Update PCF Auth plugin (#7306)
This commit is contained in:
parent
38e2815d1a
commit
3e7a2211bf
2
go.mod
2
go.mod
|
@ -75,7 +75,7 @@ require (
|
||||||
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190730042519-f5a47667d35c
|
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190730042519-f5a47667d35c
|
||||||
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
|
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
|
||||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
|
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
|
||||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
|
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
|
||||||
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d
|
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d
|
||||||
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3
|
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3
|
||||||
github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190730042556-6c462a37ae43
|
github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190730042556-6c462a37ae43
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -318,8 +318,8 @@ github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
|
||||||
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6/go.mod h1:vtUJ+05r7coC4TyKEdZ8Fw/wzRKikDkoBuHFS/9JJgo=
|
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6/go.mod h1:vtUJ+05r7coC4TyKEdZ8Fw/wzRKikDkoBuHFS/9JJgo=
|
||||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8 h1:wCnu6i6LgG66df7o4lK/COVo0OYiUI2bIuvLZ1GOBlY=
|
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8 h1:wCnu6i6LgG66df7o4lK/COVo0OYiUI2bIuvLZ1GOBlY=
|
||||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8/go.mod h1:vbsD/KqeeknPR31viJ/Ch3pii1NHFxsBrdBSxIV7HSs=
|
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8/go.mod h1:vbsD/KqeeknPR31viJ/Ch3pii1NHFxsBrdBSxIV7HSs=
|
||||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d h1:1SJvD9NIS6jGdPaOqVlyjoCEAINmSEmTcEBRMG8VGa4=
|
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9 h1:w0wgsE7L4qjgzB4a0cZ18oM4cFkaAP6mKkIGyHUZV4U=
|
||||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
|
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
|
||||||
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d h1:ZP2bLGMWnztAvnb6pLROTMpNzIH5UW3rcCVFEHdb8bs=
|
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d h1:ZP2bLGMWnztAvnb6pLROTMpNzIH5UW3rcCVFEHdb8bs=
|
||||||
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d/go.mod h1:KD56g+aeTNH2AM1l8iOBf5KxX+DSNKleEswJxXE8nI8=
|
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d/go.mod h1:KD56g+aeTNH2AM1l8iOBf5KxX+DSNKleEswJxXE8nI8=
|
||||||
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3 h1:uYWb/W7Thu9OAPodpcc89xVlsLjXd5LDcJaTpyZvxME=
|
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3 h1:uYWb/W7Thu9OAPodpcc89xVlsLjXd5LDcJaTpyZvxME=
|
||||||
|
|
20
vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md
generated
vendored
20
vendor/github.com/hashicorp/vault-plugin-auth-pcf/README.md
generated
vendored
|
@ -3,6 +3,16 @@
|
||||||
This plugin leverages PCF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation)
|
This plugin leverages PCF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation)
|
||||||
for authenticating to Vault.
|
for authenticating to Vault.
|
||||||
|
|
||||||
|
## Official Documentation
|
||||||
|
|
||||||
|
This plugin's docs reside in the following places:
|
||||||
|
|
||||||
|
- [Overview](https://www.vaultproject.io/docs/auth/pcf.html)
|
||||||
|
- [API](https://www.vaultproject.io/api/auth/pcf/index.html)
|
||||||
|
|
||||||
|
The documentation below is intended to further elaborate, and is targeted at those developing, using,
|
||||||
|
troubleshooting, and maintaining this plugin.
|
||||||
|
|
||||||
## Known Risks
|
## Known Risks
|
||||||
|
|
||||||
This authentication engine uses PCF's instance identity service to authenticate users to Vault. Because PCF
|
This authentication engine uses PCF's instance identity service to authenticate users to Vault. Because PCF
|
||||||
|
@ -302,6 +312,16 @@ Then, add a role that will be used to grant specific Vault policies to those log
|
||||||
application IDs. However, if `bound_application_ids` is omitted, then _any_ application ID will match. We recommend
|
application IDs. However, if `bound_application_ids` is omitted, then _any_ application ID will match. We recommend
|
||||||
configuring as many bound parameters as possible.
|
configuring as many bound parameters as possible.
|
||||||
|
|
||||||
|
The `bound_application_ids`, `bound_space_ids`, and `bound_organization_ids` that are tied to a particular application
|
||||||
|
can be found by looking at the `instance.crt` using the following command:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ openssl crl2pkcs7 -nocrl -certfile instance.crt | openssl pkcs7 -print_certs -text -noout
|
||||||
|
...
|
||||||
|
Subject: OU=organization:bc3874b4-002b-4548-ab27-f9bd38450651, OU=space:dd84618a-16f2-4dee-9936-04181acb6cc0, OU=app:b7b5a288-afa9-4022-802f-173ad94ebb02, CN=a9cff876-58f9-4247-67a6-62f2
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
Also, by default, the IP address on the certificate presented at login must match that of the caller. However, if
|
Also, by default, the IP address on the certificate presented at login must match that of the caller. However, if
|
||||||
your callers tend to be proxied, this may not work for you. If that's the case, set `disable_ip_matching` to true.
|
your callers tend to be proxied, this may not work for you. If that's the case, set `disable_ip_matching` to true.
|
||||||
```
|
```
|
||||||
|
|
28
vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go
generated
vendored
28
vendor/github.com/hashicorp/vault-plugin-auth-pcf/signatures/version1.go
generated
vendored
|
@ -11,12 +11,14 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/hashicorp/go-multierror"
|
"github.com/hashicorp/go-multierror"
|
||||||
)
|
)
|
||||||
|
|
||||||
const TimeFormat = "2006-01-02T15:04:05Z"
|
const TimeFormat = "2006-01-02T15:04:05Z"
|
||||||
|
const signatureVersion = "v1"
|
||||||
|
|
||||||
type SignatureData struct {
|
type SignatureData struct {
|
||||||
SigningTime time.Time
|
SigningTime time.Time
|
||||||
|
@ -66,7 +68,7 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
return base64.URLEncoding.EncodeToString(signatureBytes), nil
|
return fmt.Sprintf("%s:%s", signatureVersion, base64.StdEncoding.EncodeToString(signatureBytes)), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify ensures that a given signature was created by a private key
|
// Verify ensures that a given signature was created by a private key
|
||||||
|
@ -75,16 +77,36 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
|
||||||
// and to be issued by a chain leading to the root CA certificate. There's a
|
// and to be issued by a chain leading to the root CA certificate. There's a
|
||||||
// util function for this named Validate.
|
// util function for this named Validate.
|
||||||
func Verify(signature string, signatureData *SignatureData) (*x509.Certificate, error) {
|
func Verify(signature string, signatureData *SignatureData) (*x509.Certificate, error) {
|
||||||
|
var signatureBytes []byte
|
||||||
|
var err error
|
||||||
|
|
||||||
if signatureData == nil {
|
if signatureData == nil {
|
||||||
return nil, errors.New("signatureData must be provided")
|
return nil, errors.New("signatureData must be provided")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Use the CA certificate to verify the signature we've received.
|
// Parse signature format
|
||||||
signatureBytes, err := base64.URLEncoding.DecodeString(signature)
|
parts := strings.Split(signature, ":")
|
||||||
|
|
||||||
|
switch len(parts) {
|
||||||
|
// Original release using URL-safe encoding and no embedded version
|
||||||
|
case 1:
|
||||||
|
signatureBytes, err = base64.URLEncoding.DecodeString(parts[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
case 2:
|
||||||
|
if parts[0] != "v1" {
|
||||||
|
return nil, fmt.Errorf("invalid signature version %q", parts[0])
|
||||||
|
}
|
||||||
|
signatureBytes, err = base64.StdEncoding.DecodeString(parts[1])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
return nil, errors.New("invalid signature format")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Use the CA certificate to verify the signature we've received.
|
||||||
cfInstanceCertContentsBytes := []byte(signatureData.CFInstanceCertContents)
|
cfInstanceCertContentsBytes := []byte(signatureData.CFInstanceCertContents)
|
||||||
var block *pem.Block
|
var block *pem.Block
|
||||||
var result error
|
var result error
|
||||||
|
|
2
vendor/modules.txt
vendored
2
vendor/modules.txt
vendored
|
@ -341,7 +341,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
|
||||||
github.com/hashicorp/vault-plugin-auth-jwt
|
github.com/hashicorp/vault-plugin-auth-jwt
|
||||||
# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
|
# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
|
||||||
github.com/hashicorp/vault-plugin-auth-kubernetes
|
github.com/hashicorp/vault-plugin-auth-kubernetes
|
||||||
# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
|
# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
|
||||||
github.com/hashicorp/vault-plugin-auth-pcf
|
github.com/hashicorp/vault-plugin-auth-pcf
|
||||||
github.com/hashicorp/vault-plugin-auth-pcf/signatures
|
github.com/hashicorp/vault-plugin-auth-pcf/signatures
|
||||||
github.com/hashicorp/vault-plugin-auth-pcf/models
|
github.com/hashicorp/vault-plugin-auth-pcf/models
|
||||||
|
|
Loading…
Reference in a new issue