Add bound cidr checking at login time for remaining auths (#7046)
This commit is contained in:
parent
3ae451ec78
commit
b918a156da
@ -24,6 +24,7 @@ import (
|
||||
uuid "github.com/hashicorp/go-uuid"
|
||||
"github.com/hashicorp/vault/helper/awsutil"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/cidrutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/jsonutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/strutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
@ -605,6 +606,11 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
|
||||
return logical.ErrorResponse(fmt.Sprintf("entry for role %q not found", roleName)), nil
|
||||
}
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, roleEntry.TokenBoundCIDRs) {
|
||||
return nil, logical.ErrPermissionDenied
|
||||
}
|
||||
|
||||
if roleEntry.AuthType != ec2AuthType {
|
||||
return logical.ErrorResponse(fmt.Sprintf("auth method ec2 not allowed for role %s", roleName)), nil
|
||||
}
|
||||
@ -1211,6 +1217,11 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
|
||||
return logical.ErrorResponse(fmt.Sprintf("entry for role %s not found", roleName)), nil
|
||||
}
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, roleEntry.TokenBoundCIDRs) {
|
||||
return nil, logical.ErrPermissionDenied
|
||||
}
|
||||
|
||||
if roleEntry.AuthType != iamAuthType {
|
||||
return logical.ErrorResponse(fmt.Sprintf("auth method iam not allowed for role %s", roleName)), nil
|
||||
}
|
||||
|
||||
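Review bot: `req.Connection` is read without a nil check at `req.Connection.RemoteAddr` in both the pathLoginUpdateEc2 and pathLoginUpdateIam hunks, so a login request that carries no connection information panics in the handler instead of being denied; `logical.Request.Connection` is a pointer, and the approle login path guards it before reading RemoteAddr. The github, ldap, okta, radius and userpass sections below add the same unguarded dereference. Failing closed only when the role actually restricts by CIDR keeps callers without connection data working, e.g. `if len(roleEntry.TokenBoundCIDRs) > 0 && (req.Connection == nil || !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, roleEntry.TokenBoundCIDRs)) {` (assuming, as its use here implies, that RemoteAddrIsOk treats an empty list as allow). Both enclosing functions start and end outside these hunks.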
@ -9,6 +9,7 @@ import (
|
||||
"github.com/google/go-github/github"
|
||||
"github.com/hashicorp/errwrap"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/cidrutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/policyutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
@ -148,6 +149,11 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, t
|
||||
return nil, logical.ErrorResponse("configuration has not been set"), nil
|
||||
}
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, config.TokenBoundCIDRs) {
|
||||
return nil, nil, logical.ErrPermissionDenied
|
||||
}
|
||||
|
||||
if config.Organization == "" {
|
||||
return nil, logical.ErrorResponse(
|
||||
"organization not found in configuration"), nil
|
||||
|
||||
@ -5,6 +5,7 @@ import (
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/cidrutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/policyutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
@ -58,6 +59,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
|
||||
return logical.ErrorResponse("auth method not configured"), nil
|
||||
}
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cfg.TokenBoundCIDRs) {
|
||||
return nil, logical.ErrPermissionDenied
|
||||
}
|
||||
|
||||
username := d.Get("username").(string)
|
||||
password := d.Get("password").(string)
|
||||
|
||||
|
||||
@ -8,6 +8,7 @@ import (
|
||||
"github.com/chrismalek/oktasdk-go/okta"
|
||||
"github.com/hashicorp/vault/helper/mfa"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/cidrutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
||||
@ -65,6 +66,11 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
|
||||
return nil, logical.ErrorResponse("Okta auth method not configured"), nil, nil
|
||||
}
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cfg.TokenBoundCIDRs) {
|
||||
return nil, nil, nil, logical.ErrPermissionDenied
|
||||
}
|
||||
|
||||
client := cfg.OktaClient()
|
||||
|
||||
type mfaFactor struct {
|
||||
|
||||
@ -12,6 +12,7 @@ import (
|
||||
. "layeh.com/radius/rfc2865"
|
||||
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/cidrutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/policyutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
@ -70,6 +71,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
|
||||
return logical.ErrorResponse("radius backend not configured"), nil
|
||||
}
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cfg.TokenBoundCIDRs) {
|
||||
return nil, logical.ErrPermissionDenied
|
||||
}
|
||||
|
||||
username := d.Get("username").(string)
|
||||
password := d.Get("password").(string)
|
||||
|
||||
|
||||
@ -64,6 +64,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
|
||||
// Get the user and validate auth
|
||||
user, userError := b.user(ctx, req.Storage, username)
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
|
||||
return nil, logical.ErrPermissionDenied
|
||||
}
|
||||
|
||||
var userPassword []byte
|
||||
var legacyPassword bool
|
||||
// If there was an error or it's nil, we fake a password for the bcrypt
|
||||
@ -103,11 +108,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
|
||||
return logical.ErrorResponse("invalid username or password"), nil
|
||||
}
|
||||
|
||||
// Check for a CIDR match.
|
||||
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
|
||||
return logical.ErrorResponse("login request originated from invalid CIDR"), nil
|
||||
}
|
||||
|
||||
auth := &logical.Auth{
|
||||
Metadata: map[string]string{
|
||||
"username": username,
|
||||
|
||||
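Review bot: The CIDR check inserted directly after `user, userError := b.user(ctx, req.Storage, username)` dereferences `user.TokenBoundCIDRs` before the code that handles a nil user or a failed lookup (the comment a few lines below says exactly that case is expected and is what the fake-bcrypt path exists for), so a login attempt for an unknown username now panics rather than returning "invalid username or password". It also returns before the constant-time password comparison, so a caller outside the bound range gets an immediate permission-denied only for existing users with a CIDR restriction, which distinguishes them from unknown users. The second hunk removes the previous placement after the "invalid username or password" return, where `user` is known to be non-nil; keeping that placement and dropping the early block, i.e. restoring `if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) { return nil, logical.ErrPermissionDenied }` after the password check, addresses both points. pathLogin begins and ends outside both hunks.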