mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/command/agentproxyshared/auth/cert/cert.go
Jason Joo a5caf4e1cb
fix: cert auth method watches cert file change and NewCreds() notification (#28126) 
Signed-off-by: Jason Joo <hblzxsj@gmail.com>
2024-10-02 13:41:55 -04:00

308 lines
7.6 KiB
Go
Raw Permalink Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package cert
import (
"context"
"crypto/tls"
"encoding/hex"
"errors"
"fmt"
"net/http"
"os"
"sync"
"time"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/agentproxyshared/auth"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/parseutil"
"golang.org/x/crypto/blake2b"
)
type certMethod struct {
logger hclog.Logger
mountPath string
name string
caCert string
clientCert string
clientKey string
reload bool
// Client is the cached client to use if cert info was provided.
client *api.Client
stopCh chan struct{}
doneCh chan struct{}
credSuccessGate chan struct{}
ticker *time.Ticker
once *sync.Once
credsFound chan struct{}
latestHash *string
}
var _ auth.AuthMethodWithClient = &certMethod{}
func NewCertAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
if conf == nil {
return nil, errors.New("empty config")
}
// Not concerned if the conf.Config is empty as the 'name'
// parameter is optional when using TLS Auth
lastHash := ""
c := &certMethod{
logger: conf.Logger,
mountPath: conf.MountPath,
stopCh: make(chan struct{}),
doneCh: make(chan struct{}),
credSuccessGate: make(chan struct{}),
once: new(sync.Once),
credsFound: make(chan struct{}),
latestHash: &lastHash,
}
if conf.Config != nil {
nameRaw, ok := conf.Config["name"]
if !ok {
nameRaw = ""
}
c.name, ok = nameRaw.(string)
if !ok {
return nil, errors.New("could not convert 'name' config value to string")
}
caCertRaw, ok := conf.Config["ca_cert"]
if ok {
c.caCert, ok = caCertRaw.(string)
if !ok {
return nil, errors.New("could not convert 'ca_cert' config value to string")
}
}
clientCertRaw, ok := conf.Config["client_cert"]
if ok {
c.clientCert, ok = clientCertRaw.(string)
if !ok {
return nil, errors.New("could not convert 'cert_file' config value to string")
}
}
clientKeyRaw, ok := conf.Config["client_key"]
if ok {
c.clientKey, ok = clientKeyRaw.(string)
if !ok {
return nil, errors.New("could not convert 'cert_key' config value to string")
}
}
reload, ok := conf.Config["reload"]
if ok {
c.reload, ok = reload.(bool)
if !ok {
return nil, errors.New("could not convert 'reload' config value to bool")
}
}
}
if c.isCertConfigured() && c.reload {
reloadPeriod := time.Minute
if reloadPeriodRaw, ok := conf.Config["reload_period"]; ok {
period, err := parseutil.ParseDurationSecond(reloadPeriodRaw)
if err != nil {
return nil, fmt.Errorf("error parsing 'reload_period' value: %w", err)
}
reloadPeriod = period
}
c.ticker = time.NewTicker(reloadPeriod)
go c.runWatcher()
}
return c, nil
}
func (c *certMethod) Authenticate(_ context.Context, client *api.Client) (string, http.Header, map[string]interface{}, error) {
c.logger.Trace("beginning authentication")
authMap := map[string]interface{}{}
if c.name != "" {
authMap["name"] = c.name
}
return fmt.Sprintf("%s/login", c.mountPath), nil, authMap, nil
}
func (c *certMethod) NewCreds() chan struct{} {
return c.credsFound
}
func (c *certMethod) CredSuccess() {
c.once.Do(func() {
close(c.credSuccessGate)
})
}
func (c *certMethod) Shutdown() {
if c.isCertConfigured() && c.reload {
c.ticker.Stop()
close(c.stopCh)
<-c.doneCh
}
}
func (c *certMethod) isCertConfigured() bool {
return c.caCert != "" || (c.clientKey != "" && c.clientCert != "")
}
// AuthClient uses the existing client's address and returns a new client with
// the auto-auth method's certificate information if that's provided in its
// config map.
func (c *certMethod) AuthClient(client *api.Client) (*api.Client, error) {
c.logger.Trace("deriving auth client to use")
clientToAuth := client
if c.isCertConfigured() {
// Return cached client if present
if c.client != nil && !c.reload {
return c.client, nil
}
config := api.DefaultConfig()
if config.Error != nil {
return nil, config.Error
}
config.Address = client.Address()
t := &api.TLSConfig{
CACert: c.caCert,
ClientCert: c.clientCert,
ClientKey: c.clientKey,
}
// Setup TLS config
if err := config.ConfigureTLS(t); err != nil {
return nil, err
}
// set last hash if load it successfully
if hash, err := c.hashCert(c.clientCert, c.clientKey, c.caCert); err != nil {
return nil, err
} else {
c.latestHash = &hash
}
var err error
clientToAuth, err = api.NewClient(config)
if err != nil {
return nil, err
}
if ns := client.Headers().Get(consts.NamespaceHeaderName); ns != "" {
clientToAuth.SetNamespace(ns)
}
// Cache the client for future use
c.client = clientToAuth
}
return clientToAuth, nil
}
// hashCert returns reads and verifies the given cert/key pair and return the hashing result
// in string representation. Otherwise, returns an error.
// As the pair of cert/key and ca cert are optional because they may be configured externally
// or use system default ca bundle, empty paths are simply skipped.
// A valid hashing result means:
// 1. All presented files are readable.
// 2. The client cert/key pair is valid if presented.
// 3. Any presented file in this bundle changed, the hash changes.
func (c *certMethod) hashCert(certFile, keyFile, caFile string) (string, error) {
var buf []byte
if certFile != "" && keyFile != "" {
certPEMBlock, err := os.ReadFile(certFile)
if err != nil {
return "", err
}
c.logger.Debug("Loaded cert file", "file", certFile, "length", len(certPEMBlock))
keyPEMBlock, err := os.ReadFile(keyFile)
if err != nil {
return "", err
}
c.logger.Debug("Loaded key file", "file", keyFile, "length", len(keyPEMBlock))
// verify
_, err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
return "", err
}
c.logger.Debug("The cert/key are valid")
buf = append(certPEMBlock, keyPEMBlock...)
}
if caFile != "" {
data, err := os.ReadFile(caFile)
if err != nil {
return "", err
}
c.logger.Debug("Loaded ca file", "file", caFile, "length", len(data))
buf = append(buf, data...)
}
sum := blake2b.Sum256(buf)
return hex.EncodeToString(sum[:]), nil
}
// runWatcher uses polling instead of inotify to sense the changes on the cert/key/ca files.
// The reason not to use inotify:
// 1. To not miss any changes, we need to watch the directory instead of files when using inotify.
// 2. These files are not frequently changed/renewed, and they don't need to be reloaded immediately after renewal.
// 3. Some network based filesystem and FUSE don't support inotify.
func (c *certMethod) runWatcher() {
defer close(c.doneCh)
select {
case <-c.stopCh:
return
case <-c.credSuccessGate:
// We only start the next loop once we're initially successful,
// since at startup Authenticate will be called, and we don't want
// to end up immediately re-authenticating by having found a new
// value
}
for {
changed := false
select {
case <-c.stopCh:
return
case <-c.ticker.C:
c.logger.Debug("Checking if files changed", "cert", c.clientCert, "key", c.clientKey)
hash, err := c.hashCert(c.clientCert, c.clientKey, c.caCert)
// ignore errors in watcher
if err == nil {
c.logger.Debug("hash before/after", "new", hash, "old", *c.latestHash)
changed = *c.latestHash != hash
} else {
c.logger.Warn("hash failed for cert/key files", "err", err)
}
}
if changed {
c.logger.Info("The cert/key files changed")
select {
case c.credsFound <- struct{}{}:
case <-c.stopCh:
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink