mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-06-27 10:40:22 -07:00
Add support for HashiCorp Vault JWT auth (#1213)
* Add support for Hashicorp Vault JWT auth * Add support for HashiCorp Vault JWT auth (continued) Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com> Co-authored-by: Mike Brancato <mike@mikebrancato.com> Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
This commit is contained in:
Erik Godding Boye
GitHub
parent
33b8d1c57e
commit
64c6f20b55
11 changed files with 161 additions and 18 deletions
|
|
@ -0,0 +1,27 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEogIBAAKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWw
|
||||
kWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mr
|
||||
m/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEi
|
||||
NQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV
|
||||
3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2
|
||||
QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQABAoIBACiARq2wkltjtcjs
|
||||
kFvZ7w1JAORHbEufEO1Eu27zOIlqbgyAcAl7q+/1bip4Z/x1IVES84/yTaM8p0go
|
||||
amMhvgry/mS8vNi1BN2SAZEnb/7xSxbflb70bX9RHLJqKnp5GZe2jexw+wyXlwaM
|
||||
+bclUCrh9e1ltH7IvUrRrQnFJfh+is1fRon9Co9Li0GwoN0x0byrrngU8Ak3Y6D9
|
||||
D8GjQA4Elm94ST3izJv8iCOLSDBmzsPsXfcCUZfmTfZ5DbUDMbMxRnSo3nQeoKGC
|
||||
0Lj9FkWcfmLcpGlSXTO+Ww1L7EGq+PT3NtRae1FZPwjddQ1/4V905kyQFLamAA5Y
|
||||
lSpE2wkCgYEAy1OPLQcZt4NQnQzPz2SBJqQN2P5u3vXl+zNVKP8w4eBv0vWuJJF+
|
||||
hkGNnSxXQrTkvDOIUddSKOzHHgSg4nY6K02ecyT0PPm/UZvtRpWrnBjcEVtHEJNp
|
||||
bU9pLD5iZ0J9sbzPU/LxPmuAP2Bs8JmTn6aFRspFrP7W0s1Nmk2jsm0CgYEAyH0X
|
||||
+jpoqxj4efZfkUrg5GbSEhf+dZglf0tTOA5bVg8IYwtmNk/pniLG/zI7c+GlTc9B
|
||||
BwfMr59EzBq/eFMI7+LgXaVUsM/sS4Ry+yeK6SJx/otIMWtDfqxsLD8CPMCRvecC
|
||||
2Pip4uSgrl0MOebl9XKp57GoaUWRWRHqwV4Y6h8CgYAZhI4mh4qZtnhKjY4TKDjx
|
||||
QYufXSdLAi9v3FxmvchDwOgn4L+PRVdMwDNms2bsL0m5uPn104EzM6w1vzz1zwKz
|
||||
5pTpPI0OjgWN13Tq8+PKvm/4Ga2MjgOgPWQkslulO/oMcXbPwWC3hcRdr9tcQtn9
|
||||
Imf9n2spL/6EDFId+Hp/7QKBgAqlWdiXsWckdE1Fn91/NGHsc8syKvjjk1onDcw0
|
||||
NvVi5vcba9oGdElJX3e9mxqUKMrw7msJJv1MX8LWyMQC5L6YNYHDfbPF1q5L4i8j
|
||||
8mRex97UVokJQRRA452V2vCO6S5ETgpnad36de3MUxHgCOX3qL382Qx9/THVmbma
|
||||
3YfRAoGAUxL/Eu5yvMK8SAt/dJK6FedngcM3JEFNplmtLYVLWhkIlNRGDwkg3I5K
|
||||
y18Ae9n7dHVueyslrb6weq7dTkYDi3iOYRW8HRkIQh06wEdbxt0shTzAJvvCQfrB
|
||||
jg/3747WSsf/zBTcHihTRBdAv6OmdhV4/dD5YBfLAkLrd+mX7iE=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv
|
||||
vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc
|
||||
aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy
|
||||
tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0
|
||||
e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb
|
||||
V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9
|
||||
MwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
|
|
@ -0,0 +1 @@
|
|||
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0Iiwic3ViIjoiaGFzaGlfdmF1bHRAdGVzdC5hbnNpYmxlLmNvbSIsIm5iZiI6MTYwNDgzNTEwMCwiZXhwIjozMjQ5OTA1MTM1OX0.NEWQR_Eicw8Fa9gU9HPY2M9Rp1czNTUKrICwKe7l1edaZNtgxhMGdyqnBsPrHL_dw1ZIwdvwVAioi8bEyIDEWICls0lzHwM169rrea3WEFrB5CP17A6DkvYL0cnOnGutbwUrXInPCRUfvRogIKEI-w8X-ris9LX2FBPKhXX1K3U0D8uYi5_9t8YWywTe0NkYvY-nTzMugK1MXMoBJ3fCksweJiDp6BOo3v9OU03MLgwgri2UdsqVb7WSk4XvWG-lmbiiSAWVf9BI3mecVDUHpYxbEqjv1HDG_wdX8zy1ZlAFbjp3kIpMlDVK1Q5nu_VPDzQrEvPdTnOzU36LE4UF-w
|
||||
|
|
@ -0,0 +1 @@
|
|||
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIxMjM0IiwidXNlcl9jbGFpbSI6InVzZXJfY2xhaW0iLCJuYmYiOjE2MDQ4MzUxMDAsImV4cCI6MzI0OTkwNTEzNTl9.etc2WSH7kR3fHFlVt4wlBYFKNn7Z4DQcRVXUK4gGF-Q
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
- name: 'Create an approle policy'
|
||||
shell: "echo '{{ policy }}' | {{ vault_cmd }} policy write approle-policy -"
|
||||
vars:
|
||||
policy: |
|
||||
command:
|
||||
cmd: '{{ vault_cmd }} policy write approle-policy -'
|
||||
stdin: |
|
||||
path "auth/approle/login" {
|
||||
capabilities = [ "create", "read" ]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,18 @@
|
|||
- name: 'Enable the JWT auth method'
|
||||
command: '{{ vault_cmd }} auth enable jwt'
|
||||
|
||||
- name: 'Configure the JWT auth method'
|
||||
command: '{{ vault_cmd }} write auth/jwt/config jwt_validation_pubkeys={{ jwt_public_key | quote }}'
|
||||
vars:
|
||||
jwt_public_key: '{{ lookup("file", "jwt_public.pem") }}'
|
||||
|
||||
- name: 'Create a named role'
|
||||
command:
|
||||
cmd: '{{ vault_cmd }} write auth/jwt/role/test-role -'
|
||||
stdin: |
|
||||
{
|
||||
"role_type": "jwt",
|
||||
"policies": "test-policy",
|
||||
"user_claim": "sub",
|
||||
"bound_audiences": "test"
|
||||
}
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
- vars:
|
||||
role_id: test-role
|
||||
jwt: '{{ lookup("file", "token.jwt") }}'
|
||||
jwt_invalid: '{{ lookup("file", "token_invalid.jwt") }}'
|
||||
block:
|
||||
- name: 'Fetch secrets using "hashi_vault" lookup'
|
||||
set_fact:
|
||||
secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
|
||||
secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
|
||||
|
||||
- name: 'Check secret values'
|
||||
fail:
|
||||
msg: 'unexpected secret values'
|
||||
when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'
|
||||
|
||||
- name: 'Failure expected when erroneous credentials are used'
|
||||
vars:
|
||||
secret_wrong_cred: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt_invalid ~ ' role_id=' ~ role_id) }}"
|
||||
debug:
|
||||
msg: 'Failure is expected ({{ secret_wrong_cred }})'
|
||||
register: test_wrong_cred
|
||||
ignore_errors: true
|
||||
|
||||
- name: 'Failure expected when unauthorized secret is read'
|
||||
vars:
|
||||
secret_unauthorized: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
|
||||
debug:
|
||||
msg: 'Failure is expected ({{ secret_unauthorized }})'
|
||||
register: test_unauthorized
|
||||
ignore_errors: true
|
||||
|
||||
- name: 'Failure expected when non-existent secret is read'
|
||||
vars:
|
||||
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
|
||||
debug:
|
||||
msg: 'Failure is expected ({{ secret_inexistent }})'
|
||||
register: test_inexistent
|
||||
ignore_errors: true
|
||||
|
||||
- name: 'Check expected failures'
|
||||
assert:
|
||||
msg: "an expected failure didn't occur"
|
||||
that:
|
||||
- test_wrong_cred is failed
|
||||
- test_unauthorized is failed
|
||||
- test_inexistent is failed
|
||||
|
|
@ -87,9 +87,9 @@
|
|||
command: '{{ vault_cmd }} secrets enable -path=kv2 -version=2 kv'
|
||||
|
||||
- name: 'Create a test policy'
|
||||
shell: "echo '{{ policy }}' | {{ vault_cmd }} policy write test-policy -"
|
||||
vars:
|
||||
policy: |
|
||||
command:
|
||||
cmd: '{{ vault_cmd }} policy write test-policy -'
|
||||
stdin: |
|
||||
path "{{ vault_gen_path }}/secret1" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
@ -149,6 +149,10 @@
|
|||
- name: setup token auth
|
||||
import_tasks: token_setup.yml
|
||||
|
||||
- name: setup jwt auth
|
||||
import_tasks: jwt_setup.yml
|
||||
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
||||
|
||||
- import_tasks: tests.yml
|
||||
vars:
|
||||
auth_type: approle
|
||||
|
|
@ -158,6 +162,11 @@
|
|||
vars:
|
||||
auth_type: token
|
||||
|
||||
- import_tasks: tests.yml
|
||||
vars:
|
||||
auth_type: jwt
|
||||
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
|
||||
|
||||
always:
|
||||
- name: 'Kill vault process'
|
||||
shell: "kill $(cat {{ local_temp_dir }}/vault.pid)"
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
import_role:
|
||||
name: setup_openssl
|
||||
|
||||
- name: "RedHat <= 7, select last version compatible with request 2.6.0 (this version doesn't support approle auth)"
|
||||
- name: "RedHat <= 7, select last version compatible with request 2.6.0 (this version doesn't support approle or jwt auth)"
|
||||
set_fact:
|
||||
hvac_package: 'hvac==0.2.5'
|
||||
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version is version('7', '<=')
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue