Update PCF Auth plugin (#7306)

2019-08-14 06:43:04 -07:00 · 2019-08-14 06:43:04 -07:00 · 3e7a2211bf
parent 38e2815d1a
commit 3e7a2211bf
5 changed files with 51 additions and 9 deletions
--- a/go.mod
+++ b/go.mod
@ -75,7 +75,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190730042519-f5a47667d35c
 	github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
 	github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
-	github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
+	github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
 	github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d
 	github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3
 	github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190730042556-6c462a37ae43
--- a/go.sum
+++ b/go.sum
@ -318,8 +318,8 @@ github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
 github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6/go.mod h1:vtUJ+05r7coC4TyKEdZ8Fw/wzRKikDkoBuHFS/9JJgo=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8 h1:wCnu6i6LgG66df7o4lK/COVo0OYiUI2bIuvLZ1GOBlY=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8/go.mod h1:vbsD/KqeeknPR31viJ/Ch3pii1NHFxsBrdBSxIV7HSs=
-github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d h1:1SJvD9NIS6jGdPaOqVlyjoCEAINmSEmTcEBRMG8VGa4=
-github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
+github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9 h1:w0wgsE7L4qjgzB4a0cZ18oM4cFkaAP6mKkIGyHUZV4U=
+github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d h1:ZP2bLGMWnztAvnb6pLROTMpNzIH5UW3rcCVFEHdb8bs=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d/go.mod h1:KD56g+aeTNH2AM1l8iOBf5KxX+DSNKleEswJxXE8nI8=
 github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3 h1:uYWb/W7Thu9OAPodpcc89xVlsLjXd5LDcJaTpyZvxME=
--- a/vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md
@ -3,6 +3,16 @@
 This plugin leverages PCF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation)
 for authenticating to Vault. 

+## Official Documentation
+
+This plugin's docs reside in the following places:
+
+- [Overview](https://www.vaultproject.io/docs/auth/pcf.html)
+- [API](https://www.vaultproject.io/api/auth/pcf/index.html)
+
+The documentation below is intended to further elaborate, and is targeted at those developing, using,
+troubleshooting, and maintaining this plugin.
+
 ## Known Risks

 This authentication engine uses PCF's instance identity service to authenticate users to Vault. Because PCF
@ -302,6 +312,16 @@ Then, add a role that will be used to grant specific Vault policies to those log
 application IDs. However, if `bound_application_ids` is omitted, then _any_ application ID will match. We recommend
 configuring as many bound parameters as possible.

+The `bound_application_ids`, `bound_space_ids`, and `bound_organization_ids` that are tied to a particular application
+can be found by looking at the `instance.crt` using the following command:
+
+```
+$ openssl crl2pkcs7 -nocrl -certfile instance.crt | openssl pkcs7 -print_certs -text -noout
+...
+        Subject: OU=organization:bc3874b4-002b-4548-ab27-f9bd38450651, OU=space:dd84618a-16f2-4dee-9936-04181acb6cc0, OU=app:b7b5a288-afa9-4022-802f-173ad94ebb02, CN=a9cff876-58f9-4247-67a6-62f2
+...
+```
+
 Also, by default, the IP address on the certificate presented at login must match that of the caller. However, if
 your callers tend to be proxied, this may not work for you. If that's the case, set `disable_ip_matching` to true.
 ```
--- a/vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go
@ -11,12 +11,14 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"strings"
 	"time"

 	"github.com/hashicorp/go-multierror"
 )

 const TimeFormat = "2006-01-02T15:04:05Z"
+const signatureVersion = "v1"

 type SignatureData struct {
 	SigningTime time.Time
@ -66,7 +68,7 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
 	if err != nil {
 		return "", err
 	}
-	return base64.URLEncoding.EncodeToString(signatureBytes), nil
+	return fmt.Sprintf("%s:%s", signatureVersion, base64.StdEncoding.EncodeToString(signatureBytes)), nil
 }

 // Verify ensures that a given signature was created by a private key
@ -75,16 +77,36 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
 // and to be issued by a chain leading to the root CA certificate. There's a
 // util function for this named Validate.
 func Verify(signature string, signatureData *SignatureData) (*x509.Certificate, error) {
+	var signatureBytes []byte
+	var err error
+
 	if signatureData == nil {
 		return nil, errors.New("signatureData must be provided")
 	}

-	// Use the CA certificate to verify the signature we've received.
-	signatureBytes, err := base64.URLEncoding.DecodeString(signature)
-	if err != nil {
-		return nil, err
+	// Parse signature format
+	parts := strings.Split(signature, ":")
+
+	switch len(parts) {
+	// Original release using URL-safe encoding and no embedded version
+	case 1:
+		signatureBytes, err = base64.URLEncoding.DecodeString(parts[0])
+		if err != nil {
+			return nil, err
+		}
+	case 2:
+		if parts[0] != "v1" {
+			return nil, fmt.Errorf("invalid signature version %q", parts[0])
+		}
+		signatureBytes, err = base64.StdEncoding.DecodeString(parts[1])
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, errors.New("invalid signature format")
 	}

+	// Use the CA certificate to verify the signature we've received.
 	cfInstanceCertContentsBytes := []byte(signatureData.CFInstanceCertContents)
 	var block *pem.Block
 	var result error
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -341,7 +341,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
 github.com/hashicorp/vault-plugin-auth-kubernetes
-# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
+# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
 github.com/hashicorp/vault-plugin-auth-pcf
 github.com/hashicorp/vault-plugin-auth-pcf/signatures
 github.com/hashicorp/vault-plugin-auth-pcf/models