Add Oracle Cloud auth to the Vault Agent (hashicorp#19260)

* Add Oracle Cloud auth to the Vault Agent * Use ParseDurationSecond to parse credential_poll_interval * Use os.UserHomeDir()
fopina · Mar 15, 2023 · 789406c · 789406c
1 parent 011de4a
commit 789406c
Show file tree

Hide file tree

Showing 6 changed files with 543 additions and 0 deletions.
diff --git a/changelog/19260.txt b/changelog/19260.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**agent/auto-auth:**: Add OCI (Oracle Cloud Infrastructure) auto-auth method
+```
diff --git a/command/agent.go b/command/agent.go
@@ -40,6 +40,7 @@ import (
 	"github.com/hashicorp/vault/command/agent/auth/jwt"
 	"github.com/hashicorp/vault/command/agent/auth/kerberos"
 	"github.com/hashicorp/vault/command/agent/auth/kubernetes"
+	"github.com/hashicorp/vault/command/agent/auth/oci"
 	"github.com/hashicorp/vault/command/agent/cache"
 	"github.com/hashicorp/vault/command/agent/cache/cacheboltdb"
 	"github.com/hashicorp/vault/command/agent/cache/cachememdb"
@@ -370,6 +371,8 @@ func (c *AgentCommand) Run(args []string) int {
 			method, err = kubernetes.NewKubernetesAuthMethod(authConfig)
 		case "approle":
 			method, err = approle.NewApproleAuthMethod(authConfig)
+		case "oci":
+			method, err = oci.NewOCIAuthMethod(authConfig, config.Vault.Address)
 		case "token_file":
 			method, err = token_file.NewTokenFileAuthMethod(authConfig)
 		case "pcf": // Deprecated.

diff --git a/command/agent/auth/oci/oci.go b/command/agent/auth/oci/oci.go
@@ -0,0 +1,262 @@
+package oci
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"net/http"
+	"net/url"
+	"os"
+	"os/user"
+	"path"
+	"sync"
+	"time"
+
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/command/agent/auth"
+	"github.com/oracle/oci-go-sdk/common"
+	ociAuth "github.com/oracle/oci-go-sdk/common/auth"
+)
+
+const (
+	typeAPIKey   = "apikey"
+	typeInstance = "instance"
+
+	/*
+
+		IAM creds can be inferred from instance metadata or the container
+		identity service, and those creds expire at varying intervals with
+		new creds becoming available at likewise varying intervals. Let's
+		default to polling once a minute so all changes can be picked up
+		rather quickly. This is configurable, however.
+
+	*/
+	defaultCredCheckFreqSeconds = 60 * time.Second
+
+	defaultConfigFileName    = "config"
+	defaultConfigDirName     = ".oci"
+	configFilePathEnvVarName = "OCI_CONFIG_FILE"
+	secondaryConfigDirName   = ".oraclebmc"
+)
+
+func NewOCIAuthMethod(conf *auth.AuthConfig, vaultAddress string) (auth.AuthMethod, error) {
+	if conf == nil {
+		return nil, errors.New("empty config")
+	}
+	if conf.Config == nil {
+		return nil, errors.New("empty config data")
+	}
+
+	a := &ociMethod{
+		logger:       conf.Logger,
+		vaultAddress: vaultAddress,
+		mountPath:    conf.MountPath,
+		credsFound:   make(chan struct{}),
+		stopCh:       make(chan struct{}),
+	}
+
+	typeRaw, ok := conf.Config["type"]
+	if !ok {
+		return nil, errors.New("missing 'type' value")
+	}
+	authType, ok := typeRaw.(string)
+	if !ok {
+		return nil, errors.New("could not convert 'type' config value to string")
+	}
+
+	roleRaw, ok := conf.Config["role"]
+	if !ok {
+		return nil, errors.New("missing 'role' value")
+	}
+	a.role, ok = roleRaw.(string)
+	if !ok {
+		return nil, errors.New("could not convert 'role' config value to string")
+	}
+
+	// Check for an optional custom frequency at which we should poll for creds.
+	credCheckFreqSec := defaultCredCheckFreqSeconds
+	if checkFreqRaw, ok := conf.Config["credential_poll_interval"]; ok {
+		checkFreq, err := parseutil.ParseDurationSecond(checkFreqRaw)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse credential_poll_interval: %v", err)
+		}
+		credCheckFreqSec = checkFreq
+	}
+
+	switch {
+	case a.role == "":
+		return nil, errors.New("'role' value is empty")
+	case authType == "":
+		return nil, errors.New("'type' value is empty")
+	case authType != typeAPIKey && authType != typeInstance:
+		return nil, errors.New("'type' value is invalid")
+	case authType == typeAPIKey:
+		defaultConfigFile := getDefaultConfigFilePath()
+		homeFolder := getHomeFolder()
+		secondaryConfigFile := path.Join(homeFolder, secondaryConfigDirName, defaultConfigFileName)
+
+		environmentProvider := common.ConfigurationProviderEnvironmentVariables("OCI", "")
+		defaultFileProvider, _ := common.ConfigurationProviderFromFile(defaultConfigFile, "")
+		secondaryFileProvider, _ := common.ConfigurationProviderFromFile(secondaryConfigFile, "")
+
+		provider, _ := common.ComposingConfigurationProvider([]common.ConfigurationProvider{environmentProvider, defaultFileProvider, secondaryFileProvider})
+		a.configurationProvider = provider
+	case authType == typeInstance:
+		configurationProvider, err := ociAuth.InstancePrincipalConfigurationProvider()
+		if err != nil {
+			return nil, fmt.Errorf("failed to create instance principal configuration provider: %v", err)
+		}
+		a.configurationProvider = configurationProvider
+	}
+
+	// Do an initial population of the creds because we want to err right away if we can't
+	// even get a first set.
+	creds, err := a.configurationProvider.KeyID()
+	if err != nil {
+		return nil, err
+	}
+	a.lastCreds = creds
+
+	go a.pollForCreds(credCheckFreqSec)
+
+	return a, nil
+}
+
+type ociMethod struct {
+	logger       hclog.Logger
+	vaultAddress string
+	mountPath    string
+
+	configurationProvider common.ConfigurationProvider
+	role                  string
+
+	// These are used to share the latest creds safely across goroutines.
+	credLock  sync.Mutex
+	lastCreds string
+
+	// Notifies the outer environment that it should call Authenticate again.
+	credsFound chan struct{}
+
+	// Detects that the outer environment is closing.
+	stopCh chan struct{}
+}
+
+func (a *ociMethod) Authenticate(context.Context, *api.Client) (string, http.Header, map[string]interface{}, error) {
+	a.credLock.Lock()
+	defer a.credLock.Unlock()
+
+	a.logger.Trace("beginning authentication")
+
+	requestPath := fmt.Sprintf("/v1/%s/login/%s", a.mountPath, a.role)
+	requestURL := fmt.Sprintf("%s%s", a.vaultAddress, requestPath)
+
+	request, err := http.NewRequest("GET", requestURL, nil)
+	if err != nil {
+		return "", nil, nil, fmt.Errorf("error creating authentication request: %w", err)
+	}
+
+	request.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
+
+	signer := common.DefaultRequestSigner(a.configurationProvider)
+
+	err = signer.Sign(request)
+
+	if err != nil {
+		return "", nil, nil, fmt.Errorf("error signing authentication request: %w", err)
+	}
+
+	parsedVaultAddress, err := url.Parse(a.vaultAddress)
+	if err != nil {
+		return "", nil, nil, fmt.Errorf("unable to parse vault address: %w", err)
+	}
+
+	request.Header.Set("Host", parsedVaultAddress.Host)
+	request.Header.Set("(request-target)", fmt.Sprintf("%s %s", "get", requestPath))
+
+	data := map[string]interface{}{
+		"request_headers": request.Header,
+	}
+
+	return fmt.Sprintf("%s/login/%s", a.mountPath, a.role), nil, data, nil
+}
+
+func (a *ociMethod) NewCreds() chan struct{} {
+	return a.credsFound
+}
+
+func (a *ociMethod) CredSuccess() {}
+
+func (a *ociMethod) Shutdown() {
+	close(a.credsFound)
+	close(a.stopCh)
+}
+
+func (a *ociMethod) pollForCreds(frequency time.Duration) {
+	ticker := time.NewTicker(frequency)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-a.stopCh:
+			a.logger.Trace("shutdown triggered, stopping OCI auth handler")
+			return
+		case <-ticker.C:
+			if err := a.checkCreds(); err != nil {
+				a.logger.Warn("unable to retrieve current creds, retaining last creds", "error", err)
+			}
+		}
+	}
+}
+
+func (a *ociMethod) checkCreds() error {
+	a.credLock.Lock()
+	defer a.credLock.Unlock()
+
+	a.logger.Trace("checking for new credentials")
+	currentCreds, err := a.configurationProvider.KeyID()
+	if err != nil {
+		return err
+	}
+	// These will always have different pointers regardless of whether their
+	// values are identical, hence the use of DeepEqual.
+	if currentCreds == a.lastCreds {
+		a.logger.Trace("credentials are unchanged")
+		return nil
+	}
+	a.lastCreds = currentCreds
+	a.logger.Trace("new credentials detected, triggering Authenticate")
+	a.credsFound <- struct{}{}
+	return nil
+}
+
+func getHomeFolder() string {
+	current, e := user.Current()
+	if e != nil {
+		// Give up and try to return something sensible
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return ""
+		}
+		return home
+	}
+	return current.HomeDir
+}
+
+func getDefaultConfigFilePath() string {
+	homeFolder := getHomeFolder()
+	defaultConfigFile := path.Join(homeFolder, defaultConfigDirName, defaultConfigFileName)
+	if _, err := os.Stat(defaultConfigFile); err == nil {
+		return defaultConfigFile
+	}
+
+	// Read configuration file path from OCI_CONFIG_FILE env var
+	fallbackConfigFile, existed := os.LookupEnv(configFilePathEnvVarName)
+	if !existed {
+		return defaultConfigFile
+	}
+	if _, err := os.Stat(fallbackConfigFile); os.IsNotExist(err) {
+		return defaultConfigFile
+	}
+	return fallbackConfigFile
+}