Docs enforce autoauth token (#8270)
* rename UseAutoAuthForce to ForceAutoAuth, because I think it reads better * Document 'ForceAutoAuthToken' option for Agent Cache * Update website/pages/docs/agent/caching/index.mdx Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Add additional tests around use_auto_auth=force and add documentation * remove note, it's no longer correct Co-authored-by: Jim Kalafut <jim@kalafut.net>
This commit is contained in:
parent
e12351f263
commit
39f1d26902
|
@ -464,7 +464,7 @@ func (c *AgentCommand) Run(args []string) int {
|
|||
})
|
||||
}
|
||||
|
||||
var proxyVaultToken = !config.Cache.UseAutoAuthTokenEnforce
|
||||
var proxyVaultToken = !config.Cache.ForceAutoAuthToken
|
||||
|
||||
// Create the request handler
|
||||
cacheHandler := cache.Handler(ctx, cacheLogger, leaseCache, inmemSink, proxyVaultToken)
|
||||
|
|
|
@ -43,9 +43,9 @@ type Vault struct {
|
|||
|
||||
// Cache contains any configuration needed for Cache mode
|
||||
type Cache struct {
|
||||
UseAutoAuthTokenRaw interface{} `hcl:"use_auto_auth_token"`
|
||||
UseAutoAuthToken bool `hcl:"-"`
|
||||
UseAutoAuthTokenEnforce bool `hcl:"-"`
|
||||
UseAutoAuthTokenRaw interface{} `hcl:"use_auto_auth_token"`
|
||||
UseAutoAuthToken bool `hcl:"-"`
|
||||
ForceAutoAuthToken bool `hcl:"-"`
|
||||
}
|
||||
|
||||
// Listener contains configuration for any Vault Agent listeners
|
||||
|
@ -233,7 +233,7 @@ func parseCache(result *Config, list *ast.ObjectList) error {
|
|||
return fmt.Errorf("value of 'use_auto_auth_token' can be either true/false/force, %q is an invalid option", c.UseAutoAuthTokenRaw)
|
||||
}
|
||||
c.UseAutoAuthToken = true
|
||||
c.UseAutoAuthTokenEnforce = true
|
||||
c.ForceAutoAuthToken = true
|
||||
|
||||
default:
|
||||
return err
|
||||
|
|
|
@ -38,9 +38,9 @@ func TestLoadConfigFile_AgentCache(t *testing.T) {
|
|||
},
|
||||
},
|
||||
Cache: &Cache{
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenEnforce: false,
|
||||
UseAutoAuthTokenRaw: true,
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenRaw: true,
|
||||
ForceAutoAuthToken: false,
|
||||
},
|
||||
Listeners: []*Listener{
|
||||
&Listener{
|
||||
|
@ -225,6 +225,13 @@ func TestLoadConfigFile_Bad_AgentCache_InconsisentAutoAuth(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestLoadConfigFile_Bad_AgentCache_ForceAutoAuthNoMethod(t *testing.T) {
|
||||
_, err := LoadConfig("./test-fixtures/bad-config-cache-inconsistent-auto_auth.hcl")
|
||||
if err == nil {
|
||||
t.Fatal("LoadConfig should return an error when use_auto_auth_token=true and no auto_auth section present")
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoadConfigFile_Bad_AgentCache_NoListeners(t *testing.T) {
|
||||
_, err := LoadConfig("./test-fixtures/bad-config-cache-no-listeners.hcl")
|
||||
if err == nil {
|
||||
|
@ -270,9 +277,9 @@ func TestLoadConfigFile_AgentCache_AutoAuth_NoSink(t *testing.T) {
|
|||
},
|
||||
},
|
||||
Cache: &Cache{
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenEnforce: false,
|
||||
UseAutoAuthTokenRaw: true,
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenRaw: true,
|
||||
ForceAutoAuthToken: false,
|
||||
},
|
||||
Listeners: []*Listener{
|
||||
&Listener{
|
||||
|
@ -308,9 +315,9 @@ func TestLoadConfigFile_AgentCache_AutoAuth_Force(t *testing.T) {
|
|||
},
|
||||
},
|
||||
Cache: &Cache{
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenEnforce: true,
|
||||
UseAutoAuthTokenRaw: "force",
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenRaw: "force",
|
||||
ForceAutoAuthToken: true,
|
||||
},
|
||||
Listeners: []*Listener{
|
||||
&Listener{
|
||||
|
@ -346,9 +353,9 @@ func TestLoadConfigFile_AgentCache_AutoAuth_True(t *testing.T) {
|
|||
},
|
||||
},
|
||||
Cache: &Cache{
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenEnforce: false,
|
||||
UseAutoAuthTokenRaw: "true",
|
||||
UseAutoAuthToken: true,
|
||||
UseAutoAuthTokenRaw: "true",
|
||||
ForceAutoAuthToken: false,
|
||||
},
|
||||
Listeners: []*Listener{
|
||||
&Listener{
|
||||
|
@ -395,9 +402,9 @@ func TestLoadConfigFile_AgentCache_AutoAuth_False(t *testing.T) {
|
|||
},
|
||||
},
|
||||
Cache: &Cache{
|
||||
UseAutoAuthToken: false,
|
||||
UseAutoAuthTokenEnforce: false,
|
||||
UseAutoAuthTokenRaw: "false",
|
||||
UseAutoAuthToken: false,
|
||||
UseAutoAuthTokenRaw: "false",
|
||||
ForceAutoAuthToken: false,
|
||||
},
|
||||
Listeners: []*Listener{
|
||||
&Listener{
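Review bot: TestLoadConfigFile_Bad_AgentCache_ForceAutoAuthNoMethod loads `./test-fixtures/bad-config-cache-inconsistent-auto_auth.hcl`, the same fixture the preceding InconsisentAutoAuth test already uses, so it never exercises `use_auto_auth_token = "force"` at all. The new fixture this commit adds (a `cache { use_auto_auth_token = "force" }` with no `auto_auth` block; its path is not shown on this page) appears to be the one intended here, and the failure text should match the case, e.g. `t.Fatal("LoadConfig should return an error when use_auto_auth_token=force and no auto_auth section present")`. As written the test passes for the wrong reason and would keep passing if the force-without-auto_auth check were removed.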
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
pid_file = "./pidfile"
|
||||
|
||||
cache {
|
||||
use_auto_auth_token = "force"
|
||||
}
|
||||
|
||||
listener "tcp" {
|
||||
address = "127.0.0.1:8300"
|
||||
tls_disable = true
|
||||
}
|
|
@ -613,6 +613,37 @@ listener "tcp" {
|
|||
request(t, agentClient, req, 200)
|
||||
}
|
||||
|
||||
// TestAgent_RequireAutoAuthWithForce ensures that the client exits with a
|
||||
// non-zero code if configured to force the use of an auto-auth token without
|
||||
// configuring the auto_auth block
|
||||
func TestAgent_RequireAutoAuthWithForce(t *testing.T) {
|
||||
logger := logging.NewVaultLogger(hclog.Trace)
|
||||
// Create a config file
|
||||
config := `
|
||||
cache {
|
||||
use_auto_auth_token = "force"
|
||||
}
|
||||
|
||||
listener "tcp" {
|
||||
address = "127.0.0.1:8101"
|
||||
tls_disable = true
|
||||
}
|
||||
`
|
||||
configPath := makeTempFile(t, "config.hcl", config)
|
||||
defer os.Remove(configPath)
|
||||
|
||||
// Start the agent
|
||||
ui, cmd := testAgentCommand(t, logger)
|
||||
cmd.startedCh = make(chan struct{})
|
||||
|
||||
code := cmd.Run([]string{"-config", configPath})
|
||||
if code == 0 {
|
||||
t.Errorf("expected error code, but got 0: %d", code)
|
||||
t.Logf("STDOUT from agent:\n%s", ui.OutputWriter.String())
|
||||
t.Logf("STDERR from agent:\n%s", ui.ErrorWriter.String())
|
||||
}
|
||||
}
|
||||
|
||||
// TestAgent_Template tests rendering templates
|
||||
func TestAgent_Template_Basic(t *testing.T) {
|
||||
//----------------------------------------------------
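Review bot: TestAgent_RequireAutoAuthWithForce only asserts that `cmd.Run` returned non-zero, so any failure — an HCL typo in the inline config, or `127.0.0.1:8101` already being bound on the test host — satisfies it, not just the force-without-auto_auth check it is meant to cover. Asserting that `ui.ErrorWriter.String()` contains the auto-auth error would pin the reason; the exact message is not visible in this diff, so match on a stable fragment such as `auto_auth`. The failure message also prints the code twice (`got 0: %d` can only ever render as `got 0: 0`); `t.Errorf("expected non-zero exit code, got %d", code)` is clearer. `cmd.startedCh` is created but nothing receives from it here, so if the agent ever did start, Run would presumably block on that send instead of returning — worth confirming against how the other tests in this file drain it.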
|
||||
|
|
|
@ -49,6 +49,14 @@ configuration will be overridden if the request already has a token attached,
|
|||
in which case, the token present in the request will be used to forward the
|
||||
request to the Vault server.
|
||||
|
||||
## Forcing Auto-Auth Token
|
||||
|
||||
Vault Agent can be configured to force the use of the auto-auth token by using
|
||||
the value `force` for the `use_auto_auth_token` option. This configuration
|
||||
overrides the default behavior described above in [Using Auth-Auth
|
||||
Token](/docs/agent/caching#using-auto-auth-token), and instead ignores any
|
||||
existing Vault token in the request and instead uses the auto-auth token.
|
||||
|
||||
## Cache Evictions
|
||||
|
||||
The eviction of cache entries pertaining to secrets will occur when the agent
|
||||
|
@ -160,11 +168,12 @@ $ curl \
|
|||
|
||||
The top level `cache` block has the following configuration entries:
|
||||
|
||||
- `use_auto_auth_token (bool: false)` - If set, the requests made to agent
|
||||
- `use_auto_auth_token (bool/string: false)` - If set, the requests made to agent
|
||||
without a Vault token will be forwarded to the Vault server with the
|
||||
auto-auth token attached. If the requests already bear a token, this
|
||||
configuration will be overridden and the token in the request will be used to
|
||||
forward the request to the Vault server.
|
||||
forward the request to the Vault server. If set to `"force"` Agent will use the
|
||||
auto-auth token, overwriting the attached Vault token if set.
|
||||
|
||||
## Configuration (`listener`)
|
||||
|
||||
|
|