2023-03-15 12:00:52 -04:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2019-04-15 13:38:08 -04:00
|
|
|
package api
|
2017-03-16 14:55:21 -04:00
|
|
|
|
|
|
|
|
import (
|
2022-03-23 17:47:43 -04:00
|
|
|
"context"
|
2017-03-16 14:55:21 -04:00
|
|
|
"crypto/tls"
|
|
|
|
|
"crypto/x509"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"errors"
|
2019-04-12 17:54:35 -04:00
|
|
|
"flag"
|
2017-03-16 14:55:21 -04:00
|
|
|
"net/url"
|
|
|
|
|
"os"
|
|
|
|
|
|
2024-04-19 07:17:41 -04:00
|
|
|
jose "github.com/go-jose/go-jose/v4"
|
|
|
|
|
"github.com/go-jose/go-jose/v4/jwt"
|
2017-03-16 14:55:21 -04:00
|
|
|
"github.com/hashicorp/errwrap"
|
2019-05-08 19:21:23 -04:00
|
|
|
)
|
|
|
|
|
|
2023-07-18 07:20:34 -04:00
|
|
|
// This file contains helper code used when writing Vault auth method or secrets engine plugins.
|
|
|
|
|
//
|
|
|
|
|
// As such, it would be better located in the sdk module with the rest of the code which is only to support plugins,
|
|
|
|
|
// rather than api, but is here for historical reasons. (The api module used to depend on the sdk module, this code
|
|
|
|
|
// calls NewClient within the api package, so placing it in the sdk would have created a dependency cycle. This reason
|
|
|
|
|
// is now historical, as the dependency between sdk and api has since been reversed in direction.)
|
|
|
|
|
// Moving this code to the sdk would be appropriate if an api v2.0.0 release is ever planned.
|
|
|
|
|
//
|
|
|
|
|
// This helper code is used when a plugin is hosted by Vault 1.11 and earlier. Vault 1.12 and sdk v0.6.0 introduced
|
|
|
|
|
// version 5 of the backend plugin interface, which uses go-plugin's AutoMTLS feature instead of this code.
|
|
|
|
|
|
2022-08-29 22:42:26 -04:00
|
|
|
const (
|
|
|
|
|
// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override
|
|
|
|
|
// setting a TLSProviderFunc for a plugin.
|
|
|
|
|
PluginAutoMTLSEnv = "VAULT_PLUGIN_AUTOMTLS_ENABLED"
|
|
|
|
|
|
2019-05-08 19:21:23 -04:00
|
|
|
// PluginMetadataModeEnv is an ENV name used to disable TLS communication
|
|
|
|
|
// to bootstrap mounting plugins.
|
|
|
|
|
PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"
|
|
|
|
|
|
|
|
|
|
// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
|
|
|
|
|
// plugin.
|
|
|
|
|
PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
|
2024-04-19 07:17:41 -04:00
|
|
|
|
|
|
|
|
// CubbyHoleJWTSignatureAlgorithm is the signature algorithm used for
|
|
|
|
|
// the unwrap token that Vault passes to a plugin when auto-mTLS is
|
|
|
|
|
// not enabled.
|
|
|
|
|
CubbyHoleJWTSignatureAlgorithm = jose.ES512
|
2017-03-16 14:55:21 -04:00
|
|
|
)
|
|
|
|
|
|
2019-04-15 13:38:08 -04:00
|
|
|
// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections
|
2019-04-12 17:54:35 -04:00
|
|
|
// back to Vault.
|
2019-04-15 13:38:08 -04:00
|
|
|
type PluginAPIClientMeta struct {
|
2019-04-12 17:54:35 -04:00
|
|
|
// These are set by the command line flags.
|
|
|
|
|
flagCACert string
|
|
|
|
|
flagCAPath string
|
|
|
|
|
flagClientCert string
|
|
|
|
|
flagClientKey string
|
2023-10-20 10:05:21 -04:00
|
|
|
flagServerName string
|
2019-04-12 17:54:35 -04:00
|
|
|
flagInsecure bool
|
2017-03-16 17:14:49 -04:00
|
|
|
}
|
|
|
|
|
|
2019-04-12 17:54:35 -04:00
|
|
|
// FlagSet returns the flag set for configuring the TLS connection
|
2019-04-15 13:38:08 -04:00
|
|
|
func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet {
|
2019-04-12 17:54:35 -04:00
|
|
|
fs := flag.NewFlagSet("vault plugin settings", flag.ContinueOnError)
|
2017-03-16 17:14:49 -04:00
|
|
|
|
2019-04-12 17:54:35 -04:00
|
|
|
fs.StringVar(&f.flagCACert, "ca-cert", "", "")
|
|
|
|
|
fs.StringVar(&f.flagCAPath, "ca-path", "", "")
|
|
|
|
|
fs.StringVar(&f.flagClientCert, "client-cert", "", "")
|
|
|
|
|
fs.StringVar(&f.flagClientKey, "client-key", "", "")
|
2023-10-20 10:05:21 -04:00
|
|
|
fs.StringVar(&f.flagServerName, "tls-server-name", "", "")
|
2019-04-12 17:54:35 -04:00
|
|
|
fs.BoolVar(&f.flagInsecure, "tls-skip-verify", false, "")
|
2017-03-16 17:14:49 -04:00
|
|
|
|
2019-04-12 17:54:35 -04:00
|
|
|
return fs
|
2017-03-16 17:14:49 -04:00
|
|
|
}
|
|
|
|
|
|
2019-04-12 17:54:35 -04:00
|
|
|
// GetTLSConfig will return a TLSConfig based off the values from the flags
|
2019-04-15 13:38:08 -04:00
|
|
|
func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig {
|
2019-04-12 17:54:35 -04:00
|
|
|
// If we need custom TLS configuration, then set it
|
2023-10-20 10:05:21 -04:00
|
|
|
if f.flagCACert != "" || f.flagCAPath != "" || f.flagClientCert != "" || f.flagClientKey != "" || f.flagInsecure || f.flagServerName != "" {
|
2019-04-15 13:38:08 -04:00
|
|
|
t := &TLSConfig{
|
2019-04-12 17:54:35 -04:00
|
|
|
CACert: f.flagCACert,
|
|
|
|
|
CAPath: f.flagCAPath,
|
|
|
|
|
ClientCert: f.flagClientCert,
|
|
|
|
|
ClientKey: f.flagClientKey,
|
2023-10-20 10:05:21 -04:00
|
|
|
TLSServerName: f.flagServerName,
|
2019-04-12 17:54:35 -04:00
|
|
|
Insecure: f.flagInsecure,
|
|
|
|
|
}
|
2017-03-16 17:14:49 -04:00
|
|
|
|
2019-04-12 17:54:35 -04:00
|
|
|
return t
|
2017-04-24 15:15:01 -04:00
|
|
|
}
|
2017-03-16 17:14:49 -04:00
|
|
|
|
2019-04-12 17:54:35 -04:00
|
|
|
return nil
|
2017-03-16 14:55:21 -04:00
|
|
|
}
|
|
|
|
|
|
2022-03-23 17:47:43 -04:00
|
|
|
// VaultPluginTLSProvider wraps VaultPluginTLSProviderContext using context.Background.
|
2019-04-15 13:38:08 -04:00
|
|
|
func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
|
2022-03-23 17:47:43 -04:00
|
|
|
return VaultPluginTLSProviderContext(context.Background(), apiTLSConfig)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// VaultPluginTLSProviderContext is run inside a plugin and retrieves the response
|
|
|
|
|
// wrapped TLS certificate from vault. It returns a configured TLS Config.
|
|
|
|
|
func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
|
2022-08-29 22:42:26 -04:00
|
|
|
if os.Getenv(PluginAutoMTLSEnv) == "true" || os.Getenv(PluginMetadataModeEnv) == "true" {
|
2017-09-01 01:02:03 -04:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-02 17:40:11 -04:00
|
|
|
return func() (*tls.Config, error) {
|
2019-05-08 19:21:23 -04:00
|
|
|
unwrapToken := os.Getenv(PluginUnwrapTokenEnv)
|
2017-05-02 17:40:11 -04:00
|
|
|
|
2024-04-19 07:17:41 -04:00
|
|
|
parsedJWT, err := jwt.ParseSigned(unwrapToken, []jose.SignatureAlgorithm{CubbyHoleJWTSignatureAlgorithm})
|
2017-05-02 17:40:11 -04:00
|
|
|
if err != nil {
|
2019-03-20 14:54:03 -04:00
|
|
|
return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
2019-03-20 14:54:03 -04:00
|
|
|
|
2021-04-08 12:43:39 -04:00
|
|
|
allClaims := make(map[string]interface{})
|
2019-03-20 14:54:03 -04:00
|
|
|
if err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error parsing claims from wrapping token: {{err}}", err)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
2019-03-20 14:54:03 -04:00
|
|
|
addrClaimRaw, ok := allClaims["addr"]
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.New("could not validate addr claim")
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
2019-03-20 14:54:03 -04:00
|
|
|
vaultAddr, ok := addrClaimRaw.(string)
|
2017-05-02 17:40:11 -04:00
|
|
|
if !ok {
|
2019-03-20 14:54:03 -04:00
|
|
|
return nil, errors.New("could not parse addr claim")
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
if vaultAddr == "" {
|
2017-12-05 12:01:35 -05:00
|
|
|
return nil, errors.New(`no vault api_addr found`)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Sanity check the value
|
|
|
|
|
if _, err := url.Parse(vaultAddr); err != nil {
|
2018-04-05 11:49:21 -04:00
|
|
|
return nil, errwrap.Wrapf("error parsing the vault api_addr: {{err}}", err)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Unwrap the token
|
2019-04-15 13:38:08 -04:00
|
|
|
clientConf := DefaultConfig()
|
2017-05-02 17:40:11 -04:00
|
|
|
clientConf.Address = vaultAddr
|
|
|
|
|
if apiTLSConfig != nil {
|
2017-09-01 01:02:03 -04:00
|
|
|
err := clientConf.ConfigureTLS(apiTLSConfig)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error configuring api client {{err}}", err)
|
|
|
|
|
}
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
2019-04-15 13:38:08 -04:00
|
|
|
client, err := NewClient(clientConf)
|
2017-05-02 17:40:11 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error during api client creation: {{err}}", err)
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-02 04:40:13 -05:00
|
|
|
// Reset token value to make sure nothing has been set by default
|
|
|
|
|
client.ClearToken()
|
|
|
|
|
|
2022-03-23 17:47:43 -04:00
|
|
|
secret, err := client.Logical().UnwrapWithContext(ctx, unwrapToken)
|
2017-05-02 17:40:11 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error during token unwrap request: {{err}}", err)
|
|
|
|
|
}
|
|
|
|
|
if secret == nil {
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
|
|
|
return nil, errors.New("error during token unwrap request: secret is nil")
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Retrieve and parse the server's certificate
|
|
|
|
|
serverCertBytesRaw, ok := secret.Data["ServerCert"].(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.New("error unmarshalling certificate")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)
|
|
|
|
|
if err != nil {
|
2018-04-05 11:49:21 -04:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverCert, err := x509.ParseCertificate(serverCertBytes)
|
|
|
|
|
if err != nil {
|
2018-04-05 11:49:21 -04:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Retrieve and parse the server's private key
|
|
|
|
|
serverKeyB64, ok := secret.Data["ServerKey"].(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.New("error unmarshalling certificate")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)
|
|
|
|
|
if err != nil {
|
2018-04-05 11:49:21 -04:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
serverKey, err := x509.ParseECPrivateKey(serverKeyRaw)
|
|
|
|
|
if err != nil {
|
2018-04-05 11:49:21 -04:00
|
|
|
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add CA cert to the cert pool
|
|
|
|
|
caCertPool := x509.NewCertPool()
|
|
|
|
|
caCertPool.AddCert(serverCert)
|
|
|
|
|
|
|
|
|
|
// Build a certificate object out of the server's cert and private key.
|
|
|
|
|
cert := tls.Certificate{
|
|
|
|
|
Certificate: [][]byte{serverCertBytes},
|
|
|
|
|
PrivateKey: serverKey,
|
|
|
|
|
Leaf: serverCert,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Setup TLS config
|
|
|
|
|
tlsConfig := &tls.Config{
|
|
|
|
|
ClientCAs: caCertPool,
|
|
|
|
|
RootCAs: caCertPool,
|
|
|
|
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
|
|
|
// TLS 1.2 minimum
|
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
|
Certificates: []tls.Certificate{cert},
|
2018-01-18 16:49:20 -05:00
|
|
|
ServerName: serverCert.Subject.CommonName,
|
2017-05-02 17:40:11 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return tlsConfig, nil
|
2017-03-16 14:55:21 -04:00
|
|
|
}
|
|
|
|
|
}
|
