Add parameter for specific entity to token creation

hashicorp · Feb 20, 2019 · 1194954 · 1194954
1 parent 1e0b6a0
commit 1194954
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/api/auth_token.go b/api/auth_token.go
@@ -272,4 +272,5 @@ type TokenCreateRequest struct {
 	NumUses         int               `json:"num_uses"`
 	Renewable       *bool             `json:"renewable,omitempty"`
 	Type            string            `json:"type"`
+	EntityID        string            `json:"entity_id"`
 }
diff --git a/command/token_create.go b/command/token_create.go
@@ -29,6 +29,7 @@ type TokenCreateCommand struct {
 	flagType            string
 	flagMetadata        map[string]string
 	flagPolicies        []string
+	flagEntityID        string
 }
 
 func (c *TokenCreateCommand) Synopsis() string {
@@ -176,6 +177,14 @@ func (c *TokenCreateCommand) Flags() *FlagSets {
 			"specified multiple times to attach multiple policies.",
 	})
 
+	f.StringVar(&StringVar{
+		Name:    "entity-id",
+		Target:  &c.flagEntityID,
+		Default: "",
+		Usage: "The id of the entity which will be set for this token. " +
+			"If set, parent token entity and group policies are not inherited.",
+	})
+
 	return set
 }
 
@@ -224,6 +233,7 @@ func (c *TokenCreateCommand) Run(args []string) int {
 		ExplicitMaxTTL:  c.flagExplicitMaxTTL.String(),
 		Period:          c.flagPeriod.String(),
 		Type:            c.flagType,
+		EntityID:        c.flagEntityID,
 	}
 
 	var secret *api.Secret

diff --git a/vault/token_store.go b/vault/token_store.go
@@ -2109,6 +2109,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 		NumUses         int    `mapstructure:"num_uses"`
 		Period          string
 		Type            string `mapstructure:"type"`
+		EntityID        string `mapstructure:"entity_id"`
 	}
 	if err := mapstructure.WeakDecode(req.Data, &data); err != nil {
 		return logical.ErrorResponse(fmt.Sprintf(
@@ -2441,6 +2442,24 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 		}
 	}
 
+	// It is allowed to overwrite the corresponding entity of a token.
+	// This is only possible when client token has sudo/root.
+	if data.EntityID != "" && ts.core.identityStore != nil {
+		if !isSudo {
+			return logical.ErrorResponse("root or sudo privileges required to specify entity id "), logical.ErrInvalidRequest
+		}
+		entity, err := ts.core.identityStore.MemDBEntityByID(data.EntityID, false)
+		if err != nil {
+			return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+		}
+		if entity == nil {
+			return logical.ErrorResponse("cannot find entity with given entity id"), logical.ErrInvalidRequest
+		}
+
+		// Entity is valid.
+		te.EntityID = data.EntityID
+	}
+
 	var explicitMaxTTLToUse time.Duration
 	if data.ExplicitMaxTTL != "" {
 		dur, err := parseutil.ParseDurationSecond(data.ExplicitMaxTTL)