add provider ca support for jwt file base auth

Adds support for a jwt token in a file. Simply reads the file and sends
the read in jwt along to the vault login.

It also supports a legacy mode with the jwt string being passed
directly. In which case the path is made optional.
This commit is contained in:
John Eikenberry 2023-03-02 20:33:06 +00:00 committed by GitHub
parent 321439f5a7
commit 4211069080
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 130 additions and 2 deletions

3
.changelog/16266.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
ca: support Vault agent auto-auth config for Vault CA provider using JWT authentication.
```

View File

@ -935,6 +935,8 @@ func configureVaultAuthMethod(authMethod *structs.VaultAuthMethod) (VaultAuthent
return NewAzureAuthClient(authMethod)
case VaultAuthMethodTypeGCP:
return NewGCPAuthClient(authMethod)
case VaultAuthMethodTypeJWT:
return NewJwtAuthClient(authMethod)
case VaultAuthMethodTypeKubernetes:
// For the Kubernetes Auth method, we will try to read the JWT token
// from the default service account file location if jwt was not provided.
@ -972,7 +974,6 @@ func configureVaultAuthMethod(authMethod *structs.VaultAuthMethod) (VaultAuthent
VaultAuthMethodTypeAppRole,
VaultAuthMethodTypeCloudFoundry,
VaultAuthMethodTypeGitHub,
VaultAuthMethodTypeJWT,
VaultAuthMethodTypeKerberos,
VaultAuthMethodTypeTLS:
return NewVaultAPIAuthClient(authMethod, loginPath), nil

View File

@ -0,0 +1,50 @@
package ca
import (
"fmt"
"os"
"strings"
"github.com/hashicorp/consul/agent/structs"
)
func NewJwtAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
params := authMethod.Params
role, ok := params["role"].(string)
if !ok || strings.TrimSpace(role) == "" {
return nil, fmt.Errorf("missing 'role' value")
}
authClient := NewVaultAPIAuthClient(authMethod, "")
if legacyCheck(params, "jwt") {
return authClient, nil
}
// The path is required for the auto-auth config, but this auth provider
// seems to be used for jwt based auth by directly passing the jwt token.
// So we only require the token file path if the token string isn't
// present.
tokenPath, ok := params["path"].(string)
if !ok || strings.TrimSpace(tokenPath) == "" {
return nil, fmt.Errorf("missing 'path' value")
}
authClient.LoginDataGen = JwtLoginDataGen
return authClient, nil
}
func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
params := authMethod.Params
role := params["role"].(string)
tokenPath := params["path"].(string)
rawToken, err := os.ReadFile(tokenPath)
if err != nil {
return nil, err
}
return map[string]any{
"role": role,
"jwt": strings.TrimSpace(string(rawToken)),
}, nil
}

View File

@ -428,3 +428,77 @@ func TestVaultCAProvider_AzureAuthClient(t *testing.T) {
})
}
}
func TestVaultCAProvider_JwtAuthClient(t *testing.T) {
tokenF, err := os.CreateTemp("", "token-path")
require.NoError(t, err)
defer func() { os.Remove(tokenF.Name()) }()
_, err = tokenF.WriteString("test-token")
require.NoError(t, err)
err = tokenF.Close()
require.NoError(t, err)
cases := map[string]struct {
authMethod *structs.VaultAuthMethod
expData map[string]any
expErr error
}{
"base-case": {
authMethod: &structs.VaultAuthMethod{
Type: "jwt",
Params: map[string]any{
"role": "test-role",
"path": tokenF.Name(),
},
},
expData: map[string]any{
"role": "test-role",
"jwt": "test-token",
},
},
"no-role": {
authMethod: &structs.VaultAuthMethod{
Type: "jwt",
Params: map[string]any{},
},
expErr: fmt.Errorf("missing 'role' value"),
},
"no-path": {
authMethod: &structs.VaultAuthMethod{
Type: "jwt",
Params: map[string]any{
"role": "test-role",
},
},
expErr: fmt.Errorf("missing 'path' value"),
},
"no-path-but-jwt": {
authMethod: &structs.VaultAuthMethod{
Type: "jwt",
Params: map[string]any{
"role": "test-role",
"jwt": "test-jwt",
},
},
expData: map[string]any{
"role": "test-role",
"jwt": "test-jwt",
},
},
}
for name, c := range cases {
t.Run(name, func(t *testing.T) {
auth, err := NewJwtAuthClient(c.authMethod)
if c.expErr != nil {
require.EqualError(t, c.expErr, err.Error())
return
}
require.NoError(t, err)
if auth.LoginDataGen != nil {
data, err := auth.LoginDataGen(c.authMethod)
require.NoError(t, err)
require.Equal(t, c.expData, data)
}
})
}
}

View File

@ -111,7 +111,7 @@ func TestVaultCAProvider_configureVaultAuthMethod(t *testing.T) {
"cf": {expLoginPath: "auth/cf/login"},
"github": {expLoginPath: "auth/github/login"},
"gcp": {expLoginPath: "auth/gcp/login", params: map[string]interface{}{"type": "iam", "role": "test-role"}},
"jwt": {expLoginPath: "auth/jwt/login"},
"jwt": {expLoginPath: "auth/jwt/login", params: map[string]any{"role": "test-role", "path": "test-path"}, hasLDG: true},
"kerberos": {expLoginPath: "auth/kerberos/login"},
"kubernetes": {expLoginPath: "auth/kubernetes/login", params: map[string]interface{}{"jwt": "fake"}},
"ldap": {expLoginPath: "auth/ldap/login/foo", params: map[string]interface{}{"username": "foo"}},