Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add IAM EC2 auth #161

Merged
merged 21 commits into from
Feb 27, 2018
Merged

Add IAM EC2 auth #161

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
4432283
Add IAM EC2 auth
maschwenk Dec 13, 2017
b70de61
Service needs to be STS. Provide session token from credentials API
maschwenk Dec 20, 2017
78c05e9
Make Vault header optional
maschwenk Dec 20, 2017
60f70e2
Split ECS/EC2 into seperate public methods delegating to single priva…
maschwenk Dec 21, 2017
7602166
Provide a CrendentialsProvider and region instead of complex metadata…
maschwenk Jan 4, 2018
75fd1b0
Fix header name
maschwenk Jan 6, 2018
cc1365b
Replace hard-coded region with STS endpoint from which region is deri…
maschwenk Jan 8, 2018
128fdef
Remove canary header
maschwenk Jan 9, 2018
e598ffc
Add note about Beijing STS endpoint
maschwenk Jan 9, 2018
98ddc19
Reorder params to have least likely to be overriden as the last
maschwenk Jan 9, 2018
11a5cde
Correct wrong var name
maschwenk Jan 9, 2018
6217a9f
Add a mocked out integration test
maschwenk Jan 9, 2018
370d7e0
Adjust documentation of header value
maschwenk Jan 10, 2018
d23372a
Escape the period because it's actually part of the url
maschwenk Jan 10, 2018
d8357d4
Split region method into seperate method so it can be easily unit tested
maschwenk Jan 10, 2018
1321c11
Formal doc
maschwenk Jan 18, 2018
1a57422
Add canary header to integration test
maschwenk Jan 18, 2018
9f4ff2f
Unit test for url parsing
maschwenk Jan 18, 2018
ca17bac
Fix documentation
maschwenk Feb 4, 2018
43e211d
Properly test iam header check
maschwenk Feb 4, 2018
63a54f7
Fix documentation method name
maschwenk Feb 8, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 18 additions & 8 deletions lib/vault/api/auth.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,20 +197,14 @@ def aws_ec2(role, pkcs7, nonce = nil)
# @param [CredentialProvider] credentials_provider
# https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CredentialProvider.html
# @param [String] iam_auth_header_value optional
# As of Jan 2018, Vault will accept ANY or NO header, but this is subject to change and should not be relied upon
# As of Jan 2018, Vault will accept ANY or NO header if none is configured by the Vault server admin
# @param [String] sts_endpoint optional
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
# @return [Secret]
def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com')
require "aws-sigv4"
require "base64"

# STS in the China (Beijing) region (cn-north-1) is sts.cn-north-1.amazonaws.com.cn
# Take care changing below regex with that edge case in mind
valid_sts_endpoint = %r{https:\/\/sts.?(.*).amazonaws.com}.match(sts_endpoint)
raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint
region = valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1]

request_body = 'Action=GetCallerIdentity&Version=2011-06-15'
request_method = 'POST'

Expand All @@ -223,7 +217,7 @@ def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoin

sig4_headers = Aws::Sigv4::Signer.new(
service: 'sts',
region: region,
region: region_from_sts_endpoint(sts_endpoint),
credentials_provider: credentials_provider
).sign_request(
http_method: request_method,
Expand Down Expand Up @@ -275,5 +269,21 @@ def tls(pem = nil, path = 'cert')
client.token = secret.auth.client_token
return secret
end

private

# Parse an AWS region from a STS endpoint
# STS in the China (Beijing) region (cn-north-1) is sts.cn-north-1.amazonaws.com.cn
# Take care changing below regex with that edge case in mind
#
# @param [String] sts_endpoint
# The raw pem contents to use for the login procedure.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like something left over from copy/pasting?

#
# @return [String] aws region
def region_from_sts_endpoint(sts_endpoint)
valid_sts_endpoint = %r{https:\/\/sts\.?(.*).amazonaws.com}.match(sts_endpoint)
raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint
valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1]
end
end
end
3 changes: 2 additions & 1 deletion spec/integration/api/auth_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,7 @@ module Vault
describe "#aws_iam" do
before(:context) do
vault_test_client.sys.enable_auth("aws", "aws", nil)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be good to also configure the header value here and then insert it, just to ensure it gets processed properly.

vault_test_client.sys.put_auth_tune("aws", "iam_server_id_header_value" => "iam_header_canary")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the .sys.put_auth_tune here isn't right. The configuration of the header value is done via the auth/aws/config/client API endpoint, not via a mount-tune call.

end

after(:context) do
Expand Down Expand Up @@ -243,7 +244,7 @@ module Vault
service: 'sts', region: 'cn-north-1', credentials_provider: credentials_provider
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this expectation could obviate the need for the comment in e598ffc

).and_call_original
)
subject.auth.aws_iam('yabba', credentials_provider, 'canary_header', 'https://sts.cn-north-1.amazonaws.com.cn')
subject.auth.aws_iam('yabba', credentials_provider, 'iam_header_canary', 'https://sts.cn-north-1.amazonaws.com.cn')
end
end
end
Expand Down
30 changes: 30 additions & 0 deletions spec/unit/auth_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
require "spec_helper"

module Vault
describe Authenticate do
let(:auth) { Authenticate.new(client: nil) }
describe "#region_from_sts_endpoint" do
subject { auth.send(:region_from_sts_endpoint, sts_endpoint) }

context 'with a china endpoint' do
let(:sts_endpoint) { "https://sts.cn-north-1.amazonaws.com.cn" }
it { is_expected.to eq 'cn-north-1' }
end

context 'with a GovCloud endpoint' do
let(:sts_endpoint) { "https://sts.us-gov-west-1.amazonaws.com" }
it { is_expected.to eq 'us-gov-west-1' }
end

context 'with no regional endpoint' do
let(:sts_endpoint) { "https://sts.amazonaws.com" }
it { is_expected.to eq 'us-east-1' }
end

context 'with a malformed url' do
let(:sts_endpoint) { "https:sts.amazonaws.com" }
it { expect { subject }.to raise_exception(StandardError, "Unable to parse STS endpoint https:sts.amazonaws.com") }
end
end
end
end