From df5b607c40c81eacf0dff50b2d45ce7a21e10efc Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Thu, 29 Oct 2020 14:25:06 -0700
Subject: [PATCH] Updating to jwt plugin@master (#10266)

---
 go.mod | 2 +-
 go.sum | 6 ++---
 .../hashicorp/vault-plugin-auth-jwt/cli.go | 5 ++--
 .../vault-plugin-auth-jwt/path_config.go | 27 +++++++++++++++++++
 .../vault-plugin-auth-jwt/path_oidc.go | 22 +++++++++++++++
 vendor/modules.txt | 2 +-
 6 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index c22a88547e..d135ab3ae1 100644
--- a/go.mod
+++ b/go.mod
@@ -78,7 +78,7 @@ require (
 github.com/hashicorp/vault-plugin-auth-centrify v0.5.5
 github.com/hashicorp/vault-plugin-auth-cf v0.5.4
 github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe
- github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6
+ github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5
diff --git a/go.sum b/go.sum
index ec4f97b4d9..cbf2c8c646 100644
--- a/go.sum
+++ b/go.sum
@@ -629,8 +629,8 @@ github.com/hashicorp/vault-plugin-auth-cf v0.5.4/go.mod h1:idkFYHc6ske2BE7fe00Sp
 github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
 github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe h1:eh3UrWk1CIXTT54gqSXHHqFGkDQ9uFPB8sr4IymU4bE=
 github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w=
-github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6 h1:VKSpsLdPzCwJh/BPd/T+SBXpQmH1hva77Ty7Mj6t1Rw=
-github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6/go.mod h1:pyR4z5f2Vuz9TXucuN0rivUJTtSdlOtDdZ16IqBjZVo=
+github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d h1:q/gyY/cDMSYhQdvsyVuuNLfi1O5pntNDm69vIbmjMLs=
+github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d/go.mod h1:pyR4z5f2Vuz9TXucuN0rivUJTtSdlOtDdZ16IqBjZVo=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6 h1:l5wu8J7aiQBLsTtkKhf1QQjGoeVjcfcput+uJ/pu2MM=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6/go.mod h1:IM/n7LY1rIM4MVzOfSH6cRmY/C2rGkrjGrEr0B/yO9c=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb h1:cLnxjA5VwdkSdPkqI8qsZn3A1HojSUzFQz3JIVNlhZ4=
@@ -1023,8 +1023,6 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUt
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/sethvargo/go-limiter v0.3.0 h1:yRMc+Qs2yqw6YJp6UxrO2iUs6DOSq4zcnljbB7/rMns=
 github.com/sethvargo/go-limiter v0.3.0/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU=
-github.com/shirou/gopsutil v2.20.6-0.20200630091542-01afd763e6c0+incompatible h1:IYOqH6sML3rQGNVEQ5foLtpDt4TeW8PIUBuI9f8itkI=
-github.com/shirou/gopsutil v2.20.6-0.20200630091542-01afd763e6c0+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shirou/gopsutil v2.20.9+incompatible h1:msXs2frUV+O/JLva9EDLpuJ84PrFsdCTCQex8PUdtkQ=
 github.com/shirou/gopsutil v2.20.9+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 h1:pntxY8Ary0t43dCZ5dqY4YTJCObLY1kIXl0uzMv+7DE=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go
index 91cb6b90aa..fff7b2d9f2 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go
@@ -168,9 +168,10 @@ func fetchAuthURL(c *api.Client, role, mount, callbackport string, callbackMetho
 return "", "", err
 }
 
+ redirectURI := fmt.Sprintf("%s://%s:%s/oidc/callback", callbackMethod, callbackHost, callbackport)
 data := map[string]interface{}{
 "role": role,
- "redirect_uri": fmt.Sprintf("%s://%s:%s/oidc/callback", callbackMethod, callbackHost, callbackport),
+ "redirect_uri": redirectURI,
 "client_nonce": clientNonce,
 }
 
@@ -184,7 +185,7 @@ func fetchAuthURL(c *api.Client, role, mount, callbackport string, callbackMetho
 }
 
 if authURL == "" {
- return "", "", fmt.Errorf("Unable to authorize role %q. Check Vault logs for more information.", role)
+ return "", "", fmt.Errorf("Unable to authorize role %q with redirect_uri %q. Check Vault logs for more information.", role, redirectURI)
 }
 
 return authURL, clientNonce, nil
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go
index 2fd9571854..0b3c2682c5 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go
@@ -89,6 +89,14 @@ func pathConfig(b *jwtAuthBackend) *framework.Path {
 Name: "Provider Config",
 },
 },
+ "namespace_in_state": {
+ Type: framework.TypeBool,
+ Description: "Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.",
+ DisplayAttrs: &framework.DisplayAttributes{
+ Name: "Namespace in OIDC state",
+ Value: true,
+ },
+ },
 },
 
 Operations: map[logical.Operation]framework.OperationHandler{
@@ -166,6 +174,7 @@ func (b *jwtAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reques
 "jwks_ca_pem": config.JWKSCAPEM,
 "bound_issuer": config.BoundIssuer,
 "provider_config": config.ProviderConfig,
+ "namespace_in_state": config.NamespaceInState,
 },
 }
 
@@ -189,6 +198,23 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque
 ProviderConfig: d.Get("provider_config").(map[string]interface{}),
 }
 
+ // Check if the config already exists, to determine if this is a create or
+ // an update, since req.Operation is always 'update' in this handler, and
+ // there's no existence check defined.
+ existingConfig, err := b.config(ctx, req.Storage)
+ if err != nil {
+ return nil, err
+ }
+ if nsInState, ok := d.GetOk("namespace_in_state"); ok {
+ config.NamespaceInState = nsInState.(bool)
+ } else if existingConfig == nil {
+ // new configs default to true
+ config.NamespaceInState = true
+ } else {
+ // maintain the existing value
+ config.NamespaceInState = existingConfig.NamespaceInState
+ }
+
 // Run checks on values
 methodCount := 0
 if config.OIDCDiscoveryURL != "" {
@@ -349,6 +375,7 @@ type jwtConfig struct {
 BoundIssuer string `json:"bound_issuer"`
 DefaultRole string `json:"default_role"`
 ProviderConfig map[string]interface{} `json:"provider_config"`
+ NamespaceInState bool `json:"namespace_in_state"`
 ParsedJWTPubKeys []interface{} `json:"-"`
 }
 
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
index 363456008f..88cd95c421 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
@@ -371,6 +371,24 @@ func (b *jwtAuthBackend) authURL(ctx context.Context, req *logical.Request, d *f
 return logical.ErrorResponse("role %q could not be found", roleName), nil
 }
 
+ // If namespace will be passed around in state, and it has been provided as
+ // a redirectURI query parameter, remove it from redirectURI, and append it
+ // to the state (later in this function)
+ namespace := ""
+ if config.NamespaceInState {
+ inputURI, err := url.Parse(redirectURI)
+ if err != nil {
+ return resp, nil
+ }
+ qParam := inputURI.Query()
+ namespace = qParam.Get("namespace")
+ if len(namespace) > 0 {
+ qParam.Del("namespace")
+ inputURI.RawQuery = qParam.Encode()
+ redirectURI = inputURI.String()
+ }
+ }
+
 if !validRedirect(redirectURI, role.AllowedRedirectURIs) {
 logger.Warn("unauthorized redirect_uri", "redirect_uri", redirectURI)
 return resp, nil
@@ -408,6 +426,10 @@ func (b *jwtAuthBackend) authURL(ctx context.Context, req *logical.Request, d *f
 logger.Warn("error generating OAuth state", "error", err)
 return resp, nil
 }
+ if config.NamespaceInState && len(namespace) > 0 {
+ // embed namespace in state in the auth_url
+ stateID = fmt.Sprintf("%s,ns=%s", stateID, namespace)
+ }
 
 authCodeOpts := []oauth2.AuthCodeOption{
 oidc.Nonce(nonce),
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 08f9fe0f2e..b7f6c8f738 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -515,7 +515,7 @@ github.com/hashicorp/vault-plugin-auth-cf/util
 # github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe
 github.com/hashicorp/vault-plugin-auth-gcp/plugin
 github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
-# github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6
+# github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
 github.com/hashicorp/vault-plugin-auth-kerberos
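Review bot: The namespace value lifted out of the client-supplied redirect_uri is embedded into the state with a bare `,ns=` separator and no escaping or character check (`stateID = fmt.Sprintf("%s,ns=%s", stateID, namespace)` in the second path_oidc.go hunk), so a value containing `,` or `=` would presumably be mis-split wherever the callback side parses the state, which is outside this hunk. Since this is vendored plugin code the fix belongs upstream: either `url.QueryEscape` the namespace before embedding it and unescape it on the callback side, or reject a namespace containing the separator characters with a `logger.Warn` and `return resp, nil` before it reaches `fmt.Sprintf`. Separately, the `url.Parse` failure in the first hunk returns `resp` silently, unlike the `validRedirect` failure a few lines later; a `logger.Warn("invalid redirect_uri", "error", err)` before that return would make a malformed or tampered redirect_uri visible in the audit trail. Note also that `qParam.Encode()` re-serializes the remaining query (sorted keys, percent-encoding), so the string handed to `validRedirect` may not be byte-identical to what the client sent; whether that matters depends on how `validRedirect`, outside the hunk, compares against `role.AllowedRedirectURIs`. authURL starts and ends outside the hunk.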