[VAULT-1969] Add support for custom IAM usernames based on templates (#12066)

* add ability to customize IAM usernames based on templates

* add changelog

* remove unnecessary logs

* patch: add test for readConfig

* patch: add default STS Template

* patch: remove unnecessary if cases

* patch: add regex checks in username test

* patch: update genUsername to return an error instead of warnings

* patch: separate tests for default and custom templates

* patch: return truncate warning from genUsername and trigger a 400 response on errors

* patch: truncate midString to 42 chars in default template

* docs: add new username_template field to aws docs
This commit is contained in:
vinay-gopalan 2021-07-20 09:48:29 -07:00 committed by GitHub
parent 4a9669a1bc
commit 859b60cafc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 282 additions and 42 deletions

View File

@ -8,6 +8,8 @@ import (
"github.com/hashicorp/vault/sdk/logical"
)
const defaultUserNameTemplate = `{{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}`
func pathConfigRoot(b *backend) *framework.Path {
return &framework.Path{
Pattern: "config/root",
@ -39,6 +41,10 @@ func pathConfigRoot(b *backend) *framework.Path {
Default: aws.UseServiceDefaultRetries,
Description: "Maximum number of retries for recoverable exceptions of AWS APIs",
},
"username_template": {
Type: framework.TypeString,
Description: "Template to generate custom IAM usernames",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
@ -75,6 +81,7 @@ func (b *backend) pathConfigRootRead(ctx context.Context, req *logical.Request,
"iam_endpoint": config.IAMEndpoint,
"sts_endpoint": config.STSEndpoint,
"max_retries": config.MaxRetries,
"username_template": config.UsernameTemplate,
}
return &logical.Response{
Data: configData,
@ -86,6 +93,10 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
iamendpoint := data.Get("iam_endpoint").(string)
stsendpoint := data.Get("sts_endpoint").(string)
maxretries := data.Get("max_retries").(int)
usernameTemplate := data.Get("username_template").(string)
if usernameTemplate == "" {
usernameTemplate = defaultUserNameTemplate
}
b.clientMutex.Lock()
defer b.clientMutex.Unlock()
@ -97,6 +108,7 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
STSEndpoint: stsendpoint,
Region: region,
MaxRetries: maxretries,
UsernameTemplate: usernameTemplate,
})
if err != nil {
return nil, err
@ -121,6 +133,7 @@ type rootConfig struct {
STSEndpoint string `json:"sts_endpoint"`
Region string `json:"region"`
MaxRetries int `json:"max_retries"`
UsernameTemplate string `json:"username_template"`
}
const pathConfigRootHelpSyn = `

View File

@ -24,6 +24,7 @@ func TestBackend_PathConfigRoot(t *testing.T) {
"iam_endpoint": "https://iam.amazonaws.com",
"sts_endpoint": "https://sts.us-west-2.amazonaws.com",
"max_retries": 10,
"username_template": defaultUserNameTemplate,
}
configReq := &logical.Request{

View File

@ -3,12 +3,12 @@ package aws
import (
"context"
"fmt"
"math/rand"
"regexp"
"time"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/awsutil"
"github.com/hashicorp/vault/sdk/helper/template"
"github.com/hashicorp/vault/sdk/logical"
"github.com/aws/aws-sdk-go/aws"
@ -17,7 +17,11 @@ import (
"github.com/hashicorp/errwrap"
)
const secretAccessKeyType = "access_keys"
const (
secretAccessKeyType = "access_keys"
storageKey = "config/root"
defaultSTSTemplate = `{{ printf "vault-%d-%d" (unix_time) (random 20) | truncate 32 }}`
)
func secretAccessKeys(b *backend) *framework.Secret {
return &framework.Secret{
@ -43,26 +47,45 @@ func secretAccessKeys(b *backend) *framework.Secret {
}
}
func genUsername(displayName, policyName, userType string) (ret string, warning string) {
var midString string
func genUsername(displayName, policyName, userType, usernameTemplate string) (ret string, warning string, err error) {
switch userType {
case "iam_user":
// IAM users are capped at 64 chars; this leaves, after the beginning and
// end added below, 42 chars to play with.
midString = fmt.Sprintf("%s-%s-",
normalizeDisplayName(displayName),
normalizeDisplayName(policyName))
if len(midString) > 42 {
midString = midString[0:42]
warning = "the calling token display name/IAM policy name were truncated to fit into IAM username length limits"
up, err := template.NewTemplate(template.Template(usernameTemplate))
if err != nil {
return "", "", fmt.Errorf("unable to initialize username template: %w", err)
}
um := UsernameMetadata{
DisplayName: normalizeDisplayName(displayName),
PolicyName: normalizeDisplayName(policyName),
}
ret, err = up.Generate(um)
if err != nil {
return "", "", fmt.Errorf("failed to generate username: %w", err)
}
// To prevent template from exceeding IAM length limits
if len(ret) > 64 {
ret = ret[0:64]
warning = "the calling token display name/IAM policy name were truncated to 64 characters to fit within IAM username length limits"
}
case "sts":
// Capped at 32 chars, which leaves only a couple of characters to play
// with, so don't insert display name or policy name at all
up, err := template.NewTemplate(template.Template(usernameTemplate))
if err != nil {
return "", "", fmt.Errorf("unable to initialize username template: %w", err)
}
ret = fmt.Sprintf("vault-%s%d-%d", midString, time.Now().Unix(), rand.Int31n(10000))
um := UsernameMetadata{}
ret, err = up.Generate(um)
if err != nil {
return "", "", fmt.Errorf("failed to generate username: %w", err)
}
}
return
}
@ -90,7 +113,11 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
return logical.ErrorResponse(err.Error()), nil
}
username, usernameWarning := genUsername(displayName, policyName, "sts")
username, usernameWarning, usernameError := genUsername(displayName, policyName, "sts", defaultSTSTemplate)
// Send a 400 to Framework.OperationFunc Handler
if usernameError != nil {
return nil, usernameError
}
getTokenInput := &sts.GetFederationTokenInput{
Name: aws.String(username),
@ -165,15 +192,27 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
return logical.ErrorResponse(err.Error()), nil
}
config, err := readConfig(ctx, s)
if err != nil {
return nil, fmt.Errorf("unable to read configuration: %w", err)
}
// Set as defaultUsernameTemplate if not provided
usernameTemplate := config.UsernameTemplate
if usernameTemplate == "" {
usernameTemplate = defaultUserNameTemplate
}
roleSessionNameWarning := ""
var roleSessionNameError error
if roleSessionName == "" {
roleSessionName, roleSessionNameWarning = genUsername(displayName, roleName, "iam_user")
roleSessionName, roleSessionNameWarning, roleSessionNameError = genUsername(displayName, roleName, "iam_user", usernameTemplate)
// Send a 400 to Framework.OperationFunc Handler
if roleSessionNameError != nil {
return nil, roleSessionNameError
}
} else {
roleSessionName = normalizeDisplayName(roleSessionName)
if len(roleSessionName) > 64 {
roleSessionName = roleSessionName[0:64]
roleSessionNameWarning = "the role session name was truncated to 64 characters to fit within IAM session name length limits"
}
}
assumeRoleInput := &sts.AssumeRoleInput{
@ -216,6 +255,22 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
return resp, nil
}
func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {
entry, err := storage.Get(ctx, storageKey)
if err != nil {
return rootConfig{}, err
}
if entry == nil {
return rootConfig{}, nil
}
var connConfig rootConfig
if err := entry.DecodeJSON(&connConfig); err != nil {
return rootConfig{}, err
}
return connConfig, nil
}
func (b *backend) secretAccessKeysCreate(
ctx context.Context,
s logical.Storage,
@ -226,7 +281,22 @@ func (b *backend) secretAccessKeysCreate(
return logical.ErrorResponse(err.Error()), nil
}
username, usernameWarning := genUsername(displayName, policyName, "iam_user")
config, err := readConfig(ctx, s)
if err != nil {
return nil, fmt.Errorf("unable to read configuration: %w", err)
}
// Set as defaultUsernameTemplate if not provided
usernameTemplate := config.UsernameTemplate
if usernameTemplate == "" {
usernameTemplate = defaultUserNameTemplate
}
username, usernameWarning, usernameError := genUsername(displayName, policyName, "iam_user", usernameTemplate)
// Send a 400 to Framework.OperationFunc Handler
if usernameError != nil {
return nil, usernameError
}
// Write to the WAL that this user will be created. We do this before
// the user is created because if switch the order then the WAL put
@ -435,3 +505,8 @@ func convertPolicyARNs(policyARNs []string) []*sts.PolicyDescriptorType {
}
return retval
}
type UsernameMetadata struct {
DisplayName string
PolicyName string
}

View File

@ -1,7 +1,12 @@
package aws
import (
"context"
"strings"
"testing"
"github.com/hashicorp/vault/sdk/logical"
"github.com/stretchr/testify/require"
)
func TestNormalizeDisplayName_NormRequired(t *testing.T) {
@ -40,3 +45,143 @@ func TestNormalizeDisplayName_NormNotRequired(t *testing.T) {
}
}
}
func TestGenUsername(t *testing.T) {
testUsername, warning, err := genUsername("name1", "policy1", "iam_user", `{{ printf "vault-%s-%s-%s-%s" (.DisplayName) (.PolicyName) (unix_time) (random 20) | truncate 64 }}`)
if err != nil {
t.Fatalf(
"expected no err; got %s",
err,
)
}
expectedUsernameRegex := `^vault-name1-policy1-[0-9]+-[a-zA-Z0-9]+`
require.Regexp(t, expectedUsernameRegex, testUsername)
// IAM usernames are capped at 64 characters
if len(testUsername) > 64 {
t.Fatalf(
"expected IAM username to be of length 64, got %d",
len(testUsername),
)
}
testUsername, warning, err = genUsername(
"this---is---a---very---long---name",
"long------policy------name",
"iam_user",
`{{ printf "%s-%s-%s-%s" (.DisplayName) (.PolicyName) (unix_time) (random 20) }}`,
)
if warning == "" || !strings.Contains(warning, "calling token display name/IAM policy name were truncated to 64 characters") {
t.Fatalf("expected a truncate warning; received empty string")
}
if len(testUsername) != 64 {
t.Fatalf("expected a username cap at 64 chars; got length: %d", len(testUsername))
}
testUsername, warning, err = genUsername("name1", "policy1", "sts", defaultSTSTemplate)
if strings.Contains(testUsername, "name1") || strings.Contains(testUsername, "policy1") {
t.Fatalf(
"expected sts username to not contain display name or policy name; got %s",
testUsername,
)
}
// STS usernames are capped at 64 characters
if len(testUsername) > 32 {
t.Fatalf(
"expected sts username to be under 32 chars; got %s of length %d",
testUsername,
len(testUsername),
)
}
}
func TestReadConfig_DefaultTemplate(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b := Backend()
if err := b.Setup(context.Background(), config); err != nil {
t.Fatal(err)
}
testTemplate := ""
configData := map[string]interface{}{
"connection_uri": "test_uri",
"username": "guest",
"password": "guest",
"username_template": testTemplate,
}
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "config/root",
Storage: config.StorageView,
Data: configData,
}
resp, err := b.HandleRequest(context.Background(), configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr:%s", resp, err)
}
if resp != nil {
t.Fatal("expected a nil response")
}
configResult, err := readConfig(context.Background(), config.StorageView)
if err != nil {
t.Fatalf("expected err to be nil; got %s", err)
}
// No template provided, config set to defaultUsernameTemplate
if configResult.UsernameTemplate != defaultUserNameTemplate {
t.Fatalf(
"expected template %s; got %s",
defaultUserNameTemplate,
configResult.UsernameTemplate,
)
}
}
func TestReadConfig_CustomTemplate(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b := Backend()
if err := b.Setup(context.Background(), config); err != nil {
t.Fatal(err)
}
testTemplate := "`foo-{{ .DisplayName }}`"
configData := map[string]interface{}{
"connection_uri": "test_uri",
"username": "guest",
"password": "guest",
"username_template": testTemplate,
}
configReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "config/root",
Storage: config.StorageView,
Data: configData,
}
resp, err := b.HandleRequest(context.Background(), configReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr:%s", resp, err)
}
if resp != nil {
t.Fatal("expected a nil response")
}
configResult, err := readConfig(context.Background(), config.StorageView)
if err != nil {
t.Fatalf("expected err to be nil; got %s", err)
}
if configResult.UsernameTemplate != testTemplate {
t.Fatalf(
"expected template %s; got %s",
testTemplate,
configResult.UsernameTemplate,
)
}
}

3
changelog/12066.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:feature
secrets/aws: add support for custom IAM usernames
```

View File

@ -58,6 +58,9 @@ valid AWS credentials with proper permissions.
- `sts_endpoint` `(string: <optional>)`  Specifies a custom HTTP STS endpoint to use.
- `username_template` `(string: <optional>)` - [Template](/docs/concepts/username-templating) describing how
dynamic usernames are generated. IAM usernames are capped at 64 characters. Longer usernames will be truncated.
### Sample Payload
```json