Merge pull request smallstep#913 from delamart/master

Vault Kubernetes Auth

Author: maraino

cas/vaultcas/auth/approle/approle.go

@@ -0,0 +1,67 @@
+package approle
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/hashicorp/vault/api/auth/approle"
+)
+
+// AuthOptions defines the configuration options added using the
+// VaultOptions.AuthOptions field when AuthType is approle
+type AuthOptions struct {
+	RoleID          string `json:"roleID,omitempty"`
+	SecretID        string `json:"secretID,omitempty"`
+	SecretIDFile    string `json:"secretIDFile,omitempty"`
+	SecretIDEnv     string `json:"secretIDEnv,omitempty"`
+	IsWrappingToken bool   `json:"isWrappingToken,omitempty"`
+}
+
+func NewApproleAuthMethod(mountPath string, options json.RawMessage) (*approle.AppRoleAuth, error) {
+	var opts *AuthOptions
+
+	err := json.Unmarshal(options, &opts)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding AppRole auth options: %w", err)
+	}
+
+	var approleAuth *approle.AppRoleAuth
+
+	var loginOptions []approle.LoginOption
+	if mountPath != "" {
+		loginOptions = append(loginOptions, approle.WithMountPath(mountPath))
+	}
+	if opts.IsWrappingToken {
+		loginOptions = append(loginOptions, approle.WithWrappingToken())
+	}
+
+	if opts.RoleID == "" {
+		return nil, errors.New("you must set roleID")
+	}
+
+	var sid approle.SecretID
+	switch {
+	case opts.SecretID != "" && opts.SecretIDFile == "" && opts.SecretIDEnv == "":
+		sid = approle.SecretID{
+			FromString: opts.SecretID,
+		}
+	case opts.SecretIDFile != "" && opts.SecretID == "" && opts.SecretIDEnv == "":
+		sid = approle.SecretID{
+			FromFile: opts.SecretIDFile,
+		}
+	case opts.SecretIDEnv != "" && opts.SecretIDFile == "" && opts.SecretID == "":
+		sid = approle.SecretID{
+			FromEnv: opts.SecretIDEnv,
+		}
+	default:
+		return nil, errors.New("you must set one of secretID, secretIDFile or secretIDEnv")
+	}
+
+	approleAuth, err = approle.NewAppRoleAuth(opts.RoleID, &sid, loginOptions...)
+	if err != nil {
+		return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
+	}
+
+	return approleAuth, nil
+}

cas/vaultcas/auth/approle/approle_test.go

@@ -0,0 +1,195 @@
+package approle
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	vault "github.com/hashicorp/vault/api"
+)
+
+func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
+	t.Helper()
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch {
+		case r.RequestURI == "/v1/auth/approle/login":
+			w.WriteHeader(http.StatusOK)
+			fmt.Fprintf(w, `{
+				  "auth": {
+					"client_token": "hvs.0000"
+				  }
+				}`)
+		case r.RequestURI == "/v1/auth/custom-approle/login":
+			w.WriteHeader(http.StatusOK)
+			fmt.Fprintf(w, `{
+				  "auth": {
+					"client_token": "hvs.9999"
+				  }
+				}`)
+		default:
+			w.WriteHeader(http.StatusNotFound)
+			fmt.Fprintf(w, `{"error":"not found"}`)
+		}
+	}))
+	t.Cleanup(func() {
+		srv.Close()
+	})
+	u, err := url.Parse(srv.URL)
+	if err != nil {
+		srv.Close()
+		t.Fatal(err)
+	}
+
+	config := vault.DefaultConfig()
+	config.Address = srv.URL
+
+	client, err := vault.NewClient(config)
+	if err != nil {
+		srv.Close()
+		t.Fatal(err)
+	}
+
+	return u, client
+}
+
+func TestApprole_LoginMountPaths(t *testing.T) {
+	caURL, _ := testCAHelper(t)
+
+	config := vault.DefaultConfig()
+	config.Address = caURL.String()
+	client, _ := vault.NewClient(config)
+
+	tests := []struct {
+		name      string
+		mountPath string
+		token     string
+	}{
+		{
+			name:      "ok default mount path",
+			mountPath: "",
+			token:     "hvs.0000",
+		},
+		{
+			name:      "ok explicit mount path",
+			mountPath: "approle",
+			token:     "hvs.0000",
+		},
+		{
+			name:      "ok custom mount path",
+			mountPath: "custom-approle",
+			token:     "hvs.9999",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			method, err := NewApproleAuthMethod(tt.mountPath, json.RawMessage(`{"RoleID":"roleID","SecretID":"secretID","IsWrappingToken":false}`))
+			if err != nil {
+				t.Errorf("NewApproleAuthMethod() error = %v", err)
+				return
+			}
+
+			secret, err := client.Auth().Login(context.Background(), method)
+			if err != nil {
+				t.Errorf("Login() error = %v", err)
+				return
+			}
+
+			token, _ := secret.TokenID()
+			if token != tt.token {
+				t.Errorf("Token error got %v, expected %v", token, tt.token)
+				return
+			}
+		})
+	}
+}
+
+func TestApprole_NewApproleAuthMethod(t *testing.T) {
+	tests := []struct {
+		name      string
+		mountPath string
+		raw       string
+		wantErr   bool
+	}{
+		{
+			"ok secret-id string",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000"}`,
+			false,
+		},
+		{
+			"ok secret-id string and wrapped",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "isWrappedToken": true}`,
+			false,
+		},
+		{
+			"ok secret-id string and wrapped with custom mountPath",
+			"approle2",
+			`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "isWrappedToken": true}`,
+			false,
+		},
+		{
+			"ok secret-id file",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretIDFile": "./secret-id"}`,
+			false,
+		},
+		{
+			"ok secret-id env",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretIDEnv": "VAULT_APPROLE_SECRETID"}`,
+			false,
+		},
+		{
+			"fail mandatory role-id",
+			"",
+			`{}`,
+			true,
+		},
+		{
+			"fail mandatory secret-id any",
+			"",
+			`{"RoleID": "0000-0000-0000-0000"}`,
+			true,
+		},
+		{
+			"fail multiple secret-id types id and env",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "SecretIDEnv": "VAULT_APPROLE_SECRETID"}`,
+			true,
+		},
+		{
+			"fail multiple secret-id types id and file",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "SecretIDFile": "./secret-id"}`,
+			true,
+		},
+		{
+			"fail multiple secret-id types env and file",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretIDFile": "./secret-id", "SecretIDEnv": "VAULT_APPROLE_SECRETID"}`,
+			true,
+		},
+		{
+			"fail multiple secret-id types all",
+			"",
+			`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "SecretIDFile": "./secret-id", "SecretIDEnv": "VAULT_APPROLE_SECRETID"}`,
+			true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := NewApproleAuthMethod(tt.mountPath, json.RawMessage(tt.raw))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Approle.NewApproleAuthMethod() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+		})
+	}
+}

cas/vaultcas/auth/kubernetes/kubernetes.go

@@ -0,0 +1,49 @@
+package kubernetes
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/hashicorp/vault/api/auth/kubernetes"
+)
+
+// AuthOptions defines the configuration options added using the
+// VaultOptions.AuthOptions field when AuthType is kubernetes
+type AuthOptions struct {
+	Role      string `json:"role,omitempty"`
+	TokenPath string `json:"tokenPath,omitempty"`
+}
+
+func NewKubernetesAuthMethod(mountPath string, options json.RawMessage) (*kubernetes.KubernetesAuth, error) {
+	var opts *AuthOptions
+
+	err := json.Unmarshal(options, &opts)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding Kubernetes auth options: %w", err)
+	}
+
+	var kubernetesAuth *kubernetes.KubernetesAuth
+
+	var loginOptions []kubernetes.LoginOption
+	if mountPath != "" {
+		loginOptions = append(loginOptions, kubernetes.WithMountPath(mountPath))
+	}
+	if opts.TokenPath != "" {
+		loginOptions = append(loginOptions, kubernetes.WithServiceAccountTokenPath(opts.TokenPath))
+	}
+
+	if opts.Role == "" {
+		return nil, errors.New("you must set role")
+	}
+
+	kubernetesAuth, err = kubernetes.NewKubernetesAuth(
+		opts.Role,
+		loginOptions...,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
+	}
+
+	return kubernetesAuth, nil
+}