Merge branch 'main' into addOidcProviderRebase
GeorgeJahad authored Oct 17, 2024
2 parents 5c5f3c5 + 1bd59d2 commit ca256c8
Showing 12 changed files with 282 additions and 71 deletions.
20 changes: 19 additions & 1 deletion .devcontainer/docker-compose.yml
Expand Up @@ -17,6 +17,7 @@ services:
VAULT_CREATE_ROOT: true
VAULT_ROOT_CA_MOUNT: pki
VAULT_ROOT_CA_REF: root-ca
VAULT_SSL_CERT: cert/vault.pem
JWT_SIGNING_KEY: jwt_secret
APP_REGISTRY_ADDR: http://app_registry:8800
APP_REGISTRY_TOKEN: app_reg_token
Expand All @@ -26,9 +27,26 @@ services:
restart: unless-stopped
ports:
- 8200:8200
- 8443:8443
volumes:
- ../cert:/vault/cert
environment:
VAULT_DEV_ROOT_TOKEN_ID: root_token
VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
VAULT_LOCAL_CONFIG: >
{
"listener": [
{
"tcp": {
"address": "0.0.0.0:8443",
"tls_disable": "0",
"tls_cert_file": "/vault/cert/vault.pem",
"tls_key_file": "/vault/cert/vault.key"
}
}
],
"default_lease_ttl": "168h",
"max_lease_ttl": "720h"
}
oidc_provider:
image: hashicorp/vault:latest
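Review bot: The TLS listener introduced in `VAULT_LOCAL_CONFIG` sits beside the unchanged plaintext dev listener (`VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200`, still published through `- 8200:8200`), and nothing in the file says which of the two the `app` service is meant to talk to; the README hunk in this same commit tells the reader to hand-edit `VAULT_ADDRESS` to `https://vault:8443`. A comment above `VAULT_LOCAL_CONFIG` would save that round trip, e.g. `# 8443 is the TLS listener; its cert/key are the files mounted from ../cert at /vault/cert. 8200 remains the plaintext dev listener - set app's VAULT_ADDRESS to https://vault:8443 to exercise TLS.` `VAULT_SSL_CERT: cert/vault.pem` in the `app` service is a relative path, so it presumably resolves against that container's working directory; worth confirming it matches where `rake configure:ssl` writes the file. The `>` folded scalar keeps a trailing newline, and `>-` is the usual choice for an embedded document, though the JSON parses either way.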
120 changes: 60 additions & 60 deletions Gemfile.lock
@@ -1,29 +1,29 @@
GEM
remote: https://rubygems.org/
specs:
actioncable (7.2.1)
actionpack (= 7.2.1)
activesupport (= 7.2.1)
actioncable (7.2.1.1)
actionpack (= 7.2.1.1)
activesupport (= 7.2.1.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
zeitwerk (~> 2.6)
actionmailbox (7.2.1)
actionpack (= 7.2.1)
activejob (= 7.2.1)
activerecord (= 7.2.1)
activestorage (= 7.2.1)
activesupport (= 7.2.1)
actionmailbox (7.2.1.1)
actionpack (= 7.2.1.1)
activejob (= 7.2.1.1)
activerecord (= 7.2.1.1)
activestorage (= 7.2.1.1)
activesupport (= 7.2.1.1)
mail (>= 2.8.0)
actionmailer (7.2.1)
actionpack (= 7.2.1)
actionview (= 7.2.1)
activejob (= 7.2.1)
activesupport (= 7.2.1)
actionmailer (7.2.1.1)
actionpack (= 7.2.1.1)
actionview (= 7.2.1.1)
activejob (= 7.2.1.1)
activesupport (= 7.2.1.1)
mail (>= 2.8.0)
rails-dom-testing (~> 2.2)
actionpack (7.2.1)
actionview (= 7.2.1)
activesupport (= 7.2.1)
actionpack (7.2.1.1)
actionview (= 7.2.1.1)
activesupport (= 7.2.1.1)
nokogiri (>= 1.8.5)
racc
rack (>= 2.2.4, < 3.2)
Expand All @@ -32,35 +32,35 @@ GEM
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
useragent (~> 0.16)
actiontext (7.2.1)
actionpack (= 7.2.1)
activerecord (= 7.2.1)
activestorage (= 7.2.1)
activesupport (= 7.2.1)
actiontext (7.2.1.1)
actionpack (= 7.2.1.1)
activerecord (= 7.2.1.1)
activestorage (= 7.2.1.1)
activesupport (= 7.2.1.1)
globalid (>= 0.6.0)
nokogiri (>= 1.8.5)
actionview (7.2.1)
activesupport (= 7.2.1)
actionview (7.2.1.1)
activesupport (= 7.2.1.1)
builder (~> 3.1)
erubi (~> 1.11)
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
activejob (7.2.1)
activesupport (= 7.2.1)
activejob (7.2.1.1)
activesupport (= 7.2.1.1)
globalid (>= 0.3.6)
activemodel (7.2.1)
activesupport (= 7.2.1)
activerecord (7.2.1)
activemodel (= 7.2.1)
activesupport (= 7.2.1)
activemodel (7.2.1.1)
activesupport (= 7.2.1.1)
activerecord (7.2.1.1)
activemodel (= 7.2.1.1)
activesupport (= 7.2.1.1)
timeout (>= 0.4.0)
activestorage (7.2.1)
actionpack (= 7.2.1)
activejob (= 7.2.1)
activerecord (= 7.2.1)
activesupport (= 7.2.1)
activestorage (7.2.1.1)
actionpack (= 7.2.1.1)
activejob (= 7.2.1.1)
activerecord (= 7.2.1.1)
activesupport (= 7.2.1.1)
marcel (~> 1.0)
activesupport (7.2.1)
activesupport (7.2.1.1)
base64
bigdecimal
concurrent-ruby (~> 1.0, >= 1.3.1)
Expand Down Expand Up @@ -105,7 +105,7 @@ GEM
concurrent-ruby (~> 1.0)
interactor (3.1.2)
io-console (0.7.2)
irb (1.14.0)
irb (1.14.1)
rdoc (>= 4.0.0)
reline (>= 0.4.2)
jbuilder (2.13.0)
Expand All @@ -130,7 +130,7 @@ GEM
msgpack (1.7.2)
net-http (0.4.1)
uri
net-imap (0.4.14)
net-imap (0.4.17)
date
net-protocol
net-pop (0.1.2)
Expand Down Expand Up @@ -162,38 +162,38 @@ GEM
puma (6.4.3)
nio4r (~> 2.0)
racc (1.8.1)
rack (3.1.7)
rack (3.1.8)
rack-session (2.0.0)
rack (>= 3.0.0)
rack-test (2.1.0)
rack (>= 1.3)
rackup (2.1.0)
rack (>= 3)
webrick (~> 1.8)
rails (7.2.1)
actioncable (= 7.2.1)
actionmailbox (= 7.2.1)
actionmailer (= 7.2.1)
actionpack (= 7.2.1)
actiontext (= 7.2.1)
actionview (= 7.2.1)
activejob (= 7.2.1)
activemodel (= 7.2.1)
activerecord (= 7.2.1)
activestorage (= 7.2.1)
activesupport (= 7.2.1)
rails (7.2.1.1)
actioncable (= 7.2.1.1)
actionmailbox (= 7.2.1.1)
actionmailer (= 7.2.1.1)
actionpack (= 7.2.1.1)
actiontext (= 7.2.1.1)
actionview (= 7.2.1.1)
activejob (= 7.2.1.1)
activemodel (= 7.2.1.1)
activerecord (= 7.2.1.1)
activestorage (= 7.2.1.1)
activesupport (= 7.2.1.1)
bundler (>= 1.15.0)
railties (= 7.2.1)
railties (= 7.2.1.1)
rails-dom-testing (2.2.0)
activesupport (>= 5.0.0)
minitest
nokogiri (>= 1.6)
rails-html-sanitizer (1.6.0)
loofah (~> 2.21)
nokogiri (~> 1.14)
railties (7.2.1)
actionpack (= 7.2.1)
activesupport (= 7.2.1)
railties (7.2.1.1)
actionpack (= 7.2.1.1)
activesupport (= 7.2.1.1)
irb (~> 1.13)
rackup (>= 1.0.0)
rake (>= 12.2)
Expand All @@ -204,7 +204,7 @@ GEM
rdoc (6.7.0)
psych (>= 4.0.0)
regexp_parser (2.9.2)
reline (0.5.9)
reline (0.5.10)
io-console (~> 0.5)
rexml (3.3.5)
strscan
Expand Down Expand Up @@ -251,7 +251,7 @@ GEM
sqlite3 (2.1.0-x86_64-linux-musl)
stringio (3.1.1)
strscan (3.1.0)
thor (1.3.1)
thor (1.3.2)
timeout (0.4.1)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
Expand All @@ -260,11 +260,11 @@ GEM
useragent (0.16.10)
vault (0.18.2)
aws-sigv4
webrick (1.8.1)
webrick (1.8.2)
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5)
zeitwerk (2.6.17)
zeitwerk (2.7.0)

PLATFORMS
aarch64-linux
30 changes: 29 additions & 1 deletion README.md
Expand Up @@ -62,7 +62,33 @@ docker build -t astral:latest .
docker run -p 3000:3000 astral:latest
```

# OIDC configuration
# Configuration
Astral is configured in `config/astral.yml` -- all availble
configuration options are listed in the `shared` section. Note that
configuration values can be supplied in this file or as process
environment variables with the same names (but
UPPER_CASE). Environment vars will override any values in the config
file. Per-environment settings in the config file(development, test,
production) will override the shared values for that type.

## mTLS connections
Astral can connect to Vault with mTLS. Just
set the following values in `config/astral.yml`:
```
vault_ssl_cert:
vault_ssl_client_cert:
vault_ssl_client_key:
```
A self-signed server cert for Vault can be generated with the following
command:
```
rake configure:ssl
```

To use SSL in the devcontainer, edit `.devcontainer/docker-compose.yml` so
that the `app` service has `VAULT_ADDRESS` of `https://vault:8443`.

## OIDC configuration
The OIDC modules allow the assignment of a policy to an OIDC user, by
mapping that user's email address to a policy we create. They work as
follows:
Expand Down Expand Up @@ -132,3 +158,5 @@ the provider settings, so you will need to clear the browser's
```
* Vault login failed. Expired or missing OAuth state.
```


17 changes: 16 additions & 1 deletion app/lib/clients/vault.rb
Expand Up @@ -15,14 +15,29 @@ class << self
def client
::Vault::Client.new(
address: address,
token: token
token: token,
ssl_ca_cert: ssl_cert,
ssl_pem_file: ssl_client_cert,
ssl_key_file: ssl_client_key
)
end

def address
Config[:vault_addr]
end

def ssl_cert
Config[:vault_ssl_cert]
end

def ssl_client_cert
Config[:vault_ssl_client_cert]
end

def ssl_client_key
Config[:vault_ssl_client_key]
end

def enable_engine(mount, type)
client.sys.mount(mount, type, "#{type} secrets engine")
end
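Review bot: `ssl_key_file` on the new `::Vault::Client.new` call is not, as far as I recall, one of vault-ruby's `Vault::Configurable.keys` (the gem is pinned at vault 0.18.2 in this commit's Gemfile.lock); the client copies only known keys out of the options hash, so an unknown key is silently ignored rather than rejected, and the gem expects `ssl_pem_file` to point at a single PEM holding both the client certificate and its private key. Please confirm against the pinned gem: if that holds, a deployment that sets `vault_ssl_client_cert` and `vault_ssl_client_key` separately would quietly connect without a client certificate, and the fix is either to drop `ssl_key_file` and document that `vault_ssl_client_cert` must be a combined cert+key PEM, or to read both files and pass their concatenation as `ssl_pem_contents`. A second, smaller point: passing `ssl_ca_cert: ssl_cert` with a nil value overrides the gem's default for that key (which, if I recall, falls back to the `VAULT_CACERT` environment variable), so a deployment relying on that variable loses it once this lands; `::Vault::Client.new({ address: address, token: token, ssl_ca_cert: ssl_cert, ssl_pem_file: ssl_client_cert }.compact)` would keep the gem's fallbacks whenever the config keys are unset. The enclosing `class << self` begins before this hunk.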
Empty file added cert/.keep
Empty file.
27 changes: 27 additions & 0 deletions cert/vault.csr
@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
52 changes: 52 additions & 0 deletions cert/vault.key
@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC4GT1p/wZyxvMs
Z/N7g6HbSNqTCA6W+JbPryhy2YjVwdH+JwYQGy4GbXYxbKZp5ZXAf5/9/y6j8Bns
Hrxv5pvCOb08aArhQE6ht0NTqaIYsSf/7TeW1e+da5ikLbrcFUcXVzKWtZPcbz4Y
42G1AS9TLyyw01y6LUGK5WWy3ztD/8fyYVImG7q+8JGYKJpxI0fsLaEpDvHq5ZpO
PMJqT0tbaWwK8CtDcLEjv1bxmXUpD6c8FzffRwuy1SM6USMyAFFLdIVizjgekhRJ
POQTeO8NyR8O3ViT4Eq+ED051qk+oT99xvfHLOLk7BFMVYK3bYMmaOHlb9g060Og
32lFbcuDgGaGI2d+0cQrWemQiWjEMi55dIqXDmGiA3o18r7s0bEt7lPKFBqjrRfP
h9/+EqqpYkWjp623vOW+vHPgxUNcyGMXl/nZTcvhpJLOgBkjQnq7dSpV3LzrGNN3
mJFpKxQye7rccbZPa82ln5Y6+g97H/oy1FNkzNcI+Fv3BOCSQOoM9uPB6NP5b3se
JC8GW1ehLV/byfuwXSJJYo7csNiem90UTRR7ZDzjE8clbzATR0d+qJTf0idA5xDK
U+JwxqzW+ktBZwwS2t+A1QaHj7frJt0FuN1Us+bX6GcJ6X+JJsjxEp+WbKIncgQV
k6mcbVJmT6a4LyiFCN9oeDnkLM6L/wIDAQABAoICAHiLxmP+oplLXnWIR61r3vL4
fG7kSrFea1nohqLVgDz/oeI6aUTolzWMPWVVkI4sz+bxarDlhAPCtyaeZaMcLId8
SUYhlmYyNoq7tnE01Tg34Eo7aTfyM+kvSA7RBtcPc7J73VtD4GLp0I55bUQZV4Sv
kiLi84fRFGa/mN0MQQFgnes/AIyFgb1/RsaMZ7yHbpPeuPVqnMvDtktei6sS6vQb
TqzG4H1TcBpJMsQWSNovLsExLtub6LQbzepksJgQDytKTAELqUGTQ4dFQM7jVB0B
wb15AIQrzKUxevXBcqbY7PsN6rbX1GYzkYwbPfGf2s2uxaP3nWnhVzIiuArHPwdp
2hIXG7OUKNDHKSFCeVjbNpgElmiy9jAz78PouzNg/s2UMrLUixiZy/NctX6YWErt
VCaTLx3eBxdXfrW8vxije610Bo7YRvIKlTwpILb0PJx0wwfRUS9JrlYdsOB32LHW
TYvfwvE16UCFna9Ljcc9l5WVERnr7/RMnoM5mxizjoGZUp1HDBdbKqQwcUy9J7o4
2xNAx96mi4E5u7/i5xr7BI/+HhDVVKeKBXa5GV78edWYAU8Xb38ZQvt98q/2D0eG
CFddoGefiHEEpoVq2Z5uyIXhYKolNNvdQm9vZFjfJr4cwbKN0md45Og0T16BtxhF
i39rDoXRmyrvUHIJH8VxAoIBAQDurKTo7e61LJXfET4ha2wzyKC/ClllRy0ywT/a
tZh2uKcMGN/BV9GKMIZc0MpYkGEUfvxYOyN9hRCkVDujzRFKOGDyUdhb5EJ1pcs9
E4AON8nPFkUQMNbihXYIKvgv/1gsMzlT/3cSMu3r4VUhY8ijVRUsioCaM8DwAzBP
D/J3EpWFDIcoju5Srk+6/sRJdAW+6bbm7OT0lu9yOorjhqtaTCAKyylyDIGYCgI2
nythwvOYSAm0w6yfd2i4sne2WL6RGIFZWyJGhKJg8JDXYnuG78l3+wD6Bd4GynL4
qyEMQWjnlPpk+8W+cOvvY1o+c8onRFHvNydPy/9+Tvc5bMwnAoIBAQDFdmXS5Wd5
onQaSwHbCzGbpbNSXmP8r/zuQ56kTdA/NL1kGUNw+h1f5eOQmZnn78zRqwWL2D/y
iRm4qZXTinxrPHqx69/nFyjRSGaRe1Zl2xRWE8y3zg91WFJfk/zHghufIce5kMdw
Q8dndCFbe6bep3igVGVjQHv+wuFsW+4YLJaUeDNWf4b/aeg6tTqzH5g05GABqQ4s
JGMcxd7IPM2SKeShjleHBtlvTPTv0ks30dUjk1AbJHXeY9wY8Lb0eU+dRbx350Ey
zL+Ijm6MSjBz+QT0DOf1hDebMUPcBGXjLur9l0scJdiRxAmzZ9iAsg8tBV9qeL5G
VZg+lDhXDLBpAoIBAQDgmjUiQe4WLpvm7EoElxue65lhzjJsHXwKPFOD1MpiRshk
mO/P+X1lxt5ab91LVKsW550+xoBSeas8iUwKjEtOBhotTxoE95wXLGtC0Zv7RUKz
j6h0YRGG38NAUnd2a5ulFJtJUanSxXyiMk2zezxvf/zKCpiVBEj3VHjcngw1Q5bT
OwPiBgd+ZS0Aswkyem2ByFxnmdyn03YHj9Ht5WhRNDwfDCq3ec9mrVyB3G2ttREZ
aAlCQ7Wp52v0C3aecYr77gyjcyChLeXExf33wmSuie6U6u9zWZwj1dY17ozOBKvc
6pRr/YaL/aX5hAyDouFE7IUSUVu8OyP20AbU0m6XAoIBAD7xAH/688LHz65Z3luN
8+AjL0fAIqr3Be6Ey1qgGxMqonv3uZGXiCl7Q9BhxbcyrtzeYMQ0yB1tKi+8jq+B
YytjedCg2Rv2O+KJ63fQErgg3xiY8xZbrn2/C3K/30FQ7bEJuXoi9g+I61TEpaVd
gtFSHJcuj6rVcTDBuc0qeHhoLg9hSSv3NnbPsWCVSAK0vXWOnjOpSYU0jAst31eA
Wh6PD/uXPbsiqchahXC0XZmLXx8Z49zjAFdFCXFBuW+wA3qkMfEeW5/vt9W1YPOC
6nLtG3EXdBDEdl0XlQPauwdxeyIeSajNP30nOdhf75kGKOQ25DUyC6Srv/2ijVri
BpECggEBAMo2jBvMu+Vu+IOIixU6BGGQiCMJGtEg6PnHaFBH2eCgHQ6WZhRb+4V0
Xeuhz8zaOwxXFJX+OyQwqvTn1gq7W0qyKo37+qzQdYicuo10CAV9S7uS2rUSuV7b
yP7zWTABxP9Yqmr+EQ17XbYoOV2kDE8DU+sCNsOxOrewnP8Kj+0Fxm8r8qDvR1pz
tvuarGIc32Of4/2OAIXzPH3IF5mWYYuvGA8vgmk1ZM/lcZ3DYhWuT7UiWQIS5GB+
NJYMf5xB9G5Wnmq5H9RmkeAozNjnSDZHGQiGLwKW4LVqbkSxGGbGpXS57Si+QvBJ
7sscXOjF3wtZdFCFacS9FPm9KRjD7AU=
-----END PRIVATE KEY-----
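Review bot: A private key is committed to the repository at `cert/vault.key` (with its request at `cert/vault.csr`), while the README hunk in this same commit says the Vault server cert is generated locally with `rake configure:ssl` and the new `cert/.keep` suggests the directory is meant to hold only locally generated material. Even for a self-signed development certificate, key material should not live in version control: add `cert/*` with `!cert/.keep` to `.gitignore`, remove `cert/vault.key` and `cert/vault.csr` from the tree, and treat this key as compromised — regenerate it locally rather than reusing it, since it stays recoverable from history (commit ca256c8) regardless of later removal. If the intent was to ship a ready-made dev cert so the devcontainer works without the rake step, say so in the README and keep the generated files out of the repo anyway, generating them in the devcontainer setup instead.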
