Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update AWS auth method certificates #15719

Merged
merged 2 commits into from
Jun 1, 2022
Merged

Update AWS auth method certificates #15719

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8c4454c
Update AWS auth method certificates
May 31, 2022
fcb10a2
Address PR feedack, add changelog
Jun 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions api/auth/aws/aws.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ type AWSAuth struct {
mountPath string
// Can be "iam" or "ec2". Defaults to "iam".
authType string
// Can be "pkcs7" or "identity". Defaults to "pkcs7".
// Can be "pkcs7", "identity", or "rsa2048". Defaults to "pkcs7".
signatureType string
region string
iamServerIDHeaderValue string
Expand All @@ -42,6 +42,7 @@ const (
ec2Type = "ec2"
pkcs7Type = "pkcs7"
identityType = "identity"
rsa2048Type = "rsa2048"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: can add this type to the comment on AWSAuth.signatureType

defaultMountPath = "aws"
defaultAuthType = iamType
defaultRegion = "us-east-1"
Expand Down Expand Up @@ -108,7 +109,7 @@ func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e
}
pkcs7 := strings.TrimSpace(resp)
loginData["pkcs7"] = pkcs7
} else {
} else if a.signatureType == identityType {
austingebauer marked this conversation as resolved.
Show resolved Hide resolved
// fetch signature from identity document
doc, err := metadataSvc.GetDynamicData("/instance-identity/document")
if err != nil {
Expand All @@ -121,6 +122,16 @@ func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e
return nil, fmt.Errorf("error requesting signature: %w", err)
}
loginData["signature"] = signature
} else if a.signatureType == rsa2048Type {
// fetch RSA 2048 signature, which is also a PKCS#7 signature
resp, err := metadataSvc.GetDynamicData("/instance-identity/rsa2048")
if err != nil {
return nil, fmt.Errorf("unable to get PKCS 7 data from metadata service: %w", err)
}
pkcs7 := strings.TrimSpace(resp)
loginData["pkcs7"] = pkcs7
} else {
return nil, fmt.Errorf("unknown signature type: %s", a.signatureType)
}

// Add the reauthentication value, if we have one
Expand Down
39 changes: 38 additions & 1 deletion builtin/credential/aws/backend_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1023,6 +1023,7 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) {

/* This is an acceptance test.
Requires the following env vars:
TEST_AWS_EC2_RSA2048
TEST_AWS_EC2_PKCS7
TEST_AWS_EC2_IDENTITY_DOCUMENT
TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG
Expand All @@ -1032,6 +1033,7 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) {

If this is being run on an EC2 instance, you can set the environment vars using this bash snippet:

export TEST_AWS_EC2_RSA2048=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/rsa2048)
export TEST_AWS_EC2_PKCS7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7)
export TEST_AWS_EC2_IDENTITY_DOCUMENT=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0)
export TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n')
Expand All @@ -1054,6 +1056,11 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndAccessListIdentity(t *testing
return
}

rsa2048 := os.Getenv("TEST_AWS_EC2_RSA2048")
if rsa2048 == "" {
t.Skipf("env var TEST_AWS_EC2_RSA2048 not set, skipping test")
}

pkcs7 := os.Getenv("TEST_AWS_EC2_PKCS7")
if pkcs7 == "" {
t.Skipf("env var TEST_AWS_EC2_PKCS7 not set, skipping test")
Expand Down Expand Up @@ -1290,7 +1297,7 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndAccessListIdentity(t *testing
t.Fatalf("login attempt should have failed due to client nonce mismatch")
}

// Check if a access list identity entry is created after the login.
// Check if an access list identity entry is created after the login.
wlRequest := &logical.Request{
Operation: logical.ReadOperation,
Path: path + instanceID,
Expand Down Expand Up @@ -1329,6 +1336,36 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndAccessListIdentity(t *testing
if !ok {
t.Fatalf("expected nonce to be returned")
}

// Attempt to re-login with the rsa2048 signature as a pkcs7 signature
wlRequest.Operation = logical.DeleteOperation
resp, err = b.HandleRequest(context.Background(), wlRequest)
if err != nil {
t.Fatal(err)
}
if resp.IsError() {
t.Fatalf("failed to delete access list identity")
}
delete(loginInput, "identity")
delete(loginInput, "signature")
loginInput["pkcs7"] = rsa2048

resp, err = b.HandleRequest(context.Background(), loginRequest)
if err != nil {
t.Fatal(err)
}
if resp == nil || resp.Auth == nil || resp.IsError() {
t.Fatalf("bad: failed to login: resp:%#v\nerr:%v", resp, err)
}

// verify the presence of instance_id in the response object.
instanceID = resp.Auth.Metadata["instance_id"]
if instanceID == "" {
t.Fatalf("instance ID not present in the response object")
}
if instanceID != parsedIdentityDoc.InstanceID {
t.Fatalf("instance ID in response (%q) did not match instance ID from identity document (%q)", instanceID, parsedIdentityDoc.InstanceID)
}
}
}

Expand Down
Loading