Update PCF Auth plugin (#7306)
This commit is contained in:
parent
38e2815d1a
commit
3e7a2211bf
2
go.mod
2
go.mod
|
@ -75,7 +75,7 @@ require (
|
|||
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190730042519-f5a47667d35c
|
||||
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
|
||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
|
||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
|
||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
|
||||
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d
|
||||
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3
|
||||
github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190730042556-6c462a37ae43
|
||||
|
|
4
go.sum
4
go.sum
|
@ -318,8 +318,8 @@ github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
|
|||
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6/go.mod h1:vtUJ+05r7coC4TyKEdZ8Fw/wzRKikDkoBuHFS/9JJgo=
|
||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8 h1:wCnu6i6LgG66df7o4lK/COVo0OYiUI2bIuvLZ1GOBlY=
|
||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8/go.mod h1:vbsD/KqeeknPR31viJ/Ch3pii1NHFxsBrdBSxIV7HSs=
|
||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d h1:1SJvD9NIS6jGdPaOqVlyjoCEAINmSEmTcEBRMG8VGa4=
|
||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
|
||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9 h1:w0wgsE7L4qjgzB4a0cZ18oM4cFkaAP6mKkIGyHUZV4U=
|
||||
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
|
||||
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d h1:ZP2bLGMWnztAvnb6pLROTMpNzIH5UW3rcCVFEHdb8bs=
|
||||
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d/go.mod h1:KD56g+aeTNH2AM1l8iOBf5KxX+DSNKleEswJxXE8nI8=
|
||||
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3 h1:uYWb/W7Thu9OAPodpcc89xVlsLjXd5LDcJaTpyZvxME=
|
||||
|
|
|
@ -3,6 +3,16 @@
|
|||
This plugin leverages PCF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation)
|
||||
for authenticating to Vault.
|
||||
|
||||
## Official Documentation
|
||||
|
||||
This plugin's docs reside in the following places:
|
||||
|
||||
- [Overview](https://www.vaultproject.io/docs/auth/pcf.html)
|
||||
- [API](https://www.vaultproject.io/api/auth/pcf/index.html)
|
||||
|
||||
The documentation below is intended to further elaborate, and is targeted at those developing, using,
|
||||
troubleshooting, and maintaining this plugin.
|
||||
|
||||
## Known Risks
|
||||
|
||||
This authentication engine uses PCF's instance identity service to authenticate users to Vault. Because PCF
|
||||
|
@ -302,6 +312,16 @@ Then, add a role that will be used to grant specific Vault policies to those log
|
|||
application IDs. However, if `bound_application_ids` is omitted, then _any_ application ID will match. We recommend
|
||||
configuring as many bound parameters as possible.
|
||||
|
||||
The `bound_application_ids`, `bound_space_ids`, and `bound_organization_ids` that are tied to a particular application
|
||||
can be found by looking at the `instance.crt` using the following command:
|
||||
|
||||
```
|
||||
$ openssl crl2pkcs7 -nocrl -certfile instance.crt | openssl pkcs7 -print_certs -text -noout
|
||||
...
|
||||
Subject: OU=organization:bc3874b4-002b-4548-ab27-f9bd38450651, OU=space:dd84618a-16f2-4dee-9936-04181acb6cc0, OU=app:b7b5a288-afa9-4022-802f-173ad94ebb02, CN=a9cff876-58f9-4247-67a6-62f2
|
||||
...
|
||||
```
|
||||
|
||||
Also, by default, the IP address on the certificate presented at login must match that of the caller. However, if
|
||||
your callers tend to be proxied, this may not work for you. If that's the case, set `disable_ip_matching` to true.
|
||||
```
|
||||
|
|
|
@ -11,12 +11,14 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/go-multierror"
|
||||
)
|
||||
|
||||
const TimeFormat = "2006-01-02T15:04:05Z"
|
||||
const signatureVersion = "v1"
|
||||
|
||||
type SignatureData struct {
|
||||
SigningTime time.Time
|
||||
|
@ -66,7 +68,7 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
|
|||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return base64.URLEncoding.EncodeToString(signatureBytes), nil
|
||||
return fmt.Sprintf("%s:%s", signatureVersion, base64.StdEncoding.EncodeToString(signatureBytes)), nil
|
||||
}
|
||||
|
||||
// Verify ensures that a given signature was created by a private key
|
||||
|
@ -75,16 +77,36 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
|
|||
// and to be issued by a chain leading to the root CA certificate. There's a
|
||||
// util function for this named Validate.
|
||||
func Verify(signature string, signatureData *SignatureData) (*x509.Certificate, error) {
|
||||
var signatureBytes []byte
|
||||
var err error
|
||||
|
||||
if signatureData == nil {
|
||||
return nil, errors.New("signatureData must be provided")
|
||||
}
|
||||
|
||||
// Use the CA certificate to verify the signature we've received.
|
||||
signatureBytes, err := base64.URLEncoding.DecodeString(signature)
|
||||
// Parse signature format
|
||||
parts := strings.Split(signature, ":")
|
||||
|
||||
switch len(parts) {
|
||||
// Original release using URL-safe encoding and no embedded version
|
||||
case 1:
|
||||
signatureBytes, err = base64.URLEncoding.DecodeString(parts[0])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
case 2:
|
||||
if parts[0] != "v1" {
|
||||
return nil, fmt.Errorf("invalid signature version %q", parts[0])
|
||||
}
|
||||
signatureBytes, err = base64.StdEncoding.DecodeString(parts[1])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
default:
|
||||
return nil, errors.New("invalid signature format")
|
||||
}
|
||||
|
||||
// Use the CA certificate to verify the signature we've received.
|
||||
cfInstanceCertContentsBytes := []byte(signatureData.CFInstanceCertContents)
|
||||
var block *pem.Block
|
||||
var result error
|
||||
|
|
|
@ -341,7 +341,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
|
|||
github.com/hashicorp/vault-plugin-auth-jwt
|
||||
# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
|
||||
github.com/hashicorp/vault-plugin-auth-kubernetes
|
||||
# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
|
||||
# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
|
||||
github.com/hashicorp/vault-plugin-auth-pcf
|
||||
github.com/hashicorp/vault-plugin-auth-pcf/signatures
|
||||
github.com/hashicorp/vault-plugin-auth-pcf/models
|
||||
|
|
Loading…
Reference in New Issue