From 528f27a002e5f2c15a07d345d9d18235b94c153b Mon Sep 17 00:00:00 2001
From: Magnus Runesson
Date: Mon, 25 Mar 2019 20:19:39 +0100
Subject: [PATCH 1/2] Support for auth within Kubernetes and generic JWT
Support using JWT token for Kubernetes service account to authenticate. Since both GCP and Kubernetes uses JWT, refactored to also offer generic JWT support to be used by aginst other JWT based authentication services.
---
 .../java/com/bettercloud/vault/api/Auth.java | 53 +++++++++++++++++--
 1 file changed, 49 insertions(+), 4 deletions(-)
diff --git a/src/main/java/com/bettercloud/vault/api/Auth.java b/src/main/java/com/bettercloud/vault/api/Auth.java
index 9c36ca78..abba01cc 100644
--- a/src/main/java/com/bettercloud/vault/api/Auth.java
+++ b/src/main/java/com/bettercloud/vault/api/Auth.java
@@ -879,23 +879,24 @@ public AuthResponse loginByGithub(final String githubToken, final String githubA
 }
 /**
- *

Basic login operation to authenticate to an GCP backend. Example usage:

+ *

Basic login operation to authenticate to an JWT backend. Example usage:

* *
*
{@code
-     * final AuthResponse response = vault.auth().loginByGCP("dev", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...");
+     * final AuthResponse response = vault.auth().loginByJwt("kubernetes", "dev", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...");
      *
      * final String token = response.getAuthClientToken();
      * }
*
*
+ * @param provider Provider of JWT token.
 * @param role The gcp role used for authentication
 * @param jwt The JWT token for the role
 * @return The auth token, with additional response metadata
 * @throws VaultException If any error occurs, or unexpected response received from Vault
 */
 // TODO: Needs integration test coverage if possible
- public AuthResponse loginByGCP(final String role, final String jwt) throws VaultException {
+ public AuthResponse loginByJwt(final String provider, final String role, final String jwt) throws VaultException {
 int retryCount = 0;
 while (true) {
@@ -903,7 +904,7 @@ public AuthResponse loginByGCP(final String role, final String jwt) throws Vault
 // HTTP request to Vault
 final String requestJson = Json.object().add("role", role).add("jwt", jwt).toString();
 final RestResponse restResponse = new Rest()
- .url(config.getAddress() + "/v1/auth/gcp/login")
+ .url(config.getAddress() + "/v1/auth/" + provider + "/login")
 .optionalHeader("X-Vault-Namespace", this.nameSpace)
 .body(requestJson.getBytes(StandardCharsets.UTF_8))
 .connectTimeoutSeconds(config.getOpenTimeout())
@@ -941,6 +942,50 @@ public AuthResponse loginByGCP(final String role, final String jwt) throws Vault
 }
 }
+
+ /**
+ *
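Review bot: The Javadoc on the new `loginByJwt` signature is stale: `@param role The gcp role used for authentication` still describes the GCP-only method, and `@param provider Provider of JWT token.` does not say that the value becomes the auth-backend mount segment of the request path, which is what the next hunk of this file shows. Suggest `* @param provider Name of the auth backend mount the JWT is sent to; used verbatim as the path segment in /v1/auth/<provider>/login (e.g. "gcp" or "kubernetes")` and `* @param role The role used for authentication`. The summary sentence could also point to the `loginByGCP`/`loginByKubernetes` wrappers as the entry points for the default mounts. The body of loginByJwt continues in the following hunks and past them.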
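Review bot: `provider` is concatenated straight into the request path on the added `.url(config.getAddress() + "/v1/auth/" + provider + "/login")` line, and since `loginByJwt` is public nothing rejects an empty value or one carrying `?`, `#` or a `..` segment, so the role and JWT could be posted to a different endpoint on the same Vault server than the caller intended. A guard at the top of the method (in the previous hunk, before `int retryCount = 0;`) such as `if (provider == null || provider.isEmpty() || provider.contains("?") || provider.contains("#") || provider.contains("..")) {` `throw new IllegalArgumentException("provider must be a plain auth mount path: " + provider);` `}` keeps the wrappers working and makes misuse fail fast; I cannot tell from the hunk whether the project would rather surface this as a VaultException. I would not reject `/` itself, if nested mount paths are meant to be supported. The enclosing loginByJwt starts in the previous hunk and its retry loop continues past this one.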

Basic login operation to authenticate to an GCP backend. Example usage:

+ * + *
+ *
{@code
+     * final AuthResponse response = vault.auth().loginByGCP("dev", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...");
+     *
+     * final String token = response.getAuthClientToken();
+     * }
+ *
+ * + * @param role The gcp role used for authentication + * @param jwt The JWT token for the role + * @return The auth token, with additional response metadata + * @throws VaultException If any error occurs, or unexpected response received from Vault + */ + public AuthResponse loginByGCP(final String role, final String jwt) throws VaultException { + return loginByJwt("gcp", role, jwt); + } + + + /** + * Basic login operation to authenticate to an kubernetes backend. Example usage: + * + *
+ * + *
{@code
+     * final AuthResponse response =
+     *     vault.auth().loginByKubernetes("dev", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...");
+     *
+     * final String token = response.getAuthClientToken();
+     * }
+ *
+ * + * @param role The kubernetes role used for authentication + * @param jwt The JWT token for the role, typically read from /var/run/secrets/kubernetes.io/serviceaccount/token + * @return The auth token, with additional response metadata + * @throws VaultException If any error occurs, or unexpected response received from Vault + */ + private AuthResponse loginByKubernetes(final String role, final String jwt) throws VaultException { + return loginByJwt("kubernetes", role, jwt); + } + /** *

Basic login operation to authenticate using Vault's TLS Certificate auth backend. Example usage:

*
From 3ee0ce5979f2ddc2d99ff22eb4b33c0c31c88022 Mon Sep 17 00:00:00 2001
From: Magnus Runesson
Date: Sat, 11 May 2019 14:32:49 +0200
Subject: [PATCH 2/2] Fix scope issue.
---
 src/main/java/com/bettercloud/vault/api/Auth.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/bettercloud/vault/api/Auth.java b/src/main/java/com/bettercloud/vault/api/Auth.java
index abba01cc..b00a74b1 100644
--- a/src/main/java/com/bettercloud/vault/api/Auth.java
+++ b/src/main/java/com/bettercloud/vault/api/Auth.java
@@ -982,7 +982,7 @@ public AuthResponse loginByGCP(final String role, final String jwt) throws Vault
 * @return The auth token, with additional response metadata
 * @throws VaultException If any error occurs, or unexpected response received from Vault
 */
- private AuthResponse loginByKubernetes(final String role, final String jwt) throws VaultException {
+ public AuthResponse loginByKubernetes(final String role, final String jwt) throws VaultException {
 return loginByJwt("kubernetes", role, jwt);
 }
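Review bot: The Javadoc of the two new wrappers does not say that they are pinned to the default mount names `gcp` and `kubernetes` that they pass to `loginByJwt`, so a reader with a backend mounted under another path has no pointer to the generic method. Suggest adding to each summary `* Uses the default mount path; for a backend mounted elsewhere use {@link #loginByJwt(String, String, String)}.` The `@param jwt` line of `loginByKubernetes` could also state that the caller reads the service account token file itself, since the method only forwards the string it is given and never touches the file system. Minor wording: "an GCP backend" and "an kubernetes backend" should be "a GCP backend" and "a Kubernetes backend".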