From 3e7a2211bf0a93a314bb720d44952996ed51c434 Mon Sep 17 00:00:00 2001
From: Jim Kalafut
Date: Wed, 14 Aug 2019 06:43:04 -0700
Subject: [PATCH] Update PCF Auth plugin (#7306)

---
 go.mod | 2 +-
 go.sum | 4 +--
 .../hashicorp/vault-plugin-auth-pcf/README.md | 20 ++++++++++++
 .../signatures/version1.go | 32 ++++++++++++++++---
 vendor/modules.txt | 2 +-
 5 files changed, 51 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index 6945f983b..4401ba3cd 100644
--- a/go.mod
+++ b/go.mod
@@ -75,7 +75,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190730042519-f5a47667d35c
 	github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
 	github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
-	github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
+	github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
 	github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d
 	github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3
 	github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190730042556-6c462a37ae43
diff --git a/go.sum b/go.sum
index 021581ba6..d9d27118a 100644
--- a/go.sum
+++ b/go.sum
@@ -318,8 +318,8 @@ github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
 github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6/go.mod h1:vtUJ+05r7coC4TyKEdZ8Fw/wzRKikDkoBuHFS/9JJgo=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8 h1:wCnu6i6LgG66df7o4lK/COVo0OYiUI2bIuvLZ1GOBlY=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8/go.mod h1:vbsD/KqeeknPR31viJ/Ch3pii1NHFxsBrdBSxIV7HSs=
-github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d h1:1SJvD9NIS6jGdPaOqVlyjoCEAINmSEmTcEBRMG8VGa4=
-github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
+github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9 h1:w0wgsE7L4qjgzB4a0cZ18oM4cFkaAP6mKkIGyHUZV4U=
+github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d h1:ZP2bLGMWnztAvnb6pLROTMpNzIH5UW3rcCVFEHdb8bs=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d/go.mod h1:KD56g+aeTNH2AM1l8iOBf5KxX+DSNKleEswJxXE8nI8=
 github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3 h1:uYWb/W7Thu9OAPodpcc89xVlsLjXd5LDcJaTpyZvxME=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md b/vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md
index 27978b038..ad7464ca7 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md
@@ -3,6 +3,16 @@
 This plugin leverages PCF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation) for authenticating to Vault.
 
+## Official Documentation
+
+This plugin's docs reside in the following places:
+
+- [Overview](https://www.vaultproject.io/docs/auth/pcf.html)
+- [API](https://www.vaultproject.io/api/auth/pcf/index.html)
+
+The documentation below is intended to further elaborate, and is targeted at those developing, using,
+troubleshooting, and maintaining this plugin.
+
 ## Known Risks
 
 This authentication engine uses PCF's instance identity service to authenticate users to Vault. Because PCF
@@ -302,6 +312,16 @@ Then, add a role that will be used to grant specific Vault policies to those log
 application IDs. However, if `bound_application_ids` is omitted, then _any_ application ID will match.
 We recommend configuring as many bound parameters as possible.
 
+The `bound_application_ids`, `bound_space_ids`, and `bound_organization_ids` that are tied to a particular application
+can be found by looking at the `instance.crt` using the following command:
+
+```
+$ openssl crl2pkcs7 -nocrl -certfile instance.crt | openssl pkcs7 -print_certs -text -noout
+...
+ Subject: OU=organization:bc3874b4-002b-4548-ab27-f9bd38450651, OU=space:dd84618a-16f2-4dee-9936-04181acb6cc0, OU=app:b7b5a288-afa9-4022-802f-173ad94ebb02, CN=a9cff876-58f9-4247-67a6-62f2
+...
+```
+
 Also, by default, the IP address on the certificate presented at login must match that of the caller. However,
 if your callers tend to be proxied, this may not work for you. If that's the case, set `disable_ip_matching` to true.
 ```
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go b/vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go
index 045a54271..a8cc52ffa 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go
@@ -11,12 +11,14 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"strings"
 	"time"
 
 	"github.com/hashicorp/go-multierror"
 )
 
 const TimeFormat = "2006-01-02T15:04:05Z"
+const signatureVersion = "v1"
 
 type SignatureData struct {
 	SigningTime time.Time
@@ -66,7 +68,7 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
 	if err != nil {
 		return "", err
 	}
-	return base64.URLEncoding.EncodeToString(signatureBytes), nil
+	return fmt.Sprintf("%s:%s", signatureVersion, base64.StdEncoding.EncodeToString(signatureBytes)), nil
 }
 
 // Verify ensures that a given signature was created by a private key
@@ -75,16 +77,36 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
 // and to be issued by a chain leading to the root CA certificate. There's a
 // util function for this named Validate.
 func Verify(signature string, signatureData *SignatureData) (*x509.Certificate, error) {
+	var signatureBytes []byte
+	var err error
+
 	if signatureData == nil {
 		return nil, errors.New("signatureData must be provided")
 	}
 
-	// Use the CA certificate to verify the signature we've received.
-	signatureBytes, err := base64.URLEncoding.DecodeString(signature)
-	if err != nil {
-		return nil, err
+	// Parse signature format
+	parts := strings.Split(signature, ":")
+
+	switch len(parts) {
+	// Original release using URL-safe encoding and no embedded version
+	case 1:
+		signatureBytes, err = base64.URLEncoding.DecodeString(parts[0])
+		if err != nil {
+			return nil, err
+		}
+	case 2:
+		if parts[0] != "v1" {
+			return nil, fmt.Errorf("invalid signature version %q", parts[0])
+		}
+		signatureBytes, err = base64.StdEncoding.DecodeString(parts[1])
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, errors.New("invalid signature format")
 	}
 
+	// Use the CA certificate to verify the signature we've received.
 	cfInstanceCertContentsBytes := []byte(signatureData.CFInstanceCertContents)
 	var block *pem.Block
 	var result error
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3eea230d0..fe37117c2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -341,7 +341,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
 github.com/hashicorp/vault-plugin-auth-kubernetes
-# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
+# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
 github.com/hashicorp/vault-plugin-auth-pcf
 github.com/hashicorp/vault-plugin-auth-pcf/signatures
 github.com/hashicorp/vault-plugin-auth-pcf/models