Sync in plugin updates
This commit is contained in:
parent
580b592f40
commit
a14ed7f48d
|
@ -58,6 +58,9 @@ func Backend() *GcpAuthBackend {
|
|||
Unauthenticated: []string{
|
||||
"login",
|
||||
},
|
||||
SealWrapStorage: []string{
|
||||
"config",
|
||||
},
|
||||
},
|
||||
Paths: framework.PathAppend(
|
||||
[]*framework.Path{
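Review bot: The seal-wrapped storage path is written as the literal `"config"` here, while the kubernetes backend's equivalent hunk in this commit references its `configPath` constant; if the gcp backend also defines a constant for the key under which its config is stored, use it here so the two strings cannot drift, because a mismatch would leave the config (which presumably holds the backend's credentials) stored unwrapped without any error. Something like `SealWrapStorage: []string{` / `<the backend's config-path constant>,` / `},` with the real identifier substituted. The enclosing `Backend()` function starts and ends outside the hunk.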
|
||||
|
|
|
@ -206,30 +206,38 @@ func (b *GcpAuthBackend) getSigningKey(token *jwt.JSONWebToken, rawToken string,
|
|||
|
||||
accountKey, err := util.ServiceAccountKey(iamClient, keyId, serviceAccountId, role.ProjectId)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
// Attempt to get a normal Google Oauth cert in case of GCE inferrence.
|
||||
key, err := b.getGoogleOauthCert(keyId, s)
|
||||
if err != nil {
|
||||
return nil, errors.New("could not find service account key or Google Oauth cert with given 'kid' id")
|
||||
}
|
||||
return key, nil
|
||||
}
|
||||
|
||||
return util.PublicKey(accountKey.PublicKeyData)
|
||||
case gceRoleType:
|
||||
var certsEndpoint string
|
||||
conf, err := b.config(s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not read config for backend: %v", err)
|
||||
}
|
||||
if conf != nil {
|
||||
certsEndpoint = conf.GoogleCertsEndpoint
|
||||
}
|
||||
|
||||
key, err := util.OAuth2RSAPublicKey(keyId, certsEndpoint)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return key, nil
|
||||
return b.getGoogleOauthCert(keyId, s)
|
||||
default:
|
||||
return nil, fmt.Errorf("unexpected role type %s", role.RoleType)
|
||||
}
|
||||
}
|
||||
|
||||
func (b *GcpAuthBackend) getGoogleOauthCert(keyId string, s logical.Storage) (interface{}, error) {
|
||||
var certsEndpoint string
|
||||
conf, err := b.config(s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not read config for backend: %v", err)
|
||||
}
|
||||
if conf != nil {
|
||||
certsEndpoint = conf.GoogleCertsEndpoint
|
||||
}
|
||||
|
||||
key, err := util.OAuth2RSAPublicKey(keyId, certsEndpoint)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return key, nil
|
||||
}
|
||||
|
||||
func validateBaseJWTClaims(c *jwt.Claims, roleName string) error {
|
||||
exp := c.Expiry.Time()
|
||||
if exp.IsZero() || exp.Before(time.Now()) {
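Review bot: In the iam case the new fallback discards the reason `util.ServiceAccountKey` failed — the inner `key, err := b.getGoogleOauthCert(keyId, s)` shadows the outer `err`, and the returned error names neither underlying failure — so an IAM API error (permissions, quota, network) becomes indistinguishable from a genuinely missing key in the audit trail. Because any error, not only a not-found result, now triggers the fallback to Google's OAuth certs, a token for an iam role may be verified against a different key set than the role was configured for whenever the IAM lookup is merely unavailable; if `util.ServiceAccountKey` can distinguish not-found from other failures, limit the fallback to that case. At minimum preserve both errors: `key, certErr := b.getGoogleOauthCert(keyId, s)` / `if certErr != nil {` / `return nil, fmt.Errorf("could not find service account key (%v) or Google Oauth cert (%v) with given 'kid' id", err, certErr)`. The new comment also misspells "inference" as "inferrence". `getSigningKey` begins before this hunk; the new `getGoogleOauthCert` is complete within it.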
|
||||
|
@ -312,6 +320,20 @@ func (b *GcpAuthBackend) pathIamLogin(req *logical.Request, loginInfo *gcpLoginI
|
|||
},
|
||||
}
|
||||
|
||||
if role.MaxTTL > time.Duration(0) {
|
||||
// Cap maxTTL to the sysview's max TTL
|
||||
maxTTL := role.MaxTTL
|
||||
if maxTTL > b.System().MaxLeaseTTL() {
|
||||
maxTTL = b.System().MaxLeaseTTL()
|
||||
}
|
||||
|
||||
// Cap TTL to MaxTTL
|
||||
if resp.Auth.TTL > maxTTL {
|
||||
resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
|
||||
resp.Auth.TTL = maxTTL
|
||||
}
|
||||
}
|
||||
|
||||
return resp, nil
|
||||
}
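Review bot: The `resp.AddWarning` line formats `resp.Auth.TTL / time.Second` with `%s`, but dividing a `time.Duration` by `time.Second` yields another `time.Duration` holding that many nanoseconds, so a one-hour TTL is reported as `3.6µs` rather than a second count; pass the durations directly, `resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, maxTTL))`, or convert with `int64(resp.Auth.TTL/time.Second)` under `%d`. The same fourteen added lines appear verbatim in the `pathGceLogin` hunk below with the same defect; extracting them into one helper taking `resp` and `role` would fix both places and keep the two login paths from diverging. Both `pathIamLogin` and `pathGceLogin` start outside their hunks.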
|
||||
|
||||
|
@ -428,6 +450,20 @@ func (b *GcpAuthBackend) pathGceLogin(req *logical.Request, loginInfo *gcpLoginI
|
|||
},
|
||||
}
|
||||
|
||||
if role.MaxTTL > time.Duration(0) {
|
||||
// Cap maxTTL to the sysview's max TTL
|
||||
maxTTL := role.MaxTTL
|
||||
if maxTTL > b.System().MaxLeaseTTL() {
|
||||
maxTTL = b.System().MaxLeaseTTL()
|
||||
}
|
||||
|
||||
// Cap TTL to MaxTTL
|
||||
if resp.Auth.TTL > maxTTL {
|
||||
resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
|
||||
resp.Auth.TTL = maxTTL
|
||||
}
|
||||
}
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
|
@ -47,6 +47,9 @@ func Backend() *kubeAuthBackend {
|
|||
Unauthenticated: []string{
|
||||
"login",
|
||||
},
|
||||
SealWrapStorage: []string{
|
||||
configPath,
|
||||
},
|
||||
},
|
||||
Paths: framework.PathAppend(
|
||||
[]*framework.Path{
|
||||
|
|
|
@ -1153,22 +1153,30 @@
|
|||
"revisionTime": "2017-10-22T02:00:50Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "of/8Lz7af5X3b1tdoVQSzOpmxMo=",
|
||||
"checksumSHA1": "sdZKlxQSisX2x4nCshF8wZYoFcs=",
|
||||
"path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin",
|
||||
"revision": "4febf0d5513b41e1a3b46036e8e2d03469235205",
|
||||
"revisionTime": "2017-10-09T12:38:52Z"
|
||||
"revision": "f45fc9303c8075b5fb0ec5c8dda32e6dac5859ed",
|
||||
"revisionTime": "2017-12-21T13:29:36Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "ffJQvzbQvmCG/PdaElGSfGnDgNM=",
|
||||
"path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin/util",
|
||||
"revision": "4febf0d5513b41e1a3b46036e8e2d03469235205",
|
||||
"revisionTime": "2017-10-09T12:38:52Z"
|
||||
"revision": "f45fc9303c8075b5fb0ec5c8dda32e6dac5859ed",
|
||||
"revisionTime": "2017-12-21T13:29:36Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "aCikfziXS2RwsOLI3GRBxulDpbQ=",
|
||||
"checksumSHA1": "B/pF8a80lWLgqfMZ4JYY2kKY0fs=",
|
||||
"path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
|
||||
"revision": "642384e9341a4b859f64c7c32cc0bdbc51523fb6",
|
||||
"revisionTime": "2017-10-30T19:15:46Z"
|
||||
"revision": "9d1bbbd0106e1e3c4ebe16cf104cfe855874133e",
|
||||
"revisionTime": "2017-11-15T23:43:07Z"
|
||||
},
|
||||
{
|
||||
"path": "github.com/hashicorp/vault-plugin/auth-gcp/plugin",
|
||||
"revision": ""
|
||||
},
|
||||
{
|
||||
"path": "github.com/hashicorp/vault-pluginauth-gcp/plugin",
|
||||
"revision": ""
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",
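Review bot: The two entries for `github.com/hashicorp/vault-plugin/auth-gcp/plugin` and `github.com/hashicorp/vault-pluginauth-gcp/plugin` carry an empty `"revision"` and no `checksumSHA1`; their paths look like mistyped variants of `github.com/hashicorp/vault-plugin-auth-gcp/plugin`, and since this hunk grows by exactly the eight lines those two entries occupy, they appear to be introduced by this commit rather than pre-existing. A vendor manifest entry with no revision and no checksum pins nothing and cannot be verified by the vendoring tool, so these entries should be removed (or corrected to the real path with a pinned revision) rather than synced in. The updated gcp and kubernetes plugin entries themselves look consistent with each other.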
|
||||
|
|