e18f180609
* Add native Login method for GCP auth backend * Add native Login method for Azure auth backend * Add changelog entry * Use official azure library Environment struct rather than passing string, add timeouts * Use v1.3.0 which now has interface definition * Don't throw away error and close resp body * Back to WithResource so we can support non-Azure URLs for aud
185 lines
4.9 KiB
Go
185 lines
4.9 KiB
Go
package gcp
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
|
|
"cloud.google.com/go/compute/metadata"
|
|
credentials "cloud.google.com/go/iam/credentials/apiv1"
|
|
"github.com/hashicorp/vault/api"
|
|
credentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1"
|
|
)
|
|
|
|
type GCPAuth struct {
|
|
roleName string
|
|
mountPath string
|
|
authType string
|
|
serviceAccountEmail string
|
|
}
|
|
|
|
var _ api.AuthMethod = (*GCPAuth)(nil)
|
|
|
|
type LoginOption func(a *GCPAuth) error
|
|
|
|
const (
|
|
iamType = "iam"
|
|
gceType = "gce"
|
|
defaultMountPath = "gcp"
|
|
defaultAuthType = gceType
|
|
identityMetadataURL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
|
|
)
|
|
|
|
// NewGCPAuth initializes a new GCP auth method interface to be
|
|
// passed as a parameter to the client.Auth().Login method.
|
|
//
|
|
// Supported options: WithMountPath, WithIAMAuth, WithGCEAuth
|
|
func NewGCPAuth(roleName string, opts ...LoginOption) (*GCPAuth, error) {
|
|
if roleName == "" {
|
|
return nil, fmt.Errorf("no role name provided for login")
|
|
}
|
|
|
|
a := &GCPAuth{
|
|
mountPath: defaultMountPath,
|
|
authType: defaultAuthType,
|
|
roleName: roleName,
|
|
}
|
|
|
|
// Loop through each option
|
|
for _, opt := range opts {
|
|
// Call the option giving the instantiated
|
|
// *GCPAuth as the argument
|
|
err := opt(a)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error with login option: %w", err)
|
|
}
|
|
}
|
|
|
|
// return the modified auth struct instance
|
|
return a, nil
|
|
}
|
|
|
|
// Login sets up the required request body for the GCP auth method's /login
|
|
// endpoint, and performs a write to it. This method defaults to the "gce"
|
|
// auth type unless NewGCPAuth is called with WithIAMAuth().
|
|
func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
|
loginData := map[string]interface{}{
|
|
"role": a.roleName,
|
|
}
|
|
switch a.authType {
|
|
case gceType:
|
|
jwt, err := a.getJWTFromMetadataService(client.Address())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to retrieve JWT from GCE metadata service: %w", err)
|
|
}
|
|
loginData["jwt"] = jwt
|
|
case iamType:
|
|
jwtResp, err := a.signJWT()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to sign JWT for authenticating to GCP: %w", err)
|
|
}
|
|
loginData["jwt"] = jwtResp.SignedJwt
|
|
}
|
|
|
|
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
|
resp, err := client.Logical().Write(path, loginData)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to log in with GCP auth: %w", err)
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func WithMountPath(mountPath string) LoginOption {
|
|
return func(a *GCPAuth) error {
|
|
a.mountPath = mountPath
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func WithIAMAuth(serviceAccountEmail string) LoginOption {
|
|
return func(a *GCPAuth) error {
|
|
a.serviceAccountEmail = serviceAccountEmail
|
|
a.authType = iamType
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func WithGCEAuth() LoginOption {
|
|
return func(a *GCPAuth) error {
|
|
a.authType = gceType
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// generate signed JWT token from GCP IAM.
|
|
func (a *GCPAuth) signJWT() (*credentialspb.SignJwtResponse, error) {
|
|
ctx := context.Background()
|
|
iamClient, err := credentials.NewIamCredentialsClient(ctx) // can pass option.WithCredentialsFile("path/to/creds.json") as second param if GOOGLE_APPLICATION_CREDENTIALS env var not set
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to initialize IAM credentials client: %w", err)
|
|
}
|
|
defer iamClient.Close()
|
|
|
|
resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", a.serviceAccountEmail)
|
|
jwtPayload := map[string]interface{}{
|
|
"aud": fmt.Sprintf("vault/%s", a.roleName),
|
|
"sub": a.serviceAccountEmail,
|
|
"exp": time.Now().Add(time.Minute * 10).Unix(),
|
|
}
|
|
|
|
payloadBytes, err := json.Marshal(jwtPayload)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to marshal jwt payload to json: %w", err)
|
|
}
|
|
|
|
signJWTReq := &credentialspb.SignJwtRequest{
|
|
Name: resourceName,
|
|
Payload: string(payloadBytes),
|
|
}
|
|
|
|
jwtResp, err := iamClient.SignJwt(ctx, signJWTReq)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to sign JWT: %w", err)
|
|
}
|
|
|
|
return jwtResp, nil
|
|
}
|
|
|
|
func (a *GCPAuth) getJWTFromMetadataService(vaultAddress string) (string, error) {
|
|
if !metadata.OnGCE() {
|
|
return "", fmt.Errorf("GCE metadata service not available")
|
|
}
|
|
|
|
// build request to metadata server
|
|
c := &http.Client{}
|
|
req, err := http.NewRequest(http.MethodGet, identityMetadataURL, nil)
|
|
if err != nil {
|
|
return "", fmt.Errorf("error creating http request: %w", err)
|
|
}
|
|
|
|
req.Header.Add("Metadata-Flavor", "Google")
|
|
q := url.Values{}
|
|
q.Add("audience", fmt.Sprintf("%s/vault/%s", vaultAddress, a.roleName))
|
|
q.Add("format", "full")
|
|
req.URL.RawQuery = q.Encode()
|
|
resp, err := c.Do(req)
|
|
if err != nil {
|
|
return "", fmt.Errorf("error making request to metadata service: %w", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
// get jwt from response
|
|
body, err := ioutil.ReadAll(resp.Body)
|
|
jwt := string(body)
|
|
if err != nil {
|
|
return "", fmt.Errorf("error reading response from metadata service: %w", err)
|
|
}
|
|
|
|
return jwt, nil
|
|
}
|