Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Enabling hooks for Vault identity features #171

Merged
merged 1 commit into from
Feb 6, 2023
Merged

feat: Enabling hooks for Vault identity features #171

merged 1 commit into from
Feb 6, 2023

Conversation

bnevis-i
Copy link
Collaborator

@bnevis-i bnevis-i commented Dec 3, 2022
edited
Loading

This set of changes enables secret store tokens to be identity-based.
Instead of issuing anonymous Vault tokens with attached policy,
this commit adds additional methods to create Vault-based
identities and authenticate to these identities using
programmable auth methods. This is important step to "deprivilege"
Vault usage, as creating raw tokens requires "sudo" ability in Vault,
whereas identity auth is a user operation. Additionally,
vault-based identity can be attested (as a JWT) and verified.

Signed-off-by: Bryon Nevis [email protected]

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/go-mod-secrets/blob/main/.github/Contributing.md

PR Checklist

Please check if your PR fulfills the following requirements:

  • I am not introducing a breaking change (if you are, flag in conventional commit message with BREAKING CHANGE: describing the break)
  • I am not introducing a new dependency (add notes below if you are)
  • I have added unit tests for the new feature or bug fix (if not, why?)
  • I have fully tested (add details below) this the new feature or bug fix (if not, why?)
  • I have opened a PR for the related docs change (if not, why?)

Testing Instructions

New Dependency Instructions (If applicable)

@codecov-commenter
Copy link

Codecov Report

Merging #171 (11915e4) into main (158b1e7) will decrease coverage by 5.09%.
The diff coverage is 52.40%.

@@            Coverage Diff             @@
##             main     #171      +/-   ##
==========================================
- Coverage   77.42%   72.33%   -5.10%     
==========================================
  Files          18       18              
  Lines         988     1236     +248     
==========================================
+ Hits          765      894     +129     
- Misses        162      265     +103     
- Partials       61       77      +16
Impacted Files Coverage Δ
internal/pkg/vault/request.go 56.25% <ø> (-1.33%) ⬇️
internal/pkg/vault/management.go 70.28% <48.67%> (-25.40%) ⬇️
internal/pkg/vault/secrets.go 72.86% <63.93%> (-2.05%) ⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@bnevis-i bnevis-i marked this pull request as ready for review December 9, 2022 23:46
@bnevis-i bnevis-i added this to the Minnesota milestone Dec 10, 2022
jim-wang-intel
jim-wang-intel reviewed Dec 12, 2022
View reviewed changes
internal/pkg/vault/management.go Show resolved Hide resolved
internal/pkg/vault/management.go Outdated Show resolved Hide resolved
internal/pkg/vault/management.go Show resolved Hide resolved
jim-wang-intel
jim-wang-intel previously approved these changes Dec 16, 2022
View reviewed changes
Copy link
Contributor

@jim-wang-intel jim-wang-intel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bnevis-i
feat: Enabling hooks for Vault identity features
252a772 
This set of changes enables secret store tokens to be identity-based.
This change only add new methods to the secret store interfaces
and implementions and does not modify existing functionality.

Instead of issuing anonymous Vault tokens with attached policy.
This commit adds additional methods to create Vault-based
identities and authenticate to these identities using
programmable auth methods. This is important step to "deprivilege"
Vault usage, as creating raw tokens requires "sudo" ability in Vault,
whereas identity auth is a user operation. Additionally,
vault-based identity can be attested (as a JWT) and verified.

Signed-off-by: Bryon Nevis <[email protected]>
@bnevis-i
Copy link
Collaborator Author

bnevis-i commented Feb 2, 2023

@jim-wang-intel, @lenny-intel. This one ready for review and merge.

jim-wang-intel
jim-wang-intel approved these changes Feb 2, 2023
View reviewed changes
Copy link
Contributor

@jim-wang-intel jim-wang-intel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bnevis-i bnevis-i merged commit 53c30ee into edgexfoundry:main Feb 6, 2023
chr1shung
chr1shung reviewed Mar 7, 2023
View reviewed changes
internal/pkg/vault/management.go
}

for _, v := range response.Data.Keys {
if v == "keyName" {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be if v == keyName ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! Fixed in #192

@bnevis-i bnevis-i deleted the identity-methods branch March 7, 2023 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chr1shung chr1shung chr1shung left review comments

@jim-wang-intel jim-wang-intel jim-wang-intel approved these changes

@lenny-goodell lenny-goodell Awaiting requested review from lenny-goodell

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Minnesota
Development

Successfully merging this pull request may close these issues.
4 participants
@bnevis-i @codecov-commenter @chr1shung @jim-wang-intel