197 lines
4.2 KiB
Go
197 lines
4.2 KiB
Go
package jwt
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io/fs"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"sync"
|
|
"sync/atomic"
|
|
"time"
|
|
|
|
hclog "github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/vault/api"
|
|
"github.com/hashicorp/vault/command/agent/auth"
|
|
)
|
|
|
|
type jwtMethod struct {
|
|
logger hclog.Logger
|
|
path string
|
|
mountPath string
|
|
role string
|
|
credsFound chan struct{}
|
|
watchCh chan string
|
|
stopCh chan struct{}
|
|
doneCh chan struct{}
|
|
credSuccessGate chan struct{}
|
|
ticker *time.Ticker
|
|
once *sync.Once
|
|
latestToken *atomic.Value
|
|
}
|
|
|
|
// NewJWTAuthMethod returns an implementation of Agent's auth.AuthMethod
|
|
// interface for JWT auth.
|
|
func NewJWTAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
|
|
if conf == nil {
|
|
return nil, errors.New("empty config")
|
|
}
|
|
if conf.Config == nil {
|
|
return nil, errors.New("empty config data")
|
|
}
|
|
|
|
j := &jwtMethod{
|
|
logger: conf.Logger,
|
|
mountPath: conf.MountPath,
|
|
credsFound: make(chan struct{}),
|
|
watchCh: make(chan string),
|
|
stopCh: make(chan struct{}),
|
|
doneCh: make(chan struct{}),
|
|
credSuccessGate: make(chan struct{}),
|
|
once: new(sync.Once),
|
|
latestToken: new(atomic.Value),
|
|
}
|
|
j.latestToken.Store("")
|
|
|
|
pathRaw, ok := conf.Config["path"]
|
|
if !ok {
|
|
return nil, errors.New("missing 'path' value")
|
|
}
|
|
j.path, ok = pathRaw.(string)
|
|
if !ok {
|
|
return nil, errors.New("could not convert 'path' config value to string")
|
|
}
|
|
|
|
roleRaw, ok := conf.Config["role"]
|
|
if !ok {
|
|
return nil, errors.New("missing 'role' value")
|
|
}
|
|
j.role, ok = roleRaw.(string)
|
|
if !ok {
|
|
return nil, errors.New("could not convert 'role' config value to string")
|
|
}
|
|
|
|
switch {
|
|
case j.path == "":
|
|
return nil, errors.New("'path' value is empty")
|
|
case j.role == "":
|
|
return nil, errors.New("'role' value is empty")
|
|
}
|
|
|
|
j.ticker = time.NewTicker(500 * time.Millisecond)
|
|
|
|
go j.runWatcher()
|
|
|
|
j.logger.Info("jwt auth method created", "path", j.path)
|
|
|
|
return j, nil
|
|
}
|
|
|
|
func (j *jwtMethod) Authenticate(_ context.Context, _ *api.Client) (string, http.Header, map[string]interface{}, error) {
|
|
j.logger.Trace("beginning authentication")
|
|
|
|
j.ingressToken()
|
|
|
|
latestToken := j.latestToken.Load().(string)
|
|
if latestToken == "" {
|
|
return "", nil, nil, errors.New("latest known jwt is empty, cannot authenticate")
|
|
}
|
|
|
|
return fmt.Sprintf("%s/login", j.mountPath), nil, map[string]interface{}{
|
|
"role": j.role,
|
|
"jwt": latestToken,
|
|
}, nil
|
|
}
|
|
|
|
func (j *jwtMethod) NewCreds() chan struct{} {
|
|
return j.credsFound
|
|
}
|
|
|
|
func (j *jwtMethod) CredSuccess() {
|
|
j.once.Do(func() {
|
|
close(j.credSuccessGate)
|
|
})
|
|
}
|
|
|
|
func (j *jwtMethod) Shutdown() {
|
|
j.ticker.Stop()
|
|
close(j.stopCh)
|
|
<-j.doneCh
|
|
}
|
|
|
|
func (j *jwtMethod) runWatcher() {
|
|
defer close(j.doneCh)
|
|
|
|
select {
|
|
case <-j.stopCh:
|
|
return
|
|
|
|
case <-j.credSuccessGate:
|
|
// We only start the next loop once we're initially successful,
|
|
// since at startup Authenticate will be called and we don't want
|
|
// to end up immediately reauthenticating by having found a new
|
|
// value
|
|
}
|
|
|
|
for {
|
|
select {
|
|
case <-j.stopCh:
|
|
return
|
|
|
|
case <-j.ticker.C:
|
|
latestToken := j.latestToken.Load().(string)
|
|
j.ingressToken()
|
|
newToken := j.latestToken.Load().(string)
|
|
if newToken != latestToken {
|
|
j.credsFound <- struct{}{}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func (j *jwtMethod) ingressToken() {
|
|
fi, err := os.Lstat(j.path)
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
return
|
|
}
|
|
j.logger.Error("error encountered stat'ing jwt file", "error", err)
|
|
return
|
|
}
|
|
|
|
j.logger.Debug("new jwt file found")
|
|
|
|
// Check that the path refers to a file.
|
|
// If it's a symlink, it could still be a symlink to a directory,
|
|
// but ioutil.ReadFile below will return a descriptive error.
|
|
switch mode := fi.Mode(); {
|
|
case mode.IsRegular():
|
|
// regular file
|
|
case mode&fs.ModeSymlink != 0:
|
|
// symlink
|
|
default:
|
|
j.logger.Error("jwt file is not a regular file or symlink")
|
|
return
|
|
}
|
|
|
|
token, err := ioutil.ReadFile(j.path)
|
|
if err != nil {
|
|
j.logger.Error("failed to read jwt file", "error", err)
|
|
return
|
|
}
|
|
|
|
switch len(token) {
|
|
case 0:
|
|
j.logger.Warn("empty jwt file read")
|
|
|
|
default:
|
|
j.latestToken.Store(string(token))
|
|
}
|
|
|
|
if err := os.Remove(j.path); err != nil {
|
|
j.logger.Error("error removing jwt file", "error", err)
|
|
}
|
|
}
|