Update PCF Auth plugin (#7306)

Jim Kalafut 2019-08-14 06:43:04 -07:00 committed by Chris Hoffman
parent 38e2815d1a
commit 3e7a2211bf
5 changed files with 51 additions and 9 deletions

2
go.mod

@ -75,7 +75,7 @@ require (
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190730042519-f5a47667d35c
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3
github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190730042556-6c462a37ae43

4
go.sum

@ -318,8 +318,8 @@ github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20190730042527-3d85d12ec6b6/go.mod h1:vtUJ+05r7coC4TyKEdZ8Fw/wzRKikDkoBuHFS/9JJgo=
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8 h1:wCnu6i6LgG66df7o4lK/COVo0OYiUI2bIuvLZ1GOBlY=
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8/go.mod h1:vbsD/KqeeknPR31viJ/Ch3pii1NHFxsBrdBSxIV7HSs=
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d h1:1SJvD9NIS6jGdPaOqVlyjoCEAINmSEmTcEBRMG8VGa4=
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9 h1:w0wgsE7L4qjgzB4a0cZ18oM4cFkaAP6mKkIGyHUZV4U=
github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9/go.mod h1:+Zk2sV+Ga2KPH5QTmDU3v7qBJDD9GljESoNdU/Ea/0A=
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d h1:ZP2bLGMWnztAvnb6pLROTMpNzIH5UW3rcCVFEHdb8bs=
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190730042544-81772df4467d/go.mod h1:KD56g+aeTNH2AM1l8iOBf5KxX+DSNKleEswJxXE8nI8=
github.com/hashicorp/vault-plugin-secrets-ad v0.5.3-0.20190730042549-a191a183a1f3 h1:uYWb/W7Thu9OAPodpcc89xVlsLjXd5LDcJaTpyZvxME=


@ -3,6 +3,16 @@
This plugin leverages PCF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation)
for authenticating to Vault.
## Official Documentation
This plugin's docs reside in the following places:
- [Overview](https://www.vaultproject.io/docs/auth/pcf.html)
- [API](https://www.vaultproject.io/api/auth/pcf/index.html)
The documentation below is intended to further elaborate, and is targeted at those developing, using,
troubleshooting, and maintaining this plugin.
## Known Risks
This authentication engine uses PCF's instance identity service to authenticate users to Vault. Because PCF
@ -302,6 +312,16 @@ Then, add a role that will be used to grant specific Vault policies to those log
application IDs. However, if `bound_application_ids` is omitted, then _any_ application ID will match. We recommend
configuring as many bound parameters as possible.
The `bound_application_ids`, `bound_space_ids`, and `bound_organization_ids` that are tied to a particular application
can be found by looking at the `instance.crt` using the following command:
```
$ openssl crl2pkcs7 -nocrl -certfile instance.crt | openssl pkcs7 -print_certs -text -noout
...
Subject: OU=organization:bc3874b4-002b-4548-ab27-f9bd38450651, OU=space:dd84618a-16f2-4dee-9936-04181acb6cc0, OU=app:b7b5a288-afa9-4022-802f-173ad94ebb02, CN=a9cff876-58f9-4247-67a6-62f2
...
```
Also, by default, the IP address on the certificate presented at login must match that of the caller. However, if
your callers tend to be proxied, this may not work for you. If that's the case, set `disable_ip_matching` to true.
```


@ -11,12 +11,14 @@ import (
"errors"
"fmt"
"io/ioutil"
"strings"
"time"
"github.com/hashicorp/go-multierror"
)
const TimeFormat = "2006-01-02T15:04:05Z"
const signatureVersion = "v1"
type SignatureData struct {
SigningTime time.Time
@ -66,7 +68,7 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
if err != nil {
return "", err
}
return base64.URLEncoding.EncodeToString(signatureBytes), nil
return fmt.Sprintf("%s:%s", signatureVersion, base64.StdEncoding.EncodeToString(signatureBytes)), nil
}
// Verify ensures that a given signature was created by a private key
@ -75,16 +77,36 @@ func Sign(pathToPrivateKey string, signatureData *SignatureData) (string, error)
// and to be issued by a chain leading to the root CA certificate. There's a
// util function for this named Validate.
func Verify(signature string, signatureData *SignatureData) (*x509.Certificate, error) {
var signatureBytes []byte
var err error
if signatureData == nil {
return nil, errors.New("signatureData must be provided")
}
// Use the CA certificate to verify the signature we've received.
signatureBytes, err := base64.URLEncoding.DecodeString(signature)
// Parse signature format
parts := strings.Split(signature, ":")
switch len(parts) {
// Original release using URL-safe encoding and no embedded version
case 1:
signatureBytes, err = base64.URLEncoding.DecodeString(parts[0])
if err != nil {
return nil, err
}
case 2:
if parts[0] != "v1" {
return nil, fmt.Errorf("invalid signature version %q", parts[0])
}
signatureBytes, err = base64.StdEncoding.DecodeString(parts[1])
if err != nil {
return nil, err
}
default:
return nil, errors.New("invalid signature format")
}
// Use the CA certificate to verify the signature we've received.
cfInstanceCertContentsBytes := []byte(signatureData.CFInstanceCertContents)
var block *pem.Block
var result error
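Review bot: The version check in `case 2` of Verify compares against the literal `"v1"` while Sign builds the prefix from the new `signatureVersion` constant, so the two sides can drift apart if the constant ever changes; use `if parts[0] != signatureVersion {` there. The signature string presumably arrives from a login request, and `strings.Split(signature, ":")` allocates one element per colon before the length is checked; `parts := strings.SplitN(signature, ":", 3)` keeps all three switch branches working while bounding that work. The unversioned `case 1` path keeps accepting URL-safe signatures indefinitely, so a short comment stating when it can be retired, plus a test covering both formats, would help. Verify's body continues past the end of this hunk.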

2
vendor/modules.txt vendored

@ -341,7 +341,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
github.com/hashicorp/vault-plugin-auth-jwt
# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190730042533-e4b69df916b8
github.com/hashicorp/vault-plugin-auth-kubernetes
# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190730042539-6f948c02ea2d
# github.com/hashicorp/vault-plugin-auth-pcf v0.0.0-20190813234723-10bdf3b39ed9
github.com/hashicorp/vault-plugin-auth-pcf
github.com/hashicorp/vault-plugin-auth-pcf/signatures
github.com/hashicorp/vault-plugin-auth-pcf/models