Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow mTLS for mysql secrets engine #9181

Merged
merged 10 commits into from
Jun 17, 2020
Merged

Allow mTLS for mysql secrets engine #9181

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
06c98a9
Extract certificate helpers for use in non-mongodb packages
Jun 2, 2020
ddc2f7d
Created mTLS/X509 test for MySQL secrets engine.
Jun 9, 2020
f1202b3
Ensure mysql username and passwords aren't url encoded
Jun 10, 2020
702e4ed
Remove now unused dependencies from mongo plugin tests.
Jun 10, 2020
6aa1095
Fixing of many nits
Jun 15, 2020
0789c9c
Skip mTLS test for circleCI
Jun 15, 2020
75acb94
Continuing nit cleanup
Jun 15, 2020
5acc198
Fixing more nits, pulled DSN construction into func
Jun 16, 2020
1ca7aea
Fix failing test due to renaming certhelps.Dns -> DNS
Jun 16, 2020
a862d6f
Final pass for this PR? Time will tell
Jun 17, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
244 changes: 244 additions & 0 deletions helper/testhelpers/certhelpers/cert_helpers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,244 @@
package certhelpers

import (
"bytes"
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/sha1"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"strings"
"testing"
"time"
)

type CertBuilder struct {
tmpl *x509.Certificate
parentTmpl *x509.Certificate

selfSign bool
parentKey *rsa.PrivateKey

isCA bool
}

type CertOpt func(*CertBuilder) error
catsby marked this conversation as resolved.
Show resolved Hide resolved

func CommonName(cn string) CertOpt {
return func(builder *CertBuilder) error {
builder.tmpl.Subject.CommonName = cn
return nil
}
}

func Parent(parent Certificate) CertOpt {
return func(builder *CertBuilder) error {
builder.parentKey = parent.PrivKey.PrivKey
builder.parentTmpl = parent.Template
return nil
}
}

func IsCA(isCA bool) CertOpt {
return func(builder *CertBuilder) error {
builder.isCA = isCA
return nil
}
}

func SelfSign() CertOpt {
return func(builder *CertBuilder) error {
builder.selfSign = true
return nil
}
}

func IP(ip ...string) CertOpt {
return func(builder *CertBuilder) error {
for _, addr := range ip {
if ipAddr := net.ParseIP(addr); ipAddr != nil {
builder.tmpl.IPAddresses = append(builder.tmpl.IPAddresses, ipAddr)
}
}
return nil
}
}

func DNS(dns ...string) CertOpt {
return func(builder *CertBuilder) error {
builder.tmpl.DNSNames = dns
return nil
}
}

func NewCert(t *testing.T, opts ...CertOpt) (cert Certificate) {
t.Helper()

builder := CertBuilder{
tmpl: &x509.Certificate{
SerialNumber: makeSerial(t),
Subject: pkix.Name{
CommonName: makeCommonName(),
},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(1 * time.Hour),
IsCA: false,
KeyUsage: x509.KeyUsageDigitalSignature |
x509.KeyUsageKeyEncipherment |
x509.KeyUsageKeyAgreement,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
},
}

for _, opt := range opts {
err := opt(&builder)
if err != nil {
Copy link
Contributor

@catsby catsby Jun 12, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Style nit: If we're only evaluating a local variable, it's common to see these statements on one line like so:

if err := opt(&builder); err != nil {
  // reference err here
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting style, noted. Used elsewhere, unsure if I changed this one.

t.Fatalf("Failed to set up certificate builder: %s", err)
}
}

key := NewPrivateKey(t)

builder.tmpl.SubjectKeyId = getSubjKeyID(t, key.PrivKey)

tmpl := builder.tmpl
parent := builder.parentTmpl
publicKey := key.PrivKey.Public()
signingKey := builder.parentKey

if builder.selfSign {
parent = tmpl
signingKey = key.PrivKey
}

if builder.isCA {
tmpl.IsCA = true
tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
tmpl.ExtKeyUsage = nil
} else {
tmpl.KeyUsage = x509.KeyUsageDigitalSignature |
x509.KeyUsageKeyEncipherment |
x509.KeyUsageKeyAgreement
tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
}

certBytes, err := x509.CreateCertificate(rand.Reader, tmpl, parent, publicKey, signingKey)
if err != nil {
t.Fatalf("Unable to generate certificate: %s", err)
}
certPem := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})

tlsCert, err := tls.X509KeyPair(certPem, key.Pem)
if err != nil {
t.Fatalf("Unable to parse X509 key pair: %s", err)
}

return Certificate{
Template: tmpl,
PrivKey: key,
TLSCert: tlsCert,
RawCert: certBytes,
Pem: certPem,
IsCA: builder.isCA,
}
}

// ////////////////////////////////////////////////////////////////////////////
// Private Key
// ////////////////////////////////////////////////////////////////////////////
type KeyWrapper struct {
PrivKey *rsa.PrivateKey
Pem []byte
}

func NewPrivateKey(t *testing.T) (key KeyWrapper) {
t.Helper()

privKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("Unable to generate key for cert: %s", err)
}

privKeyPem := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(privKey),
},
)

key = KeyWrapper{
PrivKey: privKey,
Pem: privKeyPem,
}

return key
}

// ////////////////////////////////////////////////////////////////////////////
// Certificate
// ////////////////////////////////////////////////////////////////////////////
type Certificate struct {
PrivKey KeyWrapper
Template *x509.Certificate
TLSCert tls.Certificate
RawCert []byte
Pem []byte
IsCA bool
}

func (cert Certificate) CombinedPEM() []byte {
if cert.IsCA {
return cert.Pem
}
return bytes.Join([][]byte{cert.PrivKey.Pem, cert.Pem}, []byte{'\n'})
}

func (cert Certificate) PrivateKeyPEM() []byte {
return cert.PrivKey.Pem
}

// ////////////////////////////////////////////////////////////////////////////
// Helpers
// ////////////////////////////////////////////////////////////////////////////
func makeSerial(t *testing.T) *big.Int {
t.Helper()

v := &big.Int{}
serialNumberLimit := v.Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
t.Fatalf("Unable to generate serial number: %s", err)
}
return serialNumber
}

// Pulled from sdk/helper/certutil & slightly modified for test usage
func getSubjKeyID(t *testing.T, privateKey crypto.Signer) []byte {
t.Helper()

if privateKey == nil {
t.Fatalf("passed-in private key is nil")
}

marshaledKey, err := x509.MarshalPKIXPublicKey(privateKey.Public())
if err != nil {
t.Fatalf("error marshalling public key: %s", err)
}

subjKeyID := sha1.Sum(marshaledKey)

return subjKeyID[:]
}

func makeCommonName() (cn string) {
return strings.ReplaceAll(time.Now().Format("20060102T150405.000"), ".", "")
}
14 changes: 0 additions & 14 deletions plugins/database/mongodb/cert_helpers_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,7 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"math/big"
"os"
"strings"
"testing"
"time"
Expand Down Expand Up @@ -192,18 +190,6 @@ func (cert certificate) CombinedPEM() []byte {
return bytes.Join([][]byte{cert.privKey.pem, cert.pem}, []byte{'\n'})
}

// ////////////////////////////////////////////////////////////////////////////
// Writing to file
// ////////////////////////////////////////////////////////////////////////////
func writeFile(t *testing.T, filename string, data []byte, perms os.FileMode) {
t.Helper()

err := ioutil.WriteFile(filename, data, perms)
if err != nil {
t.Fatalf("Unable to write to file [%s]: %s", filename, err)
}
}

// ////////////////////////////////////////////////////////////////////////////
// Helpers
// ////////////////////////////////////////////////////////////////////////////
Expand Down
46 changes: 30 additions & 16 deletions plugins/database/mongodb/connection_producer_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (
"testing"
"time"

"github.com/hashicorp/vault/helper/testhelpers/certhelpers"
"github.com/hashicorp/vault/helper/testhelpers/mongodb"
"github.com/ory/dockertest"
"go.mongodb.org/mongo-driver/mongo"
Expand All @@ -30,20 +31,20 @@ func TestInit_clientTLS(t *testing.T) {
defer os.RemoveAll(confDir)

// Create certificates for Mongo authentication
caCert := newCert(t,
commonName("test certificate authority"),
isCA(true),
selfSign(),
caCert := certhelpers.NewCert(t,
certhelpers.CommonName("test certificate authority"),
certhelpers.IsCA(true),
certhelpers.SelfSign(),
)
serverCert := newCert(t,
commonName("server"),
dns("localhost"),
parent(caCert),
serverCert := certhelpers.NewCert(t,
certhelpers.CommonName("server"),
certhelpers.Dns("localhost"),
certhelpers.Parent(caCert),
)
clientCert := newCert(t,
commonName("client"),
dns("client"),
parent(caCert),
clientCert := certhelpers.NewCert(t,
certhelpers.CommonName("client"),
certhelpers.Dns("client"),
certhelpers.Parent(caCert),
)

writeFile(t, paths.Join(confDir, "ca.pem"), caCert.CombinedPEM(), 0644)
Expand Down Expand Up @@ -81,7 +82,7 @@ net:
"connection_url": retURL,
"allowed_roles": "*",
"tls_certificate_key": clientCert.CombinedPEM(),
"tls_ca": caCert.pem,
"tls_ca": caCert.Pem,
}

ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
Expand Down Expand Up @@ -111,7 +112,7 @@ net:
AuthInfo: authInfo{
AuthenticatedUsers: []user{
{
User: fmt.Sprintf("CN=%s", clientCert.template.Subject.CommonName),
User: fmt.Sprintf("CN=%s", clientCert.Template.Subject.CommonName),
DB: "$external",
},
},
Expand Down Expand Up @@ -249,11 +250,11 @@ func connect(t *testing.T, uri string) (client *mongo.Client) {
return client
}

func setUpX509User(t *testing.T, client *mongo.Client, cert certificate) {
func setUpX509User(t *testing.T, client *mongo.Client, cert certhelpers.Certificate) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()

username := fmt.Sprintf("CN=%s", cert.template.Subject.CommonName)
username := fmt.Sprintf("CN=%s", cert.Template.Subject.CommonName)

cmd := &createUserCommand{
Username: username,
Expand Down Expand Up @@ -301,3 +302,16 @@ type roles []role
func (r roles) Len() int { return len(r) }
func (r roles) Less(i, j int) bool { return r[i].Role < r[j].Role }
func (r roles) Swap(i, j int) { r[i], r[j] = r[j], r[i] }

// ////////////////////////////////////////////////////////////////////////////
// Writing to file
// ////////////////////////////////////////////////////////////////////////////
func writeFile(t *testing.T, filename string, data []byte, perms os.FileMode) {
t.Helper()

err := ioutil.WriteFile(filename, data, perms)
if err != nil {
t.Fatalf("Unable to write to file [%s]: %s", filename, err)
}
}

Loading