Add OIDC config primitives

.devcontainer/devcontainer.json

@@ -17,7 +17,7 @@
 
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.
 	// This can be used to network with other containers or the host.
-	"forwardPorts": [3000, 5432, 8200],
+        "forwardPorts": [3000, 5432, 8200, 8300],
 
 	// Use 'postCreateCommand' to run commands after the container is created.
 	"postCreateCommand": "bundle install && rake db:setup",

.devcontainer/docker-compose.yml

@@ -30,6 +30,15 @@ services:
       VAULT_DEV_ROOT_TOKEN_ID: root_token
       VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
 
+  oidc_provider:
+    image: hashicorp/vault:latest
+    restart: unless-stopped
+    ports:
+      - 8300:8300
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: root_token
+      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8300
+
   app_registry:
     image: node:latest
     restart: unless-stopped

README.md

@@ -61,3 +61,43 @@ docker build -t astral:latest .
 ```
 docker run -p 3000:3000 astral:latest
 ```
+# Logging into vault with OIDC
+
+The rails test's configure the OIDC provider, so if the tests pass,
+you can invoke the oidc login as follows:
+
+```
+  export VAULT_ADDR=http://127.0.0.1:8200; vault login -method=oidc
+```
+
+You should do this on your host machine, not in docker.  This will
+allow a browser window to open on your host.  When it does, select
+"username" option with user test/test.  (That is the username/pw
+configured by the rails tests.)
+
+When that succeeds, you should see something like the following in the cli:
+```
+Success! You are now authenticated
+.
+identity_policies    ["[email protected]"]
+.
+.
+```
+
+Note that "identity_policies" includes "[email protected]", which is the
+policy we created for this user.
+
+To make this work smoothly with the browser, you should add the
+following to the /etc/hosts file on your host:
+
+```
+  127.0.0.1	oidc_provider
+```
+
+Finally, if you run "rails test" a second time, it will recreate the
+provider settings, so you will need to clear the browser's
+"oidc_provider" cookie.  Otherwise you will see this error:
+
+```
+  * Vault login failed. Expired or missing OAuth state.
+```

app/lib/clients/vault.rb

@@ -5,6 +5,7 @@ class Vault
     extend Clients::Vault::Policy
     extend Clients::Vault::Entity
     extend Clients::Vault::EntityAlias
+    extend Clients::Vault::Oidc
 
     class_attribute :token
 

app/lib/clients/vault/oidc.rb

@@ -0,0 +1,151 @@
+=begin
+
+The purpose of this module is to assign a policy to an OIDC user, by
+mapping that user's email address to a policy we create.
+It works as follows:
+
+It creates an OIDC provider and user.  That user has a
+username/password/email addr, that can be accessed with OIDC auth.
+
+It creates an OIDC client which connects to that provider.  When a
+user tries to auth, the client connects to the provider, which opens
+up a browser window allowing the user to enter his username/password.
+
+On success, the provider returns an OIDC token, which includes the
+user's email addr.
+
+The client has been configured to map that email address to an entity
+in vault, which has the policy which we want the user to have.
+
+So the mapping goes from the email address on the provider, to the
+policy in vault.  The email addr may not be the best mapping to use.
+Some other piece of user info may ultimately be better used to map the
+user to the policy.  But we don't yet have a good understanding of
+different OIDC provider configurations, so this should be good enough
+for now
+
+Note that this provider is only meant to be used in our dev/test
+environment to excercise the client.  In a prod env, a real OIDC
+provider is configured in.
+
+=end
+module Clients
+  class Vault
+    module Oidc
+      def configure_oidc_provider
+        create_provider_webapp
+        create_provider_with_email_scope
+        create_entity_for_initial_user
+        create_userpass_for_initial_user
+        map_userpass_to_entity
+      end
+
+      def configure_oidc_client(issuer, client_id, client_secret)
+        create_client_config(issuer, client_id, client_secret)
+        create_default_policy_for_role
+        create_default_role(client_id)
+      end
+
+      def configure_oidc_user(name, email, policy)
+        client.sys.put_policy(email, policy)
+        put_entity(name, email)
+        put_entity_alias(name, email, "oidc")
+      end
+
+      private
+      cattr_accessor :client_id
+      cattr_accessor :client_secret
+      WEBAPP_NAME = "identity/oidc/client/astral"
+
+      def oidc_provider
+        ::Vault::Client.new(
+          address: "http://oidc_provider:8300",
+          token: token
+        )
+      end
+
+      def create_provider_webapp
+        oidc_provider.logical.write(
+          WEBAPP_NAME,
+          redirect_uris: get_redirect_uris,
+          assignments: "allow_all")
+        app = oidc_provider.logical.read(WEBAPP_NAME)
+        @@client_id = app.data[:client_id]
+        @@client_secret = app.data[:client_secret]
+      end
+
+      def create_provider_with_email_scope
+        oidc_provider.logical.write("identity/oidc/scope/email",
+                                    template: '{"email": {{identity.entity.metadata.email}}}')
+        oidc_provider.logical.write("identity/oidc/provider/astral",
+                                    issuer: "http://oidc_provider:8300",
+                                    allowed_client_ids: @@client_id,
+                                    scopes_supported: "email")
+      end
+
+      def create_entity_for_initial_user
+        oidc_provider.logical.write("identity/entity",
+                                    policies: "default",
+                                    name: Config[:initial_user][:name],
+                                    metadata: "email=#{Config[:initial_user][:email]}",
+                                    disabled: false)
+      end
+
+      def create_userpass_for_initial_user
+        oidc_provider.logical.delete("/sys/auth/userpass")
+        oidc_provider.logical.write("/sys/auth/userpass", type: "userpass")
+        oidc_provider.logical.write("/auth/userpass/users/#{Config[:initial_user][:name]}",
+                                    password: Config[:initial_user][:password])
+      end
+
+      def map_userpass_to_entity
+        entity = oidc_provider.logical.read(
+          "identity/entity/name/#{Config[:initial_user][:name]}")
+        entity_id = entity.data[:id]
+        auth_list = oidc_provider.logical.read("/sys/auth")
+        accessor = auth_list.data[:"userpass/"][:accessor]
+        oidc_provider.logical.write("identity/entity-alias",
+                                    name: Config[:initial_user][:name],
+                                    canonical_id: entity_id,
+                                    mount_accessor: accessor)
+      end
+
+      def create_client_config(issuer, client_id, client_secret)
+        client.logical.delete("/sys/auth/oidc")
+        client.logical.write("/sys/auth/oidc", type: "oidc")
+        client.logical.write("auth/oidc/config",
+                                   oidc_discovery_url: issuer,
+                                   oidc_client_id: client_id,
+                                   oidc_client_secret: client_secret,
+                                   default_role: "reader")
+      end
+
+      def create_default_policy_for_role
+        policy = <<-EOH
+              path "sys" {
+              policy = "read"
+              }
+              EOH
+        client.sys.put_policy("reader", policy)
+      end
+
+      def get_redirect_uris
+        # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris
+        redirect_uris = <<-EOH
+             http://localhost:8250/oidc/callback,
+             #{Config[:vault_addr]}/ui/vault/auth/oidc/oidc/callback,
+             EOH
+      end
+
+      def create_default_role(client_id)
+        client.logical.write(
+          "auth/oidc/role/reader",
+          bound_audiences: client_id,
+          allowed_redirect_uris: get_redirect_uris,
+          user_claim: "email",
+          oidc_scopes: "email",
+          token_policies: "reader")
+      end
+    end
+  end
+end

app/lib/clients/vault/policy.rb

@@ -20,6 +20,21 @@ def create_astral_policy
         path "#{kv_mount}/data/*" {
           capabilities = ["create", "read", "update", "delete", "list"]
         }
+        path "identity/entity" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+        }
+        path "identity/entity/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+        }
+        path "identity/entity-alias" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+        }
+        path "/sys/auth" {
+          capabilities = ["read"]
+        }
+        path "/sys/policy/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+        }
         HCL
 
         client.sys.put_policy("astral_policy", policy)

config/application.rb

@@ -40,6 +40,15 @@ class Application < Rails::Application
       Clients::Vault.token = Config[:vault_token]
       Clients::Vault.configure_kv
       Clients::Vault.configure_pki
+      issuer = config.astral.oidc_provider[:issuer]
+      client_id = config.astral.oidc_provider[:client_id]
+      client_secret = config.astral.oidc_provider[:client_secret]
+      if config.astral.configure_oidc_provider?
+        Clients::Vault.configure_oidc_provider
+        client_id = ::Clients::Vault::Oidc.client_id
+        client_secret = ::Clients::Vault::Oidc.client_secret
+      end
+      Clients::Vault.configure_oidc_client(issuer, client_id, client_secret) unless client_id.nil?
       Clients::Vault.rotate_token
     end
   end

config/astral.yml

@@ -19,9 +19,28 @@ shared:
   audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %>
 
 test:
+  configure_oidc_provider?: true
+  oidc_provider:
+    issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral"
+  initial_user:
+    name: "test"
+    password: "test"
+    email: "[email protected]"
   cert_ttl: <%= 24.hours.in_seconds %>
 
 development:
+  configure_oidc_provider?: true
+  oidc_provider:
+    issuer: "http://oidc_provider:8300/v1/identity/oidc/provider/astral"
+  initial_user:
+    name: "test"
+    password: "test"
+    email: "[email protected]"
 
 production:
   vault_create_root: false
+  configure_oidc_provider?: false
+  oidc_provider:
+    issuer:
+    client_id:
+    client_secret:

test/lib/clients/oidc_test.rb

@@ -0,0 +1,30 @@
+require "test_helper"
+
+# NOTE: these tests excercise the OIDC config but can't really verify a
+# successful OIDC login.  (Because that requires browser interaction.)
+# See the readme for how to use oidc login with the browser.
+
+class OIDCTest < ActiveSupport::TestCase
+  setup do
+    @client = Clients::Vault
+  end
+
+  test "#configure_oidc_user" do
+    @client.configure_oidc_user(Config[:initial_user][:name],
+                                Config[:initial_user][:email], get_test_policy)
+    entity = @client.read_entity(Config[:initial_user][:name])
+    assert_equal Config[:initial_user][:email], entity.data[:policies][0]
+    aliases = entity.data[:aliases]
+    assert aliases.find { |a| a[:name] == Config[:initial_user][:email] }
+  end
+
+  private
+
+  def get_test_policy
+    policy = <<-EOH
+           path "sys" {
+           policy = "read"
+           }
+           EOH
+  end
+end