Use Splunk compatible password scheme

Michael Weber · Michael Weber · commit 44d2232ae142 · 2020-01-27T05:50:27.000-08:00
passwords need to match complexity specified in Splunk

Fixes TE-101
diff --git a/backend_test.go b/backend_test.go
@@ -87,9 +87,11 @@ func TestBackend_RoleCRUD(t *testing.T) {
 	}
 
 	testRoleConfig := roleConfig{
-		Connection: "testconn",
-		Roles:      []string{"admin"},
-		UserPrefix: "my-custom-prefix",
+		Connection:       "testconn",
+		Roles:            []string{"admin"},
+		AllowedNodeTypes: []string{"*"},
+		PasswordSpec:     DefaultPasswordSpec(),
+		UserPrefix:       "my-custom-prefix",
 	}
 
 	logicaltest.Test(t, logicaltest.TestCase{
diff --git a/go.mod b/go.mod
@@ -17,6 +17,7 @@ require (
 	github.com/elazarl/go-bindata-assetfs v1.0.0 // indirect
 	github.com/fatih/structs v1.1.0
 	github.com/go-sql-driver/mysql v1.4.1 // indirect
+	github.com/go-test/deep v1.0.5 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/google/go-querystring v1.0.0
 	github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
@@ -48,6 +49,7 @@ require (
 	github.com/pierrec/lz4 v2.2.6+incompatible // indirect
 	github.com/prometheus/client_golang v1.1.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/sethvargo/go-password v0.1.3
 	github.com/sirupsen/logrus v1.4.2 // indirect
 	golang.org/x/net v0.0.0-20190620200207-3b0461eec859 // indirect
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
diff --git a/go.sum b/go.sum
@@ -51,6 +51,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-test/deep v1.0.5 h1:AKODKU3pDH1RzZzm6YZu77YWtEAq6uh1rLIAQlay2qc=
+github.com/go-test/deep v1.0.5/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -185,6 +187,8 @@ github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDa
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/sethvargo/go-password v0.1.3 h1:18KkbGDkw8SuzeohAbWqBLNSfRQblVwEHOLbPa0PvWM=
+github.com/sethvargo/go-password v0.1.3/go.mod h1:2tyaaoHK/AlXwh5WWQDYjqQbHcq4cjPj5qb/ciYvu/Q=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
diff --git a/password.go b/password.go
@@ -0,0 +1,40 @@
+package splunk
+
+import (
+	"github.com/sethvargo/go-password/password"
+)
+
+type PasswordSpec struct {
+	Length      int  `json:"length" structs:"length"`
+	NumDigits   int  `json:"num_digits" structs:"num_digits"`
+	NumSymbols  int  `json:"num_symbols" structs:"num_symbols"`
+	AllowUpper  bool `json:"allow_upper" structs:"allow_upper"`
+	AllowRepeat bool `json:"allow_repeat" structs:"allow_repeat"`
+}
+
+func DefaultPasswordSpec() *PasswordSpec {
+	return &PasswordSpec{
+		Length:      32,
+		NumDigits:   4,
+		NumSymbols:  4,
+		AllowUpper:  true,
+		AllowRepeat: true,
+	}
+}
+
+func GeneratePassword(spec *PasswordSpec) (string, error) {
+	passwdgen, err := password.NewGenerator(&password.GeneratorInput{
+		LowerLetters: password.LowerLetters,
+		UpperLetters: password.UpperLetters,
+		Digits:       password.Digits,
+		Symbols:      "_&^%$#@!", // mostly shell-safe set, TE-101
+	})
+	if err != nil {
+		return "", err
+	}
+
+	if spec == nil {
+		spec = DefaultPasswordSpec()
+	}
+	return passwdgen.Generate(spec.Length, spec.NumDigits, spec.NumSymbols, !spec.AllowUpper, spec.AllowRepeat)
+}
diff --git a/path_creds_create.go b/path_creds_create.go
@@ -3,8 +3,9 @@ package splunk
 import (
 	"context"
 	"fmt"
+
 	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/go-uuid"
+	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -84,7 +85,7 @@ func (b *backend) credsReadHandlerStandalone(ctx context.Context, req *logical.R
 	}
 
 	// Generate credentials
-	userUUID, err := uuid.GenerateUUID()
+	userUUID, err := generateUserID(role)
 	if err != nil {
 		return nil, err
 	}
@@ -93,7 +94,7 @@ func (b *backend) credsReadHandlerStandalone(ctx context.Context, req *logical.R
 		userPrefix = fmt.Sprintf("%s_%s", role.UserPrefix, req.DisplayName)
 	}
 	username := fmt.Sprintf("%s_%s", userPrefix, userUUID)
-	passwd, err := uuid.GenerateUUID()
+	passwd, err := generateUserPassword(role)
 	if err != nil {
 		return nil, errwrap.Wrapf("error generating new password {{err}}", err)
 	}
@@ -193,7 +194,7 @@ func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Reques
 		return nil, err
 	}
 	// Generate credentials
-	userUUID, err := uuid.GenerateUUID()
+	userUUID, err := generateUserID(role)
 	if err != nil {
 		return nil, err
 	}
@@ -202,7 +203,7 @@ func (b *backend) credsReadHandlerMulti(ctx context.Context, req *logical.Reques
 		userPrefix = fmt.Sprintf("%s_%s", role.UserPrefix, req.DisplayName)
 	}
 	username := fmt.Sprintf("%s_%s", userPrefix, userUUID)
-	passwd, err := uuid.GenerateUUID()
+	passwd, err := generateUserPassword(role)
 	if err != nil {
 		return nil, errwrap.Wrapf("error generating new password: {{err}}", err)
 	}
@@ -251,6 +252,19 @@ func (b *backend) credsReadHandler(ctx context.Context, req *logical.Request, d
 	return b.credsReadHandlerStandalone(ctx, req, d)
 }
 
+func generateUserID(roleConfig *roleConfig) (string, error) {
+	return uuid.GenerateUUID()
+}
+
+func generateUserPassword(roleConfig *roleConfig) (string, error) {
+	passwd, err := GeneratePassword(roleConfig.PasswordSpec)
+	if err == nil {
+		return passwd, nil
+	}
+	// fallback
+	return uuid.GenerateUUID()
+}
+
 const pathCredsCreateHelpSyn = `
 Request Splunk credentials for a certain role.
 `
diff --git a/path_roles.go b/path_roles.go
@@ -114,6 +114,7 @@ func (b *backend) rolesWriteHandler(ctx context.Context, req *logical.Request, d
 	if maxTTLRaw, ok := getValue(data, req.Operation, "max_ttl"); ok {
 		role.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
 	}
+	role.PasswordSpec = DefaultPasswordSpec() // XXX make configurable
 
 	if roles, ok := getValue(data, req.Operation, "roles"); ok {
 		role.Roles = roles.([]string)
diff --git a/role.go b/role.go
@@ -14,6 +14,7 @@ type roleConfig struct {
 	Connection string        `json:"connection" structs:"connection"`
 	DefaultTTL time.Duration `json:"default_ttl" structs:"default_ttl"`
 	MaxTTL     time.Duration `json:"max_ttl" structs:"max_ttl"`
+	PasswordSpec     *PasswordSpec `json:"password_spec" structs:"password_spec"`
 
 	// Splunk user attributes
 	Roles      []string `json:"roles" structs:"roles"`

Original file line number	Diff line number	Diff line change
`@@ -87,9 +87,11 @@ func TestBackend_RoleCRUD(t *testing.T) {`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`testRoleConfig := roleConfig{`
`90`		`- Connection: "testconn",`
`91`		`- Roles: []string{"admin"},`
`92`		`- UserPrefix: "my-custom-prefix",`
	`90`	`+ Connection: "testconn",`
	`91`	`+ Roles: []string{"admin"},`
	`92`	`+ AllowedNodeTypes: []string{"*"},`
	`93`	`+ PasswordSpec: DefaultPasswordSpec(),`
	`94`	`+ UserPrefix: "my-custom-prefix",`
`93`	`95`	`}`
`94`	`96`
`95`	`97`	`logicaltest.Test(t, logicaltest.TestCase{`
Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,7 @@ func (b backend) rolesWriteHandler(ctx context.Context, req logical.Request, d`
`114`	`114`	`if maxTTLRaw, ok := getValue(data, req.Operation, "max_ttl"); ok {`
`115`	`115`	`role.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second`
`116`	`116`	`}`
	`117`	`+ role.PasswordSpec = DefaultPasswordSpec() // XXX make configurable`
`117`	`118`
`118`	`119`	`if roles, ok := getValue(data, req.Operation, "roles"); ok {`
`119`	`120`	`role.Roles = roles.([]string)`