to be tied to the entity.",
 				},
+				"disabled": {
+					Type:        framework.TypeBool,
+					Description: "If set true, tokens tied to this identity will not be able to be used (but will not be revoked).",
+				},
 			},
 			Callbacks: map[logical.Operation]framework.OperationFunc{
 				logical.UpdateOperation: i.pathEntityIDUpdate(),
@@ -354,6 +362,11 @@ func (i *IdentityStore) handleEntityUpdateCommon(req *logical.Request, d *framew
 		entity.Policies = entityPoliciesRaw.([]string)
 	}
 
+	disabledRaw, ok := d.GetOk("disabled")
+	if ok {
+		entity.Disabled = disabledRaw.(bool)
+	}
+
 	// Get the name
 	entityName := d.Get("name").(string)
 	if entityName != "" {
@@ -434,6 +447,7 @@ func (i *IdentityStore) handleEntityReadCommon(entity *identity.Entity) (*logica
 	respData["metadata"] = entity.Metadata
 	respData["merged_entity_ids"] = entity.MergedEntityIDs
 	respData["policies"] = entity.Policies
+	respData["disabled"] = entity.Disabled
 
 	// Convert protobuf timestamp into RFC3339 format
 	respData["creation_time"] = ptypes.TimestampString(entity.CreationTime)