add provider ca auth-method support for azure
Does the required dance with the local HTTP endpoint to get the required data for the jwt based auth setup in Azure. Keeps support for 'legacy' mode where all login data is passed on via the auth methods parameters. Refactored check for hardcoded /login fields.
This commit is contained in:
parent
06725282fe
commit
5ac637f07d
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
ca: support Vault agent auto-auth config for Vault CA provider using Azure MSI authentication.
|
||||||
|
```
|
|
@ -931,6 +931,8 @@ func configureVaultAuthMethod(authMethod *structs.VaultAuthMethod) (VaultAuthent
|
||||||
switch authMethod.Type {
|
switch authMethod.Type {
|
||||||
case VaultAuthMethodTypeAWS:
|
case VaultAuthMethodTypeAWS:
|
||||||
return NewAWSAuthClient(authMethod), nil
|
return NewAWSAuthClient(authMethod), nil
|
||||||
|
case VaultAuthMethodTypeAzure:
|
||||||
|
return NewAzureAuthClient(authMethod)
|
||||||
case VaultAuthMethodTypeGCP:
|
case VaultAuthMethodTypeGCP:
|
||||||
return NewGCPAuthClient(authMethod)
|
return NewGCPAuthClient(authMethod)
|
||||||
case VaultAuthMethodTypeKubernetes:
|
case VaultAuthMethodTypeKubernetes:
|
||||||
|
@ -968,7 +970,6 @@ func configureVaultAuthMethod(authMethod *structs.VaultAuthMethod) (VaultAuthent
|
||||||
// The rest of the auth methods use auth/<auth method path> login API path.
|
// The rest of the auth methods use auth/<auth method path> login API path.
|
||||||
case VaultAuthMethodTypeAliCloud,
|
case VaultAuthMethodTypeAliCloud,
|
||||||
VaultAuthMethodTypeAppRole,
|
VaultAuthMethodTypeAppRole,
|
||||||
VaultAuthMethodTypeAzure,
|
|
||||||
VaultAuthMethodTypeCloudFoundry,
|
VaultAuthMethodTypeCloudFoundry,
|
||||||
VaultAuthMethodTypeGitHub,
|
VaultAuthMethodTypeGitHub,
|
||||||
VaultAuthMethodTypeJWT,
|
VaultAuthMethodTypeJWT,
|
||||||
|
|
|
@ -76,13 +76,14 @@ func toMapStringString(in map[string]interface{}) (map[string]string, error) {
|
||||||
return out, nil
|
return out, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// containsVaultLoginParams indicates if the provided auth method contains the
|
// legacyCheck is used to see if all the parameters needed to /login have been
|
||||||
// config parameters needed to call the auth/<method>/login API directly.
|
// hardcoded in the auth-method's config Parameters field.
|
||||||
// It compares the keys in the authMethod.Params struct to the provided slice of
|
// Note it returns true if any /login specific fields are found (vs. all). This
|
||||||
// keys and if any of the keys match it returns true.
|
// is because the AWS client has multiple possible ways to call /login with
|
||||||
func containsVaultLoginParams(authMethod *structs.VaultAuthMethod, keys ...string) bool {
|
// different parameters.
|
||||||
for _, key := range keys {
|
func legacyCheck(params map[string]any, expectedKeys ...string) bool {
|
||||||
if _, exists := authMethod.Params[key]; exists {
|
for _, key := range expectedKeys {
|
||||||
|
if v, ok := params[key]; ok && v != "" {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,7 +26,7 @@ func NewAWSAuthClient(authMethod *structs.VaultAuthMethod) *VaultAuthClient {
|
||||||
"pkcs7", // EC2 PKCS7
|
"pkcs7", // EC2 PKCS7
|
||||||
"iam_http_request_method", // IAM
|
"iam_http_request_method", // IAM
|
||||||
}
|
}
|
||||||
if containsVaultLoginParams(authMethod, keys...) {
|
if legacyCheck(authMethod.Params, keys...) {
|
||||||
return authClient
|
return authClient
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,142 @@
|
||||||
|
package ca
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net/http"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
|
"github.com/hashicorp/go-cleanhttp"
|
||||||
|
"github.com/hashicorp/vault/sdk/helper/jsonutil"
|
||||||
|
)
|
||||||
|
|
||||||
|
func NewAzureAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
|
||||||
|
params := authMethod.Params
|
||||||
|
authClient := NewVaultAPIAuthClient(authMethod, "")
|
||||||
|
// check for login data already in params (for backwards compability)
|
||||||
|
legacyKeys := []string{
|
||||||
|
"vm_name", "vmss_name", "resource_group_name", "subscription_id", "jwt",
|
||||||
|
}
|
||||||
|
if legacyCheck(params, legacyKeys...) {
|
||||||
|
return authClient, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
role, ok := params["role"].(string)
|
||||||
|
if !ok || strings.TrimSpace(role) == "" {
|
||||||
|
return nil, fmt.Errorf("missing 'role' value")
|
||||||
|
}
|
||||||
|
resource, ok := params["resource"].(string)
|
||||||
|
if !ok || strings.TrimSpace(resource) == "" {
|
||||||
|
return nil, fmt.Errorf("missing 'resource' value")
|
||||||
|
}
|
||||||
|
|
||||||
|
authClient.LoginDataGen = AzureLoginDataGen
|
||||||
|
return authClient, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var ( // use variables so we can change these in tests
|
||||||
|
instanceEndpoint = "http://169.254.169.254/metadata/instance"
|
||||||
|
identityEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token"
|
||||||
|
// minimum version 2018-02-01 needed for identity metadata
|
||||||
|
apiVersion = "2018-02-01"
|
||||||
|
)
|
||||||
|
|
||||||
|
type instanceData struct {
|
||||||
|
Compute Compute
|
||||||
|
}
|
||||||
|
type Compute struct {
|
||||||
|
Name string
|
||||||
|
ResourceGroupName string
|
||||||
|
SubscriptionID string
|
||||||
|
VMScaleSetName string
|
||||||
|
}
|
||||||
|
type identityData struct {
|
||||||
|
AccessToken string `json:"access_token"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func AzureLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
|
||||||
|
params := authMethod.Params
|
||||||
|
role := params["role"].(string)
|
||||||
|
metaConf := map[string]string{
|
||||||
|
"role": role,
|
||||||
|
"resource": params["resource"].(string),
|
||||||
|
}
|
||||||
|
if objectID, ok := params["object_id"].(string); ok {
|
||||||
|
metaConf["object_id"] = objectID
|
||||||
|
}
|
||||||
|
if clientID, ok := params["client_id"].(string); ok {
|
||||||
|
metaConf["client_id"] = clientID
|
||||||
|
}
|
||||||
|
|
||||||
|
// Fetch instance data
|
||||||
|
var instance instanceData
|
||||||
|
body, err := getMetadataInfo(instanceEndpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
err = jsonutil.DecodeJSON(body, &instance)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error parsing instance metadata response: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Fetch JWT
|
||||||
|
var identity identityData
|
||||||
|
body, err = getMetadataInfo(identityEndpoint, metaConf)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
err = jsonutil.DecodeJSON(body, &identity)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error parsing instance metadata response: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
data := map[string]interface{}{
|
||||||
|
"role": role,
|
||||||
|
"vm_name": instance.Compute.Name,
|
||||||
|
"vmss_name": instance.Compute.VMScaleSetName,
|
||||||
|
"resource_group_name": instance.Compute.ResourceGroupName,
|
||||||
|
"subscription_id": instance.Compute.SubscriptionID,
|
||||||
|
"jwt": identity.AccessToken,
|
||||||
|
}
|
||||||
|
|
||||||
|
return data, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func getMetadataInfo(endpoint string, query map[string]string) ([]byte, error) {
|
||||||
|
req, err := http.NewRequest("GET", endpoint, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
q := req.URL.Query()
|
||||||
|
q.Add("api-version", apiVersion)
|
||||||
|
for k, v := range query {
|
||||||
|
q.Add(k, v)
|
||||||
|
}
|
||||||
|
req.URL.RawQuery = q.Encode()
|
||||||
|
req.Header.Set("Metadata", "true")
|
||||||
|
req.Header.Set("User-Agent", "Consul")
|
||||||
|
|
||||||
|
client := cleanhttp.DefaultClient()
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error fetching metadata from %s: %w", endpoint, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if resp == nil {
|
||||||
|
return nil, fmt.Errorf("empty response fetching metadata from %s", endpoint)
|
||||||
|
}
|
||||||
|
|
||||||
|
defer resp.Body.Close()
|
||||||
|
body, err := io.ReadAll(resp.Body)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error reading metadata from %s: %w", endpoint, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if resp.StatusCode != http.StatusOK {
|
||||||
|
return nil, fmt.Errorf("error response in metadata from %s: %s", endpoint, body)
|
||||||
|
}
|
||||||
|
|
||||||
|
return body, nil
|
||||||
|
}
|
|
@ -16,7 +16,7 @@ func NewGCPAuthClient(authMethod *structs.VaultAuthMethod) (VaultAuthenticator,
|
||||||
// perform a direct request to the login API with the config that is provided.
|
// perform a direct request to the login API with the config that is provided.
|
||||||
// This supports the Vault CA config in a backwards compatible way so that we don't
|
// This supports the Vault CA config in a backwards compatible way so that we don't
|
||||||
// break existing configurations.
|
// break existing configurations.
|
||||||
if containsVaultLoginParams(authMethod, "jwt") {
|
if legacyCheck(authMethod.Params, "jwt") {
|
||||||
return NewVaultAPIAuthClient(authMethod, ""), nil
|
return NewVaultAPIAuthClient(authMethod, ""), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,10 @@
|
||||||
package ca
|
package ca
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
"os"
|
"os"
|
||||||
"strconv"
|
"strconv"
|
||||||
"testing"
|
"testing"
|
||||||
|
@ -10,6 +13,7 @@ import (
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
"github.com/hashicorp/go-secure-stdlib/awsutil"
|
"github.com/hashicorp/go-secure-stdlib/awsutil"
|
||||||
"github.com/hashicorp/vault/api/auth/gcp"
|
"github.com/hashicorp/vault/api/auth/gcp"
|
||||||
|
"github.com/hashicorp/vault/sdk/helper/jsonutil"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -301,3 +305,126 @@ func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestVaultCAProvider_AzureAuthClient(t *testing.T) {
|
||||||
|
instance := instanceData{Compute: Compute{
|
||||||
|
Name: "a", ResourceGroupName: "b", SubscriptionID: "c", VMScaleSetName: "d",
|
||||||
|
}}
|
||||||
|
instanceJSON, err := json.Marshal(instance)
|
||||||
|
require.NoError(t, err)
|
||||||
|
identity := identityData{AccessToken: "a-jwt-token"}
|
||||||
|
identityJSON, err := json.Marshal(identity)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
msi := httptest.NewServer(http.HandlerFunc(
|
||||||
|
func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
url := r.URL.Path
|
||||||
|
switch url {
|
||||||
|
case "/metadata/instance":
|
||||||
|
w.Write(instanceJSON)
|
||||||
|
case "/metadata/identity/oauth2/token":
|
||||||
|
w.Write(identityJSON)
|
||||||
|
default:
|
||||||
|
t.Errorf("unexpected testing URL: %s", url)
|
||||||
|
}
|
||||||
|
}))
|
||||||
|
|
||||||
|
origIn, origId := instanceEndpoint, identityEndpoint
|
||||||
|
instanceEndpoint = msi.URL + "/metadata/instance"
|
||||||
|
identityEndpoint = msi.URL + "/metadata/identity/oauth2/token"
|
||||||
|
defer func() {
|
||||||
|
instanceEndpoint, identityEndpoint = origIn, origId
|
||||||
|
}()
|
||||||
|
|
||||||
|
t.Run("get-metadata-instance-info", func(t *testing.T) {
|
||||||
|
md, err := getMetadataInfo(instanceEndpoint, nil)
|
||||||
|
require.NoError(t, err)
|
||||||
|
var testInstance instanceData
|
||||||
|
err = jsonutil.DecodeJSON(md, &testInstance)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, testInstance, instance)
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("get-metadata-identity-info", func(t *testing.T) {
|
||||||
|
md, err := getMetadataInfo(identityEndpoint, nil)
|
||||||
|
require.NoError(t, err)
|
||||||
|
var testIdentity identityData
|
||||||
|
err = jsonutil.DecodeJSON(md, &testIdentity)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, testIdentity, identity)
|
||||||
|
})
|
||||||
|
|
||||||
|
cases := map[string]struct {
|
||||||
|
authMethod *structs.VaultAuthMethod
|
||||||
|
expData map[string]any
|
||||||
|
expErr error
|
||||||
|
}{
|
||||||
|
"legacy-case": {
|
||||||
|
authMethod: &structs.VaultAuthMethod{
|
||||||
|
Type: "azure",
|
||||||
|
Params: map[string]interface{}{
|
||||||
|
"role": "a",
|
||||||
|
"vm_name": "b",
|
||||||
|
"vmss_name": "c",
|
||||||
|
"resource_group_name": "d",
|
||||||
|
"subscription_id": "e",
|
||||||
|
"jwt": "f",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expData: map[string]any{
|
||||||
|
"role": "a",
|
||||||
|
"vm_name": "b",
|
||||||
|
"vmss_name": "c",
|
||||||
|
"resource_group_name": "d",
|
||||||
|
"subscription_id": "e",
|
||||||
|
"jwt": "f",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"base-case": {
|
||||||
|
authMethod: &structs.VaultAuthMethod{
|
||||||
|
Type: "azure",
|
||||||
|
Params: map[string]interface{}{
|
||||||
|
"role": "a-role",
|
||||||
|
"resource": "b-resource",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expData: map[string]any{
|
||||||
|
"role": "a-role",
|
||||||
|
"jwt": "a-jwt-token",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"no-role": {
|
||||||
|
authMethod: &structs.VaultAuthMethod{
|
||||||
|
Type: "azure",
|
||||||
|
Params: map[string]interface{}{
|
||||||
|
"resource": "b-resource",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expErr: fmt.Errorf("missing 'role' value"),
|
||||||
|
},
|
||||||
|
"no-resource": {
|
||||||
|
authMethod: &structs.VaultAuthMethod{
|
||||||
|
Type: "azure",
|
||||||
|
Params: map[string]interface{}{
|
||||||
|
"role": "a-role",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expErr: fmt.Errorf("missing 'resource' value"),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for name, c := range cases {
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
auth, err := NewAzureAuthClient(c.authMethod)
|
||||||
|
if c.expErr != nil {
|
||||||
|
require.EqualError(t, err, c.expErr.Error())
|
||||||
|
return
|
||||||
|
}
|
||||||
|
require.NoError(t, err)
|
||||||
|
if auth.LoginDataGen != nil {
|
||||||
|
data, err := auth.LoginDataGen(c.authMethod)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Subset(t, data, c.expData)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -107,7 +107,7 @@ func TestVaultCAProvider_configureVaultAuthMethod(t *testing.T) {
|
||||||
"alicloud": {expLoginPath: "auth/alicloud/login"},
|
"alicloud": {expLoginPath: "auth/alicloud/login"},
|
||||||
"approle": {expLoginPath: "auth/approle/login"},
|
"approle": {expLoginPath: "auth/approle/login"},
|
||||||
"aws": {expLoginPath: "auth/aws/login", params: map[string]interface{}{"type": "iam"}, hasLDG: true},
|
"aws": {expLoginPath: "auth/aws/login", params: map[string]interface{}{"type": "iam"}, hasLDG: true},
|
||||||
"azure": {expLoginPath: "auth/azure/login"},
|
"azure": {expLoginPath: "auth/azure/login", params: map[string]interface{}{"role": "test-role", "resource": "test-resource"}, hasLDG: true},
|
||||||
"cf": {expLoginPath: "auth/cf/login"},
|
"cf": {expLoginPath: "auth/cf/login"},
|
||||||
"github": {expLoginPath: "auth/github/login"},
|
"github": {expLoginPath: "auth/github/login"},
|
||||||
"gcp": {expLoginPath: "auth/gcp/login", params: map[string]interface{}{"type": "iam", "role": "test-role"}},
|
"gcp": {expLoginPath: "auth/gcp/login", params: map[string]interface{}{"type": "iam", "role": "test-role"}},
|
||||||
|
|
Loading…
Reference in New Issue