Updating to jwt plugin@master (#10266)

2025-11-18 17:21:13 +01:00 · 2020-10-29 14:25:06 -07:00 · 2020-10-29 14:25:06 -07:00 · df5b607c40
commit df5b607c40
parent b18f841be5
6 changed files with 56 additions and 8 deletions
--- a/go.mod
+++ b/go.mod
@ -78,7 +78,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-centrify v0.5.5
 	github.com/hashicorp/vault-plugin-auth-cf v0.5.4
 	github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe
-	github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6
+	github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d
 	github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
 	github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb
 	github.com/hashicorp/vault-plugin-auth-oci v0.5.5
--- a/go.sum
+++ b/go.sum
@ -629,8 +629,8 @@ github.com/hashicorp/vault-plugin-auth-cf v0.5.4/go.mod h1:idkFYHc6ske2BE7fe00Sp
 github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
 github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe h1:eh3UrWk1CIXTT54gqSXHHqFGkDQ9uFPB8sr4IymU4bE=
 github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w=
-github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6 h1:VKSpsLdPzCwJh/BPd/T+SBXpQmH1hva77Ty7Mj6t1Rw=
-github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6/go.mod h1:pyR4z5f2Vuz9TXucuN0rivUJTtSdlOtDdZ16IqBjZVo=
+github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d h1:q/gyY/cDMSYhQdvsyVuuNLfi1O5pntNDm69vIbmjMLs=
+github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d/go.mod h1:pyR4z5f2Vuz9TXucuN0rivUJTtSdlOtDdZ16IqBjZVo=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6 h1:l5wu8J7aiQBLsTtkKhf1QQjGoeVjcfcput+uJ/pu2MM=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6/go.mod h1:IM/n7LY1rIM4MVzOfSH6cRmY/C2rGkrjGrEr0B/yO9c=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb h1:cLnxjA5VwdkSdPkqI8qsZn3A1HojSUzFQz3JIVNlhZ4=
@ -1023,8 +1023,6 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUt
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/sethvargo/go-limiter v0.3.0 h1:yRMc+Qs2yqw6YJp6UxrO2iUs6DOSq4zcnljbB7/rMns=
 github.com/sethvargo/go-limiter v0.3.0/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU=
-github.com/shirou/gopsutil v2.20.6-0.20200630091542-01afd763e6c0+incompatible h1:IYOqH6sML3rQGNVEQ5foLtpDt4TeW8PIUBuI9f8itkI=
-github.com/shirou/gopsutil v2.20.6-0.20200630091542-01afd763e6c0+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shirou/gopsutil v2.20.9+incompatible h1:msXs2frUV+O/JLva9EDLpuJ84PrFsdCTCQex8PUdtkQ=
 github.com/shirou/gopsutil v2.20.9+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 h1:pntxY8Ary0t43dCZ5dqY4YTJCObLY1kIXl0uzMv+7DE=
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go
@ -168,9 +168,10 @@ func fetchAuthURL(c *api.Client, role, mount, callbackport string, callbackMetho
 		return "", "", err
 	}

+	redirectURI := fmt.Sprintf("%s://%s:%s/oidc/callback", callbackMethod, callbackHost, callbackport)
 	data := map[string]interface{}{
 		"role":         role,
-		"redirect_uri": fmt.Sprintf("%s://%s:%s/oidc/callback", callbackMethod, callbackHost, callbackport),
+		"redirect_uri": redirectURI,
 		"client_nonce": clientNonce,
 	}

@ -184,7 +185,7 @@ func fetchAuthURL(c *api.Client, role, mount, callbackport string, callbackMetho
 	}

 	if authURL == "" {
-		return "", "", fmt.Errorf("Unable to authorize role %q. Check Vault logs for more information.", role)
+		return "", "", fmt.Errorf("Unable to authorize role %q with redirect_uri %q. Check Vault logs for more information.", role, redirectURI)
 	}

 	return authURL, clientNonce, nil
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go
@ -89,6 +89,14 @@ func pathConfig(b *jwtAuthBackend) *framework.Path {
 					Name: "Provider Config",
 				},
 			},
+			"namespace_in_state": {
+				Type:        framework.TypeBool,
+				Description: "Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name:  "Namespace in OIDC state",
+					Value: true,
+				},
+			},
 		},

 		Operations: map[logical.Operation]framework.OperationHandler{
@ -166,6 +174,7 @@ func (b *jwtAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reques
 			"jwks_ca_pem":            config.JWKSCAPEM,
 			"bound_issuer":           config.BoundIssuer,
 			"provider_config":        config.ProviderConfig,
+			"namespace_in_state":     config.NamespaceInState,
 		},
 	}

@ -189,6 +198,23 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque
 		ProviderConfig:       d.Get("provider_config").(map[string]interface{}),
 	}

+	// Check if the config already exists, to determine if this is a create or
+	// an update, since req.Operation is always 'update' in this handler, and
+	// there's no existence check defined.
+	existingConfig, err := b.config(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	if nsInState, ok := d.GetOk("namespace_in_state"); ok {
+		config.NamespaceInState = nsInState.(bool)
+	} else if existingConfig == nil {
+		// new configs default to true
+		config.NamespaceInState = true
+	} else {
+		// maintain the existing value
+		config.NamespaceInState = existingConfig.NamespaceInState
+	}
+
 	// Run checks on values
 	methodCount := 0
 	if config.OIDCDiscoveryURL != "" {
@ -349,6 +375,7 @@ type jwtConfig struct {
 	BoundIssuer          string                 `json:"bound_issuer"`
 	DefaultRole          string                 `json:"default_role"`
 	ProviderConfig       map[string]interface{} `json:"provider_config"`
+	NamespaceInState     bool                   `json:"namespace_in_state"`

 	ParsedJWTPubKeys []interface{} `json:"-"`
 }
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
@ -371,6 +371,24 @@ func (b *jwtAuthBackend) authURL(ctx context.Context, req *logical.Request, d *f
 		return logical.ErrorResponse("role %q could not be found", roleName), nil
 	}

+	// If namespace will be passed around in state, and it has been provided as
+	// a redirectURI query parameter, remove it from redirectURI, and append it
+	// to the state (later in this function)
+	namespace := ""
+	if config.NamespaceInState {
+		inputURI, err := url.Parse(redirectURI)
+		if err != nil {
+			return resp, nil
+		}
+		qParam := inputURI.Query()
+		namespace = qParam.Get("namespace")
+		if len(namespace) > 0 {
+			qParam.Del("namespace")
+			inputURI.RawQuery = qParam.Encode()
+			redirectURI = inputURI.String()
+		}
+	}
+
 	if !validRedirect(redirectURI, role.AllowedRedirectURIs) {
 		logger.Warn("unauthorized redirect_uri", "redirect_uri", redirectURI)
 		return resp, nil
@ -408,6 +426,10 @@ func (b *jwtAuthBackend) authURL(ctx context.Context, req *logical.Request, d *f
 		logger.Warn("error generating OAuth state", "error", err)
 		return resp, nil
 	}
+	if config.NamespaceInState && len(namespace) > 0 {
+		// embed namespace in state in the auth_url
+		stateID = fmt.Sprintf("%s,ns=%s", stateID, namespace)
+	}

 	authCodeOpts := []oauth2.AuthCodeOption{
 		oidc.Nonce(nonce),
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -515,7 +515,7 @@ github.com/hashicorp/vault-plugin-auth-cf/util
 # github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe
 github.com/hashicorp/vault-plugin-auth-gcp/plugin
 github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
-# github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201022174242-a68fde2bb2b6
+# github.com/hashicorp/vault-plugin-auth-jwt v0.7.2-0.20201029051557-9705f34b237d
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
 github.com/hashicorp/vault-plugin-auth-kerberos