Update plugins

Brian Kassouf 2019-11-11 19:28:09 -08:00
parent c4d0391893
commit f8085f518f
13 changed files with 82 additions and 42 deletions

7
go.mod

@ -74,15 +74,15 @@ require (
github.com/hashicorp/vault-plugin-auth-azure v0.5.2-0.20190814210035-08e00d801115
github.com/hashicorp/vault-plugin-auth-centrify v0.5.2-0.20190814210042-090ec2ed93ce
github.com/hashicorp/vault-plugin-auth-cf v0.0.0-20190821162840-1c2205826fee
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6
github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190814210117-e079e01fbb93
github.com/hashicorp/vault-plugin-secrets-ad v0.6.1-0.20191108162300-8f4121d78b9c
github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190814210129-4d18bec92f56
github.com/hashicorp/vault-plugin-secrets-azure v0.5.2
github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04
github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac
github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.2-0.20190814210149-315cdbf5de6e
github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20191017213228-e8cf7060a4d0
github.com/hashicorp/vault/api v1.0.5-0.20191108163347-bdd38fca2cff
@ -95,6 +95,7 @@ require (
github.com/joyent/triton-go v0.0.0-20190112182421-51ffac552869
github.com/keybase/go-crypto v0.0.0-20190403132359-d65b6b94177f
github.com/kr/pretty v0.1.0
github.com/kr/pty v1.1.3 // indirect
github.com/kr/text v0.1.0
github.com/lib/pq v1.2.0
github.com/mattn/go-colorable v0.1.2

6
go.sum

@ -369,10 +369,14 @@ github.com/hashicorp/vault-plugin-auth-gcp v0.5.1 h1:8DR00s+Wmc21i3sfzvsqW88VMdf
github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102 h1:RTHVdxCDwxTq/4zZFkV+b8zexkSU5EOXkY2D/kAvyFU=
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102/go.mod h1:j0hMnnTD44zXGQhLM1jarYDaTmSp6OPiOzgFQ6mNgzc=
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2 h1:gtpqHauSoJCxZStLVWKMQcsdW61EewJSoegMrZLQ/GU=
github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2/go.mod h1:j0hMnnTD44zXGQhLM1jarYDaTmSp6OPiOzgFQ6mNgzc=
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2 h1:Oi9HO9/JItId2XYLEoTIW9Wcfg5sblxxO5Nr7ln1jnk=
github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2/go.mod h1:Ti2NPndKhSGpSL6gWg11n7TkmuI7318BIPeojayIVRU=
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9 h1:PjbIf3mlPBJopQSJstQAhVbdGTVZ/W35RZtm/GCOTUs=
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9/go.mod h1:qkrONCr71ckSCTItJQ1j9uet/faieZJ5c7+GZugTm7s=
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6 h1:WgxwYXCuZJtU/oIDah4A99+MuqzzL/oGQu9421IYZ6M=
github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6/go.mod h1:qkrONCr71ckSCTItJQ1j9uet/faieZJ5c7+GZugTm7s=
github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c h1:z6LQZvs1OtoVy2XgbgNhiDgp0U62Xbstn7/cgNZvh6g=
github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c/go.mod h1:YAl51RsYRihPbSdnug1NsvutzbRVfrZ12FjEIvSiOTs=
github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190814210117-e079e01fbb93 h1:kXTV1ImOPgDGZxAlbEQfiXgnZY/34vfgnZVhI/tscmg=
@ -385,6 +389,8 @@ github.com/hashicorp/vault-plugin-secrets-azure v0.5.2 h1:8Jz4kl0D4+DPpP13jbIrys
github.com/hashicorp/vault-plugin-secrets-azure v0.5.2/go.mod h1:SBc53adxMmf+o8zqRbqYvq+nuSrz8OHYmgmPfxVMJEo=
github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04 h1:2FLjwVqpWueSoxaNdcC2Za7RX8FNp8Xt8pF/03dinV4=
github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04/go.mod h1:Sc+ba3kscakE5a/pi8JJhWvXWok3cpt1P77DApmUuDc=
github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac h1:ULcFIOOFykOSrJvY3yWqDLsgcj/SuUqhY7aZ5yQ7rkM=
github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac/go.mod h1:Sc+ba3kscakE5a/pi8JJhWvXWok3cpt1P77DApmUuDc=
github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.2-0.20190814210149-315cdbf5de6e h1:RjQBOFneGwxhHsymNtbEUJXAjMO74GlZcmUrGqJnYxY=
github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.2-0.20190814210149-315cdbf5de6e/go.mod h1:5prAHuCcBiyv+xfGBviTVYeDQUhmQYN7WrxC2gMRWeQ=
github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20191017213228-e8cf7060a4d0 h1:w4qR/yfqWOYmncR1HK1CVU7iHkqgcf0USWtbp/fTHM4=


@ -3,7 +3,9 @@ package gcpauth
import (
"context"
"fmt"
"strings"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/sdk/helper/strutil"
"google.golang.org/api/compute/v1"
"google.golang.org/api/iam/v1"
@ -15,6 +17,7 @@ var _ client = (*gcpClient)(nil)
// abstracted as an interface for stubbing during testing. See stubbedClient for
// more details.
type gcpClient struct {
logger log.Logger
computeSvc *compute.Service
iamSvc *iam.Service
}
@ -28,6 +31,13 @@ func (c *gcpClient) InstanceGroups(ctx context.Context, project string, boundIns
Fields("items/*/instanceGroups/name").
Pages(ctx, func(l *compute.InstanceGroupAggregatedList) error {
for k, v := range l.Items {
// Some groups returned are regional
// TODO(emilymye, #73): Support regions?
if strings.Contains(k, "/regions/") {
c.logger.Debug("ignoring instance groups under region in instance group aggregated list", "key", k)
continue
}
zone, err := zoneFromSelfLink(k)
if err != nil {
return err
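Review bot: `c.logger.Debug(...)` in the new regional-key branch is called unconditionally on a field this commit adds to `gcpClient`, so any `gcpClient` literal that leaves `logger` unset will panic on a nil interface the first time a key containing `/regions/` appears in the aggregated list. Only one construction site is visible on this page (it sets `logger: b.Logger()`); other sites, including test stubs, should be checked, or the call guarded with `if c.logger != nil { ... }`. Separately, skipped regional groups can presumably never satisfy an instance-group binding, which fails closed but is reported only at debug level; a comment on `InstanceGroups` such as `// Regional instance groups are skipped; only zonal groups are returned.` would make that explicit. The body of `InstanceGroups` starts and ends outside this hunk.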


@ -663,6 +663,7 @@ func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, project strin
return AuthorizeGCE(ctx, &AuthorizeGCEInput{
client: &gcpClient{
logger: b.Logger(),
computeSvc: computeClient,
iamSvc: iamClient,
},


@ -73,7 +73,7 @@ func (t *tokenReviewAPI) Review(jwt string) (*tokenReviewResult, error) {
}
// Build the request to the token review API
url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", t.config.Host)
url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", strings.TrimSuffix(t.config.Host, "/"))
req, err := http.NewRequest("POST", url, bytes.NewBuffer(trJSON))
if err != nil {
return nil, err
@ -152,7 +152,7 @@ func parseResponse(resp *http.Response) (*authv1.TokenReview, error) {
return nil, kubeerrors.NewGenericServerResponse(resp.StatusCode, "POST", schema.GroupResource{}, "", strings.TrimSpace(string(body)), 0, true)
}
// If we can succesfully Unmarshal into a status object that means there is
// If we can successfully Unmarshal into a status object that means there is
// an error to return
errStatus := &metav1.Status{}
err = json.Unmarshal(body, errStatus)
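Review bot: `strings.TrimSuffix(t.config.Host, "/")` in `Review` removes exactly one trailing slash, so a configured host ending in `//` still yields a doubled slash in the token review URL. `strings.TrimRight` covers that case: `url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", strings.TrimRight(t.config.Host, "/"))`. Normalising the host once where the configuration is written, rather than on every review call, would keep the stored value and the requested URL in agreement; that code is not visible here. `Review` continues outside the hunk.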


@ -17,6 +17,7 @@ import (
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"google.golang.org/api/iam/v1"
"google.golang.org/api/option"
)
const (
@ -85,15 +86,15 @@ func Backend() *backend {
return b
}
// IAMClient returns a new IAM client. The client is cached.
func (b *backend) IAMClient(s logical.Storage) (*iam.Service, error) {
// IAMAdminClient returns a new IAM client. The client is cached.
func (b *backend) IAMAdminClient(s logical.Storage) (*iam.Service, error) {
httpClient, err := b.HTTPClient(s)
if err != nil {
return nil, errwrap.Wrapf("failed to create IAM HTTP client: {{err}}", err)
}
client, err := b.cache.Fetch("iam", cacheTime, func() (interface{}, error) {
client, err := iam.New(httpClient)
client, err := iam.NewService(context.Background(), option.WithHTTPClient(httpClient))
if err != nil {
return nil, errwrap.Wrapf("failed to create IAM client: {{err}}", err)
}
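Review bot: The doc comment on `IAMAdminClient` still reads "returns a new IAM client. The client is cached.", which contradicts itself and does not say what the rename is meant to convey. Suggested wording: `// IAMAdminClient returns the IAM admin service client, building it from the backend HTTP client on a cache miss and reusing it for cacheTime.` Because the cache key is the fixed string `"iam"`, the comment should also state whether a configuration or credential change invalidates the cached client; nothing visible in this hunk does, so a rotated credential may presumably stay in use until the entry expires. The function body continues past the end of the hunk.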


@ -28,9 +28,13 @@ func pathConfig(b *backend) *framework.Path {
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathConfigRead,
logical.UpdateOperation: b.pathConfigWrite,
Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathConfigRead,
},
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathConfigWrite,
},
},
HelpSynopsis: pathConfigHelpSyn,


@ -12,6 +12,7 @@ import (
"github.com/hashicorp/vault/sdk/helper/useragent"
"github.com/hashicorp/vault/sdk/logical"
"google.golang.org/api/iam/v1"
"google.golang.org/api/option"
)
const (
@ -46,11 +47,19 @@ func pathsRoleSet(b *backend) []*framework.Path {
},
},
ExistenceCheck: b.pathRoleSetExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.DeleteOperation: b.pathRoleSetDelete,
logical.ReadOperation: b.pathRoleSetRead,
logical.CreateOperation: b.pathRoleSetCreateUpdate,
logical.UpdateOperation: b.pathRoleSetCreateUpdate,
Operations: map[logical.Operation]framework.OperationHandler{
logical.DeleteOperation: &framework.PathOperation{
Callback: b.pathRoleSetDelete,
},
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathRoleSetRead,
},
logical.CreateOperation: &framework.PathOperation{
Callback: b.pathRoleSetCreateUpdate,
},
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathRoleSetCreateUpdate,
},
},
HelpSynopsis: pathRoleSetHelpSyn,
HelpDescription: pathRoleSetHelpDesc,
@ -65,8 +74,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
},
},
ExistenceCheck: b.pathRoleSetExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathRoleSetRotateAccount,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathRoleSetRotateAccount,
},
},
HelpSynopsis: pathRoleSetRotateHelpSyn,
HelpDescription: pathRoleSetRotateHelpDesc,
@ -81,8 +92,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
},
},
ExistenceCheck: b.pathRoleSetExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathRoleSetRotateKey,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathRoleSetRotateKey,
},
},
HelpSynopsis: pathRoleSetRotateKeyHelpSyn,
HelpDescription: pathRoleSetRotateKeyHelpDesc,
@ -90,8 +103,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
// Paths for listing role sets
{
Pattern: "rolesets/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathRoleSetList,
Operations: map[logical.Operation]framework.OperationHandler{
logical.ListOperation: &framework.PathOperation{
Callback: b.pathRoleSetList,
},
},
HelpSynopsis: pathListRoleSetHelpSyn,
@ -99,8 +114,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
},
{
Pattern: "roleset/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathRoleSetList,
Operations: map[logical.Operation]framework.OperationHandler{
logical.ListOperation: &framework.PathOperation{
Callback: b.pathRoleSetList,
},
},
HelpSynopsis: pathListRoleSetHelpSyn,
@ -217,7 +234,7 @@ func (b *backend) pathRoleSetDelete(ctx context.Context, req *logical.Request, d
return nil, err
}
iamAdmin, err := iam.New(httpC)
iamAdmin, err := iam.NewService(ctx, option.WithHTTPClient(httpC))
if err != nil {
return nil, err
}
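Review bot: `pathRoleSetDelete` builds its own service with `iam.NewService(ctx, option.WithHTTPClient(httpC))`, while the other call sites on this page obtain it through `b.IAMAdminClient(...)`. Assuming this file is in the same package as that helper and the uncached client is not deliberate, `iamAdmin, err := b.IAMAdminClient(req.Storage)` would keep client construction in one place. The bare `return nil, err` that follows also lacks the context the helper wraps its error with ("failed to create IAM client"). The function starts and ends outside this hunk.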


@ -132,7 +132,7 @@ func (b *backend) saveRoleSetWithNewAccount(ctx context.Context, s logical.Stora
return nil, err
}
iamAdmin, err := b.IAMClient(s)
iamAdmin, err := b.IAMAdminClient(s)
if err != nil {
return nil, err
}
@ -217,7 +217,7 @@ func (b *backend) saveRoleSetWithNewTokenKey(ctx context.Context, s logical.Stor
return "", fmt.Errorf("a key is not saved or used for non-access-token role set '%s'", rs.Name)
}
iamAdmin, err := b.IAMClient(s)
iamAdmin, err := b.IAMAdminClient(s)
if err != nil {
return "", err
}


@ -76,7 +76,7 @@ func (b *backend) serviceAccountRollback(ctx context.Context, req *logical.Reque
}
// Delete service account.
iamC, err := b.IAMClient(req.Storage)
iamC, err := b.IAMAdminClient(req.Storage)
if err != nil {
return err
}
@ -104,7 +104,7 @@ func (b *backend) serviceAccountKeyRollback(ctx context.Context, req *logical.Re
return nil
}
iamC, err := b.IAMClient(req.Storage)
iamC, err := b.IAMAdminClient(req.Storage)
if err != nil {
return err
}
@ -273,7 +273,7 @@ func isGoogleAccountKeyNotFoundErr(err error) bool {
return isGoogleApiErrorWithCodes(err, 403, 404)
}
func isGoogleApiErrorWithCodes(err error, validErrCodes... int) bool {
func isGoogleApiErrorWithCodes(err error, validErrCodes ...int) bool {
if err == nil {
return false
}


@ -23,9 +23,9 @@ func pathSecretAccessToken(b *backend) *framework.Path {
},
},
ExistenceCheck: b.pathRoleSetExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathAccessToken,
logical.UpdateOperation: b.pathAccessToken,
Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{Callback: b.pathAccessToken},
logical.UpdateOperation: &framework.PathOperation{Callback: b.pathAccessToken},
},
HelpSynopsis: pathTokenHelpSyn,
HelpDescription: pathTokenHelpDesc,


@ -59,9 +59,9 @@ func pathSecretServiceAccountKey(b *backend) *framework.Path {
},
},
ExistenceCheck: b.pathRoleSetExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathServiceAccountKey,
logical.UpdateOperation: b.pathServiceAccountKey,
Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{Callback: b.pathServiceAccountKey},
logical.UpdateOperation: &framework.PathOperation{Callback: b.pathServiceAccountKey},
},
HelpSynopsis: pathServiceAccountKeySyn,
HelpDescription: pathServiceAccountKeyDesc,
@ -138,7 +138,7 @@ func (b *backend) verifySecretServiceKeyExists(ctx context.Context, req *logical
}
// Verify service account key still exists.
iamAdmin, err := b.IAMClient(req.Storage)
iamAdmin, err := b.IAMAdminClient(req.Storage)
if err != nil {
return logical.ErrorResponse("could not confirm key still exists in GCP"), nil
}
@ -154,7 +154,7 @@ func (b *backend) secretKeyRevoke(ctx context.Context, req *logical.Request, d *
return nil, fmt.Errorf("secret is missing key_name internal data")
}
iamAdmin, err := b.IAMClient(req.Storage)
iamAdmin, err := b.IAMAdminClient(req.Storage)
if err != nil {
return logical.ErrorResponse(err.Error()), nil
}
@ -176,7 +176,7 @@ func (b *backend) getSecretKey(ctx context.Context, s logical.Storage, rs *RoleS
cfg = &config{}
}
iamC, err := b.IAMClient(s)
iamC, err := b.IAMAdminClient(s)
if err != nil {
return nil, errwrap.Wrapf("could not create IAM Admin client: {{err}}", err)
}

6
vendor/modules.txt vendored

@ -372,12 +372,12 @@ github.com/hashicorp/vault-plugin-auth-cf/models
github.com/hashicorp/vault-plugin-auth-cf/util
github.com/hashicorp/vault-plugin-auth-cf/testing/certificates
github.com/hashicorp/vault-plugin-auth-cf/testing/cf
# github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102
# github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2
github.com/hashicorp/vault-plugin-auth-gcp/plugin
github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
# github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2
github.com/hashicorp/vault-plugin-auth-jwt
# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9
# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6
github.com/hashicorp/vault-plugin-auth-kubernetes
# github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c
github.com/hashicorp/vault-plugin-auth-oci
@ -392,7 +392,7 @@ github.com/hashicorp/vault-plugin-secrets-alicloud
github.com/hashicorp/vault-plugin-secrets-alicloud/clients
# github.com/hashicorp/vault-plugin-secrets-azure v0.5.2
github.com/hashicorp/vault-plugin-secrets-azure
# github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04
# github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac
github.com/hashicorp/vault-plugin-secrets-gcp/plugin
github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil
github.com/hashicorp/vault-plugin-secrets-gcp/plugin/util