diff --git a/go.mod b/go.mod
index 4fbd01af569d..c33766ac6ee8 100644
--- a/go.mod
+++ b/go.mod
@@ -78,7 +78,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-jwt v0.6.2
 	github.com/hashicorp/vault-plugin-auth-kerberos v0.1.5
 	github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.1
-	github.com/hashicorp/vault-plugin-auth-oci v0.5.4
+	github.com/hashicorp/vault-plugin-auth-oci v0.5.5-0.20200616221217-ae6d56006639
 	github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4
 	github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.2-0.20200520204052-f840e9d4895c
 	github.com/hashicorp/vault-plugin-secrets-ad v0.6.6-0.20200520202259-fc6b89630f9f
diff --git a/go.sum b/go.sum
index 809d2ec3d16a..b7c59a06f347 100644
--- a/go.sum
+++ b/go.sum
@@ -408,18 +408,12 @@ github.com/hashicorp/vault-plugin-auth-kerberos v0.1.5 h1:knWedzZ51g8Aj6Hyi1ATlQ
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.5/go.mod h1:r4UqWITHYKmBeAMKPWqLo4V8bl/wNqoSIaQcMpeK9ss=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.1 h1:TpdQhHdZZN1Wo9RpJG33gUfuiVtajVcSF/hNpHWaatI=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.1/go.mod h1:/Y9W5aZULfPeNVRQK0/nrFGpHWyNm0J3UWhOdsAu0vM=
-github.com/hashicorp/vault-plugin-auth-oci v0.5.4 h1:Hoauxh1V8Lusf7BRs+yXfoDTFQzgykbb3OC77aReXDY=
-github.com/hashicorp/vault-plugin-auth-oci v0.5.4/go.mod h1:j05O2b9fw2Q82NxDPhHMYVfHKvitUYGWfmqmpBdqmmc=
+github.com/hashicorp/vault-plugin-auth-oci v0.5.5-0.20200616221217-ae6d56006639 h1:PcgBOeT/nWDlmJ6TiK9CICTiKydfZRSnIhGeyAAPUOY=
+github.com/hashicorp/vault-plugin-auth-oci v0.5.5-0.20200616221217-ae6d56006639/go.mod h1:j05O2b9fw2Q82NxDPhHMYVfHKvitUYGWfmqmpBdqmmc=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4 h1:YE4qndazWmYGpVOoZI7nDGG+gwTZKzL1Ou4WZQ+Tdxk=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4/go.mod h1:QjGrrxcRXv/4XkEZAlM0VMZEa3uxKAICFqDj27FP/48=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.1 h1:fA6cFH8lIPH2M4KNTEzf1bpc6Tbyy5ZvoYP8H/TI9ts=
-github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.1/go.mod h1:MP3kfr0N+7miOTZFwKv952b9VkXM4S2Q6YtQCiNKWq8=
 github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.2-0.20200520204052-f840e9d4895c h1:P9rZXBJx+UHu/T8lK8NEtS2PGeSnyZ31zeOtkvGo4yo=
 github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.2-0.20200520204052-f840e9d4895c/go.mod h1:MP3kfr0N+7miOTZFwKv952b9VkXM4S2Q6YtQCiNKWq8=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.4-beta1.0.20200518124111-3dceeb3ce90e h1:0GK1BNBfglD2sydZ4XXMjJElhY8bC2TDdc0vk1Q9zbA=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.4-beta1.0.20200518124111-3dceeb3ce90e/go.mod h1:SCsKcChP8yrtOHXOeTD7oRk0oflj3IxA9y9zTOGtQ8s=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.5 h1:wrHzXSD6qmKvkuHaQn+BNj89+HGhMNchxAckGnd7YTc=
-github.com/hashicorp/vault-plugin-secrets-ad v0.6.5/go.mod h1:kk98nB+cwDbt3I7UGQq3ota7+eHZrGSTQZfSRGpluvA=
 github.com/hashicorp/vault-plugin-secrets-ad v0.6.6-0.20200520202259-fc6b89630f9f h1:2pbH2I37C40+VvC5YkQONEwcqqFLNzsoFxJPiWaZZHE=
 github.com/hashicorp/vault-plugin-secrets-ad v0.6.6-0.20200520202259-fc6b89630f9f/go.mod h1:kk98nB+cwDbt3I7UGQq3ota7+eHZrGSTQZfSRGpluvA=
 github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.5 h1:BOOtSls+BQ1EtPmpE9LoqZztsEZ1fRWVSkHWtRIrCB4=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-oci/cli.go b/vendor/github.com/hashicorp/vault-plugin-auth-oci/cli.go
index 8f3b4ffccd37..0966d668228c 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-oci/cli.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-oci/cli.go
@@ -50,13 +50,19 @@ Configuration:
 }
 
 func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
+	mount, ok := m["mount"]
+	if !ok {
+		mount = "oci"
+	}
+	mount = strings.TrimSuffix(mount, "/")
+
 	role, ok := m["role"]
 	if !ok {
 		return nil, fmt.Errorf("Enter the role")
 	}
 	role = strings.ToLower(role)
 
-	path := fmt.Sprintf(PathBaseFormat, role)
+	path := fmt.Sprintf(PathBaseFormat, mount, role)
 	signingPath := PathVersionBase + path
 
 	loginData, err := CreateLoginData(c.Address(), m, signingPath)
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-oci/path_login.go b/vendor/github.com/hashicorp/vault-plugin-auth-oci/path_login.go
index 6484f137f711..85e1f078aae0 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-oci/path_login.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-oci/path_login.go
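Review bot: The user-supplied `mount` goes into the signed (request-target) path with only a trailing slash trimmed, so a leading slash (`-mount=/oci`) or a value that is present but empty (which passes the `!ok` test) yields a path with empty segments that the server can only answer with the generic "incorrect (request-target)" error. Normalising on content rather than on key presence keeps the default useful: `mount := strings.Trim(m["mount"], "/")` followed by `if mount == "" { mount = "oci" }`. The mount is now part of what gets signed but, per the path_login.go change in this same commit, it is the one path segment the server does not validate, so a wrong value here surfaces only indirectly. Auth's body continues past the end of the hunk.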
@@ -4,21 +4,25 @@ package ociauth
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"strings"
+	"unicode"
+
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/oracle/oci-go-sdk/common"
 	"github.com/pkg/errors"
-	"net/http"
-	"strings"
-	"unicode"
 )
 
 // These constants store the required http path & method information for validating the signed request
 const (
-	PathVersionBase = "/v1"
-	PathBaseFormat = "/auth/oci/login/%s"
-	PathLoginMethod = "get"
+	PathVersionBase = "/v1"
+	PathBaseFormat = "/auth/%s/login/%s"
+	PathLoginMethod = "get"
+	PathSegmentAuth = "auth"
+	PathSegmentLogin = "login"
+	PathSegmentVersion = "v1"
 )
 
 // Signing Header constants
@@ -78,8 +82,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 	authenticateRequestHeaders := requestHeaders.(http.Header)
 
 	// Find the targetUrl and Method
-	finalLoginPath := PathVersionBase + fmt.Sprintf(PathBaseFormat, roleName)
-	method, targetUrl, err := requestTargetToMethodURL(authenticateRequestHeaders[HdrRequestTarget], PathLoginMethod, finalLoginPath)
+	method, targetUrl, err := requestTargetToMethodURL(authenticateRequestHeaders[HdrRequestTarget], roleName)
 	if err != nil {
 		return unauthorizedLogicalResponse(req, b.Logger(), err)
 	}
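Review bot: `PathBaseFormat` now carries two positional `%s` verbs but nothing in the const block says which one is the mount and which the role, and `PathVersionBase` ("/v1") and the new `PathSegmentVersion` ("v1") encode the same value independently, so they can silently drift apart. I would derive one from the other, `PathVersionBase = "/" + PathSegmentVersion`, and put `// PathBaseFormat is filled with the mount path followed by the role name.` above the format constant, since cli.go in this commit relies on that order. The import regrouping in the same hunk needs no change.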
@@ -213,14 +216,31 @@ func unauthorizedLogicalResponse(req *logical.Request, logger log.Logger, err er
 	return logical.RespondWithStatusCode(nil, req, http.StatusUnauthorized)
 }
 
-func requestTargetToMethodURL(requestTarget []string, expectedMethod string, expectedUrl string) (method string, url string, err error) {
+func requestTargetToMethodURL(requestTarget []string, roleName string) (method string, url string, err error) {
 	if len(requestTarget) == 0 {
 		return "", "", errors.New("no (request-target) specified in header")
 	}
 
+	errHeader := errors.New("incorrect (request-target) specified in header")
+
+	// Ensure both the request method and URL path are present in the (request-target) header
 	parts := strings.FieldsFunc(requestTarget[0], unicode.IsSpace)
-	if len(parts) != 2 || strings.ToLower(parts[0]) != expectedMethod || strings.ToLower(parts[1]) != expectedUrl {
-		return "", "", errors.New("incorrect (request-target) specified in header")
+	if len(parts) != 2 {
+		return "", "", errHeader
+	}
+
+	// Validate the request method
+	if strings.ToLower(parts[0]) != PathLoginMethod {
+		return "", "", errHeader
 	}
+
+	// Validate the URL path by inspecting its segments.
+	// The path mount segment of the URL is not validated.
+	segments := strings.Split(strings.TrimPrefix(parts[1], "/"), "/")
+	if len(segments) < 5 || segments[0] != PathSegmentVersion || segments[1] != PathSegmentAuth ||
+		segments[len(segments)-2] != PathSegmentLogin || segments[len(segments)-1] != roleName {
+		return "", "", errHeader
+	}
+
 	return parts[0], parts[1], nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 702d326764a0..04fe651c75f9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
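Review bot: The mount segment(s) between `auth` and `login` are accepted without any check, so a (request-target) signed for a login on one mount of this plugin now also verifies at every other mount as long as the role name matches, where the replaced code pinned the target to `/auth/oci/...`; empty segments such as `/v1/auth//login/role` pass as well. If the backend can learn where it is mounted (Vault hands backends the request's mount point), compare the middle segments against it, and otherwise extend the comment to state explicitly that a signed target is accepted across mounts by design so that operators can weigh that. Separately, the old check lowercased the whole path before comparing while the new one compares `v1`/`auth`/`login` and `roleName` case-sensitively; the CLI lowercases the role, but whether roleName is normalised the same way before reaching this function is not visible here, so confirm the stricter match is intended.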
@@ -401,7 +401,7 @@ github.com/hashicorp/vault-plugin-auth-jwt
 github.com/hashicorp/vault-plugin-auth-kerberos
 # github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.1
 github.com/hashicorp/vault-plugin-auth-kubernetes
-# github.com/hashicorp/vault-plugin-auth-oci v0.5.4
+# github.com/hashicorp/vault-plugin-auth-oci v0.5.5-0.20200616221217-ae6d56006639
 github.com/hashicorp/vault-plugin-auth-oci
 # github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4
 github.com/hashicorp/vault-plugin-database-elasticsearch