From e7d31cb7fb48f70c81daf3fac26731b3b08db481 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 16:59:07 -0700 Subject: [PATCH 01/65] rebased --- .devcontainer/devcontainer.json | 2 +- .devcontainer/docker-compose.yml | 10 ++++ app/lib/clients/vault.rb | 1 + app/lib/clients/vault/oidc.rb | 88 ++++++++++++++++++++++++++++++++ app/lib/clients/vault/policy.rb | 30 +++++++++++ config/application.rb | 9 ++++ config/astral.yml | 18 +++++++ test/lib/clients/oidc_test.rb | 36 +++++++++++++ 8 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 app/lib/clients/vault/oidc.rb create mode 100644 test/lib/clients/oidc_test.rb diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 32d22d1..203151d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -17,7 +17,7 @@ // Use 'forwardPorts' to make a list of ports inside the container available locally. // This can be used to network with other containers or the host. - "forwardPorts": [3000, 5432, 8200], + "forwardPorts": [3000, 5432, 8200, 8300], // Use 'postCreateCommand' to run commands after the container is created. "postCreateCommand": "bundle install && rake db:setup", diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index dcafb8a..a899452 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -30,6 +30,16 @@ services: VAULT_DEV_ROOT_TOKEN_ID: root_token VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200 + oidc_provider: + image: hashicorp/vault:latest + restart: unless-stopped + ports: + - 8300:8300 + - 8400:8400 + environment: + VAULT_DEV_ROOT_TOKEN_ID: root_token + VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8300 + app_registry: image: node:latest restart: unless-stopped diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb index 5f0c5e0..811d544 100644 --- a/app/lib/clients/vault.rb +++ b/app/lib/clients/vault.rb 
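Review bot: The new `oidc_provider` service pulls `hashicorp/vault:latest`, so the dev environment changes behaviour whenever a new release is tagged and is not reproducible between developers; pin it to a specific version tag, `image: hashicorp/vault:<pinned-version>`. Port `8400:8400` is published but nothing in the service listens there (`VAULT_DEV_LISTEN_ADDRESS` is `0.0.0.0:8300`), so it is dead surface until patch 03 removes it. Both Vault services are started with the literal `VAULT_DEV_ROOT_TOKEN_ID: root_token`, which is acceptable for a throwaway devcontainer but the same value must not be carried into any non-dev compose or config file.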
@@ -5,6 +5,7 @@ class Vault extend Clients::Vault::Policy extend Clients::Vault::Entity extend Clients::Vault::EntityAlias + extend Clients::Vault::Oidc class_attribute :token diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb new file mode 100644 index 0000000..224d2f6 --- /dev/null +++ b/app/lib/clients/vault/oidc.rb 
@@ -0,0 +1,88 @@ +module Clients + class Vault + class_attribute :client_id + class_attribute :client_secret + module Oidc + def configure_oidc_provider + # create test user for oidc + oidc_provider.logical.delete("/sys/auth/userpass") + oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") + oidc_provider.logical.write("/auth/userpass/users/#{Config[:test_user][:name]}", password: Config[:test_user][:password]) + + # create oidc provider app + oidc_provider.logical.write(WEBAPP_NAME, + redirect_uris: "http://localhost:8250/oidc/callback", + assignments: "allow_all") + + app = oidc_provider.logical.read(WEBAPP_NAME) + @@client_id = app.data[:client_id] + binding.irb + @@client_secret = app.data[:client_secret] + + # create email scope + oidc_provider.logical.write("identity/oidc/scope/email", + template: '{"email": {{identity.entity.metadata.email}}}') + + oidc_provider.logical.write(Config[:oidc_provider][:name], + issuer: Config[:oidc_provider][:host], + allowed_client_ids: @@client_id, + scopes_supported: "email") + oidc_provider.logical.write("identity/entity", + policies: "default", + name: Config[:test_user][:name], + metadata: "email=#{Config[:test_user][:email]}", + disabled: false) + provider = oidc_provider.logical.read(Config[:oidc_provider][:name]) + + op_entity = oidc_provider.logical.read("identity/entity/name/#{Config[:test_user][:name]}") + op_entity_id = op_entity.data[:id] + op_auth_list = oidc_provider.logical.read("/sys/auth") + up_accessor = op_auth_list.data[:"userpass/"][:accessor] + oidc_provider.logical.write("identity/entity-alias", + name: Config[:test_user][:name], + canonical_id: op_entity_id, + mount_accessor: up_accessor) + end + + + def configure_oidc_client(id, secret, issuer) + client.logical.delete("/sys/auth/oidc") + client.logical.write("/sys/auth/oidc", type: "oidc") + client.logical.write("auth/oidc/config", + oidc_discovery_url: issuer, + oidc_client_id: id, + oidc_client_secret: secret, + default_role: 
"reader") + policy = <<-EOH + path "sys" { + policy = "deny" + } + EOH + client.sys.put_policy("reader", policy) + client.logical.write("auth/oidc/role/reader", + bound_audiences: id, + allowed_redirect_uris: "http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback,http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback,http://127.0.0.1:8250/oidc/callback", + user_claim: "email", + oidc_scopes: "email", + token_policies: "reader") + end + + def configure_oidc_user(name, email, policy) + client.sys.put_policy(email, policy) + put_entity(name, email); + put_entity_alias(name, email, "oidc"); + end + + private + WEBAPP_NAME = "identity/oidc/client/my-webapp" + + def oidc_provider + ::Vault::Client.new( + address: Config[:oidc_provider][:host], + token: Config[:oidc_provider][:token] + ) + end + + end + end +end diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb index 0d670c7..9a3dd3c 100644 --- a/app/lib/clients/vault/policy.rb +++ b/app/lib/clients/vault/policy.rb 
@@ -20,6 +20,36 @@ def create_astral_policy path "#{kv_mount}/data/*" { capabilities = ["create", "read", "update", "delete", "list"] } + path "/sys/auth" { + capabilities = ["read"] + } + path "/sys/auth/oidc" { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + path "/sys/policy/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "auth/oidc/config" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "auth/oidc/role/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "auth/userpass/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "identity/oidc/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "identity/entity-alias" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "identity/entity" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "identity/entity/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } HCL client.sys.put_policy("astral_policy", policy) diff --git a/config/application.rb b/config/application.rb index a4bd5f2..73f47a0 100644 --- a/config/application.rb +++ b/config/application.rb @@ -40,6 +40,15 @@ class Application < Rails::Application Clients::Vault.token = Config[:vault_token] Clients::Vault.configure_kv Clients::Vault.configure_pki + if config.astral.configure_oidc? + Clients::Vault.configure_oidc_provider + provider = "#{config.astral.oidc_provider[:host]}/v1/#{config.astral.oidc_provider[:name]}" + binding.irb + Clients::Vault.configure_oidc_client(Clients::Vault.client_id, + Clients::Vault.client_secret, + provider) + + end Clients::Vault.rotate_token end end diff --git a/config/astral.yml b/config/astral.yml index a574607..48e21ac 100644 --- a/config/astral.yml +++ b/config/astral.yml 
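Review bot: `path "/sys/policy/*"` with create/update lets any holder of `astral_policy` rewrite every policy, including its own, and `path "/sys/auth/oidc"` with `sudo` lets it replace the auth method, so the token is root-equivalent in effect despite the narrow-looking grants; patch 03 (`@@ -50,6 +29,12 @@` in the same file) drops the sudo entry but keeps the unrestricted `/sys/policy/*`. If the only policies astral writes are the per-user ones from `configure_oidc_user` and the `reader` policy, scope this entry to those names (a fixed prefix for the user policies would make that possible) and grant at most `read`/`list` on the rest. The enclosing `create_astral_policy` heredoc begins before the hunk.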
@@ -19,9 +19,27 @@ shared: audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %> test: + configure_oidc?: true + oidc_provider: + name: "identity/oidc/provider/my-provider" + host: "http://oidc_provider:8300" + token: "root_token" + test_user: + name: "test" + password: "test" + email: "test@example.com" cert_ttl: <%= 24.hours.in_seconds %> development: + configure_oidc?: true + oidc_provider: + name: "identity/oidc/provider/my-provider" + host: "http://oidc_provider:8300" + token: "root_token" + test_user: + name: "test" + password: "test" + email: "test@example.com" production: vault_create_root: false diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb new file mode 100644 index 0000000..d0262ab --- /dev/null +++ b/test/lib/clients/oidc_test.rb @@ -0,0 +1,36 @@ +require "test_helper" + +class OIDCTest < ActiveSupport::TestCase + setup do + @client = Clients::Vault + end + + test ".configure_oidc_user" do + policy = <<-EOH + path "sys" { + policy = "deny" + } + EOH + @client.configure_oidc_user(Config[:test_user][:name], Config[:test_user][:email], policy) + entity = @client.read_entity(Config[:test_user][:name]) + assert_equal Config[:test_user][:email], entity.data[:policies][0] + aliases = entity.data[:aliases] + assert aliases.find { |a| a[:name] == Config[:test_user][:email] } + end + + private + def vault_client + ::Vault::Client.new( + address: vault_addr, + token: vault_token + ) + end + + def vault_addr + Config[:vault_addr] + end + + def vault_token + Config[:vault_token] + end +end From 593126b3fb865454e17c81716807ed4d84ab1d82 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 18:08:10 -0700 Subject: [PATCH 02/65] class vars --- app/lib/clients/vault/oidc.rb | 11 +++++------ config/application.rb | 4 ++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 224d2f6..438d734 100644 --- a/app/lib/clients/vault/oidc.rb 
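Review bot: `assert_equal Config[:test_user][:email], entity.data[:policies][0]` ties the test to the position of the policy in the entity's list, which the Vault API does not promise; `assert_includes entity.data[:policies], Config[:test_user][:email]` checks the same thing without the ordering assumption. The `vault_client`, `vault_addr` and `vault_token` private helpers are not called anywhere in the class and can be dropped. The test also writes a policy, entity and alias into the shared dev Vault without tearing them down, so it presumably relies on `put_entity`/`put_entity_alias` being idempotent; a short comment stating that, or a teardown, would make the dependency explicit.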
+++ b/app/lib/clients/vault/oidc.rb @@ -1,7 +1,7 @@ module Clients class Vault - class_attribute :client_id - class_attribute :client_secret + cattr_accessor :client_id + cattr_accessor :client_secret module Oidc def configure_oidc_provider # create test user for oidc @@ -15,17 +15,16 @@ def configure_oidc_provider assignments: "allow_all") app = oidc_provider.logical.read(WEBAPP_NAME) - @@client_id = app.data[:client_id] + ::Clients::Vault.client_id = app.data[:client_id] + ::Clients::Vault.client_secret = app.data[:client_secret] binding.irb - @@client_secret = app.data[:client_secret] - # create email scope oidc_provider.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') oidc_provider.logical.write(Config[:oidc_provider][:name], issuer: Config[:oidc_provider][:host], - allowed_client_ids: @@client_id, + allowed_client_ids: ::Clients::Vault.client_id, scopes_supported: "email") oidc_provider.logical.write("identity/entity", policies: "default", diff --git a/config/application.rb b/config/application.rb index 73f47a0..5eb4748 100644 --- a/config/application.rb +++ b/config/application.rb @@ -44,8 +44,8 @@ class Application < Rails::Application Clients::Vault.configure_oidc_provider provider = "#{config.astral.oidc_provider[:host]}/v1/#{config.astral.oidc_provider[:name]}" binding.irb - Clients::Vault.configure_oidc_client(Clients::Vault.client_id, - Clients::Vault.client_secret, + Clients::Vault.configure_oidc_client(::Clients::Vault.client_id, + ::Clients::Vault.client_secret, provider) end From ad3c23754ba8969237359b3c5fb748f9e4b67994 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 19:32:39 -0700 Subject: [PATCH 03/65] cleanup --- .devcontainer/docker-compose.yml | 3 +-- app/lib/clients/vault/oidc.rb | 13 ++++++------- app/lib/clients/vault/policy.rb | 27 ++++++--------------------- config/application.rb | 5 ++--- config/astral.yml | 2 -- 5 files changed, 15 insertions(+), 35 deletions(-) 
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index a899452..5dc7677 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -35,8 +35,7 @@ services: restart: unless-stopped ports: - 8300:8300 - - 8400:8400 - environment: + environment: VAULT_DEV_ROOT_TOKEN_ID: root_token VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8300 diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 438d734..21d45ba 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -1,8 +1,8 @@ module Clients class Vault - cattr_accessor :client_id - cattr_accessor :client_secret module Oidc + cattr_accessor :client_id + cattr_accessor :client_secret def configure_oidc_provider # create test user for oidc oidc_provider.logical.delete("/sys/auth/userpass") @@ -15,16 +15,15 @@ def configure_oidc_provider assignments: "allow_all") app = oidc_provider.logical.read(WEBAPP_NAME) - ::Clients::Vault.client_id = app.data[:client_id] - ::Clients::Vault.client_secret = app.data[:client_secret] - binding.irb + @@client_id = app.data[:client_id] + @@client_secret = app.data[:client_secret] # create email scope oidc_provider.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') oidc_provider.logical.write(Config[:oidc_provider][:name], issuer: Config[:oidc_provider][:host], - allowed_client_ids: ::Clients::Vault.client_id, + allowed_client_ids: @@client_id, scopes_supported: "email") oidc_provider.logical.write("identity/entity", policies: "default", @@ -78,7 +77,7 @@ def configure_oidc_user(name, email, policy) def oidc_provider ::Vault::Client.new( address: Config[:oidc_provider][:host], - token: Config[:oidc_provider][:token] + token: token ) end diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb index 9a3dd3c..53be156 100644 --- a/app/lib/clients/vault/policy.rb +++ b/app/lib/clients/vault/policy.rb 
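Review bot: `oidc_provider` now authenticates to the provider Vault with the same `token` the client uses for the primary Vault (`token: token`), which only works because both compose services are started with the same `VAULT_DEV_ROOT_TOKEN_ID`; this couples the two instances' credentials and presumably breaks if `oidc_provider` is called again after `Clients::Vault.rotate_token` has run later in the same boot. Keeping a dedicated provider credential (the `Config[:oidc_provider][:token]` key this patch removes from astral.yml, sourced from the environment rather than committed) would let the provider be bootstrapped with its own, non-root token. The module body around `oidc_provider` continues outside the hunk.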
@@ -20,27 +20,6 @@ def create_astral_policy path "#{kv_mount}/data/*" { capabilities = ["create", "read", "update", "delete", "list"] } - path "/sys/auth" { - capabilities = ["read"] - } - path "/sys/auth/oidc" { - capabilities = ["create", "read", "update", "delete", "list", "sudo"] - } - path "/sys/policy/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - path "auth/oidc/config" { - capabilities = ["create", "read", "update", "delete", "list"] - } - path "auth/oidc/role/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - path "auth/userpass/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - path "identity/oidc/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } path "identity/entity-alias" { capabilities = ["create", "read", "update", "delete", "list"] } @@ -50,6 +29,12 @@ def create_astral_policy path "identity/entity/*" { capabilities = ["create", "read", "update", "delete", "list"] } + path "/sys/auth" { + capabilities = ["read"] + } + path "/sys/policy/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } HCL client.sys.put_policy("astral_policy", policy) diff --git a/config/application.rb b/config/application.rb index 5eb4748..6172582 100644 --- a/config/application.rb +++ b/config/application.rb @@ -43,9 +43,8 @@ class Application < Rails::Application if config.astral.configure_oidc? Clients::Vault.configure_oidc_provider provider = "#{config.astral.oidc_provider[:host]}/v1/#{config.astral.oidc_provider[:name]}" - binding.irb - Clients::Vault.configure_oidc_client(::Clients::Vault.client_id, - ::Clients::Vault.client_secret, + Clients::Vault.configure_oidc_client(::Clients::Vault::Oidc.client_id, + ::Clients::Vault::Oidc.client_secret, provider) end diff --git a/config/astral.yml b/config/astral.yml index 48e21ac..1ce4d88 100644 --- a/config/astral.yml +++ b/config/astral.yml 
@@ -23,7 +23,6 @@ test: oidc_provider: name: "identity/oidc/provider/my-provider" host: "http://oidc_provider:8300" - token: "root_token" test_user: name: "test" password: "test" @@ -35,7 +34,6 @@ development: oidc_provider: name: "identity/oidc/provider/my-provider" host: "http://oidc_provider:8300" - token: "root_token" test_user: name: "test" password: "test" From 770bc424428e53912aed44e5cac98e3c89eb4d5b Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 19:41:05 -0700 Subject: [PATCH 04/65] cleanup --- app/lib/clients/vault/oidc.rb | 23 +++++++++++++---------- app/lib/clients/vault/policy.rb | 6 +++--- config/astral.yml | 4 ++-- test/lib/clients/oidc_test.rb | 10 +++++----- 4 files changed, 23 insertions(+), 20 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 21d45ba..21f3062 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
@@ -4,40 +4,43 @@ module Oidc cattr_accessor :client_id cattr_accessor :client_secret def configure_oidc_provider - # create test user for oidc - oidc_provider.logical.delete("/sys/auth/userpass") - oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write("/auth/userpass/users/#{Config[:test_user][:name]}", password: Config[:test_user][:password]) - # create oidc provider app oidc_provider.logical.write(WEBAPP_NAME, redirect_uris: "http://localhost:8250/oidc/callback", assignments: "allow_all") - app = oidc_provider.logical.read(WEBAPP_NAME) @@client_id = app.data[:client_id] @@client_secret = app.data[:client_secret] + # create email scope oidc_provider.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') + # create the provider oidc_provider.logical.write(Config[:oidc_provider][:name], issuer: Config[:oidc_provider][:host], allowed_client_ids: @@client_id, scopes_supported: "email") + + # create an entity for an initial user oidc_provider.logical.write("identity/entity", policies: "default", - name: Config[:test_user][:name], - metadata: "email=#{Config[:test_user][:email]}", + name: Config[:initial_user][:name], + metadata: "email=#{Config[:initial_user][:email]}", disabled: false) provider = oidc_provider.logical.read(Config[:oidc_provider][:name]) - op_entity = oidc_provider.logical.read("identity/entity/name/#{Config[:test_user][:name]}") + # create test userpass for the provider + oidc_provider.logical.delete("/sys/auth/userpass") + oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") + oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user][:name]}", password: Config[:initial_user][:password]) + + op_entity = oidc_provider.logical.read("identity/entity/name/#{Config[:initial_user][:name]}") op_entity_id = op_entity.data[:id] op_auth_list = oidc_provider.logical.read("/sys/auth") up_accessor = op_auth_list.data[:"userpass/"][:accessor] 
oidc_provider.logical.write("identity/entity-alias", - name: Config[:test_user][:name], + name: Config[:initial_user][:name], canonical_id: op_entity_id, mount_accessor: up_accessor) end diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb index 53be156..a5df2ac 100644 --- a/app/lib/clients/vault/policy.rb +++ b/app/lib/clients/vault/policy.rb @@ -20,15 +20,15 @@ def create_astral_policy path "#{kv_mount}/data/*" { capabilities = ["create", "read", "update", "delete", "list"] } - path "identity/entity-alias" { - capabilities = ["create", "read", "update", "delete", "list"] - } path "identity/entity" { capabilities = ["create", "read", "update", "delete", "list"] } path "identity/entity/*" { capabilities = ["create", "read", "update", "delete", "list"] } + path "identity/entity-alias" { + capabilities = ["create", "read", "update", "delete", "list"] + } path "/sys/auth" { capabilities = ["read"] } diff --git a/config/astral.yml b/config/astral.yml index 1ce4d88..de2af91 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -23,7 +23,7 @@ test: oidc_provider: name: "identity/oidc/provider/my-provider" host: "http://oidc_provider:8300" - test_user: + initial_user: name: "test" password: "test" email: "test@example.com" @@ -34,7 +34,7 @@ development: oidc_provider: name: "identity/oidc/provider/my-provider" host: "http://oidc_provider:8300" - test_user: + initial_user: name: "test" password: "test" email: "test@example.com" diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index d0262ab..d68feda 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb 
@@ -5,17 +5,17 @@ class OIDCTest < ActiveSupport::TestCase @client = Clients::Vault end - test ".configure_oidc_user" do + test "#configure_oidc_user" do policy = <<-EOH path "sys" { policy = "deny" } EOH - @client.configure_oidc_user(Config[:test_user][:name], Config[:test_user][:email], policy) - entity = @client.read_entity(Config[:test_user][:name]) - assert_equal Config[:test_user][:email], entity.data[:policies][0] + @client.configure_oidc_user(Config[:initial_user][:name], Config[:initial_user][:email], policy) + entity = @client.read_entity(Config[:initial_user][:name]) + assert_equal Config[:initial_user][:email], entity.data[:policies][0] aliases = entity.data[:aliases] - assert aliases.find { |a| a[:name] == Config[:test_user][:email] } + assert aliases.find { |a| a[:name] == Config[:initial_user][:email] } end private From 8e999f3cc823fa680fce3b8d07d6537aed7d623a Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 19:49:26 -0700 Subject: [PATCH 05/65] adding comments --- app/lib/clients/vault/oidc.rb | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 21f3062..0715118 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
@@ -30,12 +30,16 @@ def configure_oidc_provider disabled: false) provider = oidc_provider.logical.read(Config[:oidc_provider][:name]) - # create test userpass for the provider + # create initial userpass for the provider oidc_provider.logical.delete("/sys/auth/userpass") oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user][:name]}", password: Config[:initial_user][:password]) + oidc_provider.logical.write( + "/auth/userpass/users/#{Config[:initial_user][:name]}", + password: Config[:initial_user][:password]) - op_entity = oidc_provider.logical.read("identity/entity/name/#{Config[:initial_user][:name]}") + # create an alias that maps the userpass to the entity + op_entity = oidc_provider.logical.read( + "identity/entity/name/#{Config[:initial_user][:name]}") op_entity_id = op_entity.data[:id] op_auth_list = oidc_provider.logical.read("/sys/auth") up_accessor = op_auth_list.data[:"userpass/"][:accessor] @@ -45,7 +49,6 @@ def configure_oidc_provider mount_accessor: up_accessor) end - def configure_oidc_client(id, secret, issuer) client.logical.delete("/sys/auth/oidc") client.logical.write("/sys/auth/oidc", type: "oidc") 
@@ -54,18 +57,27 @@ def configure_oidc_client(id, secret, issuer) oidc_client_id: id, oidc_client_secret: secret, default_role: "reader") + + # create default role that all oidc users will receive policy = <<-EOH path "sys" { - policy = "deny" + policy = "read" } EOH client.sys.put_policy("reader", policy) - client.logical.write("auth/oidc/role/reader", - bound_audiences: id, - allowed_redirect_uris: "http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback,http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback,http://127.0.0.1:8250/oidc/callback", - user_claim: "email", - oidc_scopes: "email", - token_policies: "reader") + uris = <<-EOH + http://localhost:8200/ui/vault/auth/oidc/oidc/callback, + http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback, + http://localhost:8250/oidc/callback, + http://127.0.0.1:8250/oidc/callback + EOH + client.logical.write( + "auth/oidc/role/reader", + bound_audiences: id, + allowed_redirect_uris: uris, + user_claim: "email", + oidc_scopes: "email", + token_policies: "reader") end def configure_oidc_user(name, email, policy) From 3e9da0e719bbda5b56c36787af96303bf0451414 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 19:50:46 -0700 Subject: [PATCH 06/65] comments --- test/lib/clients/oidc_test.rb | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index d68feda..62c8ef0 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb 
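Review bot: The `reader` policy grants `policy = "read"` on the exact path `sys`, which appears to match no real endpoint (nothing under `sys/` is covered), so the default role's only policy is effectively empty; if read access under `sys/` is intended, write `path "sys/*" { capabilities = ["read"] }` — `capabilities` is the current syntax and `policy =` the legacy form. The `uris` heredoc (`<<-EOH`) keeps its leading indentation and newlines, so `allowed_redirect_uris` is sent with whitespace around every URI and works only if Vault trims each comma-separated element; an explicit array such as `%w[http://localhost:8200/ui/vault/auth/oidc/oidc/callback ...]` avoids relying on that. The same heredoc is kept as `get_redirect_uris` in patch 11. `configure_oidc_client` begins before the hunk.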
@@ -8,29 +8,14 @@ class OIDCTest < ActiveSupport::TestCase test "#configure_oidc_user" do policy = <<-EOH path "sys" { - policy = "deny" + policy = "read" } EOH - @client.configure_oidc_user(Config[:initial_user][:name], Config[:initial_user][:email], policy) + @client.configure_oidc_user(Config[:initial_user][:name], + Config[:initial_user][:email], policy) entity = @client.read_entity(Config[:initial_user][:name]) assert_equal Config[:initial_user][:email], entity.data[:policies][0] aliases = entity.data[:aliases] assert aliases.find { |a| a[:name] == Config[:initial_user][:email] } end - - private - def vault_client - ::Vault::Client.new( - address: vault_addr, - token: vault_token - ) - end - - def vault_addr - Config[:vault_addr] - end - - def vault_token - Config[:vault_token] - end end From 616e979cce86d6d3f934d3aa5edc533e4782a712 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 20:02:53 -0700 Subject: [PATCH 07/65] fixed yml file --- .devcontainer/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 5dc7677..fc156f6 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -35,7 +35,7 @@ services: restart: unless-stopped ports: - 8300:8300 - environment: + environment: VAULT_DEV_ROOT_TOKEN_ID: root_token VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8300 From 1903d1151dde2f51500e6976cf37918e6d4582eb Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 20:11:33 -0700 Subject: [PATCH 08/65] cleanup --- app/lib/clients/vault/oidc.rb | 7 +++---- config/astral.yml | 4 ++-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 0715118..efb47ae 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
@@ -82,12 +82,12 @@ def configure_oidc_client(id, secret, issuer) def configure_oidc_user(name, email, policy) client.sys.put_policy(email, policy) - put_entity(name, email); - put_entity_alias(name, email, "oidc"); + put_entity(name, email) + put_entity_alias(name, email, "oidc") end private - WEBAPP_NAME = "identity/oidc/client/my-webapp" + WEBAPP_NAME = "identity/oidc/client/astral" def oidc_provider ::Vault::Client.new( @@ -95,7 +95,6 @@ def oidc_provider token: token ) end - end end end diff --git a/config/astral.yml b/config/astral.yml index de2af91..a08c434 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -21,7 +21,7 @@ shared: test: configure_oidc?: true oidc_provider: - name: "identity/oidc/provider/my-provider" + name: "identity/oidc/provider/astral" host: "http://oidc_provider:8300" initial_user: name: "test" @@ -32,7 +32,7 @@ test: development: configure_oidc?: true oidc_provider: - name: "identity/oidc/provider/my-provider" + name: "identity/oidc/provider/astral" host: "http://oidc_provider:8300" initial_user: name: "test" From 806fca27188bb830dfc87cabd6bb8548820b355a Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 22:43:22 -0700 Subject: [PATCH 09/65] cleanup client configure --- app/lib/clients/vault/oidc.rb | 13 +++++++------ config/application.rb | 6 +----- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index efb47ae..88e9773 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -1,8 +1,6 @@ module Clients class Vault module Oidc - cattr_accessor :client_id - cattr_accessor :client_secret def configure_oidc_provider # create oidc provider app oidc_provider.logical.write(WEBAPP_NAME, 
@@ -49,13 +47,14 @@ def configure_oidc_provider mount_accessor: up_accessor) end - def configure_oidc_client(id, secret, issuer) + def configure_oidc_client client.logical.delete("/sys/auth/oidc") client.logical.write("/sys/auth/oidc", type: "oidc") + issuer = "#{Config[:oidc_provider][:host]}/v1/#{Config[:oidc_provider][:name]}" client.logical.write("auth/oidc/config", oidc_discovery_url: issuer, - oidc_client_id: id, - oidc_client_secret: secret, + oidc_client_id: @@client_id, + oidc_client_secret: @@client_secret, default_role: "reader") # create default role that all oidc users will receive @@ -73,7 +72,7 @@ def configure_oidc_client(id, secret, issuer) EOH client.logical.write( "auth/oidc/role/reader", - bound_audiences: id, + bound_audiences: @@client_id, allowed_redirect_uris: uris, user_claim: "email", oidc_scopes: "email", @@ -87,6 +86,8 @@ def configure_oidc_user(name, email, policy) end private + cattr_accessor :client_id + cattr_accessor :client_secret WEBAPP_NAME = "identity/oidc/client/astral" def oidc_provider diff --git a/config/application.rb b/config/application.rb index 6172582..dd237b4 100644 --- a/config/application.rb +++ b/config/application.rb @@ -42,11 +42,7 @@ class Application < Rails::Application Clients::Vault.configure_pki if config.astral.configure_oidc? Clients::Vault.configure_oidc_provider - provider = "#{config.astral.oidc_provider[:host]}/v1/#{config.astral.oidc_provider[:name]}" - Clients::Vault.configure_oidc_client(::Clients::Vault::Oidc.client_id, - ::Clients::Vault::Oidc.client_secret, - provider) - + Clients::Vault.configure_oidc_client end Clients::Vault.rotate_token end From 84b16387f0b9207be03f6a47373068717b528668 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 7 Oct 2024 22:46:49 -0700 Subject: [PATCH 10/65] comments --- app/lib/clients/vault/oidc.rb | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
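Review bot: `configure_oidc_client` now reads `@@client_id` and `@@client_secret`, which are only populated by `configure_oidc_provider` in the same process; called on its own (from a test, or a boot path that skips the provider step) it writes `nil` into `auth/oidc/config`, which Vault may accept silently. Add a guard at the top of the method, `raise "configure_oidc_provider must run first" if @@client_id.nil?` (the same applies to `create_client_config` in patch 11). Also, `private` with no arguments only lowers the default visibility of the `def`s that follow it in this body; the module-level readers that `cattr_accessor` generates, including `client_secret`, and the `WEBAPP_NAME` constant remain publicly reachable — since config/application.rb no longer reads them, plain class variables (`@@client_id = nil`) plus `private_constant :WEBAPP_NAME` would match the intent. The method body continues into the next hunk.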
diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 88e9773..4758b1a 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -10,11 +10,9 @@ def configure_oidc_provider @@client_id = app.data[:client_id] @@client_secret = app.data[:client_secret] - # create email scope + # create provider with email scope oidc_provider.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') - - # create the provider oidc_provider.logical.write(Config[:oidc_provider][:name], issuer: Config[:oidc_provider][:host], allowed_client_ids: @@client_id, @@ -28,12 +26,11 @@ def configure_oidc_provider disabled: false) provider = oidc_provider.logical.read(Config[:oidc_provider][:name]) - # create initial userpass for the provider + # create userpass for initial user oidc_provider.logical.delete("/sys/auth/userpass") oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write( - "/auth/userpass/users/#{Config[:initial_user][:name]}", - password: Config[:initial_user][:password]) + oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user][:name]}", + password: Config[:initial_user][:password]) # create an alias that maps the userpass to the entity op_entity = oidc_provider.logical.read( From 9d55d269bcf9402fd2f76fc43ad536d28a79c267 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 09:03:10 -0700 Subject: [PATCH 11/65] cleanup --- app/lib/clients/vault/oidc.rb | 79 ++++++++++++++++++++++------------- 1 file changed, 51 insertions(+), 28 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 4758b1a..103f2a8 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
@@ -2,37 +2,71 @@ module Clients class Vault module Oidc def configure_oidc_provider - # create oidc provider app + create_provider_app + create_provider_with_email_scope + create_entity_for_initial_user + create_userpass_for_initial_user + create_alias_mapping_userpass_to_entity + end + + def configure_oidc_client + create_client_config + create_default_policy_for_role + create_default_role + end + + def configure_oidc_user(name, email, policy) + client.sys.put_policy(email, policy) + put_entity(name, email) + put_entity_alias(name, email, "oidc") + end + + private + cattr_accessor :client_id + cattr_accessor :client_secret + WEBAPP_NAME = "identity/oidc/client/astral" + + def oidc_provider + ::Vault::Client.new( + address: Config[:oidc_provider][:host], + token: token + ) + end + + def create_provider_app oidc_provider.logical.write(WEBAPP_NAME, redirect_uris: "http://localhost:8250/oidc/callback", assignments: "allow_all") app = oidc_provider.logical.read(WEBAPP_NAME) @@client_id = app.data[:client_id] @@client_secret = app.data[:client_secret] + end - # create provider with email scope + def create_provider_with_email_scope oidc_provider.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') oidc_provider.logical.write(Config[:oidc_provider][:name], issuer: Config[:oidc_provider][:host], allowed_client_ids: @@client_id, scopes_supported: "email") + end - # create an entity for an initial user + def create_entity_for_initial_user oidc_provider.logical.write("identity/entity", policies: "default", name: Config[:initial_user][:name], metadata: "email=#{Config[:initial_user][:email]}", disabled: false) - provider = oidc_provider.logical.read(Config[:oidc_provider][:name]) + end - # create userpass for initial user + def create_userpass_for_initial_user oidc_provider.logical.delete("/sys/auth/userpass") oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") 
oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user][:name]}", password: Config[:initial_user][:password]) + end - # create an alias that maps the userpass to the entity + def create_alias_mapping_userpass_to_entity op_entity = oidc_provider.logical.read( "identity/entity/name/#{Config[:initial_user][:name]}") op_entity_id = op_entity.data[:id] @@ -44,7 +78,7 @@ def configure_oidc_provider mount_accessor: up_accessor) end - def configure_oidc_client + def create_client_config client.logical.delete("/sys/auth/oidc") client.logical.write("/sys/auth/oidc", type: "oidc") issuer = "#{Config[:oidc_provider][:host]}/v1/#{Config[:oidc_provider][:name]}" @@ -53,46 +87,35 @@ def configure_oidc_client oidc_client_id: @@client_id, oidc_client_secret: @@client_secret, default_role: "reader") + end - # create default role that all oidc users will receive + def create_default_policy_for_role policy = <<-EOH path "sys" { policy = "read" } EOH client.sys.put_policy("reader", policy) - uris = <<-EOH + end + + def get_redirect_uris + redirect_uris = <<-EOH http://localhost:8200/ui/vault/auth/oidc/oidc/callback, http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback, http://localhost:8250/oidc/callback, http://127.0.0.1:8250/oidc/callback EOH + end + + def create_default_role client.logical.write( "auth/oidc/role/reader", bound_audiences: @@client_id, - allowed_redirect_uris: uris, + allowed_redirect_uris: get_redirect_uris, user_claim: "email", oidc_scopes: "email", token_policies: "reader") end - - def configure_oidc_user(name, email, policy) - client.sys.put_policy(email, policy) - put_entity(name, email) - put_entity_alias(name, email, "oidc") - end - - private - cattr_accessor :client_id - cattr_accessor :client_secret - WEBAPP_NAME = "identity/oidc/client/astral" - - def oidc_provider - ::Vault::Client.new( - address: Config[:oidc_provider][:host], - token: token - ) - end end end end From 6915b0e1a03720edb7d287726d0520c2d00da526 Mon Sep 17 00:00:00 2001 
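Review bot: Every helper in the `@@ -2,37 +2,71 @@` hunk calls `oidc_provider`, which builds a fresh `::Vault::Client` on each call — `create_userpass_for_initial_user` alone constructs three clients for three requests. Building the client once in `configure_oidc_provider` and handing it to the helpers, or memoizing it with `@oidc_provider ||=`, avoids that; if memoizing, note that `token` is rotated later in boot (`Clients::Vault.rotate_token` in the application.rb hunks), so the cached client must not be reused after the rotation. A one-line comment on `oidc_provider` saying it talks to the separate dev/test provider instance rather than the main Vault would also help, since the two `logical` objects look identical at the call sites.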
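Review bot: In the `@@ -53,46 +87,35 @@` hunk, `get_redirect_uris` assigns the heredoc to `redirect_uris`, a local that is never read again — the value leaves the method only through the implicit return — so the assignment is dead, and the `get_` prefix is non-idiomatic; `def redirect_uris` returning the heredoc directly is the Ruby form. The `reader` policy that `create_default_policy_for_role` writes, `path "sys" { policy = "read" }`, is the baseline every OIDC login receives via `token_policies: "reader"`; a comment stating that, e.g. `# baseline grant for every OIDC login; per-user policies are attached by configure_oidc_user`, would make the least-privilege intent reviewable.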
From: George Jahad Date: Wed, 9 Oct 2024 09:39:27 -0700 Subject: [PATCH 12/65] fix provider addr --- app/lib/clients/vault/oidc.rb | 19 ++++++++++--------- config/astral.yml | 4 ++-- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 103f2a8..9b42917 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -28,15 +28,17 @@ def configure_oidc_user(name, email, policy) def oidc_provider ::Vault::Client.new( - address: Config[:oidc_provider][:host], + address: Config[:oidc_provider][:addr], token: token ) end def create_provider_app - oidc_provider.logical.write(WEBAPP_NAME, - redirect_uris: "http://localhost:8250/oidc/callback", - assignments: "allow_all") + oidc_provider.logical.write( + WEBAPP_NAME, + # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris + redirect_uris: "http://localhost:8250/oidc/callback", + assignments: "allow_all") app = oidc_provider.logical.read(WEBAPP_NAME) @@client_id = app.data[:client_id] @@client_secret = app.data[:client_secret] @@ -46,7 +48,7 @@ def create_provider_with_email_scope oidc_provider.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') oidc_provider.logical.write(Config[:oidc_provider][:name], - issuer: Config[:oidc_provider][:host], + issuer: Config[:oidc_provider][:addr], allowed_client_ids: @@client_id, scopes_supported: "email") end @@ -81,7 +83,7 @@ def create_alias_mapping_userpass_to_entity def create_client_config client.logical.delete("/sys/auth/oidc") client.logical.write("/sys/auth/oidc", type: "oidc") - issuer = "#{Config[:oidc_provider][:host]}/v1/#{Config[:oidc_provider][:name]}" + issuer = "#{Config[:oidc_provider][:addr]}/v1/#{Config[:oidc_provider][:name]}" client.logical.write("auth/oidc/config", oidc_discovery_url: issuer, oidc_client_id: @@client_id, 
@@ -99,11 +101,10 @@ def create_default_policy_for_role end def get_redirect_uris + # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris redirect_uris = <<-EOH - http://localhost:8200/ui/vault/auth/oidc/oidc/callback, - http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback, http://localhost:8250/oidc/callback, - http://127.0.0.1:8250/oidc/callback + #{Config[:vault_addr]}/ui/vault/auth/oidc/oidc/callback, EOH end diff --git a/config/astral.yml b/config/astral.yml index a08c434..16e42de 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -22,7 +22,7 @@ test: configure_oidc?: true oidc_provider: name: "identity/oidc/provider/astral" - host: "http://oidc_provider:8300" + addr: "http://oidc_provider:8300" initial_user: name: "test" password: "test" @@ -33,7 +33,7 @@ development: configure_oidc?: true oidc_provider: name: "identity/oidc/provider/astral" - host: "http://oidc_provider:8300" + addr: "http://oidc_provider:8300" initial_user: name: "test" password: "test" From 9ff6d1fb5adf26796dbac6faf3673f20db5fdfc9 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 09:52:05 -0700 Subject: [PATCH 13/65] separate out issuer config --- app/lib/clients/vault/oidc.rb | 18 +++++++++--------- config/application.rb | 9 +++++++-- config/astral.yml | 4 ++-- 3 files changed, 18 insertions(+), 13 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 9b42917..a571abb 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -9,10 +9,11 @@ def configure_oidc_provider create_alias_mapping_userpass_to_entity end - def configure_oidc_client - create_client_config + def configure_oidc_client(issuer, client_id, client_secret) + create_client_config(issuer, client_id, client_secret) create_default_policy_for_role - create_default_role + create_default_role(client_id) + end def configure_oidc_user(name, email, policy) 
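Review bot: The rewritten `get_redirect_uris` heredoc still ends every line, including the last, with a comma and keeps the `<<-` leading indentation, so `allowed_redirect_uris` receives a string with indented entries and a trailing empty element; whether Vault's comma-separated parsing tolerates both is not something this hunk shows. Building the list explicitly removes the doubt and the dead `redirect_uris` local: `%W[http://localhost:8250/oidc/callback #{Config[:vault_addr]}/ui/vault/auth/oidc/oidc/callback].join(",")`. If `Config[:vault_addr]` can be unset in some environment, the second entry degrades to a relative `/ui/...` path, which is worth a guard.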
@@ -80,14 +81,13 @@ def create_alias_mapping_userpass_to_entity mount_accessor: up_accessor) end - def create_client_config + def create_client_config(issuer, client_id, client_secret) client.logical.delete("/sys/auth/oidc") client.logical.write("/sys/auth/oidc", type: "oidc") - issuer = "#{Config[:oidc_provider][:addr]}/v1/#{Config[:oidc_provider][:name]}" client.logical.write("auth/oidc/config", oidc_discovery_url: issuer, - oidc_client_id: @@client_id, - oidc_client_secret: @@client_secret, + oidc_client_id: client_id, + oidc_client_secret: client_secret, default_role: "reader") end @@ -108,10 +108,10 @@ def get_redirect_uris EOH end - def create_default_role + def create_default_role(client_id) client.logical.write( "auth/oidc/role/reader", - bound_audiences: @@client_id, + bound_audiences: client_id, allowed_redirect_uris: get_redirect_uris, user_claim: "email", oidc_scopes: "email", diff --git a/config/application.rb b/config/application.rb index dd237b4..041add3 100644 --- a/config/application.rb +++ b/config/application.rb @@ -40,10 +40,15 @@ class Application < Rails::Application Clients::Vault.token = Config[:vault_token] Clients::Vault.configure_kv Clients::Vault.configure_pki - if config.astral.configure_oidc? + issuer = "#{config.astral.oidc_provider[:addr]}/v1/#{config.astral.oidc_provider[:name]}" + client_id = config.astral.oidc_provider[:client_id] + client_secret = config.astral.oidc_provider[:client_secret] + if config.astral.configure_oidc_provider? Clients::Vault.configure_oidc_provider - Clients::Vault.configure_oidc_client + client_id = ::Clients::Vault::Oidc.client_id + client_secret = ::Clients::Vault::Oidc.client_secret end + Clients::Vault.configure_oidc_client(issuer, client_id, client_secret) Clients::Vault.rotate_token end end diff --git a/config/astral.yml b/config/astral.yml index 16e42de..e78f07b 100644 --- a/config/astral.yml +++ b/config/astral.yml 
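Review bot: `client_secret = config.astral.oidc_provider[:client_secret]` in the application.rb hunk sources the production OIDC client secret from `config/astral.yml`, a file in the repository (PATCH 17 further down adds the `client_secret:` key to its `production:` block). Since `config.astral = config_for :astral` evaluates ERB, the production value should come from the environment rather than be written into the file, e.g. `client_secret: <%= ENV["OIDC_CLIENT_SECRET_VAR"] %>` (placeholder variable name), with `client_id` handled the same way. Note also that when the `oidc_provider` keys are absent the `issuer` interpolation yields `"/v1/"` and nothing checks its shape before it is written as `oidc_discovery_url`; PATCH 17 guards the call on `client_id` only.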
@@ -19,7 +19,7 @@ shared: audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %> test: - configure_oidc?: true + configure_oidc_provider?: true oidc_provider: name: "identity/oidc/provider/astral" addr: "http://oidc_provider:8300" @@ -30,7 +30,7 @@ test: cert_ttl: <%= 24.hours.in_seconds %> development: - configure_oidc?: true + configure_oidc_provider?: true oidc_provider: name: "identity/oidc/provider/astral" addr: "http://oidc_provider:8300" From 97fdf62b9eb6f80491d358cc8e11ff7776ab07f1 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 14:42:48 -0700 Subject: [PATCH 14/65] added comments --- README.md | 43 +++++++++++++++++++++++++++++++++++ app/lib/clients/vault/oidc.rb | 43 +++++++++++++++++++++++++++++------ test/lib/clients/oidc_test.rb | 19 +++++++++++----- 3 files changed, 92 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 26177f6..de7bf54 100644 --- a/README.md +++ b/README.md 
@@ -61,3 +61,46 @@ docker build -t astral:latest . ``` docker run -p 3000:3000 astral:latest ``` +# Logging into vault with OIDC + +The rails test's configure the OIDC provider, so if the tests pass, +you can run invoke the oidc login as follows: + +``` + export VAULT_ADDR=http://127.0.0.1:8200; vault login -method=oidc +``` + +You should do this on your host machine, not in docker. This will +allow a browser window to open on your host. When it does, select +"username" option with user test/test. (That is the username/pw +configured by the rails tests.) + +When thata succeeds, you should see something like the following in the cli: +``` +Success! You are now authenticated +. +. +. +identity_policies ["test@example.com"] +. +. +. +``` + +Note that "identity_policies" is "test@example.com", which is the +policy we created for this user. + +To make it work smoothly with the browser, you should add the +following to the /etc/hosts file on your host: + +``` + 127.0.0.1 oidc_provider +``` + +Finally, if you run "rails test" a second time, it will recreate the +provider settings, so you will need to clear the browser's +"oidc_provider" cookie. Otherwise you will see this error: + +``` + * Vault login failed. Expired or missing OAuth state. +``` diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index a571abb..9a1aeb8 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
@@ -1,19 +1,49 @@ +=begin + +The purpose of this module is to assign a policy to an OIDC user, by +mapping that user's email address to a policy we create. +It works as follows: + +It creates an OIDC provider and user. That user has a +username/password/email addr, that can be accessed with OIDC auth. + +It creates an OIDC client which connects to that provider. When a +user tries to auth, the client connects to the provider, which opens +up a browser window allowing the user to enter his username/password. + +On success, the provider returns an OIDC token, which includes the +user's email addr. + +The client has been configured to map that email address to an entity +in vault, which has the policy which we want the user to have. + +So the mapping goes from the email address on the provider, to the +policy in vault. The email addr may not be the best mapping to use. +Some other piece of user info may ultimately be better used to map the +user to the policy. But we don't yet have a good understanding of +different OIDC provider configurations, so this should be good enough +for now + +Note that this provider is only meant to be used in our dev/test +environment to excercise the client. In a prod env, a real OIDC +provider is configured in. + +=end module Clients class Vault module Oidc def configure_oidc_provider - create_provider_app + create_provider_webapp create_provider_with_email_scope create_entity_for_initial_user create_userpass_for_initial_user - create_alias_mapping_userpass_to_entity + map_userpass_to_entity end def configure_oidc_client(issuer, client_id, client_secret) create_client_config(issuer, client_id, client_secret) create_default_policy_for_role create_default_role(client_id) - end def configure_oidc_user(name, email, policy) 
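Review bot: The new module comment uses a `=begin`/`=end` block at column 0 above `module Clients`; the Ruby style guide (RuboCop Style/BlockComments) prefers `#` line comments, and placed directly above `module Oidc` they would also attach to the module for doc tooling. It has two typos: `excercise` → `exercise`, and `configured in` → `configured instead`. The comment's own caveat that this provider is only for dev/test is not enforced anywhere in the code; a guard at the top of `configure_oidc_provider`, `raise "OIDC provider setup is dev/test only" unless Rails.env.development? || Rails.env.test?`, would make the intent fail closed if the method is ever wired into another environment.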
@@ -34,11 +64,10 @@ def oidc_provider ) end - def create_provider_app + def create_provider_webapp oidc_provider.logical.write( WEBAPP_NAME, - # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris - redirect_uris: "http://localhost:8250/oidc/callback", + redirect_uris: get_redirect_uris, assignments: "allow_all") app = oidc_provider.logical.read(WEBAPP_NAME) @@client_id = app.data[:client_id] @@ -69,7 +98,7 @@ def create_userpass_for_initial_user password: Config[:initial_user][:password]) end - def create_alias_mapping_userpass_to_entity + def map_userpass_to_entity op_entity = oidc_provider.logical.read( "identity/entity/name/#{Config[:initial_user][:name]}") op_entity_id = op_entity.data[:id] diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 62c8ef0..2c00106 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -1,21 +1,28 @@ require "test_helper" +# NOTE: these tests excercise the OIDC config but can't really verify a +# successful OIDC login. (Because that requires browser interaction.) +# See the readme for how to use with the browser class OIDCTest < ActiveSupport::TestCase setup do @client = Clients::Vault end test "#configure_oidc_user" do - policy = <<-EOH - path "sys" { - policy = "read" - } - EOH @client.configure_oidc_user(Config[:initial_user][:name], - Config[:initial_user][:email], policy) + Config[:initial_user][:email], get_test_policy) entity = @client.read_entity(Config[:initial_user][:name]) assert_equal Config[:initial_user][:email], entity.data[:policies][0] aliases = entity.data[:aliases] assert aliases.find { |a| a[:name] == Config[:initial_user][:email] } end + private + def get_test_policy + policy = <<-EOH + path "sys" { + policy = "read" + } + EOH + end + end From 20cb10de0a35c3d97cf35b11ce4f23e0368dc788 Mon Sep 17 00:00:00 2001 
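Review bot: In the oidc_test.rb hunk, `get_test_policy` assigns the heredoc to `policy`, a local that is never read — only the implicit return is used — so `policy =` is dead code; `<<~EOH` would also drop the indentation that `<<-` keeps in the HCL handed to `put_policy`. The `private` marker directly followed by `def` is tidied by PATCH 16 below. The `# NOTE:` explaining that the tests cannot verify a real login is useful and worth keeping next to the class.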
From: George Jahad Date: Wed, 9 Oct 2024 14:47:07 -0700 Subject: [PATCH 15/65] cleanup readme --- README.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index de7bf54..2e997c1 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ docker run -p 3000:3000 astral:latest # Logging into vault with OIDC The rails test's configure the OIDC provider, so if the tests pass, -you can run invoke the oidc login as follows: +you can invoke the oidc login as follows: ``` export VAULT_ADDR=http://127.0.0.1:8200; vault login -method=oidc @@ -75,22 +75,19 @@ allow a browser window to open on your host. When it does, select "username" option with user test/test. (That is the username/pw configured by the rails tests.) -When thata succeeds, you should see something like the following in the cli: +When that succeeds, you should see something like the following in the cli: ``` Success! You are now authenticated . -. -. identity_policies ["test@example.com"] . . -. ``` -Note that "identity_policies" is "test@example.com", which is the +Note that "identity_policies" includes "test@example.com", which is the policy we created for this user. -To make it work smoothly with the browser, you should add the +To make this work smoothly with the browser, you should add the following to the /etc/hosts file on your host: ``` From 8f6d97a6bb202aa40cb05adfe318e6e1ac202a59 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 14:53:24 -0700 Subject: [PATCH 16/65] cleanup --- test/lib/clients/oidc_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 2c00106..8c20c86 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb 
@@ -16,7 +16,9 @@ class OIDCTest < ActiveSupport::TestCase aliases = entity.data[:aliases] assert aliases.find { |a| a[:name] == Config[:initial_user][:email] } end + private + def get_test_policy policy = <<-EOH path "sys" { @@ -24,5 +26,4 @@ def get_test_policy } EOH end - end From e496ef69e7fd8adac0b2b0be45e8fdfded7f1a08 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 18:18:52 -0700 Subject: [PATCH 17/65] fix for prod --- config/application.rb | 2 +- config/astral.yml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/application.rb b/config/application.rb index 041add3..32800eb 100644 --- a/config/application.rb +++ b/config/application.rb @@ -48,7 +48,7 @@ class Application < Rails::Application client_id = ::Clients::Vault::Oidc.client_id client_secret = ::Clients::Vault::Oidc.client_secret end - Clients::Vault.configure_oidc_client(issuer, client_id, client_secret) + Clients::Vault.configure_oidc_client(issuer, client_id, client_secret) unless client_id.nil? Clients::Vault.rotate_token end end diff --git a/config/astral.yml b/config/astral.yml index e78f07b..4c6f3b3 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -41,3 +41,9 @@ development: production: vault_create_root: false + configure_oidc_provider?: false + oidc_provider: + name: + addr: + client_id: + client_secret: \ No newline at end of file From d33a69ca6bf33051e4cd28c0ce7f45501c82e29c Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 19:44:48 -0700 Subject: [PATCH 18/65] fixed issuer --- app/lib/clients/vault/oidc.rb | 6 +++--- config/application.rb | 2 +- config/astral.yml | 9 +++------ 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 9a1aeb8..1e104f9 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
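Review bot: `unless client_id.nil?` in the application.rb hunk lets an empty string through — a `client_id:` key left blank in YAML is `nil`, but an ERB-sourced environment variable set to `""` is not — and `configure_oidc_client` would then write an empty client id into `auth/oidc/config`; ActiveSupport's `present?` covers both cases: `Clients::Vault.configure_oidc_client(issuer, client_id, client_secret) if client_id.present?`. The astral.yml hunk adds `client_secret:` as a literal key under `production:`, which invites a real secret to be committed; an ERB `ENV` lookup there keeps the file free of secret material.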
@@ -59,7 +59,7 @@ def configure_oidc_user(name, email, policy) def oidc_provider ::Vault::Client.new( - address: Config[:oidc_provider][:addr], + address: "http://oidc_provider:8300", token: token ) end @@ -77,8 +77,8 @@ def create_provider_webapp def create_provider_with_email_scope oidc_provider.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') - oidc_provider.logical.write(Config[:oidc_provider][:name], - issuer: Config[:oidc_provider][:addr], + oidc_provider.logical.write("identity/oidc/provider/astral", + issuer: "http://oidc_provider:8300", allowed_client_ids: @@client_id, scopes_supported: "email") end diff --git a/config/application.rb b/config/application.rb index 32800eb..8f653eb 100644 --- a/config/application.rb +++ b/config/application.rb @@ -40,7 +40,7 @@ class Application < Rails::Application Clients::Vault.token = Config[:vault_token] Clients::Vault.configure_kv Clients::Vault.configure_pki - issuer = "#{config.astral.oidc_provider[:addr]}/v1/#{config.astral.oidc_provider[:name]}" + issuer = config.astral.oidc_provider[:issuer] client_id = config.astral.oidc_provider[:client_id] client_secret = config.astral.oidc_provider[:client_secret] if config.astral.configure_oidc_provider? diff --git a/config/astral.yml b/config/astral.yml index 4c6f3b3..922a21d 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -21,8 +21,7 @@ shared: test: configure_oidc_provider?: true oidc_provider: - name: "identity/oidc/provider/astral" - addr: "http://oidc_provider:8300" + issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" initial_user: name: "test" password: "test" @@ -32,8 +31,7 @@ test: development: configure_oidc_provider?: true oidc_provider: - name: "identity/oidc/provider/astral" - addr: "http://oidc_provider:8300" + issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" initial_user: name: "test" password: "test" 
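Review bot: `oidc_provider` and `create_provider_with_email_scope` now hardcode `"http://oidc_provider:8300"` (twice) and `"identity/oidc/provider/astral"`, while the `issuer` in astral.yml's test and development blocks must equal exactly `<addr>/v1/<name>` for discovery to succeed — three places kept in sync by hand with nothing checking them. Lifting them to frozen constants next to `WEBAPP_NAME`, e.g. `PROVIDER_ADDR = "http://oidc_provider:8300".freeze` and `PROVIDER_NAME = "identity/oidc/provider/astral".freeze`, and using them in both methods leaves one place to change. A comment saying what `oidc_provider:8300` refers to (the README hunk on this page has developers add it to `/etc/hosts`) would also help the next reader.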
@@ -43,7 +41,6 @@ production: vault_create_root: false configure_oidc_provider?: false oidc_provider: - name: - addr: + issuer: client_id: client_secret: \ No newline at end of file From 14326f04e9cb1c00de0ecdd04a67f060a92fcabb Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 19:48:18 -0700 Subject: [PATCH 19/65] cleanup --- test/lib/clients/oidc_test.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 8c20c86..cca493c 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -3,6 +3,7 @@ # NOTE: these tests excercise the OIDC config but can't really verify a # successful OIDC login. (Because that requires browser interaction.) # See the readme for how to use with the browser + class OIDCTest < ActiveSupport::TestCase setup do @client = Clients::Vault From 4957347cd0a6a6fc84eccb8762a80c28fc32c58b Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 19:54:12 -0700 Subject: [PATCH 20/65] comment --- test/lib/clients/oidc_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index cca493c..f69499b 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -2,7 +2,7 @@ # NOTE: these tests excercise the OIDC config but can't really verify a # successful OIDC login. (Because that requires browser interaction.) -# See the readme for how to use with the browser +# See the readme for how to use oidc login with the browser. class OIDCTest < ActiveSupport::TestCase setup do From f3a48287702f008530e246bc459d2808b12d43fb Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 20:14:53 -0700 Subject: [PATCH 21/65] cleanup local names --- app/lib/clients/vault/oidc.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 1e104f9..176070c 100644 
--- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -99,14 +99,14 @@ def create_userpass_for_initial_user end def map_userpass_to_entity - op_entity = oidc_provider.logical.read( + entity = oidc_provider.logical.read( "identity/entity/name/#{Config[:initial_user][:name]}") - op_entity_id = op_entity.data[:id] - op_auth_list = oidc_provider.logical.read("/sys/auth") - up_accessor = op_auth_list.data[:"userpass/"][:accessor] + entity_id = entity.data[:id] + auth_list = oidc_provider.logical.read("/sys/auth") + up_accessor = auth_list.data[:"userpass/"][:accessor] oidc_provider.logical.write("identity/entity-alias", name: Config[:initial_user][:name], - canonical_id: op_entity_id, + canonical_id: entity_id, mount_accessor: up_accessor) end From 3d3d1fb26f0eb9a3042b4c27b2df0a4f4dcb439b Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 9 Oct 2024 20:16:19 -0700 Subject: [PATCH 22/65] cleanup local names --- app/lib/clients/vault/oidc.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 176070c..2afabd4 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -103,11 +103,11 @@ def map_userpass_to_entity "identity/entity/name/#{Config[:initial_user][:name]}") entity_id = entity.data[:id] auth_list = oidc_provider.logical.read("/sys/auth") - up_accessor = auth_list.data[:"userpass/"][:accessor] + accessor = auth_list.data[:"userpass/"][:accessor] oidc_provider.logical.write("identity/entity-alias", name: Config[:initial_user][:name], canonical_id: entity_id, - mount_accessor: up_accessor) + mount_accessor: accessor) end def create_client_config(issuer, client_id, client_secret) From 5c59530e48944e422561a999f9df8855c85461b3 Mon Sep 17 00:00:00 2001 
From: George Jahad Date: Thu, 10 Oct 2024 17:54:26 -0700 Subject: [PATCH 23/65] review fixes --- app/lib/clients/vault/oidc.rb | 22 ++++++++++++---------- test/lib/clients/oidc_test.rb | 18 ++++++++++-------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 2afabd4..1574771 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -18,11 +18,7 @@ in vault, which has the policy which we want the user to have. So the mapping goes from the email address on the provider, to the -policy in vault. The email addr may not be the best mapping to use. -Some other piece of user info may ultimately be better used to map the -user to the policy. But we don't yet have a good understanding of -different OIDC provider configurations, so this should be good enough -for now +policy in vault. Note that this provider is only meant to be used in our dev/test environment to excercise the client. In a prod env, a real OIDC @@ -32,12 +28,17 @@ module Clients class Vault module Oidc + cattr_accessor :provider def configure_oidc_provider - create_provider_webapp - create_provider_with_email_scope - create_entity_for_initial_user - create_userpass_for_initial_user - map_userpass_to_entity + @@provider ||= + begin + create_provider_webapp + provider = create_provider_with_email_scope + create_entity_for_initial_user + create_userpass_for_initial_user + map_userpass_to_entity + provider + end end def configure_oidc_client(issuer, client_id, client_secret) @@ -81,6 +82,7 @@ def create_provider_with_email_scope issuer: "http://oidc_provider:8300", allowed_client_ids: @@client_id, scopes_supported: "email") + oidc_provider.logical.read("identity/oidc/provider/astral") end def create_entity_for_initial_user diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index f69499b..0e2b8f6 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb 
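Review bot: `@@provider ||= begin … end` in the `@@ -32,12 +28,17 @@` hunk memoizes on the value returned by `create_provider_with_email_scope`, so if that method's `logical.read` returns nil the whole block runs again on the next call — including `create_provider_webapp`, which overwrites `@@client_id`/`@@client_secret` with a freshly minted pair. Having `create_provider_with_email_scope` fail loudly instead, e.g. `raise "provider read-back failed" if provider.nil?` before returning the read result, separates "setup already done" from "setup failed". `cattr_accessor :provider` also exposes `Clients::Vault::Oidc.provider=` publicly, so any code can reset or replace the memo; a comment on that line such as `# memoized Secret read back from identity/oidc/provider/astral; nil until configure_oidc_provider has run` would document what it holds.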
@@ -6,18 +6,20 @@ class OIDCTest < ActiveSupport::TestCase setup do - @client = Clients::Vault + client = Clients::Vault + client.configure_oidc_user(Config[:initial_user][:name], + Config[:initial_user][:email], get_test_policy) + @entity = client.read_entity(Config[:initial_user][:name]) end - test "#configure_oidc_user" do - @client.configure_oidc_user(Config[:initial_user][:name], - Config[:initial_user][:email], get_test_policy) - entity = @client.read_entity(Config[:initial_user][:name]) - assert_equal Config[:initial_user][:email], entity.data[:policies][0] - aliases = entity.data[:aliases] - assert aliases.find { |a| a[:name] == Config[:initial_user][:email] } + test "#policies_contain_initial_users_email" do + assert_equal Config[:initial_user][:email], @entity.data[:policies][0] end + test "#aliases_contain_initial_users_email" do + aliases = @entity.data[:aliases] + assert aliases.find { |a| a[:name] == Config[:initial_user][:email] } + end private def get_test_policy From 52e242015acaba8a20563ad04a9b94961e1130ef Mon Sep 17 00:00:00 2001 From: George Jahad Date: Thu, 10 Oct 2024 17:54:44 -0700 Subject: [PATCH 24/65] application.rb fixes --- config/application.rb | 17 ----------------- config/environments/development.rb | 14 ++++++++++++++ config/environments/production.rb | 12 ++++++++++++ config/environments/test.rb | 13 +++++++++++++ 4 files changed, 39 insertions(+), 17 deletions(-) diff --git a/config/application.rb b/config/application.rb index 8f653eb..1fea729 100644 --- a/config/application.rb +++ b/config/application.rb 
@@ -34,22 +34,5 @@ class Application < Rails::Application # Application configs from config/astral.yml config.astral = config_for :astral - - config.after_initialize do - # bootstrap with provided token, then rotate - Clients::Vault.token = Config[:vault_token] - Clients::Vault.configure_kv - Clients::Vault.configure_pki - issuer = config.astral.oidc_provider[:issuer] - client_id = config.astral.oidc_provider[:client_id] - client_secret = config.astral.oidc_provider[:client_secret] - if config.astral.configure_oidc_provider? - Clients::Vault.configure_oidc_provider - client_id = ::Clients::Vault::Oidc.client_id - client_secret = ::Clients::Vault::Oidc.client_secret - end - Clients::Vault.configure_oidc_client(issuer, client_id, client_secret) unless client_id.nil? - Clients::Vault.rotate_token - end end end diff --git a/config/environments/development.rb b/config/environments/development.rb index 98128ff..1f4320e 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -72,4 +72,18 @@ # Apply autocorrection by RuboCop to files generated by `bin/rails generate`. # config.generators.apply_rubocop_autocorrect_after_generate! + + + config.after_initialize do + # bootstrap with provided token, then rotate + Clients::Vault.token = Config[:vault_token] + Clients::Vault.configure_kv + Clients::Vault.configure_pki + Clients::Vault.configure_oidc_provider + Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], + Clients::Vault::Oidc.client_id, + Clients::Vault::Oidc.client_secret) + Clients::Vault.rotate_token + end + end diff --git a/config/environments/production.rb b/config/environments/production.rb index 4f5d1e6..258b5c6 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
@@ -92,4 +92,16 @@ # ] # Skip DNS rebinding protection for the default health check endpoint. # config.host_authorization = { exclude: ->(request) { request.path == "/up" } } + + config.after_initialize do + # bootstrap with provided token, then rotate + Clients::Vault.token = Config[:vault_token] + Clients::Vault.configure_kv + Clients::Vault.configure_pki + Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], + config.astral.oidc_provider[:client_secret], + config.astral.oidc_provider[:client_secret]) + Clients::Vault.rotate_token + end + end diff --git a/config/environments/test.rb b/config/environments/test.rb index 0c616a1..f9e6e72 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -64,4 +64,17 @@ # Raise error when a before_action's only/except options reference missing actions. config.action_controller.raise_on_missing_callback_actions = true + + config.after_initialize do + # bootstrap with provided token, then rotate + Clients::Vault.token = Config[:vault_token] + Clients::Vault.configure_kv + Clients::Vault.configure_pki + Clients::Vault.configure_oidc_provider + Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], + Clients::Vault::Oidc.client_id, + Clients::Vault::Oidc.client_secret) + Clients::Vault.rotate_token + end + end From 0617b3001cd04aab8f951f09b4c39a8482de16e9 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Thu, 10 Oct 2024 18:55:46 -0700 Subject: [PATCH 25/65] application.rb fixes --- config/application.rb | 9 +++++++++ config/environments/development.rb | 9 ++------- config/environments/production.rb | 15 ++++++--------- config/environments/test.rb | 8 +------- 4 files changed, 18 insertions(+), 23 deletions(-) diff --git a/config/application.rb b/config/application.rb index 1fea729..eb51962 100644 --- a/config/application.rb +++ b/config/application.rb 
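Review bot: In the production.rb hunk, `config.astral.oidc_provider[:client_secret]` is passed as both the second and third argument of `configure_oidc_client`, so the secret is written to Vault as `oidc_client_id` and the configured `client_id` is never used; the second argument should be `config.astral.oidc_provider[:client_id]`, which PATCH 25 below corrects. The `unless client_id.nil?` guard that PATCH 17 added is also dropped here, so a production deployment with the blank `oidc_provider:` keys calls into Vault with nils. Carrying the same bootstrap block in development.rb, production.rb and test.rb invites exactly this kind of drift.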
@@ -34,5 +34,14 @@ class Application < Rails::Application # Application configs from config/astral.yml config.astral = config_for :astral + + config.after_initialize do + # bootstrap with provided token, then rotate + Clients::Vault.token = Config[:vault_token] + Clients::Vault.configure_kv + Clients::Vault.configure_pki + configure_oidc + Clients::Vault.rotate_token + end end end diff --git a/config/environments/development.rb b/config/environments/development.rb index 1f4320e..0d1f611 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -73,17 +73,12 @@ # Apply autocorrection by RuboCop to files generated by `bin/rails generate`. # config.generators.apply_rubocop_autocorrect_after_generate! - - config.after_initialize do - # bootstrap with provided token, then rotate - Clients::Vault.token = Config[:vault_token] - Clients::Vault.configure_kv - Clients::Vault.configure_pki + def configure_oidc Clients::Vault.configure_oidc_provider Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], Clients::Vault::Oidc.client_id, Clients::Vault::Oidc.client_secret) - Clients::Vault.rotate_token end + end diff --git a/config/environments/production.rb b/config/environments/production.rb index 258b5c6..5e35071 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
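Review bot: `configure_oidc` is called from the `after_initialize` block but is not defined anywhere in application.rb; it exists only when the loaded environment file defines it, so an environment without one (a future staging config, for instance) fails at boot with NoMethodError. A no-op default on `Application`, e.g. `def configure_oidc; end # per-environment OIDC hook, see config/environments/*.rb`, keeps boot working and documents the contract. The call also resolves from a block whose self is the `Application` class while the environment files define an instance method, which appears to work only through Railtie's delegation to the application instance; that is worth a comment next to the call.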
@@ -93,15 +93,12 @@ # Skip DNS rebinding protection for the default health check endpoint. # config.host_authorization = { exclude: ->(request) { request.path == "/up" } } - config.after_initialize do - # bootstrap with provided token, then rotate - Clients::Vault.token = Config[:vault_token] - Clients::Vault.configure_kv - Clients::Vault.configure_pki - Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], - config.astral.oidc_provider[:client_secret], - config.astral.oidc_provider[:client_secret]) - Clients::Vault.rotate_token + def configure_oidc + unless config.astral.oidc_provider[:client_id].nil? + Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], + config.astral.oidc_provider[:client_id], + config.astral.oidc_provider[:client_secret]) + end end end diff --git a/config/environments/test.rb b/config/environments/test.rb index f9e6e72..3202de6 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -65,16 +65,10 @@ # Raise error when a before_action's only/except options reference missing actions. config.action_controller.raise_on_missing_callback_actions = true - config.after_initialize do - # bootstrap with provided token, then rotate - Clients::Vault.token = Config[:vault_token] - Clients::Vault.configure_kv - Clients::Vault.configure_pki + def configure_oidc Clients::Vault.configure_oidc_provider Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], Clients::Vault::Oidc.client_id, Clients::Vault::Oidc.client_secret) - Clients::Vault.rotate_token end - end From 71a2259751fa0c9c4db7f95574c02c6670565907 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 09:01:12 -0700 Subject: [PATCH 26/65] cleanup configs --- config/astral.yml | 3 --- config/environments/production.rb | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/config/astral.yml b/config/astral.yml index 922a21d..ec15b1f 100644 --- a/config/astral.yml +++ b/config/astral.yml 
@@ -19,7 +19,6 @@ shared: audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %> test: - configure_oidc_provider?: true oidc_provider: issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" initial_user: @@ -29,7 +28,6 @@ test: cert_ttl: <%= 24.hours.in_seconds %> development: - configure_oidc_provider?: true oidc_provider: issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" initial_user: @@ -39,7 +37,6 @@ development: production: vault_create_root: false - configure_oidc_provider?: false oidc_provider: issuer: client_id: diff --git a/config/environments/production.rb b/config/environments/production.rb index 5e35071..51d9a12 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -94,7 +94,7 @@ # config.host_authorization = { exclude: ->(request) { request.path == "/up" } } def configure_oidc - unless config.astral.oidc_provider[:client_id].nil? + if !config.astral.oidc_provider[:client_id].nil? Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], config.astral.oidc_provider[:client_id], config.astral.oidc_provider[:client_secret]) From 289dea6ece2a68a6aba53f7a4d6669bdaab4a2ff Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 10:51:59 -0700 Subject: [PATCH 27/65] added initial_user() --- app/lib/clients/vault/oidc.rb | 40 +++++++++++++++++++---------------- test/lib/clients/oidc_test.rb | 14 ++++++------ 2 files changed, 29 insertions(+), 25 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 1574771..8a05613 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
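Review bot: Replacing `unless config.astral.oidc_provider[:client_id].nil?` with `if !config.astral.oidc_provider[:client_id].nil?` is a style regression that RuboCop's Style/NegatedIf will flag; the idiomatic form is `if config.astral.oidc_provider[:client_id]` (only nil and false are falsy), or a guard clause at the top of the method, `return if config.astral.oidc_provider[:client_id].nil?`. The body of `configure_oidc` continues outside the hunk.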
@@ -30,15 +30,13 @@ class Vault module Oidc cattr_accessor :provider def configure_oidc_provider - @@provider ||= - begin - create_provider_webapp - provider = create_provider_with_email_scope - create_entity_for_initial_user - create_userpass_for_initial_user - map_userpass_to_entity - provider - end + if oidc_provider.logical.read("identity/oidc/provider/astral").nil? + create_provider_webapp + create_provider_with_email_scope + create_entity_for_initial_user + create_userpass_for_initial_user + map_userpass_to_entity + end end def configure_oidc_client(issuer, client_id, client_secret) @@ -53,6 +51,12 @@ def configure_oidc_user(name, email, policy) put_entity_alias(name, email, "oidc") end + def initial_user + if Config[:initial_user].nil? + raise "initial user not configured." + end + Config[:initial_user] + end private cattr_accessor :client_id cattr_accessor :client_secret @@ -68,7 +72,7 @@ def oidc_provider def create_provider_webapp oidc_provider.logical.write( WEBAPP_NAME, - redirect_uris: get_redirect_uris, + redirect_uris: redirect_uris, assignments: "allow_all") app = oidc_provider.logical.read(WEBAPP_NAME) @@client_id = app.data[:client_id] 
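Review bot: When the provider already exists, `configure_oidc_provider` now skips `create_provider_webapp`, which is the only place `@@client_id` and `@@client_secret` are assigned, so on a second boot `Clients::Vault::Oidc.client_id` is nil and `configure_oidc_client` is fed nil credentials; the existing-provider branch needs to read the webapp and populate the accessors too. PATCH 28 later adds a `set_client_id` step for exactly this case. In the second hunk, `raise "initial user not configured."` raises a bare RuntimeError; a typed error such as `raise ArgumentError, "initial user not configured."` (or a project error class) lets callers rescue a configuration failure specifically.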
@@ -88,26 +92,26 @@ def create_provider_with_email_scope def create_entity_for_initial_user oidc_provider.logical.write("identity/entity", policies: "default", - name: Config[:initial_user][:name], - metadata: "email=#{Config[:initial_user][:email]}", + name: initial_user[:name], + metadata: "email=#{initial_user[:email]}", disabled: false) end def create_userpass_for_initial_user oidc_provider.logical.delete("/sys/auth/userpass") oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user][:name]}", - password: Config[:initial_user][:password]) + oidc_provider.logical.write("/auth/userpass/users/#{initial_user[:name]}", + password: initial_user[:password]) end def map_userpass_to_entity entity = oidc_provider.logical.read( - "identity/entity/name/#{Config[:initial_user][:name]}") + "identity/entity/name/#{initial_user[:name]}") entity_id = entity.data[:id] auth_list = oidc_provider.logical.read("/sys/auth") accessor = auth_list.data[:"userpass/"][:accessor] oidc_provider.logical.write("identity/entity-alias", - name: Config[:initial_user][:name], + name: initial_user[:name], canonical_id: entity_id, mount_accessor: accessor) end @@ -131,7 +135,7 @@ def create_default_policy_for_role client.sys.put_policy("reader", policy) end - def get_redirect_uris + def redirect_uris # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris redirect_uris = <<-EOH http://localhost:8250/oidc/callback, @@ -143,7 +147,7 @@ def create_default_role(client_id) client.logical.write( "auth/oidc/role/reader", bound_audiences: client_id, - allowed_redirect_uris: get_redirect_uris, + allowed_redirect_uris: redirect_uris, user_claim: "email", oidc_scopes: "email", token_policies: "reader") diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 0e2b8f6..5cf71f7 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb 
@@ -6,23 +6,23 @@ class OIDCTest < ActiveSupport::TestCase setup do - client = Clients::Vault - client.configure_oidc_user(Config[:initial_user][:name], - Config[:initial_user][:email], get_test_policy) - @entity = client.read_entity(Config[:initial_user][:name]) + @client = Clients::Vault + @client.configure_oidc_user(@client.initial_user[:name], + @client.initial_user[:email], test_policy) + @entity = @client.read_entity(@client.initial_user[:name]) end test "#policies_contain_initial_users_email" do - assert_equal Config[:initial_user][:email], @entity.data[:policies][0] + assert_equal @client.initial_user[:email], @entity.data[:policies][0] end test "#aliases_contain_initial_users_email" do aliases = @entity.data[:aliases] - assert aliases.find { |a| a[:name] == Config[:initial_user][:email] } + assert aliases.find { |a| a[:name] == @client.initial_user[:email] } end private - def get_test_policy + def test_policy policy = <<-EOH path "sys" { policy = "read" From 87a56aa9546c5a641445a31f1e82c71d1cfc05ff Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 11:01:30 -0700 Subject: [PATCH 28/65] don't refresh the provider unnecessarily --- app/lib/clients/vault/oidc.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 8a05613..6246a9d 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -22,7 +22,7 @@ Note that this provider is only meant to be used in our dev/test environment to excercise the client. In a prod env, a real OIDC -provider is configured in. +provider is configured in config/astral.yml =end module Clients 
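Review bot: Renaming the helper to `test_policy` gives it Minitest's `test_` prefix inside an `ActiveSupport::TestCase`; it is only excluded from the test run because it sits under `private`, and anyone who moves it above that marker will get a "test" that returns a heredoc and is silently reported as passing. A name outside the convention, e.g. `def sample_policy`, avoids the trap; the heredoc body continues outside the hunk.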
@@ -30,12 +30,15 @@ class Vault module Oidc cattr_accessor :provider def configure_oidc_provider - if oidc_provider.logical.read("identity/oidc/provider/astral").nil? + provider = oidc_provider.logical.read("identity/oidc/provider/astral") + if provider.nil? create_provider_webapp create_provider_with_email_scope create_entity_for_initial_user create_userpass_for_initial_user map_userpass_to_entity + else + set_client_id end end @@ -74,6 +77,10 @@ def create_provider_webapp WEBAPP_NAME, redirect_uris: redirect_uris, assignments: "allow_all") + set_client_id + end + + def set_client_id app = oidc_provider.logical.read(WEBAPP_NAME) @@client_id = app.data[:client_id] @@client_secret = app.data[:client_secret] From 66c9bb183e26a566cfd191491663db73116f7677 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 11:10:21 -0700 Subject: [PATCH 29/65] cleanup --- README.md | 4 ++-- app/lib/clients/vault/oidc.rb | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2e997c1..c9f7d28 100644 --- a/README.md +++ b/README.md @@ -94,8 +94,8 @@ following to the /etc/hosts file on your host: 127.0.0.1 oidc_provider ``` -Finally, if you run "rails test" a second time, it will recreate the -provider settings, so you will need to clear the browser's +Finally, if you restart the docker vault container, it will recreate +the provider settings, so you will need to clear the browser's "oidc_provider" cookie. Otherwise you will see this error: ``` diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 6246a9d..4ecf24e 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -28,7 +28,6 @@ module Clients class Vault module Oidc - cattr_accessor :provider def configure_oidc_provider provider = oidc_provider.logical.read("identity/oidc/provider/astral") if provider.nil? From 0d6bf1cb6014fc5313f39144826832d91923c6dd Mon Sep 17 00:00:00 2001 
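Review bot: `set_client_id` dereferences `app.data` without checking that `oidc_provider.logical.read(WEBAPP_NAME)` returned anything, so a Vault where the provider exists but the client webapp does not (a partially applied earlier run) fails with an unhelpful NoMethodError on nil from the new `else` branch; a guard such as `raise "OIDC client #{WEBAPP_NAME} not found on provider" if app.nil?` makes the failure self-describing. In `configure_oidc_provider`, the new local `provider` shadows the `cattr_accessor :provider` visible at the top of the hunk, which reads as if the class attribute were being set; a name like `existing` avoids the confusion.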
From: George Jahad Date: Fri, 11 Oct 2024 11:14:23 -0700 Subject: [PATCH 30/65] rubocop --- config/environments/development.rb | 2 -- config/environments/production.rb | 1 - 2 files changed, 3 deletions(-) diff --git a/config/environments/development.rb b/config/environments/development.rb index 0d1f611..0eda1b0 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -79,6 +79,4 @@ def configure_oidc Clients::Vault::Oidc.client_id, Clients::Vault::Oidc.client_secret) end - - end diff --git a/config/environments/production.rb b/config/environments/production.rb index 51d9a12..d615d06 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -100,5 +100,4 @@ def configure_oidc config.astral.oidc_provider[:client_secret]) end end - end From bb90ac491ad6cb3f5593408ae78452aa26d4b96d Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 11:30:12 -0700 Subject: [PATCH 31/65] memoized oidc_provider --- app/lib/clients/vault/oidc.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 4ecf24e..39ec851 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -62,13 +62,17 @@ def initial_user private cattr_accessor :client_id cattr_accessor :client_secret + cattr_accessor :provider WEBAPP_NAME = "identity/oidc/client/astral" def oidc_provider - ::Vault::Client.new( - address: "http://oidc_provider:8300", - token: token - ) + @@provider ||= + begin + ::Vault::Client.new( + address: "http://oidc_provider:8300", + token: token + ) + end end def create_provider_webapp From a5dfa94f2ca40cefd922a2d224c8220f7c018a7f Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 13:03:01 -0700 Subject: [PATCH 32/65] cleanup --- app/lib/clients/vault/oidc.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
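Review bot: In the memoized `oidc_provider`, the `begin`/`end` wraps a single expression and adds nothing; `@@provider ||= ::Vault::Client.new(address: "http://oidc_provider:8300", token: token)` reads cleaner and RuboCop's Style/RedundantBegin flags the current form. Memoizing also freezes whichever `token` value was current on the first call for the life of the process; since the bootstrap sequence elsewhere in this series ends with `Clients::Vault.rotate_token`, it is worth a comment stating that this client is intended to keep the pre-rotation token, or confirming that it is never used after rotation.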
diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 39ec851..48eccb3 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -54,9 +54,7 @@ def configure_oidc_user(name, email, policy) end def initial_user - if Config[:initial_user].nil? - raise "initial user not configured." - end + raise "initial user not configured." unless Config[:initial_user] Config[:initial_user] end private From 38978354bda77f2dc92f6fa34e05129cf78e71a0 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 14:34:13 -0700 Subject: [PATCH 33/65] removed unneeded reader policy --- app/lib/clients/vault/oidc.rb | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 48eccb3..e822723 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -43,7 +43,6 @@ def configure_oidc_provider def configure_oidc_client(issuer, client_id, client_secret) create_client_config(issuer, client_id, client_secret) - create_default_policy_for_role create_default_role(client_id) end @@ -131,18 +130,8 @@ def create_client_config(issuer, client_id, client_secret) oidc_discovery_url: issuer, oidc_client_id: client_id, oidc_client_secret: client_secret, - default_role: "reader") + default_role: "default") end - - def create_default_policy_for_role - policy = <<-EOH - path "sys" { - policy = "read" - } - EOH - client.sys.put_policy("reader", policy) - end - def redirect_uris # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris redirect_uris = <<-EOH @@ -153,12 +142,12 @@ def redirect_uris def create_default_role(client_id) client.logical.write( - "auth/oidc/role/reader", + "auth/oidc/role/default", bound_audiences: client_id, allowed_redirect_uris: redirect_uris, user_claim: "email", oidc_scopes: "email", - token_policies: "reader") + token_policies: "default") end end end 
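Review bot: Removing `create_default_policy_for_role` also dropped the blank line between `create_client_config`'s `end` and `def redirect_uris`, which RuboCop's Layout/EmptyLineBetweenDefs will flag. With the role now mapped to `token_policies: "default"`, a one-line comment on `create_default_role` stating that OIDC logins receive only Vault's built-in `default` policy and that any further access is presumably granted per user through `configure_oidc_user` would save the next reader from looking for the deleted reader policy.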
From 9a4942632e5746b87fbdcc567b3e7378e713570d Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 11 Oct 2024 15:01:59 -0700 Subject: [PATCH 34/65] moved provider to test dir --- app/lib/clients/vault/oidc.rb | 82 ---------------------------------- config/environments/test.rb | 6 +-- test/lib/clients/oidc_test.rb | 84 +++++++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+), 85 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index e822723..5f6f745 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -28,19 +28,6 @@ module Clients class Vault module Oidc - def configure_oidc_provider - provider = oidc_provider.logical.read("identity/oidc/provider/astral") - if provider.nil? - create_provider_webapp - create_provider_with_email_scope - create_entity_for_initial_user - create_userpass_for_initial_user - map_userpass_to_entity - else - set_client_id - end - end - def configure_oidc_client(issuer, client_id, client_secret) create_client_config(issuer, client_id, client_secret) create_default_role(client_id) 
@@ -52,76 +39,7 @@ def configure_oidc_user(name, email, policy) put_entity_alias(name, email, "oidc") end - def initial_user - raise "initial user not configured." unless Config[:initial_user] - Config[:initial_user] - end private - cattr_accessor :client_id - cattr_accessor :client_secret - cattr_accessor :provider - WEBAPP_NAME = "identity/oidc/client/astral" - - def oidc_provider - @@provider ||= - begin - ::Vault::Client.new( - address: "http://oidc_provider:8300", - token: token - ) - end - end - - def create_provider_webapp - oidc_provider.logical.write( - WEBAPP_NAME, - redirect_uris: redirect_uris, - assignments: "allow_all") - set_client_id - end - - def set_client_id - app = oidc_provider.logical.read(WEBAPP_NAME) - @@client_id = app.data[:client_id] - @@client_secret = app.data[:client_secret] - end - - def create_provider_with_email_scope - oidc_provider.logical.write("identity/oidc/scope/email", - template: '{"email": {{identity.entity.metadata.email}}}') - oidc_provider.logical.write("identity/oidc/provider/astral", - issuer: "http://oidc_provider:8300", - allowed_client_ids: @@client_id, - scopes_supported: "email") - oidc_provider.logical.read("identity/oidc/provider/astral") - end - - def create_entity_for_initial_user - oidc_provider.logical.write("identity/entity", - policies: "default", - name: initial_user[:name], - metadata: "email=#{initial_user[:email]}", - disabled: false) - end - - def create_userpass_for_initial_user - oidc_provider.logical.delete("/sys/auth/userpass") - oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write("/auth/userpass/users/#{initial_user[:name]}", - password: initial_user[:password]) - end - - def map_userpass_to_entity - entity = oidc_provider.logical.read( - "identity/entity/name/#{initial_user[:name]}") - entity_id = entity.data[:id] - auth_list = oidc_provider.logical.read("/sys/auth") - accessor = auth_list.data[:"userpass/"][:accessor] - 
oidc_provider.logical.write("identity/entity-alias", - name: initial_user[:name], - canonical_id: entity_id, - mount_accessor: accessor) - end def create_client_config(issuer, client_id, client_secret) client.logical.delete("/sys/auth/oidc") diff --git a/config/environments/test.rb b/config/environments/test.rb index 3202de6..1e494a2 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -66,9 +66,9 @@ config.action_controller.raise_on_missing_callback_actions = true def configure_oidc - Clients::Vault.configure_oidc_provider + OIDCTest.configure_oidc_provider Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], - Clients::Vault::Oidc.client_id, - Clients::Vault::Oidc.client_secret) + OIDCTest.client_id, + OIDCTest.client_secret) end end diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 5cf71f7..7f67ff8 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb 
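Review bot: `OIDCTest.configure_oidc_provider` is a class-level call, but the oidc_test.rb hunk that follows adds `configure_oidc_provider` with a plain `def` inside the test class body, i.e. as an instance method, so this raises NoMethodError at boot; `cattr_accessor` does give `OIDCTest.client_id`/`client_secret` class-level readers, but they only get values once that instance method has run. The moved code also references `token` and `redirect_uris`, neither of which is defined in OIDCTest after the move. Making an environment file depend on a Minitest case loading is an unusual dependency direction; PATCH 36 later relocates this into an `OidcProvider` class, which is the right shape.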
@@ -20,7 +20,91 @@ class OIDCTest < ActiveSupport::TestCase aliases = @entity.data[:aliases] assert aliases.find { |a| a[:name] == @client.initial_user[:email] } end + + def configure_oidc_provider + provider = oidc_provider.logical.read("identity/oidc/provider/astral") + if provider.nil? + create_provider_webapp + create_provider_with_email_scope + create_entity_for_initial_user + create_userpass_for_initial_user + map_userpass_to_entity + else + set_client_id + end + end + + private + def initial_user + raise "initial user not configured." unless Config[:initial_user] + Config[:initial_user] + end + cattr_accessor :client_id + cattr_accessor :client_secret + cattr_accessor :provider + WEBAPP_NAME = "identity/oidc/client/astral" + + def oidc_provider + @@provider ||= + begin + ::Vault::Client.new( + address: "http://oidc_provider:8300", + token: token + ) + end + end + + def create_provider_webapp + oidc_provider.logical.write( + WEBAPP_NAME, + redirect_uris: redirect_uris, + assignments: "allow_all") + set_client_id + end + + def set_client_id + app = oidc_provider.logical.read(WEBAPP_NAME) + @@client_id = app.data[:client_id] + @@client_secret = app.data[:client_secret] + end + + def create_provider_with_email_scope + oidc_provider.logical.write("identity/oidc/scope/email", + template: '{"email": {{identity.entity.metadata.email}}}') + oidc_provider.logical.write("identity/oidc/provider/astral", + issuer: "http://oidc_provider:8300", + allowed_client_ids: @@client_id, + scopes_supported: "email") + oidc_provider.logical.read("identity/oidc/provider/astral") + end + + def create_entity_for_initial_user + oidc_provider.logical.write("identity/entity", + policies: "default", + name: initial_user[:name], + metadata: "email=#{initial_user[:email]}", + disabled: false) + end + + def create_userpass_for_initial_user + oidc_provider.logical.delete("/sys/auth/userpass") + oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") + 
oidc_provider.logical.write("/auth/userpass/users/#{initial_user[:name]}", + password: initial_user[:password]) + end + + def map_userpass_to_entity + entity = oidc_provider.logical.read( + "identity/entity/name/#{initial_user[:name]}") + entity_id = entity.data[:id] + auth_list = oidc_provider.logical.read("/sys/auth") + accessor = auth_list.data[:"userpass/"][:accessor] + oidc_provider.logical.write("identity/entity-alias", + name: initial_user[:name], + canonical_id: entity_id, + mount_accessor: accessor) + end def test_policy policy = <<-EOH From 9bf51242abfce5d7b48a00a0be32fe5965f54c41 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 15 Oct 2024 08:41:00 -0700 Subject: [PATCH 35/65] init --- config/environments/test.rb | 2 ++ test/lib/clients/oidc_test.rb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/config/environments/test.rb b/config/environments/test.rb index 1e494a2..f30b384 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -1,4 +1,5 @@ require "active_support/core_ext/integer/time" +require_relative "../../test/lib/clients/oidc_test" # The test environment is used exclusively to run your application's # test suite. You never need to work with it otherwise. Remember that @@ -66,6 +67,7 @@ config.action_controller.raise_on_missing_callback_actions = true def configure_oidc + binding.irb OIDCTest.configure_oidc_provider Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], OIDCTest.client_id, diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 7f67ff8..0e0ff11 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -21,7 +21,7 @@ class OIDCTest < ActiveSupport::TestCase assert aliases.find { |a| a[:name] == @client.initial_user[:email] } end - def configure_oidc_provider + def configure_oidc_provider provider = oidc_provider.logical.read("identity/oidc/provider/astral") if provider.nil? create_provider_webapp 
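Review bot: `binding.irb` is left in `configure_oidc` in config/environments/test.rb, so every boot of the test environment stops at an interactive prompt (or errors where no TTY is attached); it should be removed before merge. The new `require_relative "../../test/lib/clients/oidc_test"` at the top of the same file pulls the test case, and whatever `test_helper` loads, into application configuration, which is another sign that the provider bootstrap belongs in a non-test class rather than in OIDCTest.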
From a73339662341e9264a2f51ff303b73f9b885670c Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 15 Oct 2024 14:43:08 -0700 Subject: [PATCH 36/65] moved provider --- app/lib/utils/oidc_provider.rb | 85 ++++++++++++++++++++++++++++++ config/environments/test.rb | 10 ++-- test/lib/clients/oidc_test.rb | 96 +++------------------------------- 3 files changed, 97 insertions(+), 94 deletions(-) create mode 100644 app/lib/utils/oidc_provider.rb diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb new file mode 100644 index 0000000..a386f4a --- /dev/null +++ b/app/lib/utils/oidc_provider.rb 
@@ -0,0 +1,85 @@ +class OidcProvider + attr_reader :client_id + attr_reader :client_secret + attr_reader :provider + + def configure + provider = oidc_provider.logical.read("identity/oidc/provider/astral") + if provider.nil? + create_provider_webapp + create_provider_with_email_scope + create_entity_for_initial_user + create_userpass_for_initial_user + map_userpass_to_entity + else + set_client_id + end + end + + def initial_user + raise "initial user not configured." unless Config[:initial_user] + Config[:initial_user] + end + + private + WEBAPP_NAME = "identity/oidc/client/astral" + + def oidc_provider + @provider ||= + ::Vault::Client.new( + address: "http://oidc_provider:8300", + token: Config[:vault_token] + ) + end + + def create_provider_webapp + oidc_provider.logical.write( + WEBAPP_NAME, + redirect_uris: redirect_uris, + assignments: "allow_all") + set_client_id + end + + def set_client_id + app = oidc_provider.logical.read(WEBAPP_NAME) + @client_id = app.data[:client_id] + @client_secret = app.data[:client_secret] + end + + def create_provider_with_email_scope + oidc_provider.logical.write("identity/oidc/scope/email", + template: '{"email": {{identity.entity.metadata.email}}}') + oidc_provider.logical.write("identity/oidc/provider/astral", + issuer: "http://oidc_provider:8300", + allowed_client_ids: @client_id, + scopes_supported: "email") + oidc_provider.logical.read("identity/oidc/provider/astral") + end + + def create_entity_for_initial_user + oidc_provider.logical.write("identity/entity", + policies: "default", + name: initial_user[:name], + metadata: "email=#{initial_user[:email]}", + disabled: false) + end + + def create_userpass_for_initial_user + oidc_provider.logical.delete("/sys/auth/userpass") + oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") + oidc_provider.logical.write("/auth/userpass/users/#{initial_user[:name]}", + password: initial_user[:password]) + end + + def map_userpass_to_entity + entity = 
oidc_provider.logical.read( + "identity/entity/name/#{initial_user[:name]}") + entity_id = entity.data[:id] + auth_list = oidc_provider.logical.read("/sys/auth") + accessor = auth_list.data[:"userpass/"][:accessor] + oidc_provider.logical.write("identity/entity-alias", + name: initial_user[:name], + canonical_id: entity_id, + mount_accessor: accessor) + end +end diff --git a/config/environments/test.rb b/config/environments/test.rb index f30b384..47d4a4d 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -1,5 +1,5 @@ require "active_support/core_ext/integer/time" -require_relative "../../test/lib/clients/oidc_test" +require_relative "../../app/lib/utils/oidc_provider" # The test environment is used exclusively to run your application's # test suite. You never need to work with it otherwise. Remember that @@ -67,10 +67,10 @@ config.action_controller.raise_on_missing_callback_actions = true def configure_oidc - binding.irb - OIDCTest.configure_oidc_provider + provider = OidcProvider.new + provider.configure Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], - OIDCTest.client_id, - OIDCTest.client_secret) + provider.client_id, + provider.client_secret) end end diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 0e0ff11..a3187e0 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -1,4 +1,5 @@ require "test_helper" +require_relative "../../../app/lib/utils/oidc_provider" # NOTE: these tests excercise the OIDC config but can't really verify a # successful OIDC login. (Because that requires browser interaction.) 
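Review bot: `create_provider_webapp` passes `redirect_uris: redirect_uris`, but no `redirect_uris` method exists in `OidcProvider` (it was a private method of `Clients::Vault::Oidc`), so the first `configure` against a fresh Vault raises NameError; PATCH 38 later moves it to `OidcUtils.redirect_uris`. `private` has no effect on the `WEBAPP_NAME` constant that follows it; use `private_constant :WEBAPP_NAME` if it is meant to be internal. `attr_reader :provider` publicly exposes a Vault client authenticated with `Config[:vault_token]` and nothing in this hunk reads it, so it can be dropped. Since this class lives under app/lib and is therefore loaded in every environment, a header comment stating that the plain-http issuer, `assignments: "allow_all"` and the userpass user are a dev/test fixture (as the earlier module comment said) belongs at the top of the file.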
@@ -6,105 +7,22 @@ class OIDCTest < ActiveSupport::TestCase setup do + @provider = OidcProvider.new @client = Clients::Vault - @client.configure_oidc_user(@client.initial_user[:name], - @client.initial_user[:email], test_policy) - @entity = @client.read_entity(@client.initial_user[:name]) + @client.configure_oidc_user(@provider.initial_user[:name], + @provider.initial_user[:email], test_policy) + @entity = @client.read_entity(@provider.initial_user[:name]) end test "#policies_contain_initial_users_email" do - assert_equal @client.initial_user[:email], @entity.data[:policies][0] + assert_equal @provider.initial_user[:email], @entity.data[:policies][0] end test "#aliases_contain_initial_users_email" do aliases = @entity.data[:aliases] - assert aliases.find { |a| a[:name] == @client.initial_user[:email] } + assert aliases.find { |a| a[:name] == @provider.initial_user[:email] } end - - def configure_oidc_provider - provider = oidc_provider.logical.read("identity/oidc/provider/astral") - if provider.nil? - create_provider_webapp - create_provider_with_email_scope - create_entity_for_initial_user - create_userpass_for_initial_user - map_userpass_to_entity - else - set_client_id - end - end - - private - def initial_user - raise "initial user not configured." 
unless Config[:initial_user] - Config[:initial_user] - end - cattr_accessor :client_id - cattr_accessor :client_secret - cattr_accessor :provider - WEBAPP_NAME = "identity/oidc/client/astral" - - def oidc_provider - @@provider ||= - begin - ::Vault::Client.new( - address: "http://oidc_provider:8300", - token: token - ) - end - end - - def create_provider_webapp - oidc_provider.logical.write( - WEBAPP_NAME, - redirect_uris: redirect_uris, - assignments: "allow_all") - set_client_id - end - - def set_client_id - app = oidc_provider.logical.read(WEBAPP_NAME) - @@client_id = app.data[:client_id] - @@client_secret = app.data[:client_secret] - end - - def create_provider_with_email_scope - oidc_provider.logical.write("identity/oidc/scope/email", - template: '{"email": {{identity.entity.metadata.email}}}') - oidc_provider.logical.write("identity/oidc/provider/astral", - issuer: "http://oidc_provider:8300", - allowed_client_ids: @@client_id, - scopes_supported: "email") - oidc_provider.logical.read("identity/oidc/provider/astral") - end - - def create_entity_for_initial_user - oidc_provider.logical.write("identity/entity", - policies: "default", - name: initial_user[:name], - metadata: "email=#{initial_user[:email]}", - disabled: false) - end - - def create_userpass_for_initial_user - oidc_provider.logical.delete("/sys/auth/userpass") - oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write("/auth/userpass/users/#{initial_user[:name]}", - password: initial_user[:password]) - end - - def map_userpass_to_entity - entity = oidc_provider.logical.read( - "identity/entity/name/#{initial_user[:name]}") - entity_id = entity.data[:id] - auth_list = oidc_provider.logical.read("/sys/auth") - accessor = auth_list.data[:"userpass/"][:accessor] - oidc_provider.logical.write("identity/entity-alias", - name: initial_user[:name], - canonical_id: entity_id, - mount_accessor: accessor) - end def test_policy policy = <<-EOH 
From 2a9039209a5e4a81bec222682d7b7835ebe832be Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 15 Oct 2024 14:55:37 -0700 Subject: [PATCH 37/65] refactored init code --- app/lib/clients/vault/oidc.rb | 6 ++++-- config/application.rb | 7 +++++++ config/environments/production.rb | 5 ----- config/environments/test.rb | 5 ++--- 4 files changed, 13 insertions(+), 10 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 5f6f745..d3e4732 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -29,8 +29,10 @@ module Clients class Vault module Oidc def configure_oidc_client(issuer, client_id, client_secret) - create_client_config(issuer, client_id, client_secret) - create_default_role(client_id) + if !client_id.nil? + create_client_config(issuer, client_id, client_secret) + create_default_role(client_id) + end end def configure_oidc_user(name, email, policy) diff --git a/config/application.rb b/config/application.rb index eb51962..d92cc03 100644 --- a/config/application.rb +++ b/config/application.rb @@ -41,7 +41,14 @@ class Application < Rails::Application Clients::Vault.configure_kv Clients::Vault.configure_pki configure_oidc + Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], + config.astral.oidc_provider[:client_id], + config.astral.oidc_provider[:client_secret]) Clients::Vault.rotate_token end + + def configure_oidc + # do nothing by default + end end end diff --git a/config/environments/production.rb b/config/environments/production.rb index d615d06..e3709da 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
@@ -94,10 +94,5 @@ # config.host_authorization = { exclude: ->(request) { request.path == "/up" } } def configure_oidc - if !config.astral.oidc_provider[:client_id].nil? - Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], - config.astral.oidc_provider[:client_id], - config.astral.oidc_provider[:client_secret]) - end end end diff --git a/config/environments/test.rb b/config/environments/test.rb index 47d4a4d..7fad613 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -69,8 +69,7 @@ def configure_oidc provider = OidcProvider.new provider.configure - Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], - provider.client_id, - provider.client_secret) + config.astral.oidc_provider[:client_id] = provider.client_id + config.astral.oidc_provider[:client_secret] = provider.client_secret end end From 56b6f767a16feb059651ff7d187ac543ebce48b2 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 15 Oct 2024 17:14:32 -0700 Subject: [PATCH 38/65] rake task --- .devcontainer/devcontainer.json | 2 +- app/lib/clients/vault/oidc.rb | 18 +++++------------- app/lib/utils/oidc.rb | 8 ++++++++ app/lib/utils/oidc_provider.rb | 29 +++++++++++++++-------------- config/application.rb | 6 +++--- config/astral.yml | 13 +++++-------- config/environments/development.rb | 6 ++---- config/environments/test.rb | 5 +---- lib/tasks/oidc_provider.rake | 12 ++++++++++++ 9 files changed, 52 insertions(+), 47 deletions(-) create mode 100644 app/lib/utils/oidc.rb create mode 100644 lib/tasks/oidc_provider.rake diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 203151d..a0ce7b8 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -20,7 +20,7 @@ "forwardPorts": [3000, 5432, 8200, 8300], // Use 'postCreateCommand' to run commands after the container is created. - "postCreateCommand": "bundle install && rake db:setup", + "postCreateCommand": "bundle install && rake db:setup && rake oidc_provider:configure", // Configure tool-specific properties. // "customizations": {}, diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index d3e4732..3bf2d54 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -25,14 +25,14 @@ provider is configured in config/astral.yml =end +require_relative "../../utils/oidc" module Clients class Vault module Oidc def configure_oidc_client(issuer, client_id, client_secret) - if !client_id.nil? - create_client_config(issuer, client_id, client_secret) - create_default_role(client_id) - end + return if client_id.nil? + create_client_config(issuer, client_id, client_secret) + create_default_role(client_id) end def configure_oidc_user(name, email, policy) @@ -52,19 +52,11 @@ def create_client_config(issuer, client_id, client_secret) oidc_client_secret: client_secret, default_role: "default") end - def redirect_uris - # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris - redirect_uris = <<-EOH - http://localhost:8250/oidc/callback, - #{Config[:vault_addr]}/ui/vault/auth/oidc/oidc/callback, - EOH - end - def create_default_role(client_id) client.logical.write( "auth/oidc/role/default", bound_audiences: client_id, - allowed_redirect_uris: redirect_uris, + allowed_redirect_uris: OidcUtils.redirect_uris, user_claim: "email", oidc_scopes: "email", token_policies: "default") diff --git a/app/lib/utils/oidc.rb b/app/lib/utils/oidc.rb new file mode 100644 index 0000000..359a772 --- /dev/null +++ b/app/lib/utils/oidc.rb 
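Review bot: Replacing the `redirect_uris` heredoc with `OidcUtils.redirect_uris` narrows `allowed_redirect_uris` on the default role from two entries to one: the `#{Config[:vault_addr]}/ui/vault/auth/oidc/oidc/callback` entry is dropped, and the new helper in the app/lib/utils/oidc.rb hunk returns only `http://localhost:8250/oidc/callback`, so OIDC login from the Vault UI will presumably fail the redirect-URI check while CLI login on 8250 still works. If dropping the UI callback is intended, say so in the comment in `OidcUtils.redirect_uris` (which still links to the redirect-URI docs and is named in the plural); otherwise restore the second URI. The later hunks that move the value into `Config[:oidc_redirect_uris]` in config/astral.yml keep the single localhost entry, so the same question applies there.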
@@ -0,0 +1,8 @@ +class OidcUtils + class << self + def redirect_uris + # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris + "http://localhost:8250/oidc/callback" + end + end +end diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index a386f4a..71d12eb 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -1,9 +1,13 @@ +require_relative "oidc" class OidcProvider attr_reader :client_id attr_reader :client_secret attr_reader :provider + attr_reader :initial_user - def configure + def configure(token, initial_user) + @token = token + @initial_user = initial_user provider = oidc_provider.logical.read("identity/oidc/provider/astral") if provider.nil? create_provider_webapp @@ -12,13 +16,16 @@ def configure create_userpass_for_initial_user map_userpass_to_entity else - set_client_id + get_client_info end end - def initial_user - raise "initial user not configured." unless Config[:initial_user] - Config[:initial_user] + + def get_client_info + app = oidc_provider.logical.read(WEBAPP_NAME) + @client_id = app.data[:client_id] + @client_secret = app.data[:client_secret] + [@client_id, @client_secret] end private @@ -28,22 +35,16 @@ def oidc_provider @provider ||= ::Vault::Client.new( address: "http://oidc_provider:8300", - token: Config[:vault_token] + token: @token ) end def create_provider_webapp oidc_provider.logical.write( WEBAPP_NAME, - redirect_uris: redirect_uris, + redirect_uris: OidcUtils.redirect_uris, assignments: "allow_all") - set_client_id - end - - def set_client_id - app = oidc_provider.logical.read(WEBAPP_NAME) - @client_id = app.data[:client_id] - @client_secret = app.data[:client_secret] + get_client_info end def create_provider_with_email_scope diff --git a/config/application.rb b/config/application.rb index d92cc03..a6e134f 100644 --- a/config/application.rb +++ b/config/application.rb 
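Review bot: `get_client_info` dereferences `app.data` without a nil check, although `configure` in the same file treats a nil `logical.read` as "not created yet"; on a provider instance where the webapp has not been created the read returns nil and the caller gets a bare `NoMethodError` instead of an actionable message. Guard it with `raise "OIDC client #{WEBAPP_NAME} not found on the provider; run the configure task first" if app.nil?` before reading `app.data`. As a point of style, the `get_` prefix here (and in the later `get_info`, `get_oidc_client_config` and `get_oidc_config` hunks) is not idiomatic Ruby; `client_credentials` would read better and would signal that the second element of the returned pair is a secret.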
@@ -41,9 +41,9 @@ class Application < Rails::Application Clients::Vault.configure_kv Clients::Vault.configure_pki configure_oidc - Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], - config.astral.oidc_provider[:client_id], - config.astral.oidc_provider[:client_secret]) + Clients::Vault.configure_oidc_client(config.astral.oidc_issuer, + config.astral.oidc_client_id, + config.astral.oidc_client_secret) Clients::Vault.rotate_token end diff --git a/config/astral.yml b/config/astral.yml index ec15b1f..99c3188 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -17,10 +17,12 @@ shared: app_registry_client_key: audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %> + oidc_issuer: + oidc_client_id: + oidc_client_secret: test: - oidc_provider: - issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" + oidc_issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" initial_user: name: "test" password: "test" @@ -28,8 +30,7 @@ test: cert_ttl: <%= 24.hours.in_seconds %> development: - oidc_provider: - issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" + oidc_issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" initial_user: name: "test" password: "test" @@ -37,7 +38,3 @@ development: production: vault_create_root: false - oidc_provider: - issuer: - client_id: - client_secret: \ No newline at end of file diff --git a/config/environments/development.rb b/config/environments/development.rb index 0eda1b0..16e02fd 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -1,4 +1,5 @@ require "active_support/core_ext/integer/time" +require_relative "../../app/lib/utils/oidc_provider" Rails.application.configure do # Settings specified here will take precedence over those in config/application.rb. 
@@ -74,9 +75,6 @@ # config.generators.apply_rubocop_autocorrect_after_generate! def configure_oidc - Clients::Vault.configure_oidc_provider - Clients::Vault.configure_oidc_client(config.astral.oidc_provider[:issuer], - Clients::Vault::Oidc.client_id, - Clients::Vault::Oidc.client_secret) + config.astral.oidc_client_id, config.astral.oidc_client_secret = OidcProvider.new.get_client_info end end diff --git a/config/environments/test.rb b/config/environments/test.rb index 7fad613..268de71 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -67,9 +67,6 @@ config.action_controller.raise_on_missing_callback_actions = true def configure_oidc - provider = OidcProvider.new - provider.configure - config.astral.oidc_provider[:client_id] = provider.client_id - config.astral.oidc_provider[:client_secret] = provider.client_secret + config.astral.oidc_client_id, config.astral.oidc_client_secret = OidcProvider.new.get_client_info end end diff --git a/lib/tasks/oidc_provider.rake b/lib/tasks/oidc_provider.rake new file mode 100644 index 0000000..589d76f --- /dev/null +++ b/lib/tasks/oidc_provider.rake @@ -0,0 +1,12 @@ +require "rake" +require_relative "../../app/lib/utils/oidc_provider" +data = YAML.load(File.read("config/astral.yml")) +initial_user = data["test"]["initial_user"].stringify_keys + +# Rake tasks for oidc provider +namespace :oidc_provider do + desc "Configure the provider" + task :configure do + OidcProvider.new.configure ENV["VAULT_TOKEN"], initial_user + end +end From 52122d08f330ff1f14cf170d30e31bc191625890 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Tue, 15 Oct 2024 17:14:41 -0700 Subject: [PATCH 39/65] rake task --- lib/tasks/oidc_provider.rake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tasks/oidc_provider.rake b/lib/tasks/oidc_provider.rake index 589d76f..250a771 100644 --- a/lib/tasks/oidc_provider.rake +++ b/lib/tasks/oidc_provider.rake 
@@ -1,7 +1,7 @@ require "rake" require_relative "../../app/lib/utils/oidc_provider" data = YAML.load(File.read("config/astral.yml")) -initial_user = data["test"]["initial_user"].stringify_keys +initial_user = data["test"]["initial_user"].symbolize_keys # Rake tasks for oidc provider namespace :oidc_provider do From 27934253b71d2e4098e8dff869e41ef00b13def0 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 10:37:37 -0700 Subject: [PATCH 40/65] added Config --- lib/tasks/oidc_provider.rake | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/tasks/oidc_provider.rake b/lib/tasks/oidc_provider.rake index 250a771..7c3b9bd 100644 --- a/lib/tasks/oidc_provider.rake +++ b/lib/tasks/oidc_provider.rake @@ -1,12 +1,11 @@ require "rake" require_relative "../../app/lib/utils/oidc_provider" -data = YAML.load(File.read("config/astral.yml")) -initial_user = data["test"]["initial_user"].symbolize_keys +require_relative "../../app/lib/config" # Rake tasks for oidc provider namespace :oidc_provider do desc "Configure the provider" task :configure do - OidcProvider.new.configure ENV["VAULT_TOKEN"], initial_user + OidcProvider.new.configure ENV["VAULT_TOKEN"], Config[:initial_user] end end From 609cbcfa9ed7a23afea0cf813348e3a0b384bbea Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 11:59:47 -0700 Subject: [PATCH 41/65] rake task working --- .devcontainer/devcontainer.json | 2 +- app/lib/utils/oidc_provider.rb | 12 +++++++----- lib/tasks/oidc_provider.rake | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index a0ce7b8..578f913 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -20,7 +20,7 @@ "forwardPorts": [3000, 5432, 8200, 8300], // Use 'postCreateCommand' to run commands after the container is created. - "postCreateCommand": "bundle install && rake db:setup && rake oidc_provider:configure", + "postCreateCommand": "bundle install && rake oidc_provider:configure && rake db:setup", // Configure tool-specific properties. // "customizations": {}, diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 71d12eb..aca86ca 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -3,11 +3,8 @@ class OidcProvider attr_reader :client_id attr_reader :client_secret attr_reader :provider - attr_reader :initial_user - def configure(token, initial_user) - @token = token - @initial_user = initial_user + def configure provider = oidc_provider.logical.read("identity/oidc/provider/astral") if provider.nil? create_provider_webapp @@ -28,6 +25,11 @@ def get_client_info [@client_id, @client_secret] end + def initial_user + raise "initial user not configured." unless Config[:initial_user] + Config[:initial_user] + end + private WEBAPP_NAME = "identity/oidc/client/astral" @@ -35,7 +37,7 @@ def oidc_provider @provider ||= ::Vault::Client.new( address: "http://oidc_provider:8300", - token: @token + token: Config[:vault_token] ) end diff --git a/lib/tasks/oidc_provider.rake b/lib/tasks/oidc_provider.rake index 7c3b9bd..7f44b71 100644 --- a/lib/tasks/oidc_provider.rake +++ b/lib/tasks/oidc_provider.rake @@ -6,6 +6,6 @@ require_relative "../../app/lib/config" namespace :oidc_provider do desc "Configure the provider" task :configure do - OidcProvider.new.configure ENV["VAULT_TOKEN"], Config[:initial_user] + OidcProvider.new.configure end end From a43272f2f63fc2e4c58a9c43f41b9ade20247751 Mon Sep 17 00:00:00 2001 
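Review bot: `oidc_provider` talks to a separate Vault instance at `http://oidc_provider:8300` but authenticates with `Config[:vault_token]`, the app's own token; that only works while both instances accept the same token value, and the coupling is not stated anywhere. The later patch 45 hunk switches this to `ENV["VAULT_TOKEN"]` with `# use the original token for the provider` and patch 46 switches back, which suggests the intent was not settled; whichever source is kept, add a comment such as `# The provider is a separate dev Vault; this token is only accepted there because the dev instances share a root token id — a real provider needs its own credential.` A dedicated config key for the provider token would make the dependency explicit and keep this class from ever sending the app's Vault token to an unrelated issuer if it is reused outside dev/test.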
From: George Jahad Date: Wed, 16 Oct 2024 15:02:29 -0700 Subject: [PATCH 42/65] moved oidc comment block --- README.md | 29 +++++++++++++++++++++++++++++ app/lib/clients/vault/oidc.rb | 28 +--------------------------- config/astral.yml | 16 ++++++++-------- 3 files changed, 38 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index c9f7d28..a4b521e 100644 --- a/README.md +++ b/README.md @@ -61,6 +61,35 @@ docker build -t astral:latest . ``` docker run -p 3000:3000 astral:latest ``` + +# OIDC configuration +The OIDC modules allow the assignment of a policy to an OIDC user, by +mapping that user's email address to a policy we create. They work +as follows: + +OidcProvider::configure_oidc_provider() creates an OIDC provider and +user on a separate dedicate vault instance. The user created has a +username/password/email addr, that can be accessed with OIDC auth from +vault. + +Clients::Vault::Oidc::configure_oidc_client creates an OIDC client on +our vault instance. It connects to that provider just created. When +a user tries to auth, the client connects to the provider, which opens +up a browser window allowing the user to enter his username/password. + +On success, the provider returns an OIDC token, which includes the +user's email addr. + +The OIDC client has been configured to map that email address to an entity +in vault, which has the policy which we want the user to have. + +So the mapping goes from the email address on the provider, to the +policy in vault. + +Note that this provider is mainly meant to be used in our dev/test +environment to excercise the client. In a prod env, a real OIDC +provider would used instead, (by configuring it in config/astral.yml). + # Logging into vault with OIDC The rails test's configure the OIDC provider, so if the tests pass, diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 3bf2d54..8bb38f2 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
@@ -1,35 +1,9 @@ -=begin - -The purpose of this module is to assign a policy to an OIDC user, by -mapping that user's email address to a policy we create. -It works as follows: - -It creates an OIDC provider and user. That user has a -username/password/email addr, that can be accessed with OIDC auth. - -It creates an OIDC client which connects to that provider. When a -user tries to auth, the client connects to the provider, which opens -up a browser window allowing the user to enter his username/password. - -On success, the provider returns an OIDC token, which includes the -user's email addr. - -The client has been configured to map that email address to an entity -in vault, which has the policy which we want the user to have. - -So the mapping goes from the email address on the provider, to the -policy in vault. - -Note that this provider is only meant to be used in our dev/test -environment to excercise the client. In a prod env, a real OIDC -provider is configured in config/astral.yml - -=end require_relative "../../utils/oidc" module Clients class Vault module Oidc def configure_oidc_client(issuer, client_id, client_secret) + binding.irb return if client_id.nil? create_client_config(issuer, client_id, client_secret) create_default_role(client_id) diff --git a/config/astral.yml b/config/astral.yml index 99c3188..05e5a91 100644 --- a/config/astral.yml +++ b/config/astral.yml 
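Review bot: `binding.irb` was added to `configure_oidc_client`, which opens an interactive REPL on every boot and blocks non-interactive runs such as the test suite or the container's post-create command; delete the line before merging. The rest of the hunk only removes the comment block that moved to README.md.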
@@ -22,19 +22,19 @@ shared: oidc_client_secret: test: - oidc_issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" + oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral initial_user: - name: "test" - password: "test" - email: "test@example.com" + name: test + password: test + email: test@example.com cert_ttl: <%= 24.hours.in_seconds %> development: - oidc_issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral" + oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral initial_user: - name: "test" - password: "test" - email: "test@example.com" + name: test + password: test + email: test@example.com production: vault_create_root: false From 0772fdd52e770ce85da71f6a4379360800cc2879 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 15:08:01 -0700 Subject: [PATCH 43/65] removed utils/oidc.rb --- app/lib/clients/vault/oidc.rb | 4 +--- app/lib/utils/oidc.rb | 8 -------- app/lib/utils/oidc_provider.rb | 3 +-- config/astral.yml | 2 ++ 4 files changed, 4 insertions(+), 13 deletions(-) delete mode 100644 app/lib/utils/oidc.rb diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 8bb38f2..48d982b 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -1,9 +1,7 @@ -require_relative "../../utils/oidc" module Clients class Vault module Oidc def configure_oidc_client(issuer, client_id, client_secret) - binding.irb return if client_id.nil? create_client_config(issuer, client_id, client_secret) create_default_role(client_id) @@ -30,7 +28,7 @@ def create_default_role(client_id) client.logical.write( "auth/oidc/role/default", bound_audiences: client_id, - allowed_redirect_uris: OidcUtils.redirect_uris, + allowed_redirect_uris: Config[:oidc_redirect_uris], user_claim: "email", oidc_scopes: "email", token_policies: "default") diff --git a/app/lib/utils/oidc.rb b/app/lib/utils/oidc.rb deleted file mode 100644 index 359a772..0000000 
--- a/app/lib/utils/oidc.rb +++ /dev/null @@ -1,8 +0,0 @@ -class OidcUtils - class << self - def redirect_uris - # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris - "http://localhost:8250/oidc/callback" - end - end -end diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index aca86ca..37c73d2 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -1,4 +1,3 @@ -require_relative "oidc" class OidcProvider attr_reader :client_id attr_reader :client_secret @@ -44,7 +43,7 @@ def oidc_provider def create_provider_webapp oidc_provider.logical.write( WEBAPP_NAME, - redirect_uris: OidcUtils.redirect_uris, + redirect_uris: Config[:oidc_redirect_uris], assignments: "allow_all") get_client_info end diff --git a/config/astral.yml b/config/astral.yml index 05e5a91..e3fb3b9 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -17,9 +17,11 @@ shared: app_registry_client_key: audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %> + oidc_issuer: oidc_client_id: oidc_client_secret: + oidc_redirect_uris: http://localhost:8250/oidc/callback test: oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral From 34024886cc5c6d0c743c573699154d6be8504262 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 15:26:28 -0700 Subject: [PATCH 44/65] cleanup --- README.md | 25 +++++++++++++------------ app/lib/clients/vault/oidc.rb | 2 +- app/lib/utils/oidc_provider.rb | 10 ++++++---- config/application.rb | 6 +++--- config/environments/development.rb | 2 +- config/environments/production.rb | 2 -- config/environments/test.rb | 2 +- test/lib/clients/oidc_test.rb | 20 ++++++++++++-------- 8 files changed, 37 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index a4b521e..72d5e20 100644 --- a/README.md +++ b/README.md 
@@ -64,24 +64,25 @@ docker run -p 3000:3000 astral:latest # OIDC configuration The OIDC modules allow the assignment of a policy to an OIDC user, by -mapping that user's email address to a policy we create. They work -as follows: +mapping that user's email address to a policy we create. They work as +follows: -OidcProvider::configure_oidc_provider() creates an OIDC provider and -user on a separate dedicate vault instance. The user created has a -username/password/email addr, that can be accessed with OIDC auth from -vault. +OidcProvider::configure_as_oidc_provider() creates an OIDC provider +and user on a separate dedicate vault instance. The user created has +a username/password/email addr, that can be accessed with OIDC auth +from vault. -Clients::Vault::Oidc::configure_oidc_client creates an OIDC client on -our vault instance. It connects to that provider just created. When -a user tries to auth, the client connects to the provider, which opens -up a browser window allowing the user to enter his username/password. +Clients::Vault::Oidc::configure_as_oidc_client() creates an OIDC +client on our vault instance. It connects to that provider just +created. When a user tries to auth, the client connects to the +provider, which opens up a browser window allowing the user to enter +his username/password. On success, the provider returns an OIDC token, which includes the user's email addr. -The OIDC client has been configured to map that email address to an entity -in vault, which has the policy which we want the user to have. +The OIDC client has been configured to map that email address to an +entity in vault, which has the policy which we want the user to have. So the mapping goes from the email address on the provider, to the policy in vault. diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 48d982b..d3ba874 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
@@ -1,7 +1,7 @@ module Clients class Vault module Oidc - def configure_oidc_client(issuer, client_id, client_secret) + def configure_as_oidc_client(issuer, client_id, client_secret) return if client_id.nil? create_client_config(issuer, client_id, client_secret) create_default_role(client_id) diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 37c73d2..eed6c51 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -24,10 +24,6 @@ def get_client_info [@client_id, @client_secret] end - def initial_user - raise "initial user not configured." unless Config[:initial_user] - Config[:initial_user] - end private WEBAPP_NAME = "identity/oidc/client/astral" @@ -84,4 +80,10 @@ def map_userpass_to_entity canonical_id: entity_id, mount_accessor: accessor) end + + def initial_user + raise "initial user not configured." unless Config[:initial_user] + Config[:initial_user] + end + end diff --git a/config/application.rb b/config/application.rb index a6e134f..fde99a8 100644 --- a/config/application.rb +++ b/config/application.rb @@ -40,14 +40,14 @@ class Application < Rails::Application Clients::Vault.token = Config[:vault_token] Clients::Vault.configure_kv Clients::Vault.configure_pki - configure_oidc - Clients::Vault.configure_oidc_client(config.astral.oidc_issuer, + get_oidc_config + Clients::Vault.configure_as_oidc_client(config.astral.oidc_issuer, config.astral.oidc_client_id, config.astral.oidc_client_secret) Clients::Vault.rotate_token end - def configure_oidc + def get_oidc_config # do nothing by default end end diff --git a/config/environments/development.rb b/config/environments/development.rb index 16e02fd..89409a5 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb 
@@ -74,7 +74,7 @@ # Apply autocorrection by RuboCop to files generated by `bin/rails generate`. # config.generators.apply_rubocop_autocorrect_after_generate! - def configure_oidc + def get_oidc_config config.astral.oidc_client_id, config.astral.oidc_client_secret = OidcProvider.new.get_client_info end end diff --git a/config/environments/production.rb b/config/environments/production.rb index e3709da..f242dbb 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -93,6 +93,4 @@ # Skip DNS rebinding protection for the default health check endpoint. # config.host_authorization = { exclude: ->(request) { request.path == "/up" } } - def configure_oidc - end end diff --git a/config/environments/test.rb b/config/environments/test.rb index 268de71..48fb972 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -66,7 +66,7 @@ # Raise error when a before_action's only/except options reference missing actions. config.action_controller.raise_on_missing_callback_actions = true - def configure_oidc + def get_oidc_config config.astral.oidc_client_id, config.astral.oidc_client_secret = OidcProvider.new.get_client_info end end diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index a3187e0..1418a9f 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -1,5 +1,4 @@ require "test_helper" -require_relative "../../../app/lib/utils/oidc_provider" # NOTE: these tests excercise the OIDC config but can't really verify a # successful OIDC login. (Because that requires browser interaction.) 
@@ -7,23 +6,22 @@ class OIDCTest < ActiveSupport::TestCase setup do - @provider = OidcProvider.new @client = Clients::Vault - @client.configure_oidc_user(@provider.initial_user[:name], - @provider.initial_user[:email], test_policy) - @entity = @client.read_entity(@provider.initial_user[:name]) + @client.configure_oidc_user(initial_user[:name], + initial_user[:email], test_policy) + @entity = @client.read_entity(initial_user[:name]) end test "#policies_contain_initial_users_email" do - assert_equal @provider.initial_user[:email], @entity.data[:policies][0] + assert_equal initial_user[:email], @entity.data[:policies][0] end test "#aliases_contain_initial_users_email" do aliases = @entity.data[:aliases] - assert aliases.find { |a| a[:name] == @provider.initial_user[:email] } + assert aliases.find { |a| a[:name] == initial_user[:email] } end - private + private def test_policy policy = <<-EOH path "sys" { @@ -31,4 +29,10 @@ def test_policy } EOH end + + def initial_user + raise "initial user not configured." unless Config[:initial_user] + Config[:initial_user] + end + end From a474cbdd0b5eab8ec5a1740795239068a147acd5 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 16:07:12 -0700 Subject: [PATCH 45/65] added tests --- app/lib/clients/vault/oidc.rb | 3 +++ app/lib/clients/vault/policy.rb | 3 +++ app/lib/utils/oidc_provider.rb | 5 +++-- config/astral.yml | 2 ++ test/lib/clients/oidc_test.rb | 17 ++++++++++++----- 5 files changed, 23 insertions(+), 7 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index d3ba874..3280226 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -13,6 +13,9 @@ def configure_oidc_user(name, email, policy) put_entity_alias(name, email, "oidc") end + def get_oidc_client_config + client.logical.read("auth/oidc/config") + end private def create_client_config(issuer, client_id, client_secret) 
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb index a5df2ac..d2b12d0 100644 --- a/app/lib/clients/vault/policy.rb +++ b/app/lib/clients/vault/policy.rb @@ -32,6 +32,9 @@ def create_astral_policy path "/sys/auth" { capabilities = ["read"] } + path "auth/oidc/config" { + capabilities = ["read"] + } path "/sys/policy/*" { capabilities = ["create", "read", "update", "delete", "list"] } diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index eed6c51..6193719 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -31,8 +31,9 @@ def get_client_info def oidc_provider @provider ||= ::Vault::Client.new( - address: "http://oidc_provider:8300", - token: Config[:vault_token] + address: Config[:oidc_provider_addr], + # use the original token for the provider + token: ENV["VAULT_TOKEN"] ) end diff --git a/config/astral.yml b/config/astral.yml index e3fb3b9..f2e068b 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -25,6 +25,7 @@ shared: test: oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral + oidc_provider_addr: http://oidc_provider:8300 initial_user: name: test password: test @@ -33,6 +34,7 @@ test: development: oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral + oidc_provider_addr: http://oidc_provider:8300 initial_user: name: test password: test diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 1418a9f..349f60f 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb 
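Review bot: Adding `path "auth/oidc/config" { capabilities = ["read"] }` to the astral policy widens the app's runtime permissions so that a test (`vault_is_configured_as_oidc_client` in the oidc_test.rb hunk) can read the auth backend configuration; `Clients::Vault.rotate_token` in config/application.rb presumably leaves the app running under this policy, so non-test deployments gain the read as well, and the read exposes at least the configured client id. If the read is only needed by tests, grant it in a test-only policy or make the assertion with the token the test environment already holds; if it is needed at runtime, say why in a comment next to the path block. `create_astral_policy` starts and ends outside the hunk.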
@@ -4,23 +4,30 @@ # successful OIDC login. (Because that requires browser interaction.) # See the readme for how to use oidc login with the browser. -class OIDCTest < ActiveSupport::TestCase +class OidcTest < ActiveSupport::TestCase setup do @client = Clients::Vault - @client.configure_oidc_user(initial_user[:name], - initial_user[:email], test_policy) + @client.configure_oidc_user( + initial_user[:name], + initial_user[:email], + test_policy) @entity = @client.read_entity(initial_user[:name]) end - test "#policies_contain_initial_users_email" do + test "policies_contain_initial_users_email" do assert_equal initial_user[:email], @entity.data[:policies][0] end - test "#aliases_contain_initial_users_email" do + test "aliases_contain_initial_users_email" do aliases = @entity.data[:aliases] assert aliases.find { |a| a[:name] == initial_user[:email] } end + test "vault_is_configured_as_oidc_client" do + auth = @client.get_oidc_client_config + assert_equal Config[:oidc_client_id], auth.data[:oidc_client_id] + end + private def test_policy policy = <<-EOH From 4f7d5d306334d189a57c7cbfb5767764c492c66b Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 16:09:19 -0700 Subject: [PATCH 46/65] fixed token --- app/lib/utils/oidc_provider.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 6193719..9a7ea9a 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -32,8 +32,7 @@ def oidc_provider @provider ||= ::Vault::Client.new( address: Config[:oidc_provider_addr], - # use the original token for the provider - token: ENV["VAULT_TOKEN"] + token: Config[:vault_token] ) end From 2aba8fb80623a9e24e52bb62bfe1bcb220dbcbed Mon Sep 17 00:00:00 2001 
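Review bot: In the new `vault is configured as oidc client` test, `auth.data[:oidc_client_id]` raises NoMethodError on nil when the `oidc/` method is not mounted (Vault's logical read returns nil for a missing path), which hides the actual cause behind a stack trace. Add `refute_nil auth, "oidc auth method is not mounted"` before the `assert_equal` so a misconfigured client fails with a readable message. The class continues past the hunk.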
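Review bot: `token: Config[:vault_token]` in `oidc_provider` (the `app/lib/utils/oidc_provider.rb` hunk of PATCH 46) authenticates to the separate provider Vault with the same token the application uses for its principal Vault; that only works because both dev containers are started with the same `VAULT_DEV_ROOT_TOKEN_ID`, and it ties a root-level credential for one instance to the other. A dedicated key such as `token: Config[:oidc_provider_token],` (set to the same value in the dev/test config) keeps the two trust domains separate and makes the coupling explicit. The previous patch's `ENV["VAULT_TOKEN"]` had the same property, so this is not a regression, only an open point.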
From: George Jahad Date: Wed, 16 Oct 2024 16:25:59 -0700 Subject: [PATCH 47/65] provider tests --- app/lib/utils/oidc_provider.rb | 3 +++ test/lib/clients/oidc_provider_test.rb | 21 +++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 test/lib/clients/oidc_provider_test.rb diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 9a7ea9a..261c1d5 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -24,6 +24,9 @@ def get_client_info [@client_id, @client_secret] end + def get_info + oidc_provider.logical.read("identity/oidc/provider/astral") + end private WEBAPP_NAME = "identity/oidc/client/astral" diff --git a/test/lib/clients/oidc_provider_test.rb b/test/lib/clients/oidc_provider_test.rb new file mode 100644 index 0000000..de21ca1 --- /dev/null +++ b/test/lib/clients/oidc_provider_test.rb @@ -0,0 +1,21 @@ +require "test_helper" +require_relative "../../../app/lib/utils/oidc_provider" + +class OidcProviderTest < ActiveSupport::TestCase + setup do + @provider = OidcProvider.new + end + + test "provider has correct info" do + info = @provider.get_info + assert_equal Config[:oidc_issuer], info.data[:issuer] + assert_equal "email", info.data[:scopes_supported][0] + end + + test "provider has correct client info" do + info = @provider.get_client_info + assert_equal Config[:oidc_client_id], info[0] + assert_equal Config[:oidc_client_secret], info[1] + end + +end From 7456b02465de54350bb124a34950dd1ab4963aa5 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 17:47:06 -0700 Subject: [PATCH 48/65] cleanup --- app/lib/utils/oidc_provider.rb | 3 +-- config/environments/production.rb | 1 - test/lib/clients/oidc_provider_test.rb | 5 ++--- test/lib/clients/oidc_test.rb | 1 - 4 files changed, 3 insertions(+), 7 deletions(-) diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 261c1d5..24f8e5a 100644 --- a/app/lib/utils/oidc_provider.rb 
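Review bot: `get_info` reads the literal `"identity/oidc/provider/astral"`, which later hunks in this series show is also spelled out in `configure` and `create_provider_with_email_scope`; three copies of one Vault path drift easily. Hoist it next to the existing `WEBAPP_NAME`, e.g. `PROVIDER_NAME = "identity/oidc/provider/astral"`, and read `oidc_provider.logical.read(PROVIDER_NAME)` in all three places. The method is also placed directly against `private` with no separating blank line. The class body continues outside the hunk.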
+++ b/app/lib/utils/oidc_provider.rb @@ -21,7 +21,7 @@ def get_client_info app = oidc_provider.logical.read(WEBAPP_NAME) @client_id = app.data[:client_id] @client_secret = app.data[:client_secret] - [@client_id, @client_secret] + [ @client_id, @client_secret ] end def get_info @@ -88,5 +88,4 @@ def initial_user raise "initial user not configured." unless Config[:initial_user] Config[:initial_user] end - end diff --git a/config/environments/production.rb b/config/environments/production.rb index f242dbb..4f5d1e6 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -92,5 +92,4 @@ # ] # Skip DNS rebinding protection for the default health check endpoint. # config.host_authorization = { exclude: ->(request) { request.path == "/up" } } - end diff --git a/test/lib/clients/oidc_provider_test.rb b/test/lib/clients/oidc_provider_test.rb index de21ca1..6f733cd 100644 --- a/test/lib/clients/oidc_provider_test.rb +++ b/test/lib/clients/oidc_provider_test.rb @@ -6,16 +6,15 @@ class OidcProviderTest < ActiveSupport::TestCase @provider = OidcProvider.new end - test "provider has correct info" do + test ".get_info returns correct info" do info = @provider.get_info assert_equal Config[:oidc_issuer], info.data[:issuer] assert_equal "email", info.data[:scopes_supported][0] end - test "provider has correct client info" do + test ".get_client_info return correct info" do info = @provider.get_client_info assert_equal Config[:oidc_client_id], info[0] assert_equal Config[:oidc_client_secret], info[1] end - end diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index 349f60f..e436a50 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -41,5 +41,4 @@ def initial_user raise "initial user not configured." unless Config[:initial_user] Config[:initial_user] end - end From 37745101c8d3d981457112146785bd9c14fd09c0 Mon Sep 17 00:00:00 2001 
From: George Jahad Date: Wed, 16 Oct 2024 17:53:59 -0700 Subject: [PATCH 49/65] fix test comments --- test/lib/clients/oidc_provider_test.rb | 1 - test/lib/clients/oidc_test.rb | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/test/lib/clients/oidc_provider_test.rb b/test/lib/clients/oidc_provider_test.rb index 6f733cd..cc1985d 100644 --- a/test/lib/clients/oidc_provider_test.rb +++ b/test/lib/clients/oidc_provider_test.rb @@ -1,5 +1,4 @@ require "test_helper" -require_relative "../../../app/lib/utils/oidc_provider" class OidcProviderTest < ActiveSupport::TestCase setup do diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index e436a50..b121ff2 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -14,16 +14,16 @@ class OidcTest < ActiveSupport::TestCase @entity = @client.read_entity(initial_user[:name]) end - test "policies_contain_initial_users_email" do + test "policies contain initial users email" do assert_equal initial_user[:email], @entity.data[:policies][0] end - test "aliases_contain_initial_users_email" do + test "aliases contain initial users email" do aliases = @entity.data[:aliases] assert aliases.find { |a| a[:name] == initial_user[:email] } end - test "vault_is_configured_as_oidc_client" do + test "vault is configured as oidc client" do auth = @client.get_oidc_client_config assert_equal Config[:oidc_client_id], auth.data[:oidc_client_id] end From caeb603f08783c77fbbeb6398dd40e9b8d5f2c68 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Wed, 16 Oct 2024 17:57:58 -0700 Subject: [PATCH 50/65] commented rake task --- lib/tasks/oidc_provider.rake | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/tasks/oidc_provider.rake b/lib/tasks/oidc_provider.rake index 7f44b71..ce2491d 100644 --- a/lib/tasks/oidc_provider.rake +++ b/lib/tasks/oidc_provider.rake 
@@ -7,5 +7,6 @@ namespace :oidc_provider do desc "Configure the provider" task :configure do OidcProvider.new.configure + puts "oidc provider configured" end end From ed18d74034184bf66901d30cad7214bced2368df Mon Sep 17 00:00:00 2001 From: George Jahad Date: Thu, 17 Oct 2024 10:22:38 -0700 Subject: [PATCH 51/65] fixed initial user --- README.md | 5 +++-- app/lib/clients/vault/oidc.rb | 11 +++++++++-- app/lib/utils/oidc_provider.rb | 17 ++++++----------- config/astral.yml | 14 ++++++-------- test/lib/clients/oidc_test.rb | 15 +++++---------- 5 files changed, 29 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 72d5e20..c4be670 100644 --- a/README.md +++ b/README.md @@ -68,7 +68,7 @@ mapping that user's email address to a policy we create. They work as follows: OidcProvider::configure_as_oidc_provider() creates an OIDC provider -and user on a separate dedicate vault instance. The user created has +and user on a separate dedicated vault instance. The user created has a username/password/email addr, that can be accessed with OIDC auth from vault. @@ -89,7 +89,8 @@ policy in vault. Note that this provider is mainly meant to be used in our dev/test environment to excercise the client. In a prod env, a real OIDC -provider would used instead, (by configuring it in config/astral.yml). +provider would probably be used instead, (by configuring it in +config/astral.yml). # Logging into vault with OIDC diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 3280226..d171b34 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -2,7 +2,6 @@ module Clients class Vault module Oidc def configure_as_oidc_client(issuer, client_id, client_secret) - return if client_id.nil? create_client_config(issuer, client_id, client_secret) create_default_role(client_id) end 
@@ -19,7 +18,9 @@ def get_oidc_client_config private def create_client_config(issuer, client_id, client_secret) - client.logical.delete("/sys/auth/oidc") + if client_id.nil? || !oidc_auth_data.nil? + return + end client.logical.write("/sys/auth/oidc", type: "oidc") client.logical.write("auth/oidc/config", oidc_discovery_url: issuer, @@ -27,6 +28,7 @@ def create_client_config(issuer, client_id, client_secret) oidc_client_secret: client_secret, default_role: "default") end + def create_default_role(client_id) client.logical.write( "auth/oidc/role/default", @@ -36,6 +38,11 @@ def create_default_role(client_id) oidc_scopes: "email", token_policies: "default") end + + def oidc_auth_data + auth_list = client.logical.read("/sys/auth") + auth_list.data[:"oidc/"] + end end end end diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 24f8e5a..30748d6 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb 
@@ -60,32 +60,27 @@ def create_provider_with_email_scope def create_entity_for_initial_user oidc_provider.logical.write("identity/entity", policies: "default", - name: initial_user[:name], - metadata: "email=#{initial_user[:email]}", + name: Config[:initial_user_name], + metadata: "email=#{Config[:initial_user_email]}", disabled: false) end def create_userpass_for_initial_user oidc_provider.logical.delete("/sys/auth/userpass") oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write("/auth/userpass/users/#{initial_user[:name]}", - password: initial_user[:password]) + oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user_name]}", + password: Config[:initial_user_password]) end def map_userpass_to_entity entity = oidc_provider.logical.read( - "identity/entity/name/#{initial_user[:name]}") + "identity/entity/name/#{Config[:initial_user_name]}") entity_id = entity.data[:id] auth_list = oidc_provider.logical.read("/sys/auth") accessor = auth_list.data[:"userpass/"][:accessor] oidc_provider.logical.write("identity/entity-alias", - name: initial_user[:name], + name: Config[:initial_user_name], canonical_id: entity_id, mount_accessor: accessor) end - - def initial_user - raise "initial user not configured." unless Config[:initial_user] - Config[:initial_user] - end end diff --git a/config/astral.yml b/config/astral.yml index f2e068b..7d251a5 100644 --- a/config/astral.yml +++ b/config/astral.yml 
@@ -26,19 +26,17 @@ shared: test: oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral oidc_provider_addr: http://oidc_provider:8300 - initial_user: - name: test - password: test - email: test@example.com + initial_user_name: test + initial_user_password: test + initial_user_email: test@example.com cert_ttl: <%= 24.hours.in_seconds %> development: oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral oidc_provider_addr: http://oidc_provider:8300 - initial_user: - name: test - password: test - email: test@example.com + initial_user_name: test + initial_user_password: test + initial_user_email: test@example.com production: vault_create_root: false diff --git a/test/lib/clients/oidc_test.rb b/test/lib/clients/oidc_test.rb index b121ff2..73ce009 100644 --- a/test/lib/clients/oidc_test.rb +++ b/test/lib/clients/oidc_test.rb @@ -8,19 +8,19 @@ class OidcTest < ActiveSupport::TestCase setup do @client = Clients::Vault @client.configure_oidc_user( - initial_user[:name], - initial_user[:email], + Config[:initial_user_name], + Config[:initial_user_email], test_policy) - @entity = @client.read_entity(initial_user[:name]) + @entity = @client.read_entity(Config[:initial_user_name]) end test "policies contain initial users email" do - assert_equal initial_user[:email], @entity.data[:policies][0] + assert_equal Config[:initial_user_email], @entity.data[:policies][0] end test "aliases contain initial users email" do aliases = @entity.data[:aliases] - assert aliases.find { |a| a[:name] == initial_user[:email] } + assert aliases.find { |a| a[:name] == Config[:initial_user_email] } end test "vault is configured as oidc client" do @@ -36,9 +36,4 @@ def test_policy } EOH end - - def initial_user - raise "initial user not configured." unless Config[:initial_user] - Config[:initial_user] - end end From bbb3255d596cbd510647d054598ad60464629042 Mon Sep 17 00:00:00 2001 
From: George Jahad Date: Thu, 17 Oct 2024 15:39:25 -0700 Subject: [PATCH 52/65] cleanup review comments --- README.md | 28 ++++++++++++------------ app/lib/clients/vault/oidc.rb | 7 +++--- app/lib/utils/oidc_provider.rb | 34 +++++++++++++++--------------- config/application.rb | 2 +- config/astral.yml | 20 +++++++++++------- config/environments/development.rb | 3 --- config/environments/production.rb | 4 ++++ config/environments/test.rb | 3 --- 8 files changed, 52 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index c4be670..51365a3 100644 --- a/README.md +++ b/README.md 
@@ -67,34 +67,34 @@ The OIDC modules allow the assignment of a policy to an OIDC user, by mapping that user's email address to a policy we create. They work as follows: -OidcProvider::configure_as_oidc_provider() creates an OIDC provider -and user on a separate dedicated vault instance. The user created has -a username/password/email addr, that can be accessed with OIDC auth -from vault. +OidcProvider.new.configure creates an OIDC provider +and user on a separate dedicated Vault instance. The user created has +a username/password/email address, that can be accessed with OIDC auth +from in the principal Vault instance. -Clients::Vault::Oidc::configure_as_oidc_client() creates an OIDC -client on our vault instance. It connects to that provider just +Clients::Vault::configure_as_oidc_client creates an OIDC +client on our Vault instance. It connects to that provider just created. When a user tries to auth, the client connects to the provider, which opens up a browser window allowing the user to enter -his username/password. +their username/password. On success, the provider returns an OIDC token, which includes the -user's email addr. +user's email address. The OIDC client has been configured to map that email address to an -entity in vault, which has the policy which we want the user to have. +entity in Vault, which has the policy which we want the user to have. So the mapping goes from the email address on the provider, to the -policy in vault. +policy in Vault. Note that this provider is mainly meant to be used in our dev/test environment to excercise the client. In a prod env, a real OIDC provider would probably be used instead, (by configuring it in config/astral.yml). -# Logging into vault with OIDC +# Logging into Vault with OIDC -The rails test's configure the OIDC provider, so if the tests pass, +The rails test's configure the OIDC initial user, so if the tests pass, you can invoke the oidc login as follows: ``` 
@@ -104,7 +104,7 @@ you can invoke the oidc login as follows: You should do this on your host machine, not in docker. This will allow a browser window to open on your host. When it does, select "username" option with user test/test. (That is the username/pw -configured by the rails tests.) +configured at startup.) When that succeeds, you should see something like the following in the cli: ``` @@ -125,7 +125,7 @@ following to the /etc/hosts file on your host: 127.0.0.1 oidc_provider ``` -Finally, if you restart the docker vault container, it will recreate +Finally, if you restart the docker Vault container, it will recreate the provider settings, so you will need to clear the browser's "oidc_provider" cookie. Otherwise you will see this error: diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index d171b34..44fff0e 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -2,6 +2,9 @@ module Clients class Vault module Oidc def configure_as_oidc_client(issuer, client_id, client_secret) + if client_id.nil? || !oidc_auth_data.nil? + return + end create_client_config(issuer, client_id, client_secret) create_default_role(client_id) end @@ -15,12 +18,10 @@ def configure_oidc_user(name, email, policy) def get_oidc_client_config client.logical.read("auth/oidc/config") end + private def create_client_config(issuer, client_id, client_secret) - if client_id.nil? || !oidc_auth_data.nil? - return - end client.logical.write("/sys/auth/oidc", type: "oidc") client.logical.write("auth/oidc/config", oidc_discovery_url: issuer, diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 30748d6..bdc5e28 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb 
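Review bot: The guard moved into `configure_as_oidc_client` returns before `create_client_config` whenever `oidc/` is already mounted, so a changed issuer or a rotated client secret in config is never written to `auth/oidc/config` until someone unmounts the method by hand (the unconditional delete that used to force a rewrite was removed earlier in this series). Only the mount needs the idempotence check; the config and role writes are plain overwrites. Keep `return if client_id.nil?` in `configure_as_oidc_client`, and in `create_client_config` guard just the mount, `client.logical.write("/sys/auth/oidc", type: "oidc") if oidc_auth_data.nil?`, followed by the existing config write. `oidc_auth_data` is defined outside this hunk.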
@@ -1,10 +1,10 @@ class OidcProvider attr_reader :client_id attr_reader :client_secret - attr_reader :provider + attr_reader :vault_client def configure - provider = oidc_provider.logical.read("identity/oidc/provider/astral") + provider = vault_client.logical.read("identity/oidc/provider/astral") if provider.nil? create_provider_webapp create_provider_with_email_scope @@ -18,21 +18,21 @@ def configure def get_client_info - app = oidc_provider.logical.read(WEBAPP_NAME) + app = vault_client.logical.read(WEBAPP_NAME) @client_id = app.data[:client_id] @client_secret = app.data[:client_secret] [ @client_id, @client_secret ] end def get_info - oidc_provider.logical.read("identity/oidc/provider/astral") + vault_client.logical.read("identity/oidc/provider/astral") end private WEBAPP_NAME = "identity/oidc/client/astral" - def oidc_provider - @provider ||= + def vault_client + @vault_client ||= ::Vault::Client.new( address: Config[:oidc_provider_addr], token: Config[:vault_token] @@ -40,7 +40,7 @@ def oidc_provider end def create_provider_webapp - oidc_provider.logical.write( + vault_client.logical.write( WEBAPP_NAME, redirect_uris: Config[:oidc_redirect_uris], assignments: "allow_all") 
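Review bot: `attr_reader :vault_client` is shadowed by the `def vault_client` placed under `private` in the next hunk of this file, so the public reader is dead — and if it were live it would hand out a client carrying the provider's root-level token. Drop the reader line; the memoized client is an implementation detail. The same question applies to `attr_reader :client_id` and `:client_secret`, which expose the OIDC client secret as public attributes even though the visible callers only go through `get_client_info`. The class body continues outside the hunk.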
@@ -48,17 +48,17 @@ def create_provider_webapp end def create_provider_with_email_scope - oidc_provider.logical.write("identity/oidc/scope/email", + vault_client.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') - oidc_provider.logical.write("identity/oidc/provider/astral", + vault_client.logical.write("identity/oidc/provider/astral", issuer: "http://oidc_provider:8300", allowed_client_ids: @client_id, scopes_supported: "email") - oidc_provider.logical.read("identity/oidc/provider/astral") + vault_client.logical.read("identity/oidc/provider/astral") end def create_entity_for_initial_user - oidc_provider.logical.write("identity/entity", + vault_client.logical.write("identity/entity", policies: "default", name: Config[:initial_user_name], metadata: "email=#{Config[:initial_user_email]}", @@ -66,19 +66,19 @@ def create_entity_for_initial_user end def create_userpass_for_initial_user - oidc_provider.logical.delete("/sys/auth/userpass") - oidc_provider.logical.write("/sys/auth/userpass", type: "userpass") - oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user_name]}", + vault_client.logical.delete("/sys/auth/userpass") + vault_client.logical.write("/sys/auth/userpass", type: "userpass") + vault_client.logical.write("/auth/userpass/users/#{Config[:initial_user_name]}", password: Config[:initial_user_password]) end def map_userpass_to_entity - entity = oidc_provider.logical.read( + entity = vault_client.logical.read( "identity/entity/name/#{Config[:initial_user_name]}") entity_id = entity.data[:id] - auth_list = oidc_provider.logical.read("/sys/auth") + auth_list = vault_client.logical.read("/sys/auth") accessor = auth_list.data[:"userpass/"][:accessor] - oidc_provider.logical.write("identity/entity-alias", + vault_client.logical.write("identity/entity-alias", name: Config[:initial_user_name], canonical_id: entity_id, mount_accessor: accessor) 
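Review bot: The renamed `vault_client.logical.write("identity/oidc/provider/astral", ...)` in `create_provider_with_email_scope` still passes the literal `issuer: "http://oidc_provider:8300"` while the address the client itself connects to comes from `Config[:oidc_provider_addr]` and `oidc_issuer` in astral.yml is a third copy of the same base URL; the three can drift silently, for instance when the provider's listener moves to TLS later in this series. Use `issuer: Config[:oidc_provider_addr],` so the provider's advertised issuer follows the configured address; the provider test's `Config[:oidc_issuer]` assertion then catches any remaining mismatch. The class body continues outside the hunk.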
diff --git a/config/application.rb b/config/application.rb index fde99a8..e39537e 100644 --- a/config/application.rb +++ b/config/application.rb @@ -48,7 +48,7 @@ class Application < Rails::Application end def get_oidc_config - # do nothing by default + config.astral.oidc_client_id, config.astral.oidc_client_secret = OidcProvider.new.get_client_info end end end diff --git a/config/astral.yml b/config/astral.yml index 7d251a5..9686c14 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -22,21 +22,25 @@ shared: oidc_client_id: oidc_client_secret: oidc_redirect_uris: http://localhost:8250/oidc/callback - -test: - oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral oidc_provider_addr: http://oidc_provider:8300 + oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral + initial_user_name: test initial_user_password: test initial_user_email: test@example.com + +test: cert_ttl: <%= 24.hours.in_seconds %> development: - oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral - oidc_provider_addr: http://oidc_provider:8300 - initial_user_name: test - initial_user_password: test - initial_user_email: test@example.com production: vault_create_root: false + + oidc_provider_addr: + oidc_issuer: + + initial_user_name: + initial_user_password: + initial_user_email: + diff --git a/config/environments/development.rb b/config/environments/development.rb index 89409a5..a5426bc 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -74,7 +74,4 @@ # Apply autocorrection by RuboCop to files generated by `bin/rails generate`. # config.generators.apply_rubocop_autocorrect_after_generate! - def get_oidc_config - config.astral.oidc_client_id, config.astral.oidc_client_secret = OidcProvider.new.get_client_info - end end diff --git a/config/environments/production.rb b/config/environments/production.rb index 4f5d1e6..eb58309 100644 --- a/config/environments/production.rb 
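Review bot: Moving `initial_user_name`/`initial_user_password: test`/`initial_user_email` and the dev issuer into `shared:` means every environment inherits the dev credentials and production has to override them to blank values; a blank string is still a value, so if `OidcProvider#configure` were ever run with production config it would presumably create the userpass entry with an empty password instead of failing (behaviour of the provider on a blank password is not visible here). Keep these keys under `development:` and `test:` only, so production resolves them to nil, and have the provider raise when `Config[:initial_user_password]` is nil. The production block's trailing empty keys would then be unnecessary.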
+++ b/config/environments/production.rb @@ -92,4 +92,8 @@ # ] # Skip DNS rebinding protection for the default health check endpoint. # config.host_authorization = { exclude: ->(request) { request.path == "/up" } } + + def get_oidc_config + end + end diff --git a/config/environments/test.rb b/config/environments/test.rb index 48fb972..ea4ba32 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -66,7 +66,4 @@ # Raise error when a before_action's only/except options reference missing actions. config.action_controller.raise_on_missing_callback_actions = true - def get_oidc_config - config.astral.oidc_client_id, config.astral.oidc_client_secret = OidcProvider.new.get_client_info - end end From 5c5f3c5723d13b959c662a91f7228d6a06186b88 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Thu, 17 Oct 2024 15:47:12 -0700 Subject: [PATCH 53/65] rubocop --- config/environments/development.rb | 1 - config/environments/production.rb | 1 - config/environments/test.rb | 1 - 3 files changed, 3 deletions(-) diff --git a/config/environments/development.rb b/config/environments/development.rb index a5426bc..dddb726 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -73,5 +73,4 @@ # Apply autocorrection by RuboCop to files generated by `bin/rails generate`. # config.generators.apply_rubocop_autocorrect_after_generate! - end diff --git a/config/environments/production.rb b/config/environments/production.rb index eb58309..11bb8fd 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -95,5 +95,4 @@ def get_oidc_config end - end diff --git a/config/environments/test.rb b/config/environments/test.rb index ea4ba32..3dac6dc 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -65,5 +65,4 @@ # Raise error when a before_action's only/except options reference missing actions. config.action_controller.raise_on_missing_callback_actions = true - end 
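Review bot: The empty `def get_oidc_config; end` inside `Rails.application.configure do` in production.rb disables the provider lookup by defining a singleton method on the application object, which is hard to discover from `config/application.rb` where the default implementation now lives. A plain flag such as `config.astral.use_local_oidc_provider = false` checked in application.rb would express the same environment difference without method overriding. If the override is kept, a one-line comment in production.rb stating that it intentionally skips `OidcProvider.new.get_client_info` would help the next reader.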
From 70329c3d12ab2d89bbe1ef4fa8043ba9652d3494 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 18 Oct 2024 11:26:49 -0700 Subject: [PATCH 54/65] Because the "VAULT_SSL_CERT" env var is set, added ssl parameters to the oidc vault client creation. --- app/lib/utils/oidc_provider.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index bdc5e28..83a74f4 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -35,7 +35,10 @@ def vault_client @vault_client ||= ::Vault::Client.new( address: Config[:oidc_provider_addr], - token: Config[:vault_token] + token: Config[:vault_token], + ssl_ca_cert: Config[:vault_ssl_cert], + ssl_pem_file: Config[:vault_ssl_client_cert], + ssl_key_file: Config[:vault_ssl_client_key] ) end From de43ef3ba559f7d406b007cfe940790227b89114 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Fri, 18 Oct 2024 14:11:39 -0700 Subject: [PATCH 55/65] updated Brakeman --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ac74dd8..0f925c8 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -79,7 +79,7 @@ GEM bigdecimal (3.1.8) bootsnap (1.18.4) msgpack (~> 1.2) - brakeman (6.2.1) + brakeman (6.2.2) racc builder (3.3.0) concurrent-ruby (1.3.4) From 8f195cae383059b55e8026055c570d40f305e897 Mon Sep 17 00:00:00 2001 
From: George Jahad Date: Fri, 18 Oct 2024 14:49:40 -0700 Subject: [PATCH 56/65] added oidc provider ssl --- .devcontainer/docker-compose.yml | 18 ++++++++++- app/lib/utils/oidc_provider.rb | 6 ++-- cert/oidc_provider.csr | 27 +++++++++++++++++ cert/oidc_provider.key | 52 ++++++++++++++++++++++++++++++++ cert/oidc_provider.pem | 30 ++++++++++++++++++ config/astral.yml | 9 +++++- lib/tasks/configure.rake | 16 +++++----- 7 files changed, 146 insertions(+), 12 deletions(-) create mode 100644 cert/oidc_provider.csr create mode 100644 cert/oidc_provider.key create mode 100644 cert/oidc_provider.pem diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 0fc0bd9..f690e2a 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -53,9 +53,25 @@ services: restart: unless-stopped ports: - 8300:8300 + - 9443:9443 environment: VAULT_DEV_ROOT_TOKEN_ID: root_token - VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8300 + VAULT_LOCAL_CONFIG: > + { + "listener": [ + { + "tcp": { + "address": "0.0.0.0:9443", + "tls_disable": "0", + "tls_cert_file": "/vault/cert/oidc_provider.pem", + "tls_key_file": "/vault/cert/oidc_provider.key" + } + } + ], + "default_lease_ttl": "168h", + "max_lease_ttl": "720h" + } + app_registry: image: node:latest diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 83a74f4..cd7ef9e 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -36,9 +36,9 @@ def vault_client ::Vault::Client.new( address: Config[:oidc_provider_addr], token: Config[:vault_token], - ssl_ca_cert: Config[:vault_ssl_cert], - ssl_pem_file: Config[:vault_ssl_client_cert], - ssl_key_file: Config[:vault_ssl_client_key] + ssl_ca_cert: Config[:oidc_provider_ssl_cert], + ssl_pem_file: Config[:oidc_provider_ssl_client_cert], + ssl_key_file: Config[:oidc_provider_ssl_client_key] ) end diff --git a/cert/oidc_provider.csr b/cert/oidc_provider.csr new file mode 100644 index 0000000..dbf3563 
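Review bot: In the `oidc_provider` service, `VAULT_DEV_LISTEN_ADDRESS` is removed and `VAULT_LOCAL_CONFIG` adds only the 9443 TLS listener, yet `- 8300:8300` stays published and, from what is visible in this chunk, `oidc_provider_addr` and the hard-coded `http://oidc_provider:8300` issuer still point at the plain-http port; unless dev mode keeps its own listener on 8300, that mapping is now dead and the issuer no longer matches what the provider serves (the `config/astral.yml` hunk of this patch is outside my view, so this may be handled there). Either drop the 8300 mapping and move the address/issuer to `https://oidc_provider:9443`, or keep one listener and state which is the intended one. The listener also references `/vault/cert/oidc_provider.pem` and `.key`; no volume mounting `cert/` into the container is visible in the hunk.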
--- /dev/null +++ b/cert/oidc_provider.csr @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEnzCCAocCAQAwWjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIG +A1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEWMBQGA1UEAwwNb2lkY19w +cm92aWRlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL6Q6ix1Y48b +XvAwHAEBSnVZ3e1VCjkpRG0viMX6X4Z5ecPuPtBSzl5sb1KhxpoZgfrFgPSRzD0M +tDTQoygQ/x6DfPQTMJcpx8+iWvJoAJrHFFG4G4Ti8t+HjD/jKpnkfCJX/h1o5pts +RHlvwqlrJWaN5MMIDeM/NhdhZd+Zz98YLUYYh1edB5Tmu19ZMElnikhee4KOITn5 +n7V+O3NiFmGUWzbVImovUkb/jMSwBfCZHxDVYABDdUDDJ+LkbX8eQB/HanLrp2EV +vzyro/KmeenTwhuk5bK6qhNv0KadNiouWBxeryEfCZBr/sqVNo39uW8J+KD21zvh +hGAURDY9seLXsAKTJ2ZCSeO6AkcVCnezU3RwnYgqjokjKXDcV3m2s8T7Mo9ZAfG2 +7i9jVe1Jwfekse5na0e2grqdGXglA25gamqZ7+eVcn4sOTj9pZD/cVOKT0ji/5eU +d6ABrTYvivzkoTacsTfwn1+6txKYfUhxuvlb++MkMeU8tHFID+7JZb7fZeszuaXX +wSQxDfB+4DIbrk/6i3+yPGv4I9fAXxuDAHEsaAZNHmoIvYSK8amc3B7c5G8JF0pf +jfyH9amcrtuthFvnMzn3+ewEUX2vXPAQAGLF7thfBYSb/RSWTgf3r0kAM9qfUYXI +Z88JIIhTxIspyunOUVjVkgozhHReUAdTAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC +AgEAYZO0skuwyKdI46OUdgE+wDqlFxduMXKJILDvfUulZaUEJ/4RjHXqtrqg5Tlr +ZdXLq4sF/qkhCaQne5pcla6c06Bk7eN7o3ToIraJ8McloEY4urfvTFvLEMrb7SVi +5OXKROdiO9KsQXmU9jmaXxBpokpO3VE2O9VdK7/0OvLz5ccCvg1usy5yVHvm7ykk +c02jo20w3N9WcodJgLL0xzD2yH2DfAY8zyqu+zZKpt5gaRomPmpuGAmd2+zECnM+ +yu3WaZxVjbc5YBlnaRouo1GZxOcQkR2YIT60+Gs2uRMskf0L7zwIhisVlL4up1Ha +WeDI3EEGPUPJxwFEomyzrB8eom/iGw6KBfzue/uij7MJrAS5znaNk4kVn8d6XyGH +sQNILW01qdq5ER2g7ofDvqHDJbh4kwjK4C3gt8nDJlP01ngjtmpTr24o5xI81byf +QD36BTytlgkn0qEgnSkuoMpKNfF9eTjUSV4YBqVjI+zsHVYUhZR9Z++z1Jy5yNWs +zgeLqJBHqsUzjGgj/bLkOQ3QrDGwKtZ02odUXlLTdBLpPCfh/NYQldJCfqh4IOi5 +nACm5WVRrDDo1E3p0kTPKpaCSEeCXXgzhA+A2aaiU0m9I+92gp/k/fguXcuu1+DJ +XMLf0Hb02YQ0+zYWVMoFm/tfhMmGqtmEK9VmkreBe6nIdVw= +-----END CERTIFICATE REQUEST----- diff --git a/cert/oidc_provider.key b/cert/oidc_provider.key new file mode 100644 index 0000000..a5adfc8 --- /dev/null +++ b/cert/oidc_provider.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC+kOosdWOPG17w +MBwBAUp1Wd3tVQo5KURtL4jF+l+GeXnD7j7QUs5ebG9SocaaGYH6xYD0kcw9DLQ0 +0KMoEP8eg3z0EzCXKcfPolryaACaxxRRuBuE4vLfh4w/4yqZ5HwiV/4daOabbER5 +b8KpayVmjeTDCA3jPzYXYWXfmc/fGC1GGIdXnQeU5rtfWTBJZ4pIXnuCjiE5+Z+1 +fjtzYhZhlFs21SJqL1JG/4zEsAXwmR8Q1WAAQ3VAwyfi5G1/HkAfx2py66dhFb88 +q6Pypnnp08IbpOWyuqoTb9CmnTYqLlgcXq8hHwmQa/7KlTaN/blvCfig9tc74YRg +FEQ2PbHi17ACkydmQknjugJHFQp3s1N0cJ2IKo6JIylw3Fd5trPE+zKPWQHxtu4v +Y1XtScH3pLHuZ2tHtoK6nRl4JQNuYGpqme/nlXJ+LDk4/aWQ/3FTik9I4v+XlHeg +Aa02L4r85KE2nLE38J9furcSmH1Icbr5W/vjJDHlPLRxSA/uyWW+32XrM7ml18Ek +MQ3wfuAyG65P+ot/sjxr+CPXwF8bgwBxLGgGTR5qCL2EivGpnNwe3ORvCRdKX438 +h/WpnK7brYRb5zM59/nsBFF9r1zwEABixe7YXwWEm/0Ulk4H969JADPan1GFyGfP +CSCIU8SLKcrpzlFY1ZIKM4R0XlAHUwIDAQABAoICADRcLuuOSY+tjpViMp+YEjRS +P+cRAaEZFKMHd4YmOA8D25AZKwskZW2OT7wdlSsMLSmRENCiKsLvdag5V0sP+HkS +2cdaanRuV2dWjbSjHN9qKcwWUQFfNipy3PdE3JSyMeVh1gGQrCQySFIxggP426rk +++EWmnJBEQS1jz8zzOjYhMAIx08sZ0PjbcJSCDFzEIy34SnLEZgTXW2JxJ38anff +Qny7bRxN6kZ1uuDkGI22FNIUPq9z2Yi01oXCC8/sqOPScA4pb7D+P7BU3NQ0J7U2 +qNPdp/tGzKpQg7zz30kRuMX6whXQqFkVQ0m4W+gBueynibf4esUKPswDZYadxv06 +sQY7KOdutTSJmA76H08h08wEnw0HXlKF2gDsFrVblC619utoapSG2sukICdHoCes +i8uewgkV580RZgNB+/TFgtEUQhoDbofJXlaM+wQ5devD78Mglxs+tTBNk+sQOtH7 +8om7sT5eQM0dNvRi0kMdsp61CL9QGQaPSMtZcYx8OQdaKKh5emFMOzWnMQp6ZMIV +wonZJw070rD5jhqPZGEhlUlCMNZF9F5/VZZmJL34OYQxMDiRUx+i31iGJ9Akl/4K +k0e1phIujXXYmTcZ208D5z4umVdGZ4hs0unI8CS7yxh4hX6scuj+7w7oLWtHqJS0 +2Mec3Wb41yrdNpx8oboZAoIBAQDf3lZEdUhZKhAyBP1769TICpCskE+dPuX31AAA +YeRlKzCsF8EsiQzh6Z07RYlFmqAwquiOCpP6sGrGSw2HdV5+/g0CYEh2IcDi4Euj +36/gRHuUocD/yXeVEtEzBud6h2MLTQJCaJW1Gzmfo0c9Hbf3hcVi3yozqm0jnkxh +zhRNzc+nWcxexBWD4VEoz1AxlyLMdNZKmcoimMZID8IsV2n2yYdTNkvEUkhJHD19 +STTLwyFpZvtZ5+5c6Wpy3gj/H/lddgD0h4azTN0UmG4mTnbzR30pugkjF2u9vFfO +5cRz66Ho6z6mR1yfZwrQyDIIpyrjZdTF2PR7737S+HBX1/B/AoIBAQDZ6u/vAFQj +fS8Ppp1KCtfYjFJZ/n9UuUE2umHx0MxgK0Vj2iR+IhLGNrTGeCcO5TOIKnLP7bSa 
+C1XdN4Z+kt7pYFRzG1qE6hPaeDggPoFPBshEN7OyyTo65hDcfllz6uAGnaqsyJVG +JdvH2hDofkJUKu7MsVpfUKeI4azvg4V4X4r5b9dvBxFV3yTCHjeBJP/c3uuqumL2 +wQWTbkJW7XTQhRCcTYQELMjiXDPSbeVp2V1KQXmiI3JGEqi48vj3Z91JQYRgWwmD +F6ZCEKsQoqQr6o37ERz5f4lNjPHH5+fnOggGm6HJyhDLg2RIUes59QnCpE+9JmgZ +kpGvFmB5FL8tAoIBAA5yJXTzcIC4cyUXJ1hIxolGDUHlag3GkkZkur9LkdZpbBGe +0stR6K/nSEsb2JjSOoYJcUpBKn1hxvIWw7+69icRs7s0hViCIxVAzgC8HXhGUwcr +TO30jS/kb/Vv+53vgJepF307jHWMVTKU8bLi6Q0i57LSncGJvNMwktM43hyLLFwr +MkHnO1AwSPFuN0mL7CXvYCieNen3m8vooGoGFgNjy8S12zvG5304QkuEXtDLPau0 +hoGtsrbyJPlWlJQJ9yhtxfABktKdIiMDFxCHvatDMLNxmsdV6pDqx2vFbeDhEqia +DYfjUPnER3Fjib7/MohL+OfvcQ9STAfHGlDA0XcCggEAQTjW7SKdDC4oirekdge+ +yJpe/35zX8k+ooGwVO7YbKQm1Zbxuyq5kcfH3WsSzZt+C/AggukzV7Oy1E4NHA8b +VqA1RmpWcleY75dxvPzYOO3fvMMrLoSZwA0h2MycO1x+Bpzj+2jhfKhSGoPC8cLw +WT6sUGl4kfSS4B4jY2Bq7zcxYiy+PwXPg3MRDmR62lVXmyTBRk0Y15+36oNiqZ/S +iaJ58T4mGBXLXiyYeg/YTRD4ogPswsF3L0/gXdKi/3F/wrAwTaKRu0G1yiow+P6k +wlwmeJGLqYUpdCOOLfXT69nrkwa7qqim1DKULi0OiT8016PUFdnL6HN81PmOkE7M +VQKCAQAhXonYGX+Bdqx2sWr4ns4wJWzExz6G9JYxLrFdJnsij9pPdcBHGKfukG6e +2J6kXOA8QH6b1JEeZm56vuR587BN+2mE3GwwnpJroxNYLBM9rsiUswU6rH9A6oNu +ATQju3uVQpU/tCyqeYunNrCEPfB8TdC32BfKbbzDlMr8ZrQiT7gn1NheuyBP1CZ9 +WkpBcCfPY5IvSVXfmSgQuEX0QKzKDP4XfkstsGla1UuqUjeOcSDTZspmzBwC7Dcp +jk9Pggw6A1aD4dUUG7FR40j0s5uM0WfjIsm2CilBCE5C8dM9MK8HxkFmBXxfsvfM +vL/XuAVFPrjpkrTnYFD+5prQtM5x +-----END PRIVATE KEY----- diff --git a/cert/oidc_provider.pem b/cert/oidc_provider.pem new file mode 100644 index 0000000..f9850c6 --- /dev/null +++ b/cert/oidc_provider.pem 
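Review bot: cert/oidc_provider.key is an unencrypted RSA private key committed to the repository, and the next hunk adds the matching certificate that config/astral.yml goes on to pin as the OIDC provider's trust anchor, so anyone with read access to the repo can stand up a provider the Vault OIDC client will trust. Even as a dev-only fixture it is safer to keep keys out of version control: add `cert/*.key` to .gitignore and let `rake configure:ssl[oidc_provider]`, which this patch already parameterizes, generate the pair on first run. If the key must stay, a comment in the rake task should state that it is a throwaway devcontainer credential that must never be reused elsewhere.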
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFOzCCAyMCFFaPCvUziWw+8kv2dAXpy2fsF06YMA0GCSqGSIb3DQEBCwUAMFox +CzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2Zp +ZWxkMQwwCgYDVQQKDANEaXMxFjAUBgNVBAMMDW9pZGNfcHJvdmlkZXIwHhcNMjQx +MDE4MjEzMDMxWhcNMjUxMDE4MjEzMDMxWjBaMQswCQYDVQQGEwJVUzEPMA0GA1UE +CAwGRGVuaWFsMRQwEgYDVQQHDAtTcHJpbmdmaWVsZDEMMAoGA1UECgwDRGlzMRYw +FAYDVQQDDA1vaWRjX3Byb3ZpZGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAvpDqLHVjjxte8DAcAQFKdVnd7VUKOSlEbS+Ixfpfhnl5w+4+0FLOXmxv +UqHGmhmB+sWA9JHMPQy0NNCjKBD/HoN89BMwlynHz6Ja8mgAmscUUbgbhOLy34eM +P+MqmeR8Ilf+HWjmm2xEeW/CqWslZo3kwwgN4z82F2Fl35nP3xgtRhiHV50HlOa7 +X1kwSWeKSF57go4hOfmftX47c2IWYZRbNtUiai9SRv+MxLAF8JkfENVgAEN1QMMn +4uRtfx5AH8dqcuunYRW/PKuj8qZ56dPCG6TlsrqqE2/Qpp02Ki5YHF6vIR8JkGv+ +ypU2jf25bwn4oPbXO+GEYBRENj2x4tewApMnZkJJ47oCRxUKd7NTdHCdiCqOiSMp +cNxXebazxPsyj1kB8bbuL2NV7UnB96Sx7mdrR7aCup0ZeCUDbmBqapnv55Vyfiw5 +OP2lkP9xU4pPSOL/l5R3oAGtNi+K/OShNpyxN/CfX7q3Eph9SHG6+Vv74yQx5Ty0 +cUgP7sllvt9l6zO5pdfBJDEN8H7gMhuuT/qLf7I8a/gj18BfG4MAcSxoBk0eagi9 +hIrxqZzcHtzkbwkXSl+N/If1qZyu262EW+czOff57ARRfa9c8BAAYsXu2F8FhJv9 +FJZOB/evSQAz2p9RhchnzwkgiFPEiynK6c5RWNWSCjOEdF5QB1MCAwEAATANBgkq +hkiG9w0BAQsFAAOCAgEAE2UpjTnG1l21v9MW7Y9N4uGnPz2duwox+HsW+7AQxykA +UNIGijrsN6GNBg0/kNY+MG8TK4or80bAadcl7IUygJzxbX5XJnCrSqTPvPQC+REi +l6FRRYABHptfPwJncMgshrjds+uzmWqzVnlVjkWzG8jDKRMBid/VFFA/06zQ2W1Y +vFoTR9m8Urg+9tVYTnhu1IYCSGdRY8Q1nNxl03cJbkB5C72ijlKUNuMWPaDnFLI1 +7IXv6GPcjzmEBA13n8xBed3lXMWPzg2qEWIo/9srX3oweFA/IzY3yoXjM4cG363K +cxyrARNGo2uXLwvZUekMKMLipvjf7loBTO4Nd0YdA3reJY9lTT1zqtRUP+a+QC04 +8eDHpDIH3TIWPAfxHibygVos+Sbm9GO9JwWedJygPo/96vIDRb8t6qzLK6Zl3wLL +krQAHJ4ULMX2onw5u0SH3pMnbX7qgDqLbodIsSi8LNGE8id8GYT12CxhxSWu6Y4s +G4MAt0ep7vowkBwNOfCz4ImO1RWSGr+b5ujFU8JHaFai8cx4AYIvHWFZExWUOpwG +zAhsRXvZ8rQByVr37exhJhp+Mf5LBAg+5/611e/8IajZEaxqFBmpbdU153wv/7rd +FY3PO5VSbK/H5mGZ/yivuOuOppf2en19VA5j4nWy2W7+cYqOiViPymXEDXQcJBM= +-----END CERTIFICATE----- 
diff --git a/config/astral.yml b/config/astral.yml index 280e374..fb5bf29 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -31,8 +31,15 @@ shared: oidc_client_id: oidc_client_secret: oidc_redirect_uris: http://localhost:8250/oidc/callback - oidc_provider_addr: http://oidc_provider:8300 + oidc_provider_cert_name: cert/oidc_provider oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral + oidc_provider_addr: http://oidc_provider:8300 + # if oidc_provider_addr is https with self-signed cert, need to provide + # CA cert (path to file) in "oidc_provider_ssl_cert" below: + oidc_provider_ssl_cert: + # oidc provider client cert if required (path to file) + oidc_provider_ssl_client_cert: + oidc_provider_ssl_client_key: initial_user_name: test initial_user_password: test diff --git a/lib/tasks/configure.rake b/lib/tasks/configure.rake index 80ad985..fdc8ba2 100644 --- a/lib/tasks/configure.rake +++ b/lib/tasks/configure.rake @@ -3,15 +3,17 @@ require "rake" # Rake tasks for making a vault cert namespace :configure do desc "Make the server cert for vault" - task :ssl do + task :ssl, [:cert_name] do |t, args| + cert_name = args[:cert_name] + cert_name = "vault" if cert_name.nil? %x( openssl req -new -newkey rsa:4096 -nodes \ - -keyout cert/vault.key -out cert/vault.csr \ - -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=vault" - openssl x509 -req -days 365 -in cert/vault.csr \ - -signkey cert/vault.key \ - -out cert/vault.pem + -keyout cert/#{cert_name}.key -out cert/#{cert_name}.csr \ + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{cert_name}" + openssl x509 -req -days 365 -in cert/#{cert_name}.csr \ + -signkey cert/#{cert_name}.key \ + -out cert/#{cert_name}.pem ) - puts "SSL key for vault created" + puts "SSL key for #{cert_name} created" end end From a87e951dfb68ac72076f1684203f2ef5c229dfe1 Mon Sep 17 00:00:00 2001 
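Review bot: In the `configure:ssl` task, `cert_name` from the rake argument is interpolated unquoted into the `%x()` shell string on the `-keyout`/`-out` lines and inside the double-quoted `-subj` value, so a name containing spaces, `"`, `$(`, or `../` either breaks the command or writes key material outside cert/. The value is developer-supplied, so the risk is low, but a one-line guard before `%x(` keeps the task honest: `raise ArgumentError, "invalid cert name #{cert_name.inspect}" unless cert_name.match?(/\A[\w.-]+\z/)`. The `puts` at the end still says "SSL key ... created" although the command also wrote a CSR and a self-signed cert valid for 365 days; `puts "Self-signed cert and key for #{cert_name} written to cert/ (valid 365 days)"` would be more accurate.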
From: George Jahad Date: Fri, 18 Oct 2024 16:42:01 -0700 Subject: [PATCH 57/65] fixed up provider certs --- .devcontainer/docker-compose.yml | 3 +++ app/lib/utils/oidc_provider.rb | 2 +- config/astral.yml | 7 ++++--- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index f690e2a..e73e950 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -54,8 +54,11 @@ services: ports: - 8300:8300 - 9443:9443 + volumes: + - ../cert:/vault/cert environment: VAULT_DEV_ROOT_TOKEN_ID: root_token + VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8300 VAULT_LOCAL_CONFIG: > { "listener": [ diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index cd7ef9e..f6bc787 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -54,7 +54,7 @@ def create_provider_with_email_scope vault_client.logical.write("identity/oidc/scope/email", template: '{"email": {{identity.entity.metadata.email}}}') vault_client.logical.write("identity/oidc/provider/astral", - issuer: "http://oidc_provider:8300", + issuer: Config[:oidc_provider_addr], allowed_client_ids: @client_id, scopes_supported: "email") vault_client.logical.read("identity/oidc/provider/astral") diff --git a/config/astral.yml b/config/astral.yml index fb5bf29..3f5264c 100644 --- a/config/astral.yml +++ b/config/astral.yml 
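Review bot: The new `volumes:` entry bind-mounts the whole `../cert` directory into the OIDC provider container, which exposes every key in that directory (presumably including the separate `vault` pair that `configure:ssl` generates by default) to a container that only needs its own certificate and key, and mounts them writable. Mount just the two files the listener references, read-only: `- ../cert/oidc_provider.pem:/vault/cert/oidc_provider.pem:ro` and `- ../cert/oidc_provider.key:/vault/cert/oidc_provider.key:ro`. The `VAULT_LOCAL_CONFIG` listener block that consumes these paths continues past the hunk.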
@@ -32,15 +32,16 @@ shared: oidc_client_secret: oidc_redirect_uris: http://localhost:8250/oidc/callback oidc_provider_cert_name: cert/oidc_provider - oidc_issuer: http://oidc_provider:8300/v1/identity/oidc/provider/astral - oidc_provider_addr: http://oidc_provider:8300 + oidc_issuer: https://oidc_provider:9443/v1/identity/oidc/provider/astral + oidc_provider_addr: https://oidc_provider:9443 # if oidc_provider_addr is https with self-signed cert, need to provide # CA cert (path to file) in "oidc_provider_ssl_cert" below: - oidc_provider_ssl_cert: + oidc_provider_ssl_cert: cert/oidc_provider.pem # oidc provider client cert if required (path to file) oidc_provider_ssl_client_cert: oidc_provider_ssl_client_key: + initial_user_name: test initial_user_password: test initial_user_email: test@example.com From 6b866aff560ce19a5c47ad014d64f719773d4dc8 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Sun, 20 Oct 2024 15:10:48 -0700 Subject: [PATCH 58/65] fixed oidc_provider for ssl --- app/lib/clients/vault/oidc.rb | 3 +- cert/oidc_provider.csr | 49 +++++++++-------- cert/oidc_provider.key | 100 +++++++++++++++++----------------- cert/oidc_provider.pem | 57 +++++++++---------- config/application.rb | 1 + config/astral.yml | 2 +- lib/tasks/configure.rake | 9 ++- 7 files changed, 114 insertions(+), 107 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 44fff0e..5b4c026 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -24,7 +24,8 @@ def get_oidc_client_config def create_client_config(issuer, client_id, client_secret) client.logical.write("/sys/auth/oidc", type: "oidc") client.logical.write("auth/oidc/config", - oidc_discovery_url: issuer, + oidc_discovery_url: issuer, + oidc_discovery_ca_pem: File.read("/workspaces/astral/cert/oidc_provider.pem"), oidc_client_id: client_id, oidc_client_secret: client_secret, default_role: "default") 
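Review bot: In `create_client_config`, `oidc_discovery_ca_pem` is written into Vault's auth/oidc config once, as the contents of the provider's self-signed leaf certificate, so the trust anchor is frozen at configure time while the certificate itself is only valid for 365 days per the `configure:ssl` task; after the cert is regenerated, discovery against the https issuer will fail until this method runs again. That is the right way to pin a self-signed dev cert, but it deserves a comment on the `oidc_discovery_ca_pem:` line, e.g. `# pins the provider's self-signed cert as the CA; re-run configure_as_oidc_client after regenerating cert/oidc_provider.pem`. `create_client_config` continues past the hunk.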
diff --git a/cert/oidc_provider.csr b/cert/oidc_provider.csr index dbf3563..5e9b274 100644 --- a/cert/oidc_provider.csr +++ b/cert/oidc_provider.csr 
@@ -1,27 +1,28 @@ -----BEGIN CERTIFICATE REQUEST----- -MIIEnzCCAocCAQAwWjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIG +MIIEyjCCArICAQAwWjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIG A1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEWMBQGA1UEAwwNb2lkY19w -cm92aWRlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL6Q6ix1Y48b -XvAwHAEBSnVZ3e1VCjkpRG0viMX6X4Z5ecPuPtBSzl5sb1KhxpoZgfrFgPSRzD0M -tDTQoygQ/x6DfPQTMJcpx8+iWvJoAJrHFFG4G4Ti8t+HjD/jKpnkfCJX/h1o5pts -RHlvwqlrJWaN5MMIDeM/NhdhZd+Zz98YLUYYh1edB5Tmu19ZMElnikhee4KOITn5 -n7V+O3NiFmGUWzbVImovUkb/jMSwBfCZHxDVYABDdUDDJ+LkbX8eQB/HanLrp2EV -vzyro/KmeenTwhuk5bK6qhNv0KadNiouWBxeryEfCZBr/sqVNo39uW8J+KD21zvh -hGAURDY9seLXsAKTJ2ZCSeO6AkcVCnezU3RwnYgqjokjKXDcV3m2s8T7Mo9ZAfG2 -7i9jVe1Jwfekse5na0e2grqdGXglA25gamqZ7+eVcn4sOTj9pZD/cVOKT0ji/5eU -d6ABrTYvivzkoTacsTfwn1+6txKYfUhxuvlb++MkMeU8tHFID+7JZb7fZeszuaXX -wSQxDfB+4DIbrk/6i3+yPGv4I9fAXxuDAHEsaAZNHmoIvYSK8amc3B7c5G8JF0pf -jfyH9amcrtuthFvnMzn3+ewEUX2vXPAQAGLF7thfBYSb/RSWTgf3r0kAM9qfUYXI -Z88JIIhTxIspyunOUVjVkgozhHReUAdTAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC -AgEAYZO0skuwyKdI46OUdgE+wDqlFxduMXKJILDvfUulZaUEJ/4RjHXqtrqg5Tlr -ZdXLq4sF/qkhCaQne5pcla6c06Bk7eN7o3ToIraJ8McloEY4urfvTFvLEMrb7SVi -5OXKROdiO9KsQXmU9jmaXxBpokpO3VE2O9VdK7/0OvLz5ccCvg1usy5yVHvm7ykk -c02jo20w3N9WcodJgLL0xzD2yH2DfAY8zyqu+zZKpt5gaRomPmpuGAmd2+zECnM+ -yu3WaZxVjbc5YBlnaRouo1GZxOcQkR2YIT60+Gs2uRMskf0L7zwIhisVlL4up1Ha -WeDI3EEGPUPJxwFEomyzrB8eom/iGw6KBfzue/uij7MJrAS5znaNk4kVn8d6XyGH -sQNILW01qdq5ER2g7ofDvqHDJbh4kwjK4C3gt8nDJlP01ngjtmpTr24o5xI81byf -QD36BTytlgkn0qEgnSkuoMpKNfF9eTjUSV4YBqVjI+zsHVYUhZR9Z++z1Jy5yNWs -zgeLqJBHqsUzjGgj/bLkOQ3QrDGwKtZ02odUXlLTdBLpPCfh/NYQldJCfqh4IOi5 -nACm5WVRrDDo1E3p0kTPKpaCSEeCXXgzhA+A2aaiU0m9I+92gp/k/fguXcuu1+DJ -XMLf0Hb02YQ0+zYWVMoFm/tfhMmGqtmEK9VmkreBe6nIdVw= +cm92aWRlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALLlCiIekgeJ +H59rImWNgudYgc/b+sOPUz5TNxQlFeao30NXYiVWylVU79zBGOqlOdgF/34sQac8 +hwwmyLHCPjWpcSrY78TjGpMljIcRSwR6ujqpmdyI715YetoS8qjuDiBm4zbwQnPq 
+mCWIJ3TX0UZgMsLe1q62wxZkzFI7wK/D7mjcl6MYT1aKHCYTsxZPj2rEP30PNLbW +xnBgSyuoNzJbsdELLvX/QTZZHvvcL9aHE4o51tndr3C7IsCUzTlT/xPm5Zc2czai +SaKLbXkH9hAQQu9e8y6WJyATnzLH0r5B31OMt9ivlQ/cM48tL4fUvufQYBE0Ux3J +lNRf0LnwcEdp1zc9v1PSIliYo8OgCs22MbkGljcmZQcFGckkbluT0s/0nyKRiS3n +Zk2wYe3Zx+DI/9uGqIQl5Q9FSvJORSN26ThwNavgUz85kx7UeLhB/xdD51SX/8Nd +e51Fwozgxcg0bLbyzryQm6v8bnz1KTj9be+wq74byenFedYdJJp51oCPhzNMt1Qd +/F3Xkhz5n/Rk5AVCUUarvlIi8LUtJIaIi87yQmu6XLOAf7d1fk3uyQADDND+pCn6 +I6t2I76Fny3IuawC+gN1v7Ao6QZIiexguQkJWMN5uejCJLvd+WiPARbrgCTP7lzV +oDp5QNWN9CS2zV1H/4Ws/BMpmv38J8uFAgMBAAGgKzApBgkqhkiG9w0BCQ4xHDAa +MBgGA1UdEQQRMA+CDW9pZGNfcHJvdmlkZXIwDQYJKoZIhvcNAQELBQADggIBABk6 +xvXozPpJX3BwzGkLjRgzkKQqMjCVoVSYJ5DBomNX4cSpdnbSdF3mkY6hyB8ldI/B +0XFwetlvIMndOpUPV/CwNYOlKiTcFbGtww3EFHcTW8Eqty+eCAUjUwK+3u9EayyA +m6W/ekkceBXTf5bLBNtO14WRY098Bm1P4qgOEtYiSL0ovlhuZmYxvoqbzc5i45E3 +n58O7nubACyKLse0Cwgdw2oW83rvBoTdzcSmxw8qT6QvCEftIeC0VeWRcT1l/NfE +1o4yTItsyJd3pgL6fp1+ly1uth2pD34sWB0lQVWMUgZDmJPF8dJmo+eHoamD4RE7 +Z/ssizSObnW5TXvHskXeS6bqU/XmY1rZ7gn68jzdlGEU4RgGChubUR+K0DNyYrKQ +1ZTIRibLgIAouY/m+dc4QQCUoq3XEpl/cUEbf/sG/Bn3FSfWCxNnNJ3tzchxb72f +54uNZXff2pM3y0/VbMQa5RXqYR83nlWNjQyYz6dgml5aV5KODjS/qqwh90AGad9x +zSnF+D25MOlPSxgUBeKPVuchasLAlUrR+YYouLRc+cpwyWDHapY3o9rk/Y2MRCdn +nWRA1KauztxrsH4PZKTV7LmTFhMFSMgCmWg6/fLQ0oum/SK2mPlA4gMTCNEEMiiJ +9Z/UqBM+C0p0EG7NID67mYtbvsEL7KLJr3Jy1sAP -----END CERTIFICATE REQUEST----- diff --git a/cert/oidc_provider.key b/cert/oidc_provider.key index a5adfc8..7a72549 100644 --- a/cert/oidc_provider.key +++ b/cert/oidc_provider.key 
@@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC+kOosdWOPG17w -MBwBAUp1Wd3tVQo5KURtL4jF+l+GeXnD7j7QUs5ebG9SocaaGYH6xYD0kcw9DLQ0 -0KMoEP8eg3z0EzCXKcfPolryaACaxxRRuBuE4vLfh4w/4yqZ5HwiV/4daOabbER5 -b8KpayVmjeTDCA3jPzYXYWXfmc/fGC1GGIdXnQeU5rtfWTBJZ4pIXnuCjiE5+Z+1 -fjtzYhZhlFs21SJqL1JG/4zEsAXwmR8Q1WAAQ3VAwyfi5G1/HkAfx2py66dhFb88 -q6Pypnnp08IbpOWyuqoTb9CmnTYqLlgcXq8hHwmQa/7KlTaN/blvCfig9tc74YRg -FEQ2PbHi17ACkydmQknjugJHFQp3s1N0cJ2IKo6JIylw3Fd5trPE+zKPWQHxtu4v -Y1XtScH3pLHuZ2tHtoK6nRl4JQNuYGpqme/nlXJ+LDk4/aWQ/3FTik9I4v+XlHeg -Aa02L4r85KE2nLE38J9furcSmH1Icbr5W/vjJDHlPLRxSA/uyWW+32XrM7ml18Ek -MQ3wfuAyG65P+ot/sjxr+CPXwF8bgwBxLGgGTR5qCL2EivGpnNwe3ORvCRdKX438 -h/WpnK7brYRb5zM59/nsBFF9r1zwEABixe7YXwWEm/0Ulk4H969JADPan1GFyGfP -CSCIU8SLKcrpzlFY1ZIKM4R0XlAHUwIDAQABAoICADRcLuuOSY+tjpViMp+YEjRS -P+cRAaEZFKMHd4YmOA8D25AZKwskZW2OT7wdlSsMLSmRENCiKsLvdag5V0sP+HkS -2cdaanRuV2dWjbSjHN9qKcwWUQFfNipy3PdE3JSyMeVh1gGQrCQySFIxggP426rk -++EWmnJBEQS1jz8zzOjYhMAIx08sZ0PjbcJSCDFzEIy34SnLEZgTXW2JxJ38anff -Qny7bRxN6kZ1uuDkGI22FNIUPq9z2Yi01oXCC8/sqOPScA4pb7D+P7BU3NQ0J7U2 -qNPdp/tGzKpQg7zz30kRuMX6whXQqFkVQ0m4W+gBueynibf4esUKPswDZYadxv06 -sQY7KOdutTSJmA76H08h08wEnw0HXlKF2gDsFrVblC619utoapSG2sukICdHoCes -i8uewgkV580RZgNB+/TFgtEUQhoDbofJXlaM+wQ5devD78Mglxs+tTBNk+sQOtH7 -8om7sT5eQM0dNvRi0kMdsp61CL9QGQaPSMtZcYx8OQdaKKh5emFMOzWnMQp6ZMIV -wonZJw070rD5jhqPZGEhlUlCMNZF9F5/VZZmJL34OYQxMDiRUx+i31iGJ9Akl/4K -k0e1phIujXXYmTcZ208D5z4umVdGZ4hs0unI8CS7yxh4hX6scuj+7w7oLWtHqJS0 -2Mec3Wb41yrdNpx8oboZAoIBAQDf3lZEdUhZKhAyBP1769TICpCskE+dPuX31AAA -YeRlKzCsF8EsiQzh6Z07RYlFmqAwquiOCpP6sGrGSw2HdV5+/g0CYEh2IcDi4Euj -36/gRHuUocD/yXeVEtEzBud6h2MLTQJCaJW1Gzmfo0c9Hbf3hcVi3yozqm0jnkxh -zhRNzc+nWcxexBWD4VEoz1AxlyLMdNZKmcoimMZID8IsV2n2yYdTNkvEUkhJHD19 -STTLwyFpZvtZ5+5c6Wpy3gj/H/lddgD0h4azTN0UmG4mTnbzR30pugkjF2u9vFfO -5cRz66Ho6z6mR1yfZwrQyDIIpyrjZdTF2PR7737S+HBX1/B/AoIBAQDZ6u/vAFQj -fS8Ppp1KCtfYjFJZ/n9UuUE2umHx0MxgK0Vj2iR+IhLGNrTGeCcO5TOIKnLP7bSa 
-C1XdN4Z+kt7pYFRzG1qE6hPaeDggPoFPBshEN7OyyTo65hDcfllz6uAGnaqsyJVG -JdvH2hDofkJUKu7MsVpfUKeI4azvg4V4X4r5b9dvBxFV3yTCHjeBJP/c3uuqumL2 -wQWTbkJW7XTQhRCcTYQELMjiXDPSbeVp2V1KQXmiI3JGEqi48vj3Z91JQYRgWwmD -F6ZCEKsQoqQr6o37ERz5f4lNjPHH5+fnOggGm6HJyhDLg2RIUes59QnCpE+9JmgZ -kpGvFmB5FL8tAoIBAA5yJXTzcIC4cyUXJ1hIxolGDUHlag3GkkZkur9LkdZpbBGe -0stR6K/nSEsb2JjSOoYJcUpBKn1hxvIWw7+69icRs7s0hViCIxVAzgC8HXhGUwcr -TO30jS/kb/Vv+53vgJepF307jHWMVTKU8bLi6Q0i57LSncGJvNMwktM43hyLLFwr -MkHnO1AwSPFuN0mL7CXvYCieNen3m8vooGoGFgNjy8S12zvG5304QkuEXtDLPau0 -hoGtsrbyJPlWlJQJ9yhtxfABktKdIiMDFxCHvatDMLNxmsdV6pDqx2vFbeDhEqia -DYfjUPnER3Fjib7/MohL+OfvcQ9STAfHGlDA0XcCggEAQTjW7SKdDC4oirekdge+ -yJpe/35zX8k+ooGwVO7YbKQm1Zbxuyq5kcfH3WsSzZt+C/AggukzV7Oy1E4NHA8b -VqA1RmpWcleY75dxvPzYOO3fvMMrLoSZwA0h2MycO1x+Bpzj+2jhfKhSGoPC8cLw -WT6sUGl4kfSS4B4jY2Bq7zcxYiy+PwXPg3MRDmR62lVXmyTBRk0Y15+36oNiqZ/S -iaJ58T4mGBXLXiyYeg/YTRD4ogPswsF3L0/gXdKi/3F/wrAwTaKRu0G1yiow+P6k -wlwmeJGLqYUpdCOOLfXT69nrkwa7qqim1DKULi0OiT8016PUFdnL6HN81PmOkE7M -VQKCAQAhXonYGX+Bdqx2sWr4ns4wJWzExz6G9JYxLrFdJnsij9pPdcBHGKfukG6e -2J6kXOA8QH6b1JEeZm56vuR587BN+2mE3GwwnpJroxNYLBM9rsiUswU6rH9A6oNu -ATQju3uVQpU/tCyqeYunNrCEPfB8TdC32BfKbbzDlMr8ZrQiT7gn1NheuyBP1CZ9 -WkpBcCfPY5IvSVXfmSgQuEX0QKzKDP4XfkstsGla1UuqUjeOcSDTZspmzBwC7Dcp -jk9Pggw6A1aD4dUUG7FR40j0s5uM0WfjIsm2CilBCE5C8dM9MK8HxkFmBXxfsvfM -vL/XuAVFPrjpkrTnYFD+5prQtM5x +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCy5QoiHpIHiR+f +ayJljYLnWIHP2/rDj1M+UzcUJRXmqN9DV2IlVspVVO/cwRjqpTnYBf9+LEGnPIcM +Jsixwj41qXEq2O/E4xqTJYyHEUsEero6qZnciO9eWHraEvKo7g4gZuM28EJz6pgl +iCd019FGYDLC3tautsMWZMxSO8Cvw+5o3JejGE9WihwmE7MWT49qxD99DzS21sZw +YEsrqDcyW7HRCy71/0E2WR773C/WhxOKOdbZ3a9wuyLAlM05U/8T5uWXNnM2okmi +i215B/YQEELvXvMulicgE58yx9K+Qd9TjLfYr5UP3DOPLS+H1L7n0GARNFMdyZTU +X9C58HBHadc3Pb9T0iJYmKPDoArNtjG5BpY3JmUHBRnJJG5bk9LP9J8ikYkt52ZN +sGHt2cfgyP/bhqiEJeUPRUryTkUjduk4cDWr4FM/OZMe1Hi4Qf8XQ+dUl//DXXud +RcKM4MXINGy28s68kJur/G589Sk4/W3vsKu+G8npxXnWHSSaedaAj4czTLdUHfxd 
+15Ic+Z/0ZOQFQlFGq75SIvC1LSSGiIvO8kJrulyzgH+3dX5N7skAAwzQ/qQp+iOr +diO+hZ8tyLmsAvoDdb+wKOkGSInsYLkJCVjDebnowiS73flojwEW64Akz+5c1aA6 +eUDVjfQkts1dR/+FrPwTKZr9/CfLhQIDAQABAoICACiCJKFFOtvp+PcoU0mbmaC5 +MevXbBkMQ1VBkp9FJohshOHCz76UwIxCB259ax72+vonoYr4ioVL92iQ/7EAwwVz +sOR66xAyPLpFLmUHTW1ePP07mlONzmYWsvref4QxI5HCuoCeNu34mSsmgYi7te+x +qMznmMVHLTXM7VdRoHgsbbfg+5U60/xMmcMlgs/yhA8xEQ9Iei9MwvJ/W4YvORB2 +IvWrCp85hZLA63ssiMiTHaGXJ0d+I1PrjBr/ltj8ZC4lgqeS9NPSO8pKuCdH3jgU +9pMtdPN/nKxuxQXCqb3bPK62lorCd4Z33lT1bmXbjr7/OEGtD4UXOFQ+vgzcnQ+t +xHoy80ld9U8xy0U3+ePunALCdF+bpCcItC1vua7zNR/26CMHdhOUSSFqawsgXLWn +pI61yWg7NXzrDfXmi9koyO617lxF19/dB7l0948TBjYH6+E6eRvGcE19WR4a+PyS +qiEZsAO1NAc3/20FuIMApENyMk21GiImVTl8ZtFHJD5+QR41uPo+fHRIp4kKGZer +X4fSOaHxRRA2dD6wyAZkRRZtdTwrwNvJI5o7MGbL4yZOnwA1F8dKca8rNYCqxWup +YOmPAnhIXe9EKMcqmPppRtrqP9gMZXfHPZ77BqdEVgwRyzvqs8aFlnECzvf/Tv8x +Fe53dsO6MBuqEuCfrC0BAoIBAQDXNH4/FWXwpri1yoXcsRea6M5IcNouEvFLOzzv +CuNwnP3iw4zIPNrUlxB26q9+X4eoMsbLwWjR0O9/NuUw1VcT+tFd6HH3buw1jcqe +shO67vJC43w6Q+uPcsxLlwq1XrjcajZH6L/g1prONK/3+VTL31VPN74eoBO27HSG +2iJnziUIciJtzMo5i9M9fhyk2TCZu1VGbkpWWoHCzr9naSUwThDd/EimWzGT+KqD +d5xyPRdm5IrhkH9saT/eutckbi5pNUc8IF5yDg2Ct0AiTSdaF6I7XrmKRq+BR46V +gbYClj6e7FPCDa8zEBauKJUZmbAV24+swFi69qY3GYT3KEvpAoIBAQDUzniOXur2 +EYwqtPZ/DZpb31G4pAQ7duLbNhM/nbr8XET1bUkP8BWezcLAolf3oe48o9iE8M0j +Q5iE497xhVUR4tGhmg6kO06nJnnxTsjHSEtm1H1Pne0QwjpQ3IKDU+KRKpjkA21Y +1LkzoaHXsTCg8KeEi5m8t7f2sClkDTwSw/KZuD/QBo3nXDTzTT6LGurmxhizIft0 +mKT7LH9qQax7yVt/2uD03i+jZS5dEqpfzs2rG7xQRu25UjLJbNbQdOxZXbOURU0O +Wd7IjpgipZE8J5vHlLQF2Y03qZfzOJblVtO/aO+6HRp/bI8AgM+724Q4zNNPQOoi +ZRmxQR2dr+09AoIBAQCoL3wirQR4KLPeTyKCsVwzUpI0hw3cSC2PkAI1Bxts3SSF +3jHeI8EZt93EMfFpIBuS1ewLPWI/57vkffBsU660DKcnbwvyRhwQVnntwFovE6L9 +p29k0cP83cjPooFZ8Wcjy1YUqM+cVduyH/cOIyukESxIttW8dXoy0WTYJw4Qdkj2 +6swBZ7T7eE1kl3SnWJ3k50TjwDoUdrNGnfF0TfYkZD5GXm4gpNCARixshkQb+6aY +YTAwzI7pGPAzj22oKPvYeSzszpdBJ75jU/epVwbUH/hH0eXLLSboMBY8vZyTNPxH +k4Z599veWkp/XXP5B+VXj7ofVkuCAlUwZp9F0ZZRAoIBAAt91s7BW2jMS8hmm0UD 
+JAnABna1DLF1WwzBX8q4psdH6EVkkGR274Py0oh6e8uYh/foVSHgqwMzfEH42Cos +rApaOD3ExvOhbD7kegNI4Ni6E7BK2zV4brvP8Tw6nCWhWwPBzB3L/ZSlcBbUrJus +KtcWB8XFkBi7xwhgPOv1NwBAapJYe8GtCO6scQOOcUkru/GYUu8hb6W9NHOH1J2V +TE4m8nT2Cd3PPb1SEm3eOysPTNXnmoSvP9kZEjsEUJlTJwwwXikskNusiLZF1PtR ++4THEsd1RT9nnxOZaeYtcSCTTr3wWbmwJqUo5JP/YLhhQ0OZ8/M8qygOU5PZ01KX +lHUCggEAdYyTPNwQiOME/5sok87MLWhO3YKw1FkveRp/3a7TN/T125w9QBzhwKab +H0qwHomCCMXzo/jUg7MBKAiE6UFAq+n2hpOlHKtz7Vq+DsfianLTFoHT0AMA4xWV +S0OJ3c86aAgsv+mHLiIvKLR7mJIyYCVq5nUMHf8ejlTpqp2aJdhX8tQVlhjOhoWL +7KmHZrhuRmx/5jOlyVn5zq+pTnn9LoKaZjV3UOWwxGKy8DKOErmcpgaVqoELlwm0 +s9Kt7NDByXGwTUV4G5IR4BkHBslo3Ctf5Dvza1MZ1zKoSi5jPrVSHX11FOuiKzxz +qFytDTpc5XW9aeMwkOfk0ojvHGKjng== -----END PRIVATE KEY----- diff --git a/cert/oidc_provider.pem b/cert/oidc_provider.pem index f9850c6..fff4dfa 100644 --- a/cert/oidc_provider.pem +++ b/cert/oidc_provider.pem 
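Review bot: This hunk replaces cert/oidc_provider.key with a freshly generated key, but the key from the previous commit remains recoverable from git history, so the rotation does not reduce exposure of the earlier one. Only removing the file from the tree (`git rm --cached cert/oidc_provider.key` plus a `.gitignore` entry) and generating it locally does; the replacement is still an unencrypted `-nodes` key.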
@@ -1,30 +1,31 @@ -----BEGIN CERTIFICATE----- -MIIFOzCCAyMCFFaPCvUziWw+8kv2dAXpy2fsF06YMA0GCSqGSIb3DQEBCwUAMFox -CzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2Zp -ZWxkMQwwCgYDVQQKDANEaXMxFjAUBgNVBAMMDW9pZGNfcHJvdmlkZXIwHhcNMjQx -MDE4MjEzMDMxWhcNMjUxMDE4MjEzMDMxWjBaMQswCQYDVQQGEwJVUzEPMA0GA1UE -CAwGRGVuaWFsMRQwEgYDVQQHDAtTcHJpbmdmaWVsZDEMMAoGA1UECgwDRGlzMRYw -FAYDVQQDDA1vaWRjX3Byb3ZpZGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC -CgKCAgEAvpDqLHVjjxte8DAcAQFKdVnd7VUKOSlEbS+Ixfpfhnl5w+4+0FLOXmxv -UqHGmhmB+sWA9JHMPQy0NNCjKBD/HoN89BMwlynHz6Ja8mgAmscUUbgbhOLy34eM -P+MqmeR8Ilf+HWjmm2xEeW/CqWslZo3kwwgN4z82F2Fl35nP3xgtRhiHV50HlOa7 -X1kwSWeKSF57go4hOfmftX47c2IWYZRbNtUiai9SRv+MxLAF8JkfENVgAEN1QMMn -4uRtfx5AH8dqcuunYRW/PKuj8qZ56dPCG6TlsrqqE2/Qpp02Ki5YHF6vIR8JkGv+ -ypU2jf25bwn4oPbXO+GEYBRENj2x4tewApMnZkJJ47oCRxUKd7NTdHCdiCqOiSMp -cNxXebazxPsyj1kB8bbuL2NV7UnB96Sx7mdrR7aCup0ZeCUDbmBqapnv55Vyfiw5 -OP2lkP9xU4pPSOL/l5R3oAGtNi+K/OShNpyxN/CfX7q3Eph9SHG6+Vv74yQx5Ty0 -cUgP7sllvt9l6zO5pdfBJDEN8H7gMhuuT/qLf7I8a/gj18BfG4MAcSxoBk0eagi9 -hIrxqZzcHtzkbwkXSl+N/If1qZyu262EW+czOff57ARRfa9c8BAAYsXu2F8FhJv9 -FJZOB/evSQAz2p9RhchnzwkgiFPEiynK6c5RWNWSCjOEdF5QB1MCAwEAATANBgkq -hkiG9w0BAQsFAAOCAgEAE2UpjTnG1l21v9MW7Y9N4uGnPz2duwox+HsW+7AQxykA -UNIGijrsN6GNBg0/kNY+MG8TK4or80bAadcl7IUygJzxbX5XJnCrSqTPvPQC+REi -l6FRRYABHptfPwJncMgshrjds+uzmWqzVnlVjkWzG8jDKRMBid/VFFA/06zQ2W1Y -vFoTR9m8Urg+9tVYTnhu1IYCSGdRY8Q1nNxl03cJbkB5C72ijlKUNuMWPaDnFLI1 -7IXv6GPcjzmEBA13n8xBed3lXMWPzg2qEWIo/9srX3oweFA/IzY3yoXjM4cG363K -cxyrARNGo2uXLwvZUekMKMLipvjf7loBTO4Nd0YdA3reJY9lTT1zqtRUP+a+QC04 -8eDHpDIH3TIWPAfxHibygVos+Sbm9GO9JwWedJygPo/96vIDRb8t6qzLK6Zl3wLL -krQAHJ4ULMX2onw5u0SH3pMnbX7qgDqLbodIsSi8LNGE8id8GYT12CxhxSWu6Y4s -G4MAt0ep7vowkBwNOfCz4ImO1RWSGr+b5ujFU8JHaFai8cx4AYIvHWFZExWUOpwG -zAhsRXvZ8rQByVr37exhJhp+Mf5LBAg+5/611e/8IajZEaxqFBmpbdU153wv/7rd -FY3PO5VSbK/H5mGZ/yivuOuOppf2en19VA5j4nWy2W7+cYqOiViPymXEDXQcJBM= +MIIFXjCCA0agAwIBAgIUYyi2atzrE6o4ysyH+IXrV6hee4wwDQYJKoZIhvcNAQEL 
+BQAwWjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIGA1UEBwwLU3By +aW5nZmllbGQxDDAKBgNVBAoMA0RpczEWMBQGA1UEAwwNb2lkY19wcm92aWRlcjAe +Fw0yNDEwMTkwMDMzMzJaFw0yNTEwMTkwMDMzMzJaMFoxCzAJBgNVBAYTAlVTMQ8w +DQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQwwCgYDVQQKDANE +aXMxFjAUBgNVBAMMDW9pZGNfcHJvdmlkZXIwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQCy5QoiHpIHiR+fayJljYLnWIHP2/rDj1M+UzcUJRXmqN9DV2Il +VspVVO/cwRjqpTnYBf9+LEGnPIcMJsixwj41qXEq2O/E4xqTJYyHEUsEero6qZnc +iO9eWHraEvKo7g4gZuM28EJz6pgliCd019FGYDLC3tautsMWZMxSO8Cvw+5o3Jej +GE9WihwmE7MWT49qxD99DzS21sZwYEsrqDcyW7HRCy71/0E2WR773C/WhxOKOdbZ +3a9wuyLAlM05U/8T5uWXNnM2okmii215B/YQEELvXvMulicgE58yx9K+Qd9TjLfY +r5UP3DOPLS+H1L7n0GARNFMdyZTUX9C58HBHadc3Pb9T0iJYmKPDoArNtjG5BpY3 +JmUHBRnJJG5bk9LP9J8ikYkt52ZNsGHt2cfgyP/bhqiEJeUPRUryTkUjduk4cDWr +4FM/OZMe1Hi4Qf8XQ+dUl//DXXudRcKM4MXINGy28s68kJur/G589Sk4/W3vsKu+ +G8npxXnWHSSaedaAj4czTLdUHfxd15Ic+Z/0ZOQFQlFGq75SIvC1LSSGiIvO8kJr +ulyzgH+3dX5N7skAAwzQ/qQp+iOrdiO+hZ8tyLmsAvoDdb+wKOkGSInsYLkJCVjD +ebnowiS73flojwEW64Akz+5c1aA6eUDVjfQkts1dR/+FrPwTKZr9/CfLhQIDAQAB +oxwwGjAYBgNVHREEETAPgg1vaWRjX3Byb3ZpZGVyMA0GCSqGSIb3DQEBCwUAA4IC +AQAa3MuerXgJghBZbNbGaFqunKo/E81ClACFOQks699rXbQPQzxFxr64OMaJ5KfK +19JpFIsHyLFZQq8fNYpKNnr5ifIzv+A/fGXJQc6WWtNrq44sDDaJNKM8+9DBtfmR +mOpmMLJ1dfaZZt9yKS19/ixgiNSTLP/PnM4/XZEdm0osmpkz2wjWEkXIv1CZ+XgN +ySpYv1JaTxkVXulzR1IiZIyYZTCgFWld/KEa9j21+1BLbS/9euo5a3XRu6s7P2aV +Fu/BQ1uWdEtYfMvQzxDbhkCTk+5I0VuT5pL1Nfcu+CiVdREWBFjY06oC9dXeMUTd +8cEoTDDAokgZA5DTBibvufogzJTASpAjvrLMD2rpq2yO3/4bK0nPe+FyNBKNyvsP +rM88ZUlzbcqkZSHbMWdxw+1dmDFR3pZjRXJU+1bnxQMwXGAt5ozCLcomC+9PA0tK +0HqRWQ2zxgnWPnrZA6vxqTrQFBM9/8p5bJbZj016ShpJvhrfPz5aMla1zeOSJcc5 +VoGtDxQKUkSexZwJh0QS4G1G/owQ+zn1UyLaCCvChWibXoWGF1tKIVymeam/Wpvu +65uMq4M0QhQnC9mkwNjDG+Kb1mS30uMFOq+q81HcEttbAuRpqEidpMm/tjy7nBCe +kcZexsSkGy128yeDU3D4Rai3AMsultw1wGMGWKLQ3laFvQ== -----END CERTIFICATE----- diff --git a/config/application.rb b/config/application.rb index e39537e..2e427b9 100644 --- a/config/application.rb 
+++ b/config/application.rb @@ -44,6 +44,7 @@ class Application < Rails::Application Clients::Vault.configure_as_oidc_client(config.astral.oidc_issuer, config.astral.oidc_client_id, config.astral.oidc_client_secret) + Clients::Vault.rotate_token end diff --git a/config/astral.yml b/config/astral.yml index 3f5264c..f6ebd43 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -39,7 +39,7 @@ shared: oidc_provider_ssl_cert: cert/oidc_provider.pem # oidc provider client cert if required (path to file) oidc_provider_ssl_client_cert: - oidc_provider_ssl_client_key: + oidc_provider_ssl_client_key: initial_user_name: test diff --git a/lib/tasks/configure.rake b/lib/tasks/configure.rake index fdc8ba2..5cf5a3d 100644 --- a/lib/tasks/configure.rake +++ b/lib/tasks/configure.rake @@ -7,12 +7,15 @@ namespace :configure do cert_name = args[:cert_name] cert_name = "vault" if cert_name.nil? %x( - openssl req -new -newkey rsa:4096 -nodes \ + echo "subjectAltName=DNS:#{cert_name}" > /tmp/x + openssl req -new -newkey rsa:4096 -nodes \ -keyout cert/#{cert_name}.key -out cert/#{cert_name}.csr \ - -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{cert_name}" + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{cert_name}" \ + -addext "subjectAltName = DNS:#{cert_name}" \ + openssl x509 -req -days 365 -in cert/#{cert_name}.csr \ -signkey cert/#{cert_name}.key \ - -out cert/#{cert_name}.pem + -out cert/#{cert_name}.pem -extfile /tmp/x ) puts "SSL key for #{cert_name} created" end From 7ae52ba158b44e6b0adc1b173cf8222c0d0d0e35 Mon Sep 17 00:00:00 2001 
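Review bot: In the `configure:ssl` hunk the extension file is written to the fixed, world-writable path `/tmp/x` and read back by `openssl x509 -extfile /tmp/x`, so another local user who pre-creates or symlinks `/tmp/x` can inject arbitrary extensions (for example `basicConstraints=CA:TRUE` or extra SANs) into the generated certificate, and the file is never cleaned up. A per-run temp file removes the race and the leftover; this needs `require "tempfile"` next to `require "rake"`. The trailing `\` after the `-addext` argument continues onto an empty line and can simply be dropped.
```ruby
  task :ssl, [:cert_name] do |t, args|
    # … unchanged: cert_name defaulting …
    Tempfile.create("san-#{cert_name}") do |ext|
      ext.write("subjectAltName=DNS:#{cert_name}\n")
      ext.flush
      %x(
        openssl req -new -newkey rsa:4096 -nodes \
          -keyout cert/#{cert_name}.key -out cert/#{cert_name}.csr \
          -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{cert_name}" \
          -addext "subjectAltName = DNS:#{cert_name}"
        openssl x509 -req -days 365 -in cert/#{cert_name}.csr \
          -signkey cert/#{cert_name}.key \
          -out cert/#{cert_name}.pem -extfile #{ext.path}
      )
    end
    # … unchanged: puts …
  end
```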
From: George Jahad Date: Mon, 21 Oct 2024 11:40:38 -0700 Subject: [PATCH 59/65] fix for oidc_provider/ssl --- app/lib/clients/vault/oidc.rb | 2 +- app/lib/utils/oidc_provider.rb | 4 + cert/oidc_provider.csr | 48 ++++++------ cert/oidc_provider.key | 100 ++++++++++++------------- cert/oidc_provider.pem | 48 ++++++------ config/application.rb | 3 +- config/astral.yml | 9 ++- lib/tasks/configure.rake | 7 +- test/lib/clients/oidc_provider_test.rb | 10 ++- 9 files changed, 123 insertions(+), 108 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 5b4c026..980cbc1 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb @@ -25,7 +25,7 @@ def create_client_config(issuer, client_id, client_secret) client.logical.write("/sys/auth/oidc", type: "oidc") client.logical.write("auth/oidc/config", oidc_discovery_url: issuer, - oidc_discovery_ca_pem: File.read("/workspaces/astral/cert/oidc_provider.pem"), + oidc_discovery_ca_pem: File.read(Config[:oidc_provider_ssl_cert]), oidc_client_id: client_id, oidc_client_secret: client_secret, default_role: "default") diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index f6bc787..fa753de 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -28,6 +28,10 @@ def get_info vault_client.logical.read("identity/oidc/provider/astral") end + def get_issuer + Config[:oidc_provider_addr] + Config[:oidc_issuer] + end + private WEBAPP_NAME = "identity/oidc/client/astral" diff --git a/cert/oidc_provider.csr b/cert/oidc_provider.csr index 5e9b274..4386d8c 100644 --- a/cert/oidc_provider.csr +++ b/cert/oidc_provider.csr 
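Review bot: `File.read(Config[:oidc_provider_ssl_cert])` on the `oidc_discovery_ca_pem:` line runs unconditionally, but config/astral.yml in this series documents that setting as optional (only needed for a self-signed provider), so a nil or empty value raises TypeError or ENOENT inside `create_client_config`, which config/application.rb appears to call at boot. Build the hash first and add the key only when a path is set: `ca_path = Config[:oidc_provider_ssl_cert]`, then `cfg[:oidc_discovery_ca_pem] = File.read(Rails.root.join(ca_path)) if ca_path.present?`, before the `client.logical.write("auth/oidc/config", **cfg)` call. Resolving against `Rails.root` also fixes the relative `cert/oidc_provider.pem` path, which otherwise depends on the process working directory. `create_client_config` continues past the hunk.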
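Review bot: `get_issuer` composes the issuer with plain string concatenation `Config[:oidc_provider_addr] + Config[:oidc_issuer]`, which raises NoMethodError on nil when either key is unset and, if `oidc_issuer` still holds the full URL seen in config/astral.yml two commits earlier, yields a doubled scheme and host; the astral.yml change in this commit is outside my view, so I cannot confirm it was made a path. `URI.join(Config[:oidc_provider_addr], Config[:oidc_issuer]).to_s` makes the composition explicit and behaves correctly whether `oidc_issuer` is a path or an absolute URL. A one-line doc comment would also help: `# Full issuer URL the OIDC client validates tokens against: provider base address plus the issuer path from config.`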
@@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE REQUEST----- MIIEyjCCArICAQAwWjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIG A1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEWMBQGA1UEAwwNb2lkY19w -cm92aWRlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALLlCiIekgeJ -H59rImWNgudYgc/b+sOPUz5TNxQlFeao30NXYiVWylVU79zBGOqlOdgF/34sQac8 -hwwmyLHCPjWpcSrY78TjGpMljIcRSwR6ujqpmdyI715YetoS8qjuDiBm4zbwQnPq -mCWIJ3TX0UZgMsLe1q62wxZkzFI7wK/D7mjcl6MYT1aKHCYTsxZPj2rEP30PNLbW -xnBgSyuoNzJbsdELLvX/QTZZHvvcL9aHE4o51tndr3C7IsCUzTlT/xPm5Zc2czai -SaKLbXkH9hAQQu9e8y6WJyATnzLH0r5B31OMt9ivlQ/cM48tL4fUvufQYBE0Ux3J -lNRf0LnwcEdp1zc9v1PSIliYo8OgCs22MbkGljcmZQcFGckkbluT0s/0nyKRiS3n -Zk2wYe3Zx+DI/9uGqIQl5Q9FSvJORSN26ThwNavgUz85kx7UeLhB/xdD51SX/8Nd -e51Fwozgxcg0bLbyzryQm6v8bnz1KTj9be+wq74byenFedYdJJp51oCPhzNMt1Qd -/F3Xkhz5n/Rk5AVCUUarvlIi8LUtJIaIi87yQmu6XLOAf7d1fk3uyQADDND+pCn6 -I6t2I76Fny3IuawC+gN1v7Ao6QZIiexguQkJWMN5uejCJLvd+WiPARbrgCTP7lzV -oDp5QNWN9CS2zV1H/4Ws/BMpmv38J8uFAgMBAAGgKzApBgkqhkiG9w0BCQ4xHDAa -MBgGA1UdEQQRMA+CDW9pZGNfcHJvdmlkZXIwDQYJKoZIhvcNAQELBQADggIBABk6 -xvXozPpJX3BwzGkLjRgzkKQqMjCVoVSYJ5DBomNX4cSpdnbSdF3mkY6hyB8ldI/B -0XFwetlvIMndOpUPV/CwNYOlKiTcFbGtww3EFHcTW8Eqty+eCAUjUwK+3u9EayyA -m6W/ekkceBXTf5bLBNtO14WRY098Bm1P4qgOEtYiSL0ovlhuZmYxvoqbzc5i45E3 -n58O7nubACyKLse0Cwgdw2oW83rvBoTdzcSmxw8qT6QvCEftIeC0VeWRcT1l/NfE -1o4yTItsyJd3pgL6fp1+ly1uth2pD34sWB0lQVWMUgZDmJPF8dJmo+eHoamD4RE7 -Z/ssizSObnW5TXvHskXeS6bqU/XmY1rZ7gn68jzdlGEU4RgGChubUR+K0DNyYrKQ -1ZTIRibLgIAouY/m+dc4QQCUoq3XEpl/cUEbf/sG/Bn3FSfWCxNnNJ3tzchxb72f -54uNZXff2pM3y0/VbMQa5RXqYR83nlWNjQyYz6dgml5aV5KODjS/qqwh90AGad9x -zSnF+D25MOlPSxgUBeKPVuchasLAlUrR+YYouLRc+cpwyWDHapY3o9rk/Y2MRCdn -nWRA1KauztxrsH4PZKTV7LmTFhMFSMgCmWg6/fLQ0oum/SK2mPlA4gMTCNEEMiiJ -9Z/UqBM+C0p0EG7NID67mYtbvsEL7KLJr3Jy1sAP +cm92aWRlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL9vn3CPEeeX +hw+Ti+MF5jFTjVYjNXD05lPx8p2CapGBTU1qQTQBgtHzz6X/DfBZ6g+m/uDqtFIj +W4VrJ0SAT8Mn7ift4lPZB7cJJDiJ1rXYgkeISk1v9xchcpnPChS8WpsK37MS8sZX 
+1asuCQFWkRxCOIOcIHTGjYZ/CAupFUIR24AoA/ubtpegB/oiaVS8aRg+jq5o2t2g +X9/x25ZM+TXm9+Ofg43y7oc431qbLzih83EmG2Fxgku+4Swb2s6vHUCCggqn8Rz6 +b5sGl3SUxxXlw4+Eh2lXiOkI38VAXE9z4OpD08p+iaWGqyFRmw3798yAMCO9WUer +ty+PxFZ1G68GAeNmREE+xE1/fMvVQw+uQxQKJqUCfEHCujAQUWHzG/TDEytkzR4H +zPyOnDXLHX1GNBdRvp+hVCxdmXR4K7NMNNWuOs3g6s30BWA27Wic67AwDibLfUqu +Cq/2ifv2iim/lVhBF7gpaKsJxfsqAHggerEPVpIGQS3E7lTbVh+y5lQAGpzT517+ +JXCxh4qVyw7SWd/U0qvp0GogdcJDU4JUSMKSuAK/uvpLr+MxNxHWZZ1q4uxJvslj +7LAttKQi7V9ctk0jzgSyQNoY9xBPkQFvmO+7XNkJg11bWIxW94W37CNeyglFpbh0 +c2S7tQfVI14r/aQwewfBt16uDxPq/gNzAgMBAAGgKzApBgkqhkiG9w0BCQ4xHDAa +MBgGA1UdEQQRMA+CDW9pZGNfcHJvdmlkZXIwDQYJKoZIhvcNAQELBQADggIBAAH7 +kCGnejVLi30rOHlU/QjyaHBJYQsBf1vrhqrM7xNB+u7uXaZ6A13L6dVrgvosKNOs +PYeABtmD9viIwfQoXhqiaUIsx/1hnReOJVlBaLyG9cOJB1tsZ7udWCVEbfg7GmoW +RDX7+P/sb1MV2raXbp3EWT/uU6Ro8VIxyMyivRlk7ghEEJHsGyH8RvNZi00eZkw4 +n10smbMQKlDxDXAsrGp2ez9KXso84xvx3NqZXc/uO5SQcIfT4haWSsNBVavtYXd1 +0eQ6KoJ8ptImgPFmPo0c1m4Hg5hdlY5FTGE8vp4Zj1J2sbfxqA0vsqPQ6mNOLsRh +AOtED9rDeh/prTMp3agbkF/Janwt5O69JgbH4iJMLc6PwYs3/MOlcceIlmHMt7dI +MFtbTN0PyBQfVN3D417/UCFcY8LoIQLfyquKay5tQSByxdqK9g+0bfeMXjDHIo8u +xNlTrxQwzgzoNqNMYk4vGEELvwRLPBxcXF1jaQoXGZiH6pVXg5jqqDNSOiqQr/WV +Ox466J47DxGJBfbRMQqfQoaLTYWTVyhZSSYrTi1nwvXd2VaC7YIQVRwy6M4gEAG6 +W3DWkO9d1stGBL+PJlAgQ77vsAkKjINolcQYfigV+4Wt+4DTl5lUIW8hxM/C+DmN +uI9e5QlUbt850qrTOuNW8BOXbaPmBL4R0iDV9kzK -----END CERTIFICATE REQUEST----- diff --git a/cert/oidc_provider.key b/cert/oidc_provider.key index 7a72549..c35a8f5 100644 --- a/cert/oidc_provider.key +++ b/cert/oidc_provider.key 
@@ -1,52 +1,52 @@ -----BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCy5QoiHpIHiR+f -ayJljYLnWIHP2/rDj1M+UzcUJRXmqN9DV2IlVspVVO/cwRjqpTnYBf9+LEGnPIcM -Jsixwj41qXEq2O/E4xqTJYyHEUsEero6qZnciO9eWHraEvKo7g4gZuM28EJz6pgl -iCd019FGYDLC3tautsMWZMxSO8Cvw+5o3JejGE9WihwmE7MWT49qxD99DzS21sZw -YEsrqDcyW7HRCy71/0E2WR773C/WhxOKOdbZ3a9wuyLAlM05U/8T5uWXNnM2okmi -i215B/YQEELvXvMulicgE58yx9K+Qd9TjLfYr5UP3DOPLS+H1L7n0GARNFMdyZTU -X9C58HBHadc3Pb9T0iJYmKPDoArNtjG5BpY3JmUHBRnJJG5bk9LP9J8ikYkt52ZN -sGHt2cfgyP/bhqiEJeUPRUryTkUjduk4cDWr4FM/OZMe1Hi4Qf8XQ+dUl//DXXud -RcKM4MXINGy28s68kJur/G589Sk4/W3vsKu+G8npxXnWHSSaedaAj4czTLdUHfxd -15Ic+Z/0ZOQFQlFGq75SIvC1LSSGiIvO8kJrulyzgH+3dX5N7skAAwzQ/qQp+iOr -diO+hZ8tyLmsAvoDdb+wKOkGSInsYLkJCVjDebnowiS73flojwEW64Akz+5c1aA6 -eUDVjfQkts1dR/+FrPwTKZr9/CfLhQIDAQABAoICACiCJKFFOtvp+PcoU0mbmaC5 -MevXbBkMQ1VBkp9FJohshOHCz76UwIxCB259ax72+vonoYr4ioVL92iQ/7EAwwVz -sOR66xAyPLpFLmUHTW1ePP07mlONzmYWsvref4QxI5HCuoCeNu34mSsmgYi7te+x -qMznmMVHLTXM7VdRoHgsbbfg+5U60/xMmcMlgs/yhA8xEQ9Iei9MwvJ/W4YvORB2 -IvWrCp85hZLA63ssiMiTHaGXJ0d+I1PrjBr/ltj8ZC4lgqeS9NPSO8pKuCdH3jgU -9pMtdPN/nKxuxQXCqb3bPK62lorCd4Z33lT1bmXbjr7/OEGtD4UXOFQ+vgzcnQ+t -xHoy80ld9U8xy0U3+ePunALCdF+bpCcItC1vua7zNR/26CMHdhOUSSFqawsgXLWn -pI61yWg7NXzrDfXmi9koyO617lxF19/dB7l0948TBjYH6+E6eRvGcE19WR4a+PyS -qiEZsAO1NAc3/20FuIMApENyMk21GiImVTl8ZtFHJD5+QR41uPo+fHRIp4kKGZer -X4fSOaHxRRA2dD6wyAZkRRZtdTwrwNvJI5o7MGbL4yZOnwA1F8dKca8rNYCqxWup -YOmPAnhIXe9EKMcqmPppRtrqP9gMZXfHPZ77BqdEVgwRyzvqs8aFlnECzvf/Tv8x -Fe53dsO6MBuqEuCfrC0BAoIBAQDXNH4/FWXwpri1yoXcsRea6M5IcNouEvFLOzzv -CuNwnP3iw4zIPNrUlxB26q9+X4eoMsbLwWjR0O9/NuUw1VcT+tFd6HH3buw1jcqe -shO67vJC43w6Q+uPcsxLlwq1XrjcajZH6L/g1prONK/3+VTL31VPN74eoBO27HSG -2iJnziUIciJtzMo5i9M9fhyk2TCZu1VGbkpWWoHCzr9naSUwThDd/EimWzGT+KqD -d5xyPRdm5IrhkH9saT/eutckbi5pNUc8IF5yDg2Ct0AiTSdaF6I7XrmKRq+BR46V -gbYClj6e7FPCDa8zEBauKJUZmbAV24+swFi69qY3GYT3KEvpAoIBAQDUzniOXur2 -EYwqtPZ/DZpb31G4pAQ7duLbNhM/nbr8XET1bUkP8BWezcLAolf3oe48o9iE8M0j 
-Q5iE497xhVUR4tGhmg6kO06nJnnxTsjHSEtm1H1Pne0QwjpQ3IKDU+KRKpjkA21Y -1LkzoaHXsTCg8KeEi5m8t7f2sClkDTwSw/KZuD/QBo3nXDTzTT6LGurmxhizIft0 -mKT7LH9qQax7yVt/2uD03i+jZS5dEqpfzs2rG7xQRu25UjLJbNbQdOxZXbOURU0O -Wd7IjpgipZE8J5vHlLQF2Y03qZfzOJblVtO/aO+6HRp/bI8AgM+724Q4zNNPQOoi -ZRmxQR2dr+09AoIBAQCoL3wirQR4KLPeTyKCsVwzUpI0hw3cSC2PkAI1Bxts3SSF -3jHeI8EZt93EMfFpIBuS1ewLPWI/57vkffBsU660DKcnbwvyRhwQVnntwFovE6L9 -p29k0cP83cjPooFZ8Wcjy1YUqM+cVduyH/cOIyukESxIttW8dXoy0WTYJw4Qdkj2 -6swBZ7T7eE1kl3SnWJ3k50TjwDoUdrNGnfF0TfYkZD5GXm4gpNCARixshkQb+6aY -YTAwzI7pGPAzj22oKPvYeSzszpdBJ75jU/epVwbUH/hH0eXLLSboMBY8vZyTNPxH -k4Z599veWkp/XXP5B+VXj7ofVkuCAlUwZp9F0ZZRAoIBAAt91s7BW2jMS8hmm0UD -JAnABna1DLF1WwzBX8q4psdH6EVkkGR274Py0oh6e8uYh/foVSHgqwMzfEH42Cos -rApaOD3ExvOhbD7kegNI4Ni6E7BK2zV4brvP8Tw6nCWhWwPBzB3L/ZSlcBbUrJus -KtcWB8XFkBi7xwhgPOv1NwBAapJYe8GtCO6scQOOcUkru/GYUu8hb6W9NHOH1J2V -TE4m8nT2Cd3PPb1SEm3eOysPTNXnmoSvP9kZEjsEUJlTJwwwXikskNusiLZF1PtR -+4THEsd1RT9nnxOZaeYtcSCTTr3wWbmwJqUo5JP/YLhhQ0OZ8/M8qygOU5PZ01KX -lHUCggEAdYyTPNwQiOME/5sok87MLWhO3YKw1FkveRp/3a7TN/T125w9QBzhwKab -H0qwHomCCMXzo/jUg7MBKAiE6UFAq+n2hpOlHKtz7Vq+DsfianLTFoHT0AMA4xWV -S0OJ3c86aAgsv+mHLiIvKLR7mJIyYCVq5nUMHf8ejlTpqp2aJdhX8tQVlhjOhoWL -7KmHZrhuRmx/5jOlyVn5zq+pTnn9LoKaZjV3UOWwxGKy8DKOErmcpgaVqoELlwm0 -s9Kt7NDByXGwTUV4G5IR4BkHBslo3Ctf5Dvza1MZ1zKoSi5jPrVSHX11FOuiKzxz -qFytDTpc5XW9aeMwkOfk0ojvHGKjng== +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC/b59wjxHnl4cP +k4vjBeYxU41WIzVw9OZT8fKdgmqRgU1NakE0AYLR88+l/w3wWeoPpv7g6rRSI1uF +aydEgE/DJ+4n7eJT2Qe3CSQ4ida12IJHiEpNb/cXIXKZzwoUvFqbCt+zEvLGV9Wr +LgkBVpEcQjiDnCB0xo2GfwgLqRVCEduAKAP7m7aXoAf6ImlUvGkYPo6uaNrdoF/f +8duWTPk15vfjn4ON8u6HON9amy84ofNxJhthcYJLvuEsG9rOrx1AgoIKp/Ec+m+b +Bpd0lMcV5cOPhIdpV4jpCN/FQFxPc+DqQ9PKfomlhqshUZsN+/fMgDAjvVlHq7cv +j8RWdRuvBgHjZkRBPsRNf3zL1UMPrkMUCialAnxBwrowEFFh8xv0wxMrZM0eB8z8 +jpw1yx19RjQXUb6foVQsXZl0eCuzTDTVrjrN4OrN9AVgNu1onOuwMA4my31Krgqv +9on79oopv5VYQRe4KWirCcX7KgB4IHqxD1aSBkEtxO5U21YfsuZUABqc0+de/iVw 
+sYeKlcsO0lnf1NKr6dBqIHXCQ1OCVEjCkrgCv7r6S6/jMTcR1mWdauLsSb7JY+yw +LbSkIu1fXLZNI84EskDaGPcQT5EBb5jvu1zZCYNdW1iMVveFt+wjXsoJRaW4dHNk +u7UH1SNeK/2kMHsHwbderg8T6v4DcwIDAQABAoICAA6iZ9vg9AtyR/7m1qDKSKio +rHtTQbia4Ci2rEdiOudYrSIn50gkfW2zZ8JW1yfyl7QOnhlvl81Xqp1ubZgM/wv6 +N3iR9OVYCAD0D/LKhsFsBbmWL6fv0UHRasNbUnf3Vi3YDPXRkwGaoVjusf2KMpmo +bk2RV+HVc+g+Oc06ZcehOdh4NqW7Z5/7ueBjVQ4HQTl7PskSdvjOU8X45UJ+K+b0 ++ypJfXMSiS2JKXnxtxBrQQL7WMiANue3dds7XeTC+kd+MpbB8+q1Mmb1gAqHfRit +cd+8z+U7rdmytfiMTQI954nBGaW3OqqOuvJXHLVa97yIaCWzSenytJRMN0Qsu6rp +v7LDjTiMMfX2yGVhzx4epEwCs1AydIU2Rz+ldN7J0GOdoiajpN6+CmJfrlIUML7C +pRhLBzv4n7nj10UQRgDQa0LhkCwiAYv6NuRs/Oj3z1VqvsnDTXRA58WgVhzpW79o +AS3Pe0HiBo1bnbG+iPFTLp9OqkkHXiHznOx09VvkzP/cRRxvHhNakF1kizjb0B9D +kGUehj7ooeRcUdfxW/+vGzksqcaUKNr0LXykRIswd0BrSxvav81BLWa5Q+iLfhsf +RVAitgVZV/MVwGKgNlqZWWq/jvjkCnaato0pwnz5L9TrS4ROkpExzce2ho8OlfsB +sTBK9SPARortucRBFq5RAoIBAQDenMrJJ+xTt5+3mlNdaIf+wA+fhT+aQWKKnkdU +jmFrGLKIR9oGGfomSl+/pocZ1/vUsUqQumGqxACZg/CodPdU9x/Dg6weV4ho8Boe +4wuepAgbgrrNkM7EY8g7PHvJ/f2BUGPerkQhlblnbKwpqGAjRK6nf9zJTGq0w6hX +wHnf4xNsjdM0wbz0jIhCkaIff39Kb9sMvR03yzJhYDJeV3i19WbObtaDTHUx/OhN +L0vjU1+L8xvp12tSE7NghfCSLNqCuE8BMdpe8YBxbShGHcNT1P3yuTMIA0EcfsyS +ZGt+wD0KW1XfZzYyJVvgdkmPPDwCueZ0p7UGXWC3et4reXANAoIBAQDcJc+VCbof +JK/JZjE6NELrlN4/ITJsYiHPVcF0TPQhc0tS7J6j6Ui6G3narTzsMj6JVHUQWDId +ngsV4iqeMlXZzgvsZhs13ki5OyfZogYXGRhJeLGvRe2JLZJkjU8lqrCzj1zLahlR +R8jzpI6oUY9zC5K+AqrvIDrZcoOKIm4EbgNL3HbU4DfS1bdvcKzubVUXT99u5l87 +VJKwj+B3IJH+Pa27wUqXaiu6iFKWTRbwZEJxGcH46H3Ncfq5ONQYIMF8Qa0x7m4C +6vjj9p+MuLG09K/RVxS78C+aQbA33nw+2nHE7XGUstG/i/1lF9P7c5IvLpZhg3jh +dJqDXnTCVOF/AoIBACmHUoVIP1w2y0LzNU4drBEoP0HhF8ZtIDb/5AqwLRhPmS63 +SMMOoY33Hfmg1V9K3Z4GHQT24DV9Lyd0Z7blayacm35b2AYpCjeZYyYT8Rz9OM35 +C2RB+XDFtJroY6eBDIPNPXRTSj6Bsf7LVSrIUHcD3xk8TzH2YYmrXoJQU+wiboM3 +ygjzg46TkO/qPzZlEJgQWer8dLDt5U4pJfxXkRtQ1ob4QmhoIQzcQ3HyutODwDVZ +ewGawFileDcvhXufhnwQahys8jH4F6ARXwwFjWTcPSvExPJfuQvZ08wTk8InlruR +4mk01fVw5rzvFDX2ZLOVfpqQlsLDNMHF2CCAHRkCggEBAJfUYAEK71lxROdi2oqo 
+5opxZoIllBAZ8fV70Gs0c57qVEXBuXuUdbsdHgJKPl0sHeM64229VfsFN+IE1J28 +W2dW6vRES3nwbzmI6ef4Dbk6bnylh+45DSTx0CgXKUHyIeIE+tuztfhPyPD4Sgce +ERAoKDFxx5AaK1wy1TOcoUHe2dklGLOiW/3Ftbhe/nWF5Ayq4o8qxP03S+AHqqie +RvIQedSm75nT+IqyYDsWub5bd1Nnj1bqiXD6rg+2eNiXJrpa1Wc9aJQMmFEok0tL +SgxiQSvgogUoFryNl0pA4HG82IAXvqDuXyh7FOz27RVb1LNDryVbti/P6oy1xVMN +lWMCggEAEvT0AhjlbXrE9EKrfg27qMgL/gkwjCeDjnAIZXVCur8C+MBUTN/eRDZY +uDZU4ZWkE0Y04RPTNMlpVcBkHpXp2pn5pf0OlSWdoBVlI68SeV5Cr3kLO2kT+zf4 +wULf7DStzl2DJAjaa4+ORX/duo//+I0jIRUk1SFvkNryexz518QMHrSnYhXetdZZ +SRtY9qwB16JOqi4Kyer1X2DyE0Qr+i7rDw7XCeJ/YRA/M8JCk4rUi82Vjd2Kv6cV +RXkLGL2k2nEiK88Xxg+bYOp2Dwy5r7vxcRrbr6G9FkcU9UbxKRoK8dkdmEsjvlp5 +cXlsC3wuADNQnvoMNW1ZvKkhEubiwQ== -----END PRIVATE KEY----- diff --git a/cert/oidc_provider.pem b/cert/oidc_provider.pem index fff4dfa..1ab4bb7 100644 --- a/cert/oidc_provider.pem +++ b/cert/oidc_provider.pem 
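Review bot: `cert/oidc_provider.key` is an RSA private key tracked in version control, and this hunk rotates it in place instead of taking it out of the repository; the matching `cert/oidc_provider.csr` and `cert/oidc_provider.pem` hunks in this patch are regenerated the same way. A key committed to a repository is effectively public even when it only backs a self-signed development certificate, and each rotation leaves the previous key in history. The `configure:ssl` rake task that this series also touches already mints the key pair, so generating it at dev-container setup and listing `cert/*.key` in `.gitignore` would keep the same workflow without committing key material. Whether the repository is public, and whether the old key was ever used outside the dev container, is not visible from this patch; if either holds, the replaced key should be treated as exposed.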
@@ -1,31 +1,31 @@ -----BEGIN CERTIFICATE----- -MIIFXjCCA0agAwIBAgIUYyi2atzrE6o4ysyH+IXrV6hee4wwDQYJKoZIhvcNAQEL +MIIFXjCCA0agAwIBAgIUdMon1qlq3LN/qjQdwTOXVPmUs0QwDQYJKoZIhvcNAQEL BQAwWjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIGA1UEBwwLU3By aW5nZmllbGQxDDAKBgNVBAoMA0RpczEWMBQGA1UEAwwNb2lkY19wcm92aWRlcjAe -Fw0yNDEwMTkwMDMzMzJaFw0yNTEwMTkwMDMzMzJaMFoxCzAJBgNVBAYTAlVTMQ8w +Fw0yNDEwMjExODE4MDBaFw0yNTEwMjExODE4MDBaMFoxCzAJBgNVBAYTAlVTMQ8w DQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQwwCgYDVQQKDANE aXMxFjAUBgNVBAMMDW9pZGNfcHJvdmlkZXIwggIiMA0GCSqGSIb3DQEBAQUAA4IC -DwAwggIKAoICAQCy5QoiHpIHiR+fayJljYLnWIHP2/rDj1M+UzcUJRXmqN9DV2Il -VspVVO/cwRjqpTnYBf9+LEGnPIcMJsixwj41qXEq2O/E4xqTJYyHEUsEero6qZnc -iO9eWHraEvKo7g4gZuM28EJz6pgliCd019FGYDLC3tautsMWZMxSO8Cvw+5o3Jej -GE9WihwmE7MWT49qxD99DzS21sZwYEsrqDcyW7HRCy71/0E2WR773C/WhxOKOdbZ -3a9wuyLAlM05U/8T5uWXNnM2okmii215B/YQEELvXvMulicgE58yx9K+Qd9TjLfY -r5UP3DOPLS+H1L7n0GARNFMdyZTUX9C58HBHadc3Pb9T0iJYmKPDoArNtjG5BpY3 -JmUHBRnJJG5bk9LP9J8ikYkt52ZNsGHt2cfgyP/bhqiEJeUPRUryTkUjduk4cDWr -4FM/OZMe1Hi4Qf8XQ+dUl//DXXudRcKM4MXINGy28s68kJur/G589Sk4/W3vsKu+ -G8npxXnWHSSaedaAj4czTLdUHfxd15Ic+Z/0ZOQFQlFGq75SIvC1LSSGiIvO8kJr -ulyzgH+3dX5N7skAAwzQ/qQp+iOrdiO+hZ8tyLmsAvoDdb+wKOkGSInsYLkJCVjD -ebnowiS73flojwEW64Akz+5c1aA6eUDVjfQkts1dR/+FrPwTKZr9/CfLhQIDAQAB +DwAwggIKAoICAQC/b59wjxHnl4cPk4vjBeYxU41WIzVw9OZT8fKdgmqRgU1NakE0 +AYLR88+l/w3wWeoPpv7g6rRSI1uFaydEgE/DJ+4n7eJT2Qe3CSQ4ida12IJHiEpN +b/cXIXKZzwoUvFqbCt+zEvLGV9WrLgkBVpEcQjiDnCB0xo2GfwgLqRVCEduAKAP7 +m7aXoAf6ImlUvGkYPo6uaNrdoF/f8duWTPk15vfjn4ON8u6HON9amy84ofNxJhth +cYJLvuEsG9rOrx1AgoIKp/Ec+m+bBpd0lMcV5cOPhIdpV4jpCN/FQFxPc+DqQ9PK +fomlhqshUZsN+/fMgDAjvVlHq7cvj8RWdRuvBgHjZkRBPsRNf3zL1UMPrkMUCial +AnxBwrowEFFh8xv0wxMrZM0eB8z8jpw1yx19RjQXUb6foVQsXZl0eCuzTDTVrjrN +4OrN9AVgNu1onOuwMA4my31Krgqv9on79oopv5VYQRe4KWirCcX7KgB4IHqxD1aS +BkEtxO5U21YfsuZUABqc0+de/iVwsYeKlcsO0lnf1NKr6dBqIHXCQ1OCVEjCkrgC +v7r6S6/jMTcR1mWdauLsSb7JY+ywLbSkIu1fXLZNI84EskDaGPcQT5EBb5jvu1zZ 
+CYNdW1iMVveFt+wjXsoJRaW4dHNku7UH1SNeK/2kMHsHwbderg8T6v4DcwIDAQAB oxwwGjAYBgNVHREEETAPgg1vaWRjX3Byb3ZpZGVyMA0GCSqGSIb3DQEBCwUAA4IC -AQAa3MuerXgJghBZbNbGaFqunKo/E81ClACFOQks699rXbQPQzxFxr64OMaJ5KfK -19JpFIsHyLFZQq8fNYpKNnr5ifIzv+A/fGXJQc6WWtNrq44sDDaJNKM8+9DBtfmR -mOpmMLJ1dfaZZt9yKS19/ixgiNSTLP/PnM4/XZEdm0osmpkz2wjWEkXIv1CZ+XgN -ySpYv1JaTxkVXulzR1IiZIyYZTCgFWld/KEa9j21+1BLbS/9euo5a3XRu6s7P2aV -Fu/BQ1uWdEtYfMvQzxDbhkCTk+5I0VuT5pL1Nfcu+CiVdREWBFjY06oC9dXeMUTd -8cEoTDDAokgZA5DTBibvufogzJTASpAjvrLMD2rpq2yO3/4bK0nPe+FyNBKNyvsP -rM88ZUlzbcqkZSHbMWdxw+1dmDFR3pZjRXJU+1bnxQMwXGAt5ozCLcomC+9PA0tK -0HqRWQ2zxgnWPnrZA6vxqTrQFBM9/8p5bJbZj016ShpJvhrfPz5aMla1zeOSJcc5 -VoGtDxQKUkSexZwJh0QS4G1G/owQ+zn1UyLaCCvChWibXoWGF1tKIVymeam/Wpvu -65uMq4M0QhQnC9mkwNjDG+Kb1mS30uMFOq+q81HcEttbAuRpqEidpMm/tjy7nBCe -kcZexsSkGy128yeDU3D4Rai3AMsultw1wGMGWKLQ3laFvQ== +AQCaQ4gL4hgiS8gLx4HOOonkPYwHY7VPK+6lElCiONEIfkgUacjn3TqV+iOiUY3l +JxBSEKFNiQc3Ci4XaS0hah2D0e49LlCRDJf2hMILmNF+D8dLF35Q6YLnppNnFOV0 +p77jUoPJTjmW7/beotwshR8TStVJLPm3Kq6vOcUicgcHtamBEwaAC0vzLsgTpWFE +/81ZCxfpomxHJ6akYTRd2um+e37XqVYokhMgl/9Tu5Pkw9/8+FSn/Jqt4dAz3Umh +vflygwPH1KvW3aexr4wb60Vw1qQyXaqu574GzdCjhQJgsNdhykCN4YdQvFnBxTB3 +kFk7k0sUWp1NUdZS9DWW0bbbjxnB3dhonqlrt/DnmB5FueE5Ugfad7f7jyZqZgCz +LbNlKuOPds1r729jnWSSVwCRMoFuplj7zJIHc1gz0LSw/XBy50Bjv3BaKM0j55R0 +LmzmaPOy2zXZ1dQJPuLv2U4lHGCGhJr6av5DbX2JFInYsv4tLeAXmovmNW9ALqe0 +CQhBxAJnYdCRDMyhEc7mwaxRSt/UTlcP7wQv9NY54Hsi0110dKwlrS57sWU7m+aL +JrpECjpKu8/gKzNhGlhZCq1MRyan0T8TXhxa7V/3fiI28QcUvDc9QdabmARGwvw1 +GF/pjzBjy0dhESHP9H8QgMqlv4FZX2YPe24GClLuBVeoQQ== -----END CERTIFICATE----- diff --git a/config/application.rb b/config/application.rb index 2e427b9..3265dbb 100644 --- a/config/application.rb +++ b/config/application.rb 
@@ -41,7 +41,8 @@ class Application < Rails::Application Clients::Vault.configure_kv Clients::Vault.configure_pki get_oidc_config - Clients::Vault.configure_as_oidc_client(config.astral.oidc_issuer, + issuer = OidcProvider.new.get_issuer + Clients::Vault.configure_as_oidc_client(issuer, config.astral.oidc_client_id, config.astral.oidc_client_secret) diff --git a/config/astral.yml b/config/astral.yml index f6ebd43..b60814f 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -32,9 +32,12 @@ shared: oidc_client_secret: oidc_redirect_uris: http://localhost:8250/oidc/callback oidc_provider_cert_name: cert/oidc_provider - oidc_issuer: https://oidc_provider:9443/v1/identity/oidc/provider/astral oidc_provider_addr: https://oidc_provider:9443 - # if oidc_provider_addr is https with self-signed cert, need to provide + + # This should just contain the issuer path, not the host:port, which should be in the "oidc_provider_addr" above: + oidc_issuer_path: /v1/identity/oidc/provider/astral + +# if oidc_provider_addr is https with self-signed cert, need to provide # CA cert (path to file) in "oidc_provider_ssl_cert" below: oidc_provider_ssl_cert: cert/oidc_provider.pem # oidc provider client cert if required (path to file) @@ -55,6 +58,8 @@ production: vault_create_root: false oidc_provider_addr: + + # This should just contain the issuer path, not the host:port, which should be in the "oidc_provider_addr" above: oidc_issuer: initial_user_name: diff --git a/lib/tasks/configure.rake b/lib/tasks/configure.rake index 5cf5a3d..b5b6cfd 100644 --- a/lib/tasks/configure.rake +++ b/lib/tasks/configure.rake 
@@ -6,16 +6,17 @@ namespace :configure do task :ssl, [:cert_name] do |t, args| cert_name = args[:cert_name] cert_name = "vault" if cert_name.nil? + sanParam = "subjectAltName=DNS:#{cert_name}" %x( - echo "subjectAltName=DNS:#{cert_name}" > /tmp/x openssl req -new -newkey rsa:4096 -nodes \ -keyout cert/#{cert_name}.key -out cert/#{cert_name}.csr \ -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{cert_name}" \ - -addext "subjectAltName = DNS:#{cert_name}" \ + -addext #{sanParam} \ + echo #{sanParam} > /tmp/sanParam openssl x509 -req -days 365 -in cert/#{cert_name}.csr \ -signkey cert/#{cert_name}.key \ - -out cert/#{cert_name}.pem -extfile /tmp/x + -out cert/#{cert_name}.pem -extfile /tmp/sanParam ) puts "SSL key for #{cert_name} created" end diff --git a/test/lib/clients/oidc_provider_test.rb b/test/lib/clients/oidc_provider_test.rb index cc1985d..69996a5 100644 --- a/test/lib/clients/oidc_provider_test.rb +++ b/test/lib/clients/oidc_provider_test.rb @@ -3,12 +3,16 @@ class OidcProviderTest < ActiveSupport::TestCase setup do @provider = OidcProvider.new + @info = @provider.get_info end test ".get_info returns correct info" do - info = @provider.get_info - assert_equal Config[:oidc_issuer], info.data[:issuer] - assert_equal "email", info.data[:scopes_supported][0] + assert_equal "email", @info.data[:scopes_supported][0] + end + + test ".get_issuer returns correct issuer" do + issuer = @provider.get_issuer + assert_equal @info.data[:issuer], issuer end test ".get_client_info return correct info" do From 5e0eda03de121aeba3e194b806f4c83661e1dfdc Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 21 Oct 2024 11:51:01 -0700 Subject: [PATCH 60/65] fixed issuer path --- app/lib/utils/oidc_provider.rb | 2 +- config/astral.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index fa753de..286b8de 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb 
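Review bot: the `-addext #{sanParam} \` line keeps its trailing backslash, so the new `echo #{sanParam} > /tmp/sanParam` line that follows it is joined onto the `openssl req` command rather than run as a command of its own. `openssl req` then receives `echo` and the SAN value as stray arguments and has its stdout redirected into `/tmp/sanParam`, so the file that `openssl x509 ... -extfile /tmp/sanParam` reads next is unlikely to contain the intended `subjectAltName=` line. Unless a blank line lost in this rendering separates the two, the `echo` should move back above `openssl req` (where the removed `echo ... > /tmp/x` line sat) or the backslash should be dropped. Since `cert_name` comes straight from the rake argument into `%x(...)`, quoting the interpolation, `-addext "#{sanParam}" \`, as `-subj` already does would keep a value with spaces from splitting; `sanParam` would also be `san_param` under the Ruby naming convention.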
@@ -29,7 +29,7 @@ def get_info end def get_issuer - Config[:oidc_provider_addr] + Config[:oidc_issuer] + Config[:oidc_provider_addr] + Config[:oidc_issuer_path] end private diff --git a/config/astral.yml b/config/astral.yml index b60814f..2aa86fd 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -60,7 +60,7 @@ production: oidc_provider_addr: # This should just contain the issuer path, not the host:port, which should be in the "oidc_provider_addr" above: - oidc_issuer: + oidc_issuer_path: initial_user_name: initial_user_password: From 350d2861b57199d041d22fbf83dabfdc1985dc75 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 21 Oct 2024 12:00:50 -0700 Subject: [PATCH 61/65] add comment for oidcProvider tls --- config/astral.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/config/astral.yml b/config/astral.yml index 2aa86fd..adc2a9c 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -32,7 +32,9 @@ shared: oidc_client_secret: oidc_redirect_uris: http://localhost:8250/oidc/callback oidc_provider_cert_name: cert/oidc_provider - oidc_provider_addr: https://oidc_provider:9443 + + # set this to "https://oidc_provider:9443" for tls: + oidc_provider_addr: http://oidc_provider:8300 # This should just contain the issuer path, not the host:port, which should be in the "oidc_provider_addr" above: oidc_issuer_path: /v1/identity/oidc/provider/astral From dc4ece1b9d237d6f13858e0fd325239b30614181 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 21 Oct 2024 13:17:19 -0700 Subject: [PATCH 62/65] fixed issuer --- app/lib/clients/vault/oidc.rb | 4 ++-- app/lib/utils/oidc_provider.rb | 2 +- config/application.rb | 2 +- test/lib/clients/oidc_provider_test.rb | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb index 980cbc1..ac1dd36 100644 --- a/app/lib/clients/vault/oidc.rb +++ b/app/lib/clients/vault/oidc.rb 
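Review bot: `get_issuer` concatenates two config values without checking that either is set, so the blank `oidc_provider_addr:` and `oidc_issuer_path:` keys in the production section of `config/astral.yml` (touched in this same commit) would surface at boot as a `NoMethodError` or `TypeError` from `+` on `nil` rather than as a message naming the missing key. A guard before the concatenation makes the misconfiguration explicit, e.g. `raise ArgumentError, "oidc_provider_addr and oidc_issuer_path must both be set" if Config[:oidc_provider_addr].nil? || Config[:oidc_issuer_path].nil?`, assuming `Config[]` returns `nil` for an unset key, which this hunk does not show. The enclosing class continues outside the hunk.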
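Review bot: the new shared default for `oidc_provider_addr` is plain `http://oidc_provider:8300`, and `get_configured_issuer` concatenates this value straight into the issuer that `create_client_config` hands to Vault as `oidc_discovery_url`, so any environment that does not override the key will run OIDC discovery, and presumably the code exchange that follows it, without TLS. Moving the https address into a comment turns the secure variant into the opt-in; keeping `https://oidc_provider:9443` as the shared default and placing the http address in a development-only override would preserve the intent of the comment. Alternatively the scheme can be enforced where the issuer is built, e.g. `raise "oidc_provider_addr must use https outside development" unless Rails.env.development? || Rails.env.test? || Config[:oidc_provider_addr].to_s.start_with?("https://")`, which would also reject a blank production value.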
@@ -24,8 +24,8 @@ def get_oidc_client_config def create_client_config(issuer, client_id, client_secret) client.logical.write("/sys/auth/oidc", type: "oidc") client.logical.write("auth/oidc/config", - oidc_discovery_url: issuer, - oidc_discovery_ca_pem: File.read(Config[:oidc_provider_ssl_cert]), + oidc_discovery_url: issuer, + oidc_discovery_ca_pem: File.read(Config[:oidc_provider_ssl_cert]), oidc_client_id: client_id, oidc_client_secret: client_secret, default_role: "default") diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb index 286b8de..9c8c539 100644 --- a/app/lib/utils/oidc_provider.rb +++ b/app/lib/utils/oidc_provider.rb @@ -28,7 +28,7 @@ def get_info vault_client.logical.read("identity/oidc/provider/astral") end - def get_issuer + def self.get_configured_issuer Config[:oidc_provider_addr] + Config[:oidc_issuer_path] end diff --git a/config/application.rb b/config/application.rb index 3265dbb..6e4d80c 100644 --- a/config/application.rb +++ b/config/application.rb @@ -41,7 +41,7 @@ class Application < Rails::Application Clients::Vault.configure_kv Clients::Vault.configure_pki get_oidc_config - issuer = OidcProvider.new.get_issuer + issuer = OidcProvider.get_configured_issuer Clients::Vault.configure_as_oidc_client(issuer, config.astral.oidc_client_id, config.astral.oidc_client_secret) diff --git a/test/lib/clients/oidc_provider_test.rb b/test/lib/clients/oidc_provider_test.rb index 69996a5..9a2acac 100644 --- a/test/lib/clients/oidc_provider_test.rb +++ b/test/lib/clients/oidc_provider_test.rb @@ -10,8 +10,8 @@ class OidcProviderTest < ActiveSupport::TestCase assert_equal "email", @info.data[:scopes_supported][0] end - test ".get_issuer returns correct issuer" do - issuer = @provider.get_issuer + test "#get_issuer returns correct issuer" do + issuer = OidcProvider.get_configured_issuer assert_equal @info.data[:issuer], issuer end From 879b0db04aa2133143e13b969f52be634737d0e3 Mon Sep 17 00:00:00 2001 
From: George Jahad Date: Mon, 21 Oct 2024 13:24:14 -0700 Subject: [PATCH 63/65] fixed comment --- test/lib/clients/oidc_provider_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/lib/clients/oidc_provider_test.rb b/test/lib/clients/oidc_provider_test.rb index 9a2acac..518a65d 100644 --- a/test/lib/clients/oidc_provider_test.rb +++ b/test/lib/clients/oidc_provider_test.rb @@ -10,7 +10,7 @@ class OidcProviderTest < ActiveSupport::TestCase assert_equal "email", @info.data[:scopes_supported][0] end - test "#get_issuer returns correct issuer" do + test "#get_configured_issuer returns correct issuer" do issuer = OidcProvider.get_configured_issuer assert_equal @info.data[:issuer], issuer end From 2f35777573ba7e104e4eabde5ee8951678575b61 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 21 Oct 2024 13:24:53 -0700 Subject: [PATCH 64/65] rubocop --- lib/tasks/configure.rake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tasks/configure.rake b/lib/tasks/configure.rake index b5b6cfd..52fc1ad 100644 --- a/lib/tasks/configure.rake +++ b/lib/tasks/configure.rake @@ -3,7 +3,7 @@ require "rake" # Rake tasks for making a vault cert namespace :configure do desc "Make the server cert for vault" - task :ssl, [:cert_name] do |t, args| + task :ssl, [ :cert_name ] do |t, args| cert_name = args[:cert_name] cert_name = "vault" if cert_name.nil? sanParam = "subjectAltName=DNS:#{cert_name}" From 909516e869dc3b82739872b356ed94c2a1e392e8 Mon Sep 17 00:00:00 2001 From: George Jahad Date: Mon, 21 Oct 2024 14:18:58 -0700 Subject: [PATCH 65/65] fixed readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b732953..04fe05a 100644 --- a/README.md +++ b/README.md 
@@ -96,7 +96,7 @@ follows: OidcProvider.new.configure creates an OIDC provider and user on a separate dedicated Vault instance. The user created has a username/password/email address, that can be accessed with OIDC auth -from in the principal Vault instance. +from the principal Vault instance. Clients::Vault::configure_as_oidc_client creates an OIDC client on our Vault instance. It connects to that provider just