* rename enterprise token for readability/clarity * more updates * test fix * whoops * further updates * fix errors * update error message * more rename * typo * whoops * remaining fix Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
parent
c7f782bf7e
commit
bfb5cd6ead
13 changed files with 192 additions and 196 deletions
|
|
@ -261,39 +261,39 @@ func mergeEnterpriseTokenMetadata(a *auth, req *logical.Request) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
if req.EnterpriseTokenMetadata == "" &&
|
||||
req.EnterpriseTokenIssuer == "" &&
|
||||
req.EnterpriseTokenTransaction == "" &&
|
||||
len(req.EnterpriseTokenAudience) == 0 &&
|
||||
len(req.EnterpriseTokenAuthorizationDetails) == 0 {
|
||||
if req.JwtUniqueId == "" &&
|
||||
req.JwtIssuer == "" &&
|
||||
req.JwtTransactionClaim == "" &&
|
||||
len(req.JwtAudienceClaim) == 0 &&
|
||||
len(req.JwtAuthorizationDetails) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
if a.Metadata == nil {
|
||||
a.Metadata = make(map[string]string)
|
||||
}
|
||||
if req.EnterpriseTokenMetadata != "" {
|
||||
a.Metadata["enterprise_token_metadata"] = req.EnterpriseTokenMetadata
|
||||
if req.JwtUniqueId != "" {
|
||||
a.Metadata["jwt_unique_id"] = req.JwtUniqueId
|
||||
}
|
||||
if req.EnterpriseTokenIssuer != "" {
|
||||
a.Metadata["enterprise_token_issuer"] = req.EnterpriseTokenIssuer
|
||||
if req.JwtIssuer != "" {
|
||||
a.Metadata["jwt_issuer"] = req.JwtIssuer
|
||||
}
|
||||
if req.EnterpriseTokenTransaction != "" {
|
||||
a.Metadata["enterprise_token_transaction"] = req.EnterpriseTokenTransaction
|
||||
if req.JwtTransactionClaim != "" {
|
||||
a.Metadata["jwt_transaction_claim"] = req.JwtTransactionClaim
|
||||
}
|
||||
if len(req.EnterpriseTokenAudience) > 0 {
|
||||
audJSON, err := json.Marshal(req.EnterpriseTokenAudience)
|
||||
if len(req.JwtAudienceClaim) > 0 {
|
||||
audJSON, err := json.Marshal(req.JwtAudienceClaim)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to marshal enterprise token audience for audit: %w", err)
|
||||
return fmt.Errorf("unable to marshal jwt audience for audit: %w", err)
|
||||
}
|
||||
a.Metadata["enterprise_token_audience"] = string(audJSON)
|
||||
a.Metadata["jwt_audience_claim"] = string(audJSON)
|
||||
}
|
||||
if len(req.EnterpriseTokenAuthorizationDetails) > 0 {
|
||||
authzJSON, err := json.Marshal(req.EnterpriseTokenAuthorizationDetails)
|
||||
if len(req.JwtAuthorizationDetails) > 0 {
|
||||
authzJSON, err := json.Marshal(req.JwtAuthorizationDetails)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to marshal enterprise token authorization details for audit: %w", err)
|
||||
return fmt.Errorf("unable to marshal jwt authorization details for audit: %w", err)
|
||||
}
|
||||
a.Metadata["enterprise_token_authorization_details"] = string(authzJSON)
|
||||
a.Metadata["jwt_authorization_details"] = string(authzJSON)
|
||||
}
|
||||
return nil
|
||||
}
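Review bot: The auth.metadata keys written here change from `enterprise_token_*` to `jwt_*` (e.g. `a.Metadata["jwt_unique_id"]`, `a.Metadata["jwt_audience_claim"]`), and those keys are the audit-log schema that SIEM parsers and detection rules match on; if any released build already emitted the old names this is a breaking change that should be called out in the changelog, or the old keys kept for a deprecation window. The function is still named `mergeEnterpriseTokenMetadata` while every field and key it touches now says Jwt, so a doc comment would help readers connect the two: `// mergeEnterpriseTokenMetadata copies the OAuth JWT claims carried on req (jwt_unique_id, jwt_issuer, jwt_transaction_claim, jwt_audience_claim, jwt_authorization_details) into a.Metadata for audit logging; it is a no-op when none of them are set.` The function's signature is above this hunk.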
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ const testFormatJSONEnterpriseTokenStrFmt = `{
|
|||
"metadata": {
|
||||
"actor_entity_id": "actor-entity-789",
|
||||
"actor_entity_name": "actor-service",
|
||||
"enterprise_token_metadata": "test-token-123"
|
||||
"jwt_unique_id": "test-token-123"
|
||||
},
|
||||
"entity_id": "foobarentity",
|
||||
"token_type": "service",
|
||||
|
|
@ -599,7 +599,7 @@ func TestMergeEnterpriseTokenMetadata(t *testing.T) {
|
|||
ExpectedTransaction string
|
||||
}{
|
||||
"metadata-present": {
|
||||
Input: &logical.Request{ID: "req-1", EnterpriseTokenMetadata: "token-abc"},
|
||||
Input: &logical.Request{ID: "req-1", JwtUniqueId: "token-abc"},
|
||||
ExpectedMetadata: "token-abc",
|
||||
},
|
||||
"metadata-absent": {
|
||||
|
|
@ -608,18 +608,18 @@ func TestMergeEnterpriseTokenMetadata(t *testing.T) {
|
|||
},
|
||||
"issuer-present": {
|
||||
Input: &logical.Request{
|
||||
ID: "req-3",
|
||||
EnterpriseTokenMetadata: "token-xyz",
|
||||
EnterpriseTokenIssuer: "https://issuer.example.com",
|
||||
ID: "req-3",
|
||||
JwtUniqueId: "token-xyz",
|
||||
JwtIssuer: "https://issuer.example.com",
|
||||
},
|
||||
ExpectedMetadata: "token-xyz",
|
||||
ExpectedIssuer: "https://issuer.example.com",
|
||||
},
|
||||
"transaction-present": {
|
||||
Input: &logical.Request{
|
||||
ID: "req-4",
|
||||
EnterpriseTokenMetadata: "token-txn",
|
||||
EnterpriseTokenTransaction: "txn-123",
|
||||
ID: "req-4",
|
||||
JwtUniqueId: "token-txn",
|
||||
JwtTransactionClaim: "txn-123",
|
||||
},
|
||||
ExpectedMetadata: "token-txn",
|
||||
ExpectedTransaction: "txn-123",
|
||||
|
|
@ -648,17 +648,17 @@ func TestMergeEnterpriseTokenMetadata(t *testing.T) {
|
|||
require.Equal(t, want, got)
|
||||
}
|
||||
|
||||
assertMetadataField("enterprise_token_metadata", tc.ExpectedMetadata)
|
||||
assertMetadataField("enterprise_token_issuer", tc.ExpectedIssuer)
|
||||
assertMetadataField("enterprise_token_transaction", tc.ExpectedTransaction)
|
||||
assertMetadataField("jwt_unique_id", tc.ExpectedMetadata)
|
||||
assertMetadataField("jwt_issuer", tc.ExpectedIssuer)
|
||||
assertMetadataField("jwt_transaction_claim", tc.ExpectedTransaction)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestEntryFormatter_Process_JSON_EnterpriseToken verifies that enterprise token fields
|
||||
// (actor_entity_id, actor_entity_name, enterprise_token_metadata, enterprise_token_issuer,
|
||||
// enterprise_token_transaction,
|
||||
// enterprise_token_audience, enterprise_token_authorization_details) are correctly
|
||||
// (actor_entity_id, actor_entity_name, jwt_unique_id, jwt_issuer,
|
||||
// jwt_transaction_claim,
|
||||
// jwt_audience, jwt_authorization_details) are correctly
|
||||
// serialized into auth.metadata in the JSON audit output, and absent when not set.
|
||||
func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
|
@ -692,13 +692,13 @@ func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
|
|||
TokenType: logical.TokenTypeDefault,
|
||||
},
|
||||
Req: &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/cubbyhole/test",
|
||||
EnterpriseTokenMetadata: "test-token-abc",
|
||||
EnterpriseTokenIssuer: "https://issuer.example.com",
|
||||
EnterpriseTokenTransaction: "txn-actor-1",
|
||||
EnterpriseTokenAudience: []string{"vault"},
|
||||
EnterpriseTokenAuthorizationDetails: authzDetails,
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/cubbyhole/test",
|
||||
JwtUniqueId: "test-token-abc",
|
||||
JwtIssuer: "https://issuer.example.com",
|
||||
JwtTransactionClaim: "txn-actor-1",
|
||||
JwtAudienceClaim: []string{"vault"},
|
||||
JwtAuthorizationDetails: authzDetails,
|
||||
Connection: &logical.Connection{
|
||||
RemoteAddr: "127.0.0.1",
|
||||
},
|
||||
|
|
@ -721,12 +721,12 @@ func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
|
|||
TokenType: logical.TokenTypeDefault,
|
||||
},
|
||||
Req: &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/cubbyhole/test",
|
||||
EnterpriseTokenMetadata: "test-token-xyz",
|
||||
EnterpriseTokenIssuer: "https://issuer.example.com",
|
||||
EnterpriseTokenTransaction: "txn-base-1",
|
||||
EnterpriseTokenAudience: []string{"vault"},
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/cubbyhole/test",
|
||||
JwtUniqueId: "test-token-xyz",
|
||||
JwtIssuer: "https://issuer.example.com",
|
||||
JwtTransactionClaim: "txn-base-1",
|
||||
JwtAudienceClaim: []string{"vault"},
|
||||
Connection: &logical.Connection{
|
||||
RemoteAddr: "127.0.0.1",
|
||||
},
|
||||
|
|
@ -781,11 +781,11 @@ func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
|
|||
require.Equal(t, tc.WantActorEntityName, result.Auth.Metadata["actor_entity_name"])
|
||||
|
||||
require.NotNil(t, result.Request)
|
||||
require.Equal(t, tc.WantMetadata, result.Auth.Metadata["enterprise_token_metadata"])
|
||||
require.Equal(t, tc.WantIssuer, result.Auth.Metadata["enterprise_token_issuer"])
|
||||
require.Equal(t, tc.WantTransaction, result.Auth.Metadata["enterprise_token_transaction"])
|
||||
require.Equal(t, tc.WantAudience, result.Auth.Metadata["enterprise_token_audience"])
|
||||
require.Equal(t, tc.WantAuthorizationDetails, result.Auth.Metadata["enterprise_token_authorization_details"])
|
||||
require.Equal(t, tc.WantMetadata, result.Auth.Metadata["jwt_unique_id"])
|
||||
require.Equal(t, tc.WantIssuer, result.Auth.Metadata["jwt_issuer"])
|
||||
require.Equal(t, tc.WantTransaction, result.Auth.Metadata["jwt_transaction_claim"])
|
||||
require.Equal(t, tc.WantAudience, result.Auth.Metadata["jwt_audience_claim"])
|
||||
require.Equal(t, tc.WantAuthorizationDetails, result.Auth.Metadata["jwt_authorization_details"])
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
@ -816,12 +816,12 @@ func TestEntryFormatter_Process_Response_EnterpriseToken(t *testing.T) {
|
|||
TokenType: logical.TokenTypeDefault,
|
||||
},
|
||||
Request: &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/secret/data/test",
|
||||
EnterpriseTokenMetadata: "resp-token-abc",
|
||||
EnterpriseTokenIssuer: "https://issuer.example.com",
|
||||
EnterpriseTokenTransaction: "txn-response-1",
|
||||
EnterpriseTokenAudience: []string{"vault", "api"},
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/secret/data/test",
|
||||
JwtUniqueId: "resp-token-abc",
|
||||
JwtIssuer: "https://issuer.example.com",
|
||||
JwtTransactionClaim: "txn-response-1",
|
||||
JwtAudienceClaim: []string{"vault", "api"},
|
||||
Connection: &logical.Connection{
|
||||
RemoteAddr: "127.0.0.1",
|
||||
},
|
||||
|
|
@ -864,18 +864,18 @@ func TestEntryFormatter_Process_Response_EnterpriseToken(t *testing.T) {
|
|||
require.NotNil(t, result.Auth)
|
||||
require.Equal(t, "actor-entity-456", result.Auth.Metadata["actor_entity_id"])
|
||||
require.Equal(t, "actor-service", result.Auth.Metadata["actor_entity_name"])
|
||||
require.Equal(t, "resp-token-abc", result.Auth.Metadata["enterprise_token_metadata"])
|
||||
require.Equal(t, "https://issuer.example.com", result.Auth.Metadata["enterprise_token_issuer"])
|
||||
require.Equal(t, "txn-response-1", result.Auth.Metadata["enterprise_token_transaction"])
|
||||
require.Equal(t, `["vault","api"]`, result.Auth.Metadata["enterprise_token_audience"])
|
||||
require.Equal(t, "resp-token-abc", result.Auth.Metadata["jwt_unique_id"])
|
||||
require.Equal(t, "https://issuer.example.com", result.Auth.Metadata["jwt_issuer"])
|
||||
require.Equal(t, "txn-response-1", result.Auth.Metadata["jwt_transaction_claim"])
|
||||
require.Equal(t, `["vault","api"]`, result.Auth.Metadata["jwt_audience_claim"])
|
||||
|
||||
// Response auth must also have enterprise token fields in metadata
|
||||
require.NotNil(t, result.Response)
|
||||
require.NotNil(t, result.Response.Auth)
|
||||
require.Equal(t, "resp-token-abc", result.Response.Auth.Metadata["enterprise_token_metadata"])
|
||||
require.Equal(t, "https://issuer.example.com", result.Response.Auth.Metadata["enterprise_token_issuer"])
|
||||
require.Equal(t, "txn-response-1", result.Response.Auth.Metadata["enterprise_token_transaction"])
|
||||
require.Equal(t, `["vault","api"]`, result.Response.Auth.Metadata["enterprise_token_audience"])
|
||||
require.Equal(t, "resp-token-abc", result.Response.Auth.Metadata["jwt_unique_id"])
|
||||
require.Equal(t, "https://issuer.example.com", result.Response.Auth.Metadata["jwt_issuer"])
|
||||
require.Equal(t, "txn-response-1", result.Response.Auth.Metadata["jwt_transaction_claim"])
|
||||
require.Equal(t, `["vault","api"]`, result.Response.Auth.Metadata["jwt_audience_claim"])
|
||||
}
|
||||
|
||||
// TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel verifies that
|
||||
|
|
@ -905,13 +905,13 @@ func TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel(t *testi
|
|||
TokenType: logical.TokenTypeService,
|
||||
},
|
||||
Request: &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/secret/data/test",
|
||||
EnterpriseTokenMetadata: "test-token-123",
|
||||
EnterpriseTokenIssuer: "https://issuer.example.com",
|
||||
EnterpriseTokenTransaction: "txn-top-level-1",
|
||||
EnterpriseTokenAudience: []string{"vault"},
|
||||
EnterpriseTokenAuthorizationDetails: []logical.AuthorizationDetail{{"type": "access"}},
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/secret/data/test",
|
||||
JwtUniqueId: "test-token-123",
|
||||
JwtIssuer: "https://issuer.example.com",
|
||||
JwtTransactionClaim: "txn-top-level-1",
|
||||
JwtAudienceClaim: []string{"vault"},
|
||||
JwtAuthorizationDetails: []logical.AuthorizationDetail{{"type": "access"}},
|
||||
Connection: &logical.Connection{
|
||||
RemoteAddr: "127.0.0.1",
|
||||
},
|
||||
|
|
@ -965,23 +965,23 @@ func TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel(t *testi
|
|||
require.True(t, ok)
|
||||
require.Equal(t, "actor-service", entityName)
|
||||
|
||||
tokenMetadata, ok := metadataMap["enterprise_token_metadata"]
|
||||
tokenMetadata, ok := metadataMap["jwt_unique_id"]
|
||||
require.True(t, ok)
|
||||
require.Equal(t, "test-token-123", tokenMetadata)
|
||||
|
||||
tokenIssuer, ok := metadataMap["enterprise_token_issuer"]
|
||||
tokenIssuer, ok := metadataMap["jwt_issuer"]
|
||||
require.True(t, ok)
|
||||
require.Equal(t, "https://issuer.example.com", tokenIssuer)
|
||||
|
||||
tokenTransaction, ok := metadataMap["enterprise_token_transaction"]
|
||||
tokenTransaction, ok := metadataMap["jwt_transaction_claim"]
|
||||
require.True(t, ok)
|
||||
require.Equal(t, "txn-top-level-1", tokenTransaction)
|
||||
|
||||
tokenAudience, ok := metadataMap["enterprise_token_audience"]
|
||||
tokenAudience, ok := metadataMap["jwt_audience_claim"]
|
||||
require.True(t, ok)
|
||||
require.Equal(t, `["vault"]`, tokenAudience)
|
||||
|
||||
tokenAuthzDetails, ok := metadataMap["enterprise_token_authorization_details"]
|
||||
tokenAuthzDetails, ok := metadataMap["jwt_authorization_details"]
|
||||
require.True(t, ok)
|
||||
require.Contains(t, tokenAuthzDetails, `"type":"access"`)
|
||||
}
|
||||
|
|
@ -1296,9 +1296,9 @@ func TestEntryFormatter_Process_JSON(t *testing.T) {
|
|||
},
|
||||
},
|
||||
&logical.Request{
|
||||
Operation: logical.UpdateOperation,
|
||||
Path: "/foo",
|
||||
EnterpriseTokenMetadata: "test-token-123",
|
||||
Operation: logical.UpdateOperation,
|
||||
Path: "/foo",
|
||||
JwtUniqueId: "test-token-123",
|
||||
Connection: &logical.Connection{
|
||||
RemoteAddr: "127.0.0.1",
|
||||
},
|
||||
|
|
@ -1749,12 +1749,12 @@ func TestEntryFormatter_Process_NoMutation_WithEnterpriseToken(t *testing.T) {
|
|||
TokenType: logical.TokenTypeService,
|
||||
},
|
||||
Request: &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/cubbyhole/test",
|
||||
EnterpriseTokenMetadata: "test-token-abc",
|
||||
EnterpriseTokenIssuer: "https://issuer.example.com",
|
||||
EnterpriseTokenAudience: []string{"vault", "api"},
|
||||
EnterpriseTokenAuthorizationDetails: authzDetails,
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "/cubbyhole/test",
|
||||
JwtUniqueId: "test-token-abc",
|
||||
JwtIssuer: "https://issuer.example.com",
|
||||
JwtAudienceClaim: []string{"vault", "api"},
|
||||
JwtAuthorizationDetails: authzDetails,
|
||||
Connection: &logical.Connection{
|
||||
RemoteAddr: "127.0.0.1",
|
||||
},
|
||||
|
|
@ -1762,9 +1762,9 @@ func TestEntryFormatter_Process_NoMutation_WithEnterpriseToken(t *testing.T) {
|
|||
}
|
||||
|
||||
// Snapshot the enterprise token field values before processing.
|
||||
wantMetadata := in.Request.EnterpriseTokenMetadata
|
||||
wantIssuer := in.Request.EnterpriseTokenIssuer
|
||||
wantAudience := append([]string(nil), in.Request.EnterpriseTokenAudience...)
|
||||
wantMetadata := in.Request.JwtUniqueId
|
||||
wantIssuer := in.Request.JwtIssuer
|
||||
wantAudience := append([]string(nil), in.Request.JwtAudienceClaim...)
|
||||
|
||||
e := fakeEvent(t, RequestType, in)
|
||||
|
||||
|
|
@ -1776,10 +1776,10 @@ func TestEntryFormatter_Process_NoMutation_WithEnterpriseToken(t *testing.T) {
|
|||
require.NotEqual(t, e2, e)
|
||||
|
||||
// The original request's enterprise token fields must be unchanged.
|
||||
require.Equal(t, wantMetadata, in.Request.EnterpriseTokenMetadata)
|
||||
require.Equal(t, wantIssuer, in.Request.EnterpriseTokenIssuer)
|
||||
require.Equal(t, wantAudience, in.Request.EnterpriseTokenAudience)
|
||||
require.Equal(t, authzDetails, in.Request.EnterpriseTokenAuthorizationDetails)
|
||||
require.Equal(t, wantMetadata, in.Request.JwtUniqueId)
|
||||
require.Equal(t, wantIssuer, in.Request.JwtIssuer)
|
||||
require.Equal(t, wantAudience, in.Request.JwtAudienceClaim)
|
||||
require.Equal(t, authzDetails, in.Request.JwtAuthorizationDetails)
|
||||
}
|
||||
|
||||
// which will currently cause a panic when a response is formatted due to the
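Review bot: The doc comment on TestEntryFormatter_Process_JSON_EnterpriseToken lists `jwt_audience`, but the key the formatter writes and this test asserts is `jwt_audience_claim` (`result.Auth.Metadata["jwt_audience_claim"]`), so the comment line should read `// jwt_audience_claim, jwt_authorization_details) are correctly`. The test and helper names (`TestMergeEnterpriseTokenMetadata`, the `*_EnterpriseToken` tests, `tokenMetadata`) still use the old vocabulary while the fields and keys they check now say Jwt; renaming them in the same change, or adding a one-line comment noting that "enterprise token" in these test names refers to the OAuth JWT, would keep the two readable together.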
|
||||
|
|
|
|||
|
|
@ -435,18 +435,18 @@ func TestHashWalker_TimeStructs(t *testing.T) {
|
|||
|
||||
// TestCopy_request_EnterpriseTokenFields verifies that copystructure.Copy
|
||||
// correctly deep-copies a logical.Request that carries enterprise token fields,
|
||||
// including EnterpriseTokenAuthorizationDetails which is []map[string]any and
|
||||
// including JwtAuthorizationDetails which is []map[string]any and
|
||||
// would silently lose data under a shallow copy.
|
||||
func TestCopy_request_EnterpriseTokenFields(t *testing.T) {
|
||||
expected := logical.Request{
|
||||
Data: map[string]interface{}{
|
||||
"foo": "bar",
|
||||
},
|
||||
EnterpriseTokenMetadata: "test-token-abc",
|
||||
EnterpriseTokenIssuer: "https://issuer.example.com",
|
||||
EnterpriseTokenTransaction: "txn-copy-1",
|
||||
EnterpriseTokenAudience: []string{"vault", "api"},
|
||||
EnterpriseTokenAuthorizationDetails: []logical.AuthorizationDetail{
|
||||
JwtUniqueId: "test-token-abc",
|
||||
JwtIssuer: "https://issuer.example.com",
|
||||
JwtTransactionClaim: "txn-copy-1",
|
||||
JwtAudienceClaim: []string{"vault", "api"},
|
||||
JwtAuthorizationDetails: []logical.AuthorizationDetail{
|
||||
{
|
||||
"type": "vault:path_access",
|
||||
"path_constraint": "secret/data/users/alice",
|
||||
|
|
|
|||
|
|
@ -5,6 +5,6 @@
|
|||
|
||||
package consts
|
||||
|
||||
func GetEnterpriseTokenPrefix() string {
|
||||
func GetOAuthJwtPrefix() string {
|
||||
return "unimplemented"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -141,25 +141,25 @@ type Request struct {
|
|||
// hashed.
|
||||
ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`
|
||||
|
||||
// EnterpriseTokenMetadata stores enterprise token metadata.
|
||||
EnterpriseTokenMetadata string `json:"enterprise_token_metadata" structs:"enterprise_token_metadata" mapstructure:"enterprise_token_metadata" sentinel:""`
|
||||
// JwtUniqueId stores the unique id of JWTs used as part of OAuth authorization to Vault.
|
||||
JwtUniqueId string `json:"jwt_unique_id" structs:"jwt_unique_id" mapstructure:"jwt_unique_id" sentinel:""`
|
||||
|
||||
// EnterpriseTokenIssuer stores the enterprise token issuer.
|
||||
EnterpriseTokenIssuer string `json:"enterprise_token_issuer,omitempty" structs:"enterprise_token_issuer" mapstructure:"enterprise_token_issuer"`
|
||||
// JwtIssuer stores the issuer of JWTs used as part of OAuth authorization to Vault.
|
||||
JwtIssuer string `json:"jwt_issuer,omitempty" structs:"jwt_issuer" mapstructure:"jwt_issuer"`
|
||||
|
||||
// EnterpriseTokenTransaction stores the enterprise token transaction claim.
|
||||
EnterpriseTokenTransaction string `json:"enterprise_token_transaction,omitempty" structs:"enterprise_token_transaction" mapstructure:"enterprise_token_transaction"`
|
||||
// JwtTransactionClaim stores the transaction claim of JWTs used as part of OAuth authorization to Vault.
|
||||
JwtTransactionClaim string `json:"jwt_transaction_claim,omitempty" structs:"jwt_transaction_claim" mapstructure:"jwt_transaction_claim"`
|
||||
|
||||
// EnterpriseTokenAudience stores enterprise token audience values.
|
||||
EnterpriseTokenAudience []string `json:"enterprise_token_audience,omitempty" structs:"enterprise_token_audience" mapstructure:"enterprise_token_audience"`
|
||||
// JwtAudienceClaim stores token audience values of JWTs used as part of OAuth authorization to Vault.
|
||||
JwtAudienceClaim []string `json:"jwt_audience_claim,omitempty" structs:"jwt_audience_claim" mapstructure:"jwt_audience_claim"`
|
||||
|
||||
// EnterpriseTokenAuthorizationDetails stores enterprise token authorization details.
|
||||
EnterpriseTokenAuthorizationDetails []AuthorizationDetail `json:"enterprise_token_authorization_details,omitempty" structs:"enterprise_token_authorization_details" mapstructure:"enterprise_token_authorization_details"`
|
||||
// JwtAuthorizationDetails stores authorization details forr JWTs used as part of OAuth authorization to Vault.
|
||||
JwtAuthorizationDetails []AuthorizationDetail `json:"jwt_authorization_details,omitempty" structs:"jwt_authorization_details" mapstructure:"jwt_authorization_details"`
|
||||
|
||||
// EnterpriseTokenAuthorizationDetailsPresent indicates whether the inbound
|
||||
// enterprise token included an authorization_details claim at all. This lets
|
||||
// JwtAuthorizationDetailsClaimPresent indicates whether the inbound
|
||||
// JWT included an authorization_details claim at all. This lets
|
||||
// callers distinguish "claim missing" from "claim present but empty".
|
||||
EnterpriseTokenAuthorizationDetailsPresent bool `json:"enterprise_token_authorization_details_present,omitempty" structs:"enterprise_token_authorization_details_present" mapstructure:"enterprise_token_authorization_details_present"`
|
||||
JwtAuthorizationDetailsClaimPresent bool `json:"jwt_authorization_details_claim_present,omitempty" structs:"jwt_authorization_details_claim_present" mapstructure:"jwt_authorization_details_claim_present"`
|
||||
|
||||
// ClientTokenAccessor is provided to the core so that the it can get
|
||||
// logged as part of request audit logging.
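Review bot: The doc comment on JwtAuthorizationDetails has a typo, `forr`; it should read `// JwtAuthorizationDetails stores authorization details for JWTs used as part of OAuth authorization to Vault.` The new exported names spell initialisms inconsistently with Go convention (`JwtUniqueId` rather than `JWTUniqueID`, `JwtIssuer` rather than `JWTIssuer`), which is worth settling now since every caller will have to spell these fields. The `json:`/`structs:` tags (`jwt_unique_id`, `jwt_audience_claim`, …) are serialized into audit entries, so they are a wire schema and not just field names; a comment saying so would discourage casual future renames. Only JwtUniqueId carries the `sentinel:""` tag that the other JWT fields lack — presumably deliberate, but a one-line comment on why would help. The Request struct begins above this hunk.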
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@ package vault
|
|||
|
||||
import "errors"
|
||||
|
||||
func resolveEnterpriseTokenIDForLookup(_ string) (string, error) {
|
||||
func resolveOAuthJwtIdForLookup(_ string) (string, error) {
|
||||
return "", errors.New("enterprise build required")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1856,7 +1856,7 @@ func (m *ExpirationManager) FetchLeaseTimesByToken(ctx context.Context, te *logi
|
|||
ClientTokenType: logical.TokenTypeEnt,
|
||||
}, nil
|
||||
}
|
||||
return nil, errors.New("enterprise token has no valid expiration time")
|
||||
return nil, errors.New("JWT has no valid expiration time")
|
||||
}
|
||||
|
||||
tokenNS, err := NamespaceByID(ctx, te.NamespaceID, m.core)
|
||||
|
|
@ -2155,7 +2155,7 @@ func (m *ExpirationManager) revokeEntry(ctx context.Context, le *leaseEntry) err
|
|||
|
||||
// ent tokens are managed by external IdPs and should not be revoked through Vault backends
|
||||
if le.ClientTokenType == logical.TokenTypeEnt {
|
||||
return errors.New("enterprise tokens are managed by external IdPs and cannot be revoked by Vault")
|
||||
return errors.New("JWTs are managed by external IdPs and cannot be revoked by Vault")
|
||||
}
|
||||
|
||||
if err := m.tokenStore.revokeTree(ctx, le); err != nil {
|
||||
|
|
@ -2209,7 +2209,7 @@ func (m *ExpirationManager) renewAuthEntry(ctx context.Context, req *logical.Req
|
|||
}
|
||||
|
||||
if le.ClientTokenType == logical.TokenTypeEnt {
|
||||
return logical.ErrorResponse("enterprise tokens cannot be renewed"), nil
|
||||
return logical.ErrorResponse("JWTs cannot be renewed"), nil
|
||||
}
|
||||
|
||||
auth := *le.Auth
|
||||
|
|
@ -2354,7 +2354,7 @@ func (m *ExpirationManager) createIndexByToken(ctx context.Context, le *leaseEnt
|
|||
saltCtx := namespace.ContextWithNamespace(ctx, namespace.RootNamespace)
|
||||
// For enterprise token IDs, derive namespace context from the lease rather than
|
||||
// parsing token segments.
|
||||
if IsEnterpriseTokenId(token) {
|
||||
if IsOAuthJwtId(token) {
|
||||
ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -2400,7 +2400,7 @@ func (m *ExpirationManager) createIndexByToken(ctx context.Context, le *leaseEnt
|
|||
func (m *ExpirationManager) indexByToken(ctx context.Context, le *leaseEntry) (*logical.StorageEntry, error) {
|
||||
tokenNS := namespace.RootNamespace
|
||||
saltCtx := namespace.ContextWithNamespace(ctx, tokenNS)
|
||||
if IsEnterpriseTokenId(le.ClientToken) {
|
||||
if IsOAuthJwtId(le.ClientToken) {
|
||||
ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -2444,7 +2444,7 @@ func (m *ExpirationManager) indexByToken(ctx context.Context, le *leaseEntry) (*
|
|||
func (m *ExpirationManager) removeIndexByToken(ctx context.Context, le *leaseEntry, token string) error {
|
||||
tokenNS := namespace.RootNamespace
|
||||
saltCtx := namespace.ContextWithNamespace(ctx, namespace.RootNamespace)
|
||||
if IsEnterpriseTokenId(token) {
|
||||
if IsOAuthJwtId(token) {
|
||||
ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -3062,7 +3062,7 @@ func (le *leaseEntry) renewable() (bool, error) {
|
|||
return false, nil
|
||||
|
||||
case le.ClientTokenType == logical.TokenTypeEnt:
|
||||
return false, fmt.Errorf("enterprise tokens cannot be renewed")
|
||||
return false, fmt.Errorf("JWTs cannot be renewed")
|
||||
|
||||
// Determine if the lease is expired
|
||||
case le.ExpireTime.Before(time.Now()):
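Review bot: The reworded errors `JWTs cannot be renewed` and `JWTs are managed by external IdPs and cannot be revoked by Vault` are gated on `le.ClientTokenType == logical.TokenTypeEnt`, but tokens issued by Vault's own jwt auth method are ordinary service tokens that are renewable and revocable, so an operator reading the message cannot tell which kind of credential was rejected; name the type, e.g. `return false, errors.New("OAuth JWT bearer tokens are managed by the external IdP and cannot be renewed by Vault")`. The `fmt.Errorf("JWTs cannot be renewed")` in renewable() has no format verbs and should be `errors.New`, which this file already uses in the hunks above. The comment `// ent tokens are managed by external IdPs ...` in revokeEntry still carries the old wording.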
|
||||
|
|
|
|||
|
|
@ -240,28 +240,28 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
|
|||
return nil, nil, nil, nil, ErrInternalError
|
||||
}
|
||||
|
||||
var secondEntity *identity.Entity
|
||||
if IsEnterpriseToken(req.ClientToken) {
|
||||
isValidEnterpriseToken, tokenMetadataContainer, entity, actorEntity, chosenProfile, err := c.validateEnterpriseTokenAndFetchEntity(ctx, req.ClientToken)
|
||||
var actorEntity *identity.Entity
|
||||
if IsOAuthJwt(req.ClientToken) {
|
||||
isValidEnterpriseJwt, tokenMetadataContainer, entity, jwtActor, chosenProfile, err := c.validateOAuthJwtAndFetchEntity(ctx, req.ClientToken)
|
||||
if err != nil {
|
||||
c.logger.Error("failed to validate enterprise token", "error", err)
|
||||
c.logger.Error("failed to validate jwt", "error", err)
|
||||
}
|
||||
if !isValidEnterpriseToken {
|
||||
if !isValidEnterpriseJwt {
|
||||
return nil, nil, nil, nil, logical.ErrPermissionDenied
|
||||
}
|
||||
req.EnterpriseTokenMetadata = getEnterpriseTokenMetadata(tokenMetadataContainer)
|
||||
req.EnterpriseTokenIssuer = getEnterpriseTokenIssuer(tokenMetadataContainer)
|
||||
req.EnterpriseTokenTransaction = getEnterpriseTokenTransaction(tokenMetadataContainer)
|
||||
req.EnterpriseTokenAudience = getEnterpriseTokenAudience(tokenMetadataContainer)
|
||||
_, req.EnterpriseTokenAuthorizationDetailsPresent = tokenMetadataContainer["authorization_details"]
|
||||
req.EnterpriseTokenAuthorizationDetails = getEnterpriseTokenAuthorizationDetails(tokenMetadataContainer)
|
||||
secondEntity = actorEntity
|
||||
err = c.createAndStoreEnterpriseTokenEntry(ctx, req, tokenMetadataContainer, entity, actorEntity, chosenProfile)
|
||||
req.JwtUniqueId = getJwtUniqueId(tokenMetadataContainer)
|
||||
req.JwtIssuer = getJwtIssuer(tokenMetadataContainer)
|
||||
req.JwtTransactionClaim = getJwtTransaction(tokenMetadataContainer)
|
||||
req.JwtAudienceClaim = getJwtAudience(tokenMetadataContainer)
|
||||
_, req.JwtAuthorizationDetailsClaimPresent = tokenMetadataContainer["authorization_details"]
|
||||
req.JwtAuthorizationDetails = getJwtAuthorizationDetails(tokenMetadataContainer)
|
||||
actorEntity = jwtActor
|
||||
err = c.createAndStoreOAuthJwtTokenEntry(ctx, req, tokenMetadataContainer, entity, jwtActor, chosenProfile)
|
||||
if err != nil {
|
||||
if c.perfStandby && errors.Is(err, logical.ErrReadOnly) {
|
||||
return nil, nil, nil, nil, logical.ErrPerfStandbyPleaseForward
|
||||
}
|
||||
return nil, nil, nil, nil, multierror.Append(err, errors.New("failed in processing enterprise token"))
|
||||
return nil, nil, nil, nil, multierror.Append(err, errors.New("failed in processing jwt"))
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -270,8 +270,8 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
|
|||
switch req.TokenEntry() {
|
||||
case nil:
|
||||
var err error
|
||||
if IsEnterpriseToken(req.ClientToken) {
|
||||
te, err = c.tokenStore.Lookup(ctx, getEnterpriseTokenId(req.EnterpriseTokenMetadata))
|
||||
if IsOAuthJwt(req.ClientToken) {
|
||||
te, err = c.tokenStore.Lookup(ctx, getOAuthJwtId(req.JwtUniqueId))
|
||||
} else {
|
||||
te, err = c.tokenStore.Lookup(ctx, req.ClientToken)
|
||||
}
|
||||
|
|
@ -290,12 +290,12 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
|
|||
return nil, nil, nil, nil, multierror.Append(logical.ErrPermissionDenied, logical.ErrInvalidToken)
|
||||
}
|
||||
|
||||
if secondEntity != nil {
|
||||
if actorEntity != nil {
|
||||
if req.Auth == nil {
|
||||
req.Auth = &logical.Auth{}
|
||||
}
|
||||
req.Auth.ActorEntityID = secondEntity.ID
|
||||
req.Auth.ActorEntityName = secondEntity.Name
|
||||
req.Auth.ActorEntityID = actorEntity.ID
|
||||
req.Auth.ActorEntityName = actorEntity.Name
|
||||
}
|
||||
|
||||
// CIDR checks bind all tokens except non-expiring root tokens
|
||||
|
|
@ -348,15 +348,15 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
|
|||
policyNames[nsID] = policyutil.SanitizePolicies(append(policyNames[nsID], nsPolicies...), false)
|
||||
}
|
||||
|
||||
var secondEntityPolicyNames map[string][]string
|
||||
if secondEntity != nil {
|
||||
c.logger.Debug("building separate ACL for second entity", "entity_id", secondEntity.ID)
|
||||
secondEntityPolicyNames = make(map[string][]string)
|
||||
secondEntityIdentityPolicies, err := c.fetchCeilingPolicies(ctx, secondEntity)
|
||||
var actorEntityPolicyNames map[string][]string
|
||||
if actorEntity != nil {
|
||||
c.logger.Debug("building separate ACL for actor entity", "entity_id", actorEntity.ID)
|
||||
actorEntityPolicyNames = make(map[string][]string)
|
||||
actorEntityIdentityPolicies, err := c.fetchCeilingPolicies(ctx, actorEntity)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
}
|
||||
allowOnly, err := c.allPoliciesAllowOnly(ctx, secondEntityIdentityPolicies)
|
||||
allowOnly, err := c.allPoliciesAllowOnly(ctx, actorEntityIdentityPolicies)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, ErrInternalError
|
||||
}
|
||||
|
|
@ -364,8 +364,8 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
|
|||
return nil, nil, nil, nil, logical.ErrPermissionDenied
|
||||
}
|
||||
// Store second entity policies separately - do NOT merge with primary entity's policies
|
||||
for nsID, nsPolicies := range secondEntityIdentityPolicies {
|
||||
secondEntityPolicyNames[nsID] = policyutil.SanitizePolicies(nsPolicies, false)
|
||||
for nsID, nsPolicies := range actorEntityIdentityPolicies {
|
||||
actorEntityPolicyNames[nsID] = policyutil.SanitizePolicies(nsPolicies, false)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -409,8 +409,8 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
|
|||
return nil, nil, nil, nil, ErrInternalError
|
||||
}
|
||||
|
||||
if secondEntity != nil {
|
||||
newAcl, err := c.performSecondaryEntityTokenChecks(tokenCtx, acl, secondEntity, secondEntityPolicyNames)
|
||||
if actorEntity != nil {
|
||||
newAcl, err := c.performDelegationTokenChecks(tokenCtx, acl, actorEntity, actorEntityPolicyNames)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
}
|
||||
|
|
@ -643,7 +643,7 @@ func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool
|
|||
auth.ActorEntityName = req.Auth.ActorEntityName
|
||||
}
|
||||
// Copy authorization details from the request to auth so plugins can access them.
|
||||
auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
|
||||
auth.AuthorizationDetails = req.JwtAuthorizationDetails
|
||||
|
||||
twoStepRecover := req.Operation == logical.RecoverOperation && req.RecoverSourcePath != "" && req.RecoverSourcePath != req.Path
|
||||
var alternateRecoverCapability *logical.Operation
|
||||
|
|
@ -926,7 +926,7 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
|
|||
if !ok {
|
||||
return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
|
||||
}
|
||||
if IsSSCToken(token.(string)) && !IsEnterpriseToken(token.(string)) {
|
||||
if IsSSCToken(token.(string)) && !IsOAuthJwt(token.(string)) {
|
||||
token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
|
||||
// If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
|
||||
// should receive a 403 bad token error like they do for all other invalid tokens, unless the error
|
||||
|
|
@ -1248,13 +1248,13 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
|
|||
// these requests.
|
||||
if ctErr == nil && te != nil && te.Type == logical.TokenTypeEnt && !te.IsStorageBacked() &&
|
||||
requiresMaterializedTokenState(req.Path) {
|
||||
materializedReq, matErr := c.materializeEnterpriseTokenForUsage(ctx, req, auth, c.perfStandby)
|
||||
materializedReq, matErr := c.materializeOAuthJwtForUsage(ctx, req, auth, c.perfStandby)
|
||||
if matErr != nil {
|
||||
if errors.Is(matErr, logical.ErrPerfStandbyPleaseForward) {
|
||||
restoreForwardingTokenHeaders(req)
|
||||
return nil, nil, matErr
|
||||
}
|
||||
c.logger.Error("failed to materialize enterprise token for token endpoint", "request_path", req.Path, "error", matErr)
|
||||
c.logger.Error("failed to materialize jwt for token endpoint", "request_path", req.Path, "error", matErr)
|
||||
retErr = multierror.Append(retErr, ErrInternalError)
|
||||
return nil, auth, retErr
|
||||
}
|
||||
|
|
@ -1545,13 +1545,13 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
|
|||
if registerLease {
|
||||
registerReq := req
|
||||
if te := req.TokenEntry(); te != nil && !te.IsStorageBacked() {
|
||||
registerReq, err = c.materializeEnterpriseTokenForUsage(ctx, req, auth, c.perfStandby)
|
||||
registerReq, err = c.materializeOAuthJwtForUsage(ctx, req, auth, c.perfStandby)
|
||||
if err != nil {
|
||||
if errors.Is(err, logical.ErrPerfStandbyPleaseForward) {
|
||||
restoreForwardingTokenHeaders(req)
|
||||
return nil, nil, err
|
||||
}
|
||||
c.logger.Error("failed to materialize enterprise token for lease", "request_path", req.Path, "error", err)
|
||||
c.logger.Error("failed to materialize jwt for lease", "request_path", req.Path, "error", err)
|
||||
retErr = multierror.Append(retErr, ErrInternalError)
|
||||
return nil, auth, retErr
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,43 +15,39 @@ import (
|
|||
|
||||
type OAuthResourceServerConfigProfile struct{}
|
||||
|
||||
func (c *Core) validateEnterpriseTokenAndFetchEntity(ctx context.Context, tokenString string) (bool, map[string]interface{}, *identity.Entity, *identity.Entity, *OAuthResourceServerConfigProfile, error) {
|
||||
func (c *Core) validateOAuthJwtAndFetchEntity(ctx context.Context, tokenString string) (bool, map[string]interface{}, *identity.Entity, *identity.Entity, *OAuthResourceServerConfigProfile, error) {
|
||||
return false, nil, nil, nil, nil, errors.New("not implemented")
|
||||
}
|
||||
|
||||
func (c *Core) createAndStoreEnterpriseTokenEntry(ctx context.Context, req *logical.Request, allClaims map[string]interface{}, entity *identity.Entity, actorEntity *identity.Entity, chosenProfile *OAuthResourceServerConfigProfile) error {
|
||||
func (c *Core) createAndStoreOAuthJwtTokenEntry(ctx context.Context, req *logical.Request, allClaims map[string]interface{}, entity *identity.Entity, actorEntity *identity.Entity, chosenProfile *OAuthResourceServerConfigProfile) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func isActivationFlagEnabledForEnterpriseToken(c *Core) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func getEnterpriseTokenMetadata(_ map[string]interface{}) string {
|
||||
func getJwtUniqueId(_ map[string]interface{}) string {
|
||||
return ""
|
||||
}
|
||||
|
||||
func getEnterpriseTokenIssuer(_ map[string]interface{}) string {
|
||||
func getJwtIssuer(_ map[string]interface{}) string {
|
||||
return ""
|
||||
}
|
||||
|
||||
func getEnterpriseTokenTransaction(_ map[string]interface{}) string {
|
||||
func getJwtTransaction(_ map[string]interface{}) string {
|
||||
return ""
|
||||
}
|
||||
|
||||
func getEnterpriseTokenAudience(_ map[string]interface{}) []string {
|
||||
func getJwtAudience(_ map[string]interface{}) []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
func getEnterpriseTokenAuthorizationDetails(_ map[string]interface{}) []logical.AuthorizationDetail {
|
||||
func getJwtAuthorizationDetails(_ map[string]interface{}) []logical.AuthorizationDetail {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Core) materializeEnterpriseTokenForUsage(_ context.Context, req *logical.Request, _ *logical.Auth, _ bool) (*logical.Request, error) {
|
||||
func (c *Core) materializeOAuthJwtForUsage(_ context.Context, req *logical.Request, _ *logical.Auth, _ bool) (*logical.Request, error) {
|
||||
return req, nil
|
||||
}
|
||||
|
||||
func (c *Core) performSecondaryEntityTokenChecks(_ context.Context, _ *ACL, _ *identity.Entity, _ map[string][]string) (*ACL, error) {
|
||||
func (c *Core) performDelegationTokenChecks(_ context.Context, _ *ACL, _ *identity.Entity, _ map[string][]string) (*ACL, error) {
|
||||
return nil, errors.New("not implemented")
|
||||
}
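Review bot: `isActivationFlagEnabledForEnterpriseToken` in the middle of this hunk is the one stub that keeps the old `EnterpriseToken` name while every neighbouring function is renamed to the `OAuthJwt`/`Jwt` form; if it is meant to keep its name, a one-line comment saying so would stop the next reader from treating it as an oversight, otherwise it should follow the others (something like `isActivationFlagEnabledForOAuthJwt`). The new identifiers also spell the initialism as `Id` (`getJwtUniqueId`, `getOAuthJwtId`, `normalizeOAuthJwtToId`, `IsOAuthJwtId`, defined here and in the two later stub sections) whereas the replaced `normalizeEnterpriseTokenToID` and the surrounding code (`actorEntity.ID`, `entry.ID`) use Go's `ID` form, which is worth aligning in a commit whose purpose is readability. None of these stubs carries a doc comment, and since they are the only definitions a reader of this build sees, a one-liner per function such as `// materializeOAuthJwtForUsage is a no-op in this build; the request is returned unchanged.` would make the fallback behaviour explicit.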
|
||||
|
||||
|
|
|
|||
|
|
@ -829,13 +829,13 @@ func TestAuth_AuthorizationDetails_CopiedFromRequest(t *testing.T) {
|
|||
|
||||
auth := &logical.Auth{}
|
||||
req := &logical.Request{
|
||||
EnterpriseTokenAuthorizationDetails: details,
|
||||
JwtAuthorizationDetails: details,
|
||||
}
|
||||
|
||||
// Simulate the assignment performed in CheckToken.
|
||||
auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
|
||||
auth.AuthorizationDetails = req.JwtAuthorizationDetails
|
||||
|
||||
require.Equal(t, details, auth.AuthorizationDetails, "auth.AuthorizationDetails must equal req.EnterpriseTokenAuthorizationDetails")
|
||||
require.Equal(t, details, auth.AuthorizationDetails, "auth.AuthorizationDetails must equal req.JwtAuthorizationDetails")
|
||||
}
|
||||
|
||||
// TestAuth_AuthorizationDetails_NilWhenAbsent verifies that auth.AuthorizationDetails is nil
|
||||
|
|
@ -846,7 +846,7 @@ func TestAuth_AuthorizationDetails_NilWhenAbsent(t *testing.T) {
|
|||
auth := &logical.Auth{}
|
||||
req := &logical.Request{}
|
||||
|
||||
auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
|
||||
auth.AuthorizationDetails = req.JwtAuthorizationDetails
|
||||
|
||||
require.Nil(t, auth.AuthorizationDetails)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1166,7 +1166,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
|
|||
if tokenNS.ID != namespace.RootNamespaceID ||
|
||||
strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) ||
|
||||
strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix) ||
|
||||
strings.HasPrefix(entry.ID, consts.GetEnterpriseTokenPrefix()) {
|
||||
strings.HasPrefix(entry.ID, consts.GetOAuthJwtPrefix()) {
|
||||
if entry.CubbyholeID == "" {
|
||||
cubbyholeID, err := base62.Random(TokenLength)
|
||||
if err != nil {
|
||||
|
|
@ -1518,7 +1518,7 @@ func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntr
|
|||
if id == "" {
|
||||
return nil, fmt.Errorf("cannot lookup blank token")
|
||||
}
|
||||
normalizedID := normalizeEnterpriseTokenToID(id)
|
||||
normalizedID := normalizeOAuthJwtToId(id)
|
||||
|
||||
// If it starts with "b." it's a batch token
|
||||
if IsBatchToken(normalizedID) {
|
||||
|
|
@ -1650,7 +1650,7 @@ func (ts *TokenStore) lookupInternal(ctx context.Context, id string, salted, tai
|
|||
// If possible, always use the token's namespace. If it doesn't match
|
||||
// the request namespace, ensure the request namespace is a child
|
||||
_, nsID := namespace.SplitIDFromString(id)
|
||||
if nsID != "" || strings.HasPrefix(id, consts.GetEnterpriseTokenPrefix()) {
|
||||
if nsID != "" || strings.HasPrefix(id, consts.GetOAuthJwtPrefix()) {
|
||||
tokenNS, err := NamespaceByID(ctx, nsID, ts.core)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to look up namespace from the token: %w", err)
|
||||
|
|
@ -2683,9 +2683,9 @@ func (ts *TokenStore) handleCreate(ctx context.Context, req *logical.Request, d
|
|||
|
||||
// handleCreateCommon handles the auth/token/create path for creation of new tokens
|
||||
func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Request, d *framework.FieldData, orphan bool, role *tsRoleEntry) (*logical.Response, error) {
|
||||
normalizedClientToken := normalizeEnterpriseTokenToID(req.ClientToken)
|
||||
if !orphan && IsEnterpriseTokenId(normalizedClientToken) {
|
||||
return logical.ErrorResponse("enterprise tokens cannot create child tokens"), logical.ErrInvalidRequest
|
||||
normalizedClientToken := normalizeOAuthJwtToId(req.ClientToken)
|
||||
if !orphan && IsOAuthJwtId(normalizedClientToken) {
|
||||
return logical.ErrorResponse("JWTs cannot create child tokens"), logical.ErrInvalidRequest
|
||||
}
|
||||
|
||||
// Read the parent policy
|
||||
|
|
@ -3355,9 +3355,9 @@ func (ts *TokenStore) handleRevokeTree(ctx context.Context, req *logical.Request
|
|||
}
|
||||
|
||||
func (ts *TokenStore) revokeCommon(ctx context.Context, req *logical.Request, data *framework.FieldData, id string) (*logical.Response, error) {
|
||||
normalizedID := normalizeEnterpriseTokenToID(id)
|
||||
if IsEnterpriseTokenId(normalizedID) {
|
||||
return logical.ErrorResponse("cannot revoke ent token"), nil
|
||||
normalizedID := normalizeOAuthJwtToId(id)
|
||||
if IsOAuthJwtId(normalizedID) {
|
||||
return logical.ErrorResponse("cannot revoke JWTs"), nil
|
||||
}
|
||||
te, err := ts.Lookup(ctx, id)
|
||||
if err != nil {
|
||||
|
|
@ -3403,9 +3403,9 @@ func (ts *TokenStore) handleRevokeOrphan(ctx context.Context, req *logical.Reque
|
|||
return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
|
||||
}
|
||||
|
||||
normalizedID := normalizeEnterpriseTokenToID(id)
|
||||
if IsEnterpriseTokenId(normalizedID) {
|
||||
return logical.ErrorResponse("enterprise token cannot be revoked"), nil
|
||||
normalizedID := normalizeOAuthJwtToId(id)
|
||||
if IsOAuthJwtId(normalizedID) {
|
||||
return logical.ErrorResponse("JWTs cannot be revoked"), nil
|
||||
}
|
||||
|
||||
// Do a lookup. Among other things, that will ensure that this is either
|
||||
|
|
@ -3445,15 +3445,15 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da
|
|||
if id == "" {
|
||||
return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
|
||||
}
|
||||
if IsEnterpriseToken(id) {
|
||||
if IsOAuthJwt(id) {
|
||||
// If the token specified in the request body is different from the caller's
|
||||
// token, resolve the token ID based on the body token's claims (JTI) instead
|
||||
// of req.EnterpriseTokenMetadata, otherwise we may silently return the caller's
|
||||
// of req.JwtUniqueId, otherwise we may silently return the caller's
|
||||
// own token entry or fail for non-Enterprise token callers.
|
||||
if id == req.ClientToken {
|
||||
id = getEnterpriseTokenId(req.EnterpriseTokenMetadata)
|
||||
id = getOAuthJwtId(req.JwtUniqueId)
|
||||
} else {
|
||||
resolvedID, err := resolveEnterpriseTokenIDForLookup(id)
|
||||
resolvedID, err := resolveOAuthJwtIdForLookup(id)
|
||||
if err != nil {
|
||||
return logical.ErrorResponse("invalid token"), logical.ErrInvalidRequest
|
||||
}
|
||||
|
|
@ -3571,9 +3571,9 @@ func (ts *TokenStore) handleRenew(ctx context.Context, req *logical.Request, dat
|
|||
if id == "" {
|
||||
return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest
|
||||
}
|
||||
normalizedID := normalizeEnterpriseTokenToID(id)
|
||||
if IsEnterpriseTokenId(normalizedID) {
|
||||
return logical.ErrorResponse("enterprise tokens cannot be renewed"), nil
|
||||
normalizedID := normalizeOAuthJwtToId(id)
|
||||
if IsOAuthJwtId(normalizedID) {
|
||||
return logical.ErrorResponse("JWTs cannot be renewed"), nil
|
||||
}
|
||||
incrementRaw := data.Get("increment").(int)
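Review bot: The comment inside `handleLookup` still ends with `// own token entry or fail for non-Enterprise token callers.` after the identifiers around it were renamed, so it now mixes the old and new vocabulary; suggest `// own token entry or fail for callers that did not authenticate with an OAuth JWT.` The three refusals this section rewords describe the same condition three ways — `"cannot revoke JWTs"` in revokeCommon, `"JWTs cannot be revoked"` in handleRevokeOrphan, `"JWTs cannot be renewed"` in handleRenew — and settling on one pattern (`JWTs cannot be revoked` / `JWTs cannot be renewed`) keeps the client-facing strings consistent and greppable. Since these messages reach clients, anything that matched on the previous `enterprise token` wording presumably needs updating alongside. The enclosing functions all start outside their hunks.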
|
||||
|
||||
|
|
|
|||
|
|
@ -12,11 +12,11 @@ import (
|
|||
"github.com/hashicorp/vault/helper/namespace"
|
||||
)
|
||||
|
||||
func getEnterpriseTokenId(_ string) string {
|
||||
func getOAuthJwtId(_ string) string {
|
||||
return ""
|
||||
}
|
||||
|
||||
func normalizeEnterpriseTokenToID(token string) string {
|
||||
func normalizeOAuthJwtToId(token string) string {
|
||||
return token
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,10 +5,10 @@
|
|||
|
||||
package vault
|
||||
|
||||
func IsEnterpriseToken(token string) bool {
|
||||
func IsOAuthJwt(token string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func IsEnterpriseTokenId(tokenID string) bool {
|
||||
func IsOAuthJwtId(tokenID string) bool {
|
||||
return false
|
||||
}
|
||||
|
|
|
|||