diff --git a/audit/entry_formatter.go b/audit/entry_formatter.go
index 56611544ac..a57f013cf5 100644
--- a/audit/entry_formatter.go
+++ b/audit/entry_formatter.go
@@ -261,39 +261,39 @@ func mergeEnterpriseTokenMetadata(a *auth, req *logical.Request) error {
 return nil
 }
- if req.EnterpriseTokenMetadata == "" &&
- req.EnterpriseTokenIssuer == "" &&
- req.EnterpriseTokenTransaction == "" &&
- len(req.EnterpriseTokenAudience) == 0 &&
- len(req.EnterpriseTokenAuthorizationDetails) == 0 {
+ if req.JwtUniqueId == "" &&
+ req.JwtIssuer == "" &&
+ req.JwtTransactionClaim == "" &&
+ len(req.JwtAudienceClaim) == 0 &&
+ len(req.JwtAuthorizationDetails) == 0 {
 return nil
 }
 if a.Metadata == nil {
 a.Metadata = make(map[string]string)
 }
- if req.EnterpriseTokenMetadata != "" {
- a.Metadata["enterprise_token_metadata"] = req.EnterpriseTokenMetadata
+ if req.JwtUniqueId != "" {
+ a.Metadata["jwt_unique_id"] = req.JwtUniqueId
 }
- if req.EnterpriseTokenIssuer != "" {
- a.Metadata["enterprise_token_issuer"] = req.EnterpriseTokenIssuer
+ if req.JwtIssuer != "" {
+ a.Metadata["jwt_issuer"] = req.JwtIssuer
 }
- if req.EnterpriseTokenTransaction != "" {
- a.Metadata["enterprise_token_transaction"] = req.EnterpriseTokenTransaction
+ if req.JwtTransactionClaim != "" {
+ a.Metadata["jwt_transaction_claim"] = req.JwtTransactionClaim
 }
- if len(req.EnterpriseTokenAudience) > 0 {
- audJSON, err := json.Marshal(req.EnterpriseTokenAudience)
+ if len(req.JwtAudienceClaim) > 0 {
+ audJSON, err := json.Marshal(req.JwtAudienceClaim)
 if err != nil {
- return fmt.Errorf("unable to marshal enterprise token audience for audit: %w", err)
+ return fmt.Errorf("unable to marshal jwt audience for audit: %w", err)
 }
- a.Metadata["enterprise_token_audience"] = string(audJSON)
+ a.Metadata["jwt_audience_claim"] = string(audJSON)
 }
- if len(req.EnterpriseTokenAuthorizationDetails) > 0 {
- authzJSON, err := json.Marshal(req.EnterpriseTokenAuthorizationDetails)
+ if len(req.JwtAuthorizationDetails) > 0 {
+ authzJSON, err := json.Marshal(req.JwtAuthorizationDetails)
 if err != nil {
- return fmt.Errorf("unable to marshal enterprise token authorization details for audit: %w", err)
+ return fmt.Errorf("unable to marshal jwt authorization details for audit: %w", err)
 }
- a.Metadata["enterprise_token_authorization_details"] = string(authzJSON)
+ a.Metadata["jwt_authorization_details"] = string(authzJSON)
 }
 return nil
 }
diff --git a/audit/entry_formatter_test.go b/audit/entry_formatter_test.go
index f1832daff8..b1040edbc8 100644
--- a/audit/entry_formatter_test.go
+++ b/audit/entry_formatter_test.go
@@ -73,7 +73,7 @@ const testFormatJSONEnterpriseTokenStrFmt = `{
 "metadata": {
 "actor_entity_id": "actor-entity-789",
 "actor_entity_name": "actor-service",
- "enterprise_token_metadata": "test-token-123"
+ "jwt_unique_id": "test-token-123"
 },
 "entity_id": "foobarentity",
 "token_type": "service",
@@ -599,7 +599,7 @@ func TestMergeEnterpriseTokenMetadata(t *testing.T) {
 ExpectedTransaction string
 }{
 "metadata-present": {
- Input: &logical.Request{ID: "req-1", EnterpriseTokenMetadata: "token-abc"},
+ Input: &logical.Request{ID: "req-1", JwtUniqueId: "token-abc"},
 ExpectedMetadata: "token-abc",
 },
 "metadata-absent": {
@@ -608,18 +608,18 @@ func TestMergeEnterpriseTokenMetadata(t *testing.T) {
 },
 "issuer-present": {
 Input: &logical.Request{
- ID: "req-3",
- EnterpriseTokenMetadata: "token-xyz",
- EnterpriseTokenIssuer: "https://issuer.example.com",
+ ID: "req-3",
+ JwtUniqueId: "token-xyz",
+ JwtIssuer: "https://issuer.example.com",
 },
 ExpectedMetadata: "token-xyz",
 ExpectedIssuer: "https://issuer.example.com",
 },
 "transaction-present": {
 Input: &logical.Request{
- ID: "req-4",
- EnterpriseTokenMetadata: "token-txn",
- EnterpriseTokenTransaction: "txn-123",
+ ID: "req-4",
+ JwtUniqueId: "token-txn",
+ JwtTransactionClaim: "txn-123",
 },
 ExpectedMetadata: "token-txn",
 ExpectedTransaction: "txn-123",
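Review bot: The audit metadata keys written on the new `a.Metadata[...]` lines change from `enterprise_token_*` to `jwt_unique_id`, `jwt_issuer`, `jwt_transaction_claim`, `jwt_audience_claim` and `jwt_authorization_details`, which is a change to the audit log's wire format that downstream consumers (SIEM parsers, detection rules keyed on `auth.metadata.enterprise_token_metadata`) will experience as fields silently disappearing; nothing in the hunk documents it. The function also keeps its pre-rename name `mergeEnterpriseTokenMetadata`, so the name and the keys it now writes disagree. Suggest stating the contract in the function's doc comment, e.g. `// mergeEnterpriseTokenMetadata copies the OAuth JWT claim fields of req into a.Metadata under the jwt_* keys; these key names are part of the audit log format.`, and calling the key change out in the changelog. mergeEnterpriseTokenMetadata's signature lies outside the hunk.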
@@ -648,17 +648,17 @@ func TestMergeEnterpriseTokenMetadata(t *testing.T) {
 require.Equal(t, want, got)
 }
- assertMetadataField("enterprise_token_metadata", tc.ExpectedMetadata)
- assertMetadataField("enterprise_token_issuer", tc.ExpectedIssuer)
- assertMetadataField("enterprise_token_transaction", tc.ExpectedTransaction)
+ assertMetadataField("jwt_unique_id", tc.ExpectedMetadata)
+ assertMetadataField("jwt_issuer", tc.ExpectedIssuer)
+ assertMetadataField("jwt_transaction_claim", tc.ExpectedTransaction)
 })
 }
 }
 // TestEntryFormatter_Process_JSON_EnterpriseToken verifies that enterprise token fields
-// (actor_entity_id, actor_entity_name, enterprise_token_metadata, enterprise_token_issuer,
-// enterprise_token_transaction,
-// enterprise_token_audience, enterprise_token_authorization_details) are correctly
+// (actor_entity_id, actor_entity_name, jwt_unique_id, jwt_issuer,
+// jwt_transaction_claim,
+// jwt_audience, jwt_authorization_details) are correctly
 // serialized into auth.metadata in the JSON audit output, and absent when not set.
 func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
 t.Parallel()
@@ -692,13 +692,13 @@ func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
 TokenType: logical.TokenTypeDefault,
 },
 Req: &logical.Request{
- Operation: logical.ReadOperation,
- Path: "/cubbyhole/test",
- EnterpriseTokenMetadata: "test-token-abc",
- EnterpriseTokenIssuer: "https://issuer.example.com",
- EnterpriseTokenTransaction: "txn-actor-1",
- EnterpriseTokenAudience: []string{"vault"},
- EnterpriseTokenAuthorizationDetails: authzDetails,
+ Operation: logical.ReadOperation,
+ Path: "/cubbyhole/test",
+ JwtUniqueId: "test-token-abc",
+ JwtIssuer: "https://issuer.example.com",
+ JwtTransactionClaim: "txn-actor-1",
+ JwtAudienceClaim: []string{"vault"},
+ JwtAuthorizationDetails: authzDetails,
 Connection: &logical.Connection{
 RemoteAddr: "127.0.0.1",
 },
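Review bot: The rewritten doc comment on TestEntryFormatter_Process_JSON_EnterpriseToken lists `jwt_audience` as one of the metadata keys, but the key the formatter writes and the assertions in the @@ -781 hunk check is `jwt_audience_claim`; the line should read `// jwt_audience_claim, jwt_authorization_details) are correctly`. The test names TestMergeEnterpriseTokenMetadata and TestEntryFormatter_Process_JSON_EnterpriseToken still carry the EnterpriseToken wording the rest of the change replaces, so the rename is visibly partial in this file. The enclosing TestMergeEnterpriseTokenMetadata function begins outside the hunk.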
@@ -721,12 +721,12 @@ func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
 TokenType: logical.TokenTypeDefault,
 },
 Req: &logical.Request{
- Operation: logical.ReadOperation,
- Path: "/cubbyhole/test",
- EnterpriseTokenMetadata: "test-token-xyz",
- EnterpriseTokenIssuer: "https://issuer.example.com",
- EnterpriseTokenTransaction: "txn-base-1",
- EnterpriseTokenAudience: []string{"vault"},
+ Operation: logical.ReadOperation,
+ Path: "/cubbyhole/test",
+ JwtUniqueId: "test-token-xyz",
+ JwtIssuer: "https://issuer.example.com",
+ JwtTransactionClaim: "txn-base-1",
+ JwtAudienceClaim: []string{"vault"},
 Connection: &logical.Connection{
 RemoteAddr: "127.0.0.1",
 },
@@ -781,11 +781,11 @@ func TestEntryFormatter_Process_JSON_EnterpriseToken(t *testing.T) {
 require.Equal(t, tc.WantActorEntityName, result.Auth.Metadata["actor_entity_name"])
 require.NotNil(t, result.Request)
- require.Equal(t, tc.WantMetadata, result.Auth.Metadata["enterprise_token_metadata"])
- require.Equal(t, tc.WantIssuer, result.Auth.Metadata["enterprise_token_issuer"])
- require.Equal(t, tc.WantTransaction, result.Auth.Metadata["enterprise_token_transaction"])
- require.Equal(t, tc.WantAudience, result.Auth.Metadata["enterprise_token_audience"])
- require.Equal(t, tc.WantAuthorizationDetails, result.Auth.Metadata["enterprise_token_authorization_details"])
+ require.Equal(t, tc.WantMetadata, result.Auth.Metadata["jwt_unique_id"])
+ require.Equal(t, tc.WantIssuer, result.Auth.Metadata["jwt_issuer"])
+ require.Equal(t, tc.WantTransaction, result.Auth.Metadata["jwt_transaction_claim"])
+ require.Equal(t, tc.WantAudience, result.Auth.Metadata["jwt_audience_claim"])
+ require.Equal(t, tc.WantAuthorizationDetails, result.Auth.Metadata["jwt_authorization_details"])
 })
 }
 }
@@ -816,12 +816,12 @@ func TestEntryFormatter_Process_Response_EnterpriseToken(t *testing.T) {
 TokenType: logical.TokenTypeDefault,
 },
 Request: &logical.Request{
- Operation: logical.ReadOperation,
- Path: "/secret/data/test",
- EnterpriseTokenMetadata: "resp-token-abc",
- EnterpriseTokenIssuer: "https://issuer.example.com",
- EnterpriseTokenTransaction: "txn-response-1",
- EnterpriseTokenAudience: []string{"vault", "api"},
+ Operation: logical.ReadOperation,
+ Path: "/secret/data/test",
+ JwtUniqueId: "resp-token-abc",
+ JwtIssuer: "https://issuer.example.com",
+ JwtTransactionClaim: "txn-response-1",
+ JwtAudienceClaim: []string{"vault", "api"},
 Connection: &logical.Connection{
 RemoteAddr: "127.0.0.1",
 },
@@ -864,18 +864,18 @@ func TestEntryFormatter_Process_Response_EnterpriseToken(t *testing.T) {
 require.NotNil(t, result.Auth)
 require.Equal(t, "actor-entity-456", result.Auth.Metadata["actor_entity_id"])
 require.Equal(t, "actor-service", result.Auth.Metadata["actor_entity_name"])
- require.Equal(t, "resp-token-abc", result.Auth.Metadata["enterprise_token_metadata"])
- require.Equal(t, "https://issuer.example.com", result.Auth.Metadata["enterprise_token_issuer"])
- require.Equal(t, "txn-response-1", result.Auth.Metadata["enterprise_token_transaction"])
- require.Equal(t, `["vault","api"]`, result.Auth.Metadata["enterprise_token_audience"])
+ require.Equal(t, "resp-token-abc", result.Auth.Metadata["jwt_unique_id"])
+ require.Equal(t, "https://issuer.example.com", result.Auth.Metadata["jwt_issuer"])
+ require.Equal(t, "txn-response-1", result.Auth.Metadata["jwt_transaction_claim"])
+ require.Equal(t, `["vault","api"]`, result.Auth.Metadata["jwt_audience_claim"])
 // Response auth must also have enterprise token fields in metadata
 require.NotNil(t, result.Response)
 require.NotNil(t, result.Response.Auth)
- require.Equal(t, "resp-token-abc", result.Response.Auth.Metadata["enterprise_token_metadata"])
- require.Equal(t, "https://issuer.example.com", result.Response.Auth.Metadata["enterprise_token_issuer"])
- require.Equal(t, "txn-response-1", result.Response.Auth.Metadata["enterprise_token_transaction"])
- require.Equal(t, `["vault","api"]`, result.Response.Auth.Metadata["enterprise_token_audience"])
+ require.Equal(t, "resp-token-abc", result.Response.Auth.Metadata["jwt_unique_id"])
+ require.Equal(t, "https://issuer.example.com", result.Response.Auth.Metadata["jwt_issuer"])
+ require.Equal(t, "txn-response-1", result.Response.Auth.Metadata["jwt_transaction_claim"])
+ require.Equal(t, `["vault","api"]`, result.Response.Auth.Metadata["jwt_audience_claim"])
 }
 // TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel verifies that
@@ -905,13 +905,13 @@ func TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel(t *testi
 TokenType: logical.TokenTypeService,
 },
 Request: &logical.Request{
- Operation: logical.ReadOperation,
- Path: "/secret/data/test",
- EnterpriseTokenMetadata: "test-token-123",
- EnterpriseTokenIssuer: "https://issuer.example.com",
- EnterpriseTokenTransaction: "txn-top-level-1",
- EnterpriseTokenAudience: []string{"vault"},
- EnterpriseTokenAuthorizationDetails: []logical.AuthorizationDetail{{"type": "access"}},
+ Operation: logical.ReadOperation,
+ Path: "/secret/data/test",
+ JwtUniqueId: "test-token-123",
+ JwtIssuer: "https://issuer.example.com",
+ JwtTransactionClaim: "txn-top-level-1",
+ JwtAudienceClaim: []string{"vault"},
+ JwtAuthorizationDetails: []logical.AuthorizationDetail{{"type": "access"}},
 Connection: &logical.Connection{
 RemoteAddr: "127.0.0.1",
 },
@@ -965,23 +965,23 @@ func TestEntryFormatter_EnterpriseTokenFieldsNotOnRequestOrAuthTopLevel(t *testi
 require.True(t, ok)
 require.Equal(t, "actor-service", entityName)
- tokenMetadata, ok := metadataMap["enterprise_token_metadata"]
+ tokenMetadata, ok := metadataMap["jwt_unique_id"]
 require.True(t, ok)
 require.Equal(t, "test-token-123", tokenMetadata)
- tokenIssuer, ok := metadataMap["enterprise_token_issuer"]
+ tokenIssuer, ok := metadataMap["jwt_issuer"]
 require.True(t, ok)
 require.Equal(t, "https://issuer.example.com", tokenIssuer)
- tokenTransaction, ok := metadataMap["enterprise_token_transaction"]
+ tokenTransaction, ok := metadataMap["jwt_transaction_claim"]
 require.True(t, ok)
 require.Equal(t, "txn-top-level-1", tokenTransaction)
- tokenAudience, ok := metadataMap["enterprise_token_audience"]
+ tokenAudience, ok := metadataMap["jwt_audience_claim"]
 require.True(t, ok)
 require.Equal(t, `["vault"]`, tokenAudience)
- tokenAuthzDetails, ok := metadataMap["enterprise_token_authorization_details"]
+ tokenAuthzDetails, ok := metadataMap["jwt_authorization_details"]
 require.True(t, ok)
 require.Contains(t, tokenAuthzDetails, `"type":"access"`)
 }
@@ -1296,9 +1296,9 @@ func TestEntryFormatter_Process_JSON(t *testing.T) {
 },
 },
 &logical.Request{
- Operation: logical.UpdateOperation,
- Path: "/foo",
- EnterpriseTokenMetadata: "test-token-123",
+ Operation: logical.UpdateOperation,
+ Path: "/foo",
+ JwtUniqueId: "test-token-123",
 Connection: &logical.Connection{
 RemoteAddr: "127.0.0.1",
 },
@@ -1749,12 +1749,12 @@ func TestEntryFormatter_Process_NoMutation_WithEnterpriseToken(t *testing.T) {
 TokenType: logical.TokenTypeService,
 },
 Request: &logical.Request{
- Operation: logical.ReadOperation,
- Path: "/cubbyhole/test",
- EnterpriseTokenMetadata: "test-token-abc",
- EnterpriseTokenIssuer: "https://issuer.example.com",
- EnterpriseTokenAudience: []string{"vault", "api"},
- EnterpriseTokenAuthorizationDetails: authzDetails,
+ Operation: logical.ReadOperation,
+ Path: "/cubbyhole/test",
+ JwtUniqueId: "test-token-abc",
+ JwtIssuer: "https://issuer.example.com",
+ JwtAudienceClaim: []string{"vault", "api"},
+ JwtAuthorizationDetails: authzDetails,
 Connection: &logical.Connection{
 RemoteAddr: "127.0.0.1",
 },
@@ -1762,9 +1762,9 @@ func TestEntryFormatter_Process_NoMutation_WithEnterpriseToken(t *testing.T) {
 }
 // Snapshot the enterprise token field values before processing.
- wantMetadata := in.Request.EnterpriseTokenMetadata
- wantIssuer := in.Request.EnterpriseTokenIssuer
- wantAudience := append([]string(nil), in.Request.EnterpriseTokenAudience...)
+ wantMetadata := in.Request.JwtUniqueId
+ wantIssuer := in.Request.JwtIssuer
+ wantAudience := append([]string(nil), in.Request.JwtAudienceClaim...)
 e := fakeEvent(t, RequestType, in)
@@ -1776,10 +1776,10 @@ func TestEntryFormatter_Process_NoMutation_WithEnterpriseToken(t *testing.T) {
 require.NotEqual(t, e2, e)
 // The original request's enterprise token fields must be unchanged.
- require.Equal(t, wantMetadata, in.Request.EnterpriseTokenMetadata)
- require.Equal(t, wantIssuer, in.Request.EnterpriseTokenIssuer)
- require.Equal(t, wantAudience, in.Request.EnterpriseTokenAudience)
- require.Equal(t, authzDetails, in.Request.EnterpriseTokenAuthorizationDetails)
+ require.Equal(t, wantMetadata, in.Request.JwtUniqueId)
+ require.Equal(t, wantIssuer, in.Request.JwtIssuer)
+ require.Equal(t, wantAudience, in.Request.JwtAudienceClaim)
+ require.Equal(t, authzDetails, in.Request.JwtAuthorizationDetails)
 }
 // which will currently cause a panic when a response is formatted due to the
diff --git a/audit/hashstructure_test.go b/audit/hashstructure_test.go
index b8396a3e6f..a44fefa5ff 100644
--- a/audit/hashstructure_test.go
+++ b/audit/hashstructure_test.go
@@ -435,18 +435,18 @@ func TestHashWalker_TimeStructs(t *testing.T) {
 // TestCopy_request_EnterpriseTokenFields verifies that copystructure.Copy
 // correctly deep-copies a logical.Request that carries enterprise token fields,
-// including EnterpriseTokenAuthorizationDetails which is []map[string]any and
+// including JwtAuthorizationDetails which is []map[string]any and
 // would silently lose data under a shallow copy.
 func TestCopy_request_EnterpriseTokenFields(t *testing.T) {
 expected := logical.Request{
 Data: map[string]interface{}{
 "foo": "bar",
 },
- EnterpriseTokenMetadata: "test-token-abc",
- EnterpriseTokenIssuer: "https://issuer.example.com",
- EnterpriseTokenTransaction: "txn-copy-1",
- EnterpriseTokenAudience: []string{"vault", "api"},
- EnterpriseTokenAuthorizationDetails: []logical.AuthorizationDetail{
+ JwtUniqueId: "test-token-abc",
+ JwtIssuer: "https://issuer.example.com",
+ JwtTransactionClaim: "txn-copy-1",
+ JwtAudienceClaim: []string{"vault", "api"},
+ JwtAuthorizationDetails: []logical.AuthorizationDetail{
 {
 "type": "vault:path_access",
 "path_constraint": "secret/data/users/alice",
diff --git a/sdk/helper/consts/token_consts_ce.go b/sdk/helper/consts/token_consts_ce.go
index ff9902fe0c..67fa136394 100644
--- a/sdk/helper/consts/token_consts_ce.go
+++ b/sdk/helper/consts/token_consts_ce.go
@@ -5,6 +5,6 @@ package consts
-func GetEnterpriseTokenPrefix() string {
+func GetOAuthJwtPrefix() string {
 return "unimplemented"
 }
diff --git a/sdk/logical/request.go b/sdk/logical/request.go
index c6155a3a9f..baeaa32735 100644
--- a/sdk/logical/request.go
+++ b/sdk/logical/request.go
@@ -141,25 +141,25 @@ type Request struct {
 // hashed.
 ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`
- // EnterpriseTokenMetadata stores enterprise token metadata.
- EnterpriseTokenMetadata string `json:"enterprise_token_metadata" structs:"enterprise_token_metadata" mapstructure:"enterprise_token_metadata" sentinel:""`
+ // JwtUniqueId stores the unique id of JWTs used as part of OAuth authorization to Vault.
+ JwtUniqueId string `json:"jwt_unique_id" structs:"jwt_unique_id" mapstructure:"jwt_unique_id" sentinel:""`
- // EnterpriseTokenIssuer stores the enterprise token issuer.
- EnterpriseTokenIssuer string `json:"enterprise_token_issuer,omitempty" structs:"enterprise_token_issuer" mapstructure:"enterprise_token_issuer"`
+ // JwtIssuer stores the issuer of JWTs used as part of OAuth authorization to Vault.
+ JwtIssuer string `json:"jwt_issuer,omitempty" structs:"jwt_issuer" mapstructure:"jwt_issuer"`
- // EnterpriseTokenTransaction stores the enterprise token transaction claim.
- EnterpriseTokenTransaction string `json:"enterprise_token_transaction,omitempty" structs:"enterprise_token_transaction" mapstructure:"enterprise_token_transaction"`
+ // JwtTransactionClaim stores the transaction claim of JWTs used as part of OAuth authorization to Vault.
+ JwtTransactionClaim string `json:"jwt_transaction_claim,omitempty" structs:"jwt_transaction_claim" mapstructure:"jwt_transaction_claim"`
- // EnterpriseTokenAudience stores enterprise token audience values.
- EnterpriseTokenAudience []string `json:"enterprise_token_audience,omitempty" structs:"enterprise_token_audience" mapstructure:"enterprise_token_audience"`
+ // JwtAudienceClaim stores token audience values of JWTs used as part of OAuth authorization to Vault.
+ JwtAudienceClaim []string `json:"jwt_audience_claim,omitempty" structs:"jwt_audience_claim" mapstructure:"jwt_audience_claim"`
- // EnterpriseTokenAuthorizationDetails stores enterprise token authorization details.
- EnterpriseTokenAuthorizationDetails []AuthorizationDetail `json:"enterprise_token_authorization_details,omitempty" structs:"enterprise_token_authorization_details" mapstructure:"enterprise_token_authorization_details"`
+ // JwtAuthorizationDetails stores authorization details forr JWTs used as part of OAuth authorization to Vault.
+ JwtAuthorizationDetails []AuthorizationDetail `json:"jwt_authorization_details,omitempty" structs:"jwt_authorization_details" mapstructure:"jwt_authorization_details"`
- // EnterpriseTokenAuthorizationDetailsPresent indicates whether the inbound
- // enterprise token included an authorization_details claim at all. This lets
+ // JwtAuthorizationDetailsClaimPresent indicates whether the inbound
+ // JWT included an authorization_details claim at all. This lets
 // callers distinguish "claim missing" from "claim present but empty".
- EnterpriseTokenAuthorizationDetailsPresent bool `json:"enterprise_token_authorization_details_present,omitempty" structs:"enterprise_token_authorization_details_present" mapstructure:"enterprise_token_authorization_details_present"`
+ JwtAuthorizationDetailsClaimPresent bool `json:"jwt_authorization_details_claim_present,omitempty" structs:"jwt_authorization_details_claim_present" mapstructure:"jwt_authorization_details_claim_present"`
 // ClientTokenAccessor is provided to the core so that the it can get
 // logged as part of request audit logging.
diff --git a/vault/enterprise_token_lookup_ce.go b/vault/enterprise_token_lookup_ce.go
index 0bca3dd7f4..e3ce9469a1 100644
--- a/vault/enterprise_token_lookup_ce.go
+++ b/vault/enterprise_token_lookup_ce.go
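Review bot: The new doc comment on JwtAuthorizationDetails has a typo, `forr`; it should read `// JwtAuthorizationDetails stores authorization details for JWTs used as part of OAuth authorization to Vault.`. The new field names also depart from Go's initialism convention (`JWTUniqueID`, `JWTIssuer`, `JWTAudienceClaim` rather than `JwtUniqueId`, `JwtIssuer`, `JwtAudienceClaim`), and since this rename already touches every caller it is the cheapest moment to pick the conventional spelling. Separately, `JwtUniqueId` is the only one of the five fields serialized without `omitempty` and the only one tagged `sentinel:""`; both are carried over from the old field, so if the asymmetry is deliberate a one-line comment saying why would save the next reader a search. The Request struct begins outside the hunk.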
@@ -7,6 +7,6 @@ package vault
 import "errors"
-func resolveEnterpriseTokenIDForLookup(_ string) (string, error) {
+func resolveOAuthJwtIdForLookup(_ string) (string, error) {
 return "", errors.New("enterprise build required")
 }
diff --git a/vault/expiration.go b/vault/expiration.go
index b6e83c5ee0..70a39f6149 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -1856,7 +1856,7 @@ func (m *ExpirationManager) FetchLeaseTimesByToken(ctx context.Context, te *logi
 ClientTokenType: logical.TokenTypeEnt,
 }, nil
 }
- return nil, errors.New("enterprise token has no valid expiration time")
+ return nil, errors.New("JWT has no valid expiration time")
 }
 tokenNS, err := NamespaceByID(ctx, te.NamespaceID, m.core)
@@ -2155,7 +2155,7 @@ func (m *ExpirationManager) revokeEntry(ctx context.Context, le *leaseEntry) err
 // ent tokens are managed by external IdPs and should not be revoked through Vault backends
 if le.ClientTokenType == logical.TokenTypeEnt {
- return errors.New("enterprise tokens are managed by external IdPs and cannot be revoked by Vault")
+ return errors.New("JWTs are managed by external IdPs and cannot be revoked by Vault")
 }
 if err := m.tokenStore.revokeTree(ctx, le); err != nil {
@@ -2209,7 +2209,7 @@ func (m *ExpirationManager) renewAuthEntry(ctx context.Context, req *logical.Req
 }
 if le.ClientTokenType == logical.TokenTypeEnt {
- return logical.ErrorResponse("enterprise tokens cannot be renewed"), nil
+ return logical.ErrorResponse("JWTs cannot be renewed"), nil
 }
 auth := *le.Auth
@@ -2354,7 +2354,7 @@ func (m *ExpirationManager) createIndexByToken(ctx context.Context, le *leaseEnt
 saltCtx := namespace.ContextWithNamespace(ctx, namespace.RootNamespace)
 // For enterprise token IDs, derive namespace context from the lease rather than
 // parsing token segments.
- if IsEnterpriseTokenId(token) {
+ if IsOAuthJwtId(token) {
 ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
 if err != nil {
 return err
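Review bot: The new user-facing error strings in the @@ -1856 hunk and in the @@ -2155, @@ -2209 and @@ -3062 hunks say `JWT` / `JWTs` generically (`"JWT has no valid expiration time"`, `"JWTs cannot be renewed"`), but every one of them sits under a `le.ClientTokenType == logical.TokenTypeEnt` check; to an operator a Vault token obtained through the jwt auth method is also "a JWT", and such tokens are typically renewable, so the wording is now ambiguous where the old "enterprise token" wording was not. Naming the token class the code actually checks, e.g. `return logical.ErrorResponse("OAuth JWT bearer tokens cannot be renewed"), nil`, keeps the message precise, and the adjacent context comment `// ent tokens are managed by external IdPs ...` still uses the old vocabulary. Each enclosing function starts outside its hunk.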
@@ -2400,7 +2400,7 @@ func (m *ExpirationManager) createIndexByToken(ctx context.Context, le *leaseEnt
 func (m *ExpirationManager) indexByToken(ctx context.Context, le *leaseEntry) (*logical.StorageEntry, error) {
 tokenNS := namespace.RootNamespace
 saltCtx := namespace.ContextWithNamespace(ctx, tokenNS)
- if IsEnterpriseTokenId(le.ClientToken) {
+ if IsOAuthJwtId(le.ClientToken) {
 ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
 if err != nil {
 return nil, err
@@ -2444,7 +2444,7 @@ func (m *ExpirationManager) indexByToken(ctx context.Context, le *leaseEntry) (*
 func (m *ExpirationManager) removeIndexByToken(ctx context.Context, le *leaseEntry, token string) error {
 tokenNS := namespace.RootNamespace
 saltCtx := namespace.ContextWithNamespace(ctx, namespace.RootNamespace)
- if IsEnterpriseTokenId(token) {
+ if IsOAuthJwtId(token) {
 ns, err := m.getNamespaceFromLeaseID(ctx, le.LeaseID)
 if err != nil {
 return err
@@ -3062,7 +3062,7 @@ func (le *leaseEntry) renewable() (bool, error) {
 return false, nil
 case le.ClientTokenType == logical.TokenTypeEnt:
- return false, fmt.Errorf("enterprise tokens cannot be renewed")
+ return false, fmt.Errorf("JWTs cannot be renewed")
 // Determine if the lease is expired
 case le.ExpireTime.Before(time.Now()):
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 28dad843e7..7a586a9590 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -240,28 +240,28 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 return nil, nil, nil, nil, ErrInternalError
 }
- var secondEntity *identity.Entity
- if IsEnterpriseToken(req.ClientToken) {
- isValidEnterpriseToken, tokenMetadataContainer, entity, actorEntity, chosenProfile, err := c.validateEnterpriseTokenAndFetchEntity(ctx, req.ClientToken)
+ var actorEntity *identity.Entity
+ if IsOAuthJwt(req.ClientToken) {
+ isValidEnterpriseJwt, tokenMetadataContainer, entity, jwtActor, chosenProfile, err := c.validateOAuthJwtAndFetchEntity(ctx, req.ClientToken)
 if err != nil {
- c.logger.Error("failed to validate enterprise token", "error", err)
+ c.logger.Error("failed to validate jwt", "error", err)
 }
- if !isValidEnterpriseToken {
+ if !isValidEnterpriseJwt {
 return nil, nil, nil, nil, logical.ErrPermissionDenied
 }
- req.EnterpriseTokenMetadata = getEnterpriseTokenMetadata(tokenMetadataContainer)
- req.EnterpriseTokenIssuer = getEnterpriseTokenIssuer(tokenMetadataContainer)
- req.EnterpriseTokenTransaction = getEnterpriseTokenTransaction(tokenMetadataContainer)
- req.EnterpriseTokenAudience = getEnterpriseTokenAudience(tokenMetadataContainer)
- _, req.EnterpriseTokenAuthorizationDetailsPresent = tokenMetadataContainer["authorization_details"]
- req.EnterpriseTokenAuthorizationDetails = getEnterpriseTokenAuthorizationDetails(tokenMetadataContainer)
- secondEntity = actorEntity
- err = c.createAndStoreEnterpriseTokenEntry(ctx, req, tokenMetadataContainer, entity, actorEntity, chosenProfile)
+ req.JwtUniqueId = getJwtUniqueId(tokenMetadataContainer)
+ req.JwtIssuer = getJwtIssuer(tokenMetadataContainer)
+ req.JwtTransactionClaim = getJwtTransaction(tokenMetadataContainer)
+ req.JwtAudienceClaim = getJwtAudience(tokenMetadataContainer)
+ _, req.JwtAuthorizationDetailsClaimPresent = tokenMetadataContainer["authorization_details"]
+ req.JwtAuthorizationDetails = getJwtAuthorizationDetails(tokenMetadataContainer)
+ actorEntity = jwtActor
+ err = c.createAndStoreOAuthJwtTokenEntry(ctx, req, tokenMetadataContainer, entity, jwtActor, chosenProfile)
 if err != nil {
 if c.perfStandby && errors.Is(err, logical.ErrReadOnly) {
 return nil, nil, nil, nil, logical.ErrPerfStandbyPleaseForward
 }
- return nil, nil, nil, nil, multierror.Append(err, errors.New("failed in processing enterprise token"))
+ return nil, nil, nil, nil, multierror.Append(err, errors.New("failed in processing jwt"))
 }
 }
@@ -270,8 +270,8 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 switch req.TokenEntry() {
 case nil:
 var err error
- if IsEnterpriseToken(req.ClientToken) {
- te, err = c.tokenStore.Lookup(ctx, getEnterpriseTokenId(req.EnterpriseTokenMetadata))
+ if IsOAuthJwt(req.ClientToken) {
+ te, err = c.tokenStore.Lookup(ctx, getOAuthJwtId(req.JwtUniqueId))
 } else {
 te, err = c.tokenStore.Lookup(ctx, req.ClientToken)
 }
@@ -290,12 +290,12 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 return nil, nil, nil, nil, multierror.Append(logical.ErrPermissionDenied, logical.ErrInvalidToken)
 }
- if secondEntity != nil {
+ if actorEntity != nil {
 if req.Auth == nil {
 req.Auth = &logical.Auth{}
 }
- req.Auth.ActorEntityID = secondEntity.ID
- req.Auth.ActorEntityName = secondEntity.Name
+ req.Auth.ActorEntityID = actorEntity.ID
+ req.Auth.ActorEntityName = actorEntity.Name
 }
 // CIDR checks bind all tokens except non-expiring root tokens
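Review bot: On the new `+ isValidEnterpriseJwt, ... := c.validateOAuthJwtAndFetchEntity(...)` line an error from the validator is only logged (`c.logger.Error("failed to validate jwt", ...)`) before control falls through to `if !isValidEnterpriseJwt`, so the deny depends on the validator returning false whenever it returns an error, and the renamed flag keeps the `Enterprise` wording this change removes everywhere else. Unless the validator is documented to return false on every error, failing closed inside the `if err != nil {` block with `return nil, nil, nil, nil, logical.ErrPermissionDenied` removes the dependency; if the coupling is intended, a comment there such as `// a validation error must also yield isValid == false; the deny below relies on it` documents the invariant, and `jwtValid` would match the rest of the rename. The log line also dropped the token class the old message named; `"failed to validate oauth jwt"` would keep log searches from matching unrelated jwt auth-method failures. fetchACLTokenEntryAndEntity starts before and continues after the hunk.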
@@ -348,15 +348,15 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 policyNames[nsID] = policyutil.SanitizePolicies(append(policyNames[nsID], nsPolicies...), false)
 }
- var secondEntityPolicyNames map[string][]string
- if secondEntity != nil {
- c.logger.Debug("building separate ACL for second entity", "entity_id", secondEntity.ID)
- secondEntityPolicyNames = make(map[string][]string)
- secondEntityIdentityPolicies, err := c.fetchCeilingPolicies(ctx, secondEntity)
+ var actorEntityPolicyNames map[string][]string
+ if actorEntity != nil {
+ c.logger.Debug("building separate ACL for actor entity", "entity_id", actorEntity.ID)
+ actorEntityPolicyNames = make(map[string][]string)
+ actorEntityIdentityPolicies, err := c.fetchCeilingPolicies(ctx, actorEntity)
 if err != nil {
 return nil, nil, nil, nil, err
 }
- allowOnly, err := c.allPoliciesAllowOnly(ctx, secondEntityIdentityPolicies)
+ allowOnly, err := c.allPoliciesAllowOnly(ctx, actorEntityIdentityPolicies)
 if err != nil {
 return nil, nil, nil, nil, ErrInternalError
 }
@@ -364,8 +364,8 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 return nil, nil, nil, nil, logical.ErrPermissionDenied
 }
 // Store second entity policies separately - do NOT merge with primary entity's policies
- for nsID, nsPolicies := range secondEntityIdentityPolicies {
- secondEntityPolicyNames[nsID] = policyutil.SanitizePolicies(nsPolicies, false)
+ for nsID, nsPolicies := range actorEntityIdentityPolicies {
+ actorEntityPolicyNames[nsID] = policyutil.SanitizePolicies(nsPolicies, false)
 }
 }
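Review bot: In the @@ -364 hunk the context comment `// Store second entity policies separately - do NOT merge with primary entity's policies` still uses the "second entity" vocabulary while the loop it describes now ranges over `actorEntityIdentityPolicies` into `actorEntityPolicyNames`, so the code and its comment no longer share a name for the same thing; the debug message in the @@ -348 hunk was updated, making this the one stale spot. Suggest `// Store the actor entity's policies separately - do NOT merge with the primary entity's policies`. The enclosing fetchACLTokenEntryAndEntity starts before and continues after both hunks.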
@@ -409,8 +409,8 @@ func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Req
 return nil, nil, nil, nil, ErrInternalError
 }
- if secondEntity != nil {
- newAcl, err := c.performSecondaryEntityTokenChecks(tokenCtx, acl, secondEntity, secondEntityPolicyNames)
+ if actorEntity != nil {
+ newAcl, err := c.performDelegationTokenChecks(tokenCtx, acl, actorEntity, actorEntityPolicyNames)
 if err != nil {
 return nil, nil, nil, nil, err
 }
@@ -643,7 +643,7 @@ func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool
 auth.ActorEntityName = req.Auth.ActorEntityName
 }
 // Copy authorization details from the request to auth so plugins can access them.
- auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
+ auth.AuthorizationDetails = req.JwtAuthorizationDetails
 twoStepRecover := req.Operation == logical.RecoverOperation && req.RecoverSourcePath != "" && req.RecoverSourcePath != req.Path
 var alternateRecoverCapability *logical.Operation
@@ -926,7 +926,7 @@ func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request
 if !ok {
 return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
 }
- if IsSSCToken(token.(string)) && !IsEnterpriseToken(token.(string)) {
+ if IsSSCToken(token.(string)) && !IsOAuthJwt(token.(string)) {
 token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
 // If we receive an error from CheckSSCToken, we can assume the token is bad somehow, and the client
 // should receive a 403 bad token error like they do for all other invalid tokens, unless the error
@@ -1248,13 +1248,13 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 // these requests.
 if ctErr == nil && te != nil && te.Type == logical.TokenTypeEnt && !te.IsStorageBacked() && requiresMaterializedTokenState(req.Path) {
- materializedReq, matErr := c.materializeEnterpriseTokenForUsage(ctx, req, auth, c.perfStandby)
+ materializedReq, matErr := c.materializeOAuthJwtForUsage(ctx, req, auth, c.perfStandby)
 if matErr != nil {
 if errors.Is(matErr, logical.ErrPerfStandbyPleaseForward) {
 restoreForwardingTokenHeaders(req)
 return nil, nil, matErr
 }
- c.logger.Error("failed to materialize enterprise token for token endpoint", "request_path", req.Path, "error", matErr)
+ c.logger.Error("failed to materialize jwt for token endpoint", "request_path", req.Path, "error", matErr)
 retErr = multierror.Append(retErr, ErrInternalError)
 return nil, auth, retErr
 }
@@ -1545,13 +1545,13 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 if registerLease {
 registerReq := req
 if te := req.TokenEntry(); te != nil && !te.IsStorageBacked() {
- registerReq, err = c.materializeEnterpriseTokenForUsage(ctx, req, auth, c.perfStandby)
+ registerReq, err = c.materializeOAuthJwtForUsage(ctx, req, auth, c.perfStandby)
 if err != nil {
 if errors.Is(err, logical.ErrPerfStandbyPleaseForward) {
 restoreForwardingTokenHeaders(req)
 return nil, nil, err
 }
- c.logger.Error("failed to materialize enterprise token for lease", "request_path", req.Path, "error", err)
+ c.logger.Error("failed to materialize jwt for lease", "request_path", req.Path, "error", err)
 retErr = multierror.Append(retErr, ErrInternalError)
 return nil, auth, retErr
 }
diff --git a/vault/request_handling_ce.go b/vault/request_handling_ce.go
index 487740fa98..9471411cc3 100644
--- a/vault/request_handling_ce.go
+++ b/vault/request_handling_ce.go
@@ -15,43 +15,39 @@ import ( type OAuthResourceServerConfigProfile struct{} -func (c *Core) validateEnterpriseTokenAndFetchEntity(ctx context.Context, tokenString string) (bool, map[string]interface{}, *identity.Entity, *identity.Entity, *OAuthResourceServerConfigProfile, error) { +func (c *Core) validateOAuthJwtAndFetchEntity(ctx context.Context, tokenString string) (bool, map[string]interface{}, *identity.Entity, *identity.Entity, *OAuthResourceServerConfigProfile, error) { return false, nil, nil, nil, nil, errors.New("not implemented") } -func (c *Core) createAndStoreEnterpriseTokenEntry(ctx context.Context, req *logical.Request, allClaims map[string]interface{}, entity *identity.Entity, actorEntity *identity.Entity, chosenProfile *OAuthResourceServerConfigProfile) error { +func (c *Core) createAndStoreOAuthJwtTokenEntry(ctx context.Context, req *logical.Request, allClaims map[string]interface{}, entity *identity.Entity, actorEntity *identity.Entity, chosenProfile *OAuthResourceServerConfigProfile) error { return nil } -func isActivationFlagEnabledForEnterpriseToken(c *Core) bool { - return false -} - -func getEnterpriseTokenMetadata(_ map[string]interface{}) string { +func getJwtUniqueId(_ map[string]interface{}) string { return "" } -func getEnterpriseTokenIssuer(_ map[string]interface{}) string { +func getJwtIssuer(_ map[string]interface{}) string { return "" } -func getEnterpriseTokenTransaction(_ map[string]interface{}) string { +func getJwtTransaction(_ map[string]interface{}) string { return "" } -func getEnterpriseTokenAudience(_ map[string]interface{}) []string { +func getJwtAudience(_ map[string]interface{}) []string { return nil } -func getEnterpriseTokenAuthorizationDetails(_ map[string]interface{}) []logical.AuthorizationDetail { +func getJwtAuthorizationDetails(_ map[string]interface{}) []logical.AuthorizationDetail { return nil } -func (c *Core) materializeEnterpriseTokenForUsage(_ context.Context, req *logical.Request, _ *logical.Auth, _ bool) 
(*logical.Request, error) { +func (c *Core) materializeOAuthJwtForUsage(_ context.Context, req *logical.Request, _ *logical.Auth, _ bool) (*logical.Request, error) { return req, nil } -func (c *Core) performSecondaryEntityTokenChecks(_ context.Context, _ *ACL, _ *identity.Entity, _ map[string][]string) (*ACL, error) { +func (c *Core) performDelegationTokenChecks(_ context.Context, _ *ACL, _ *identity.Entity, _ map[string][]string) (*ACL, error) { return nil, errors.New("not implemented") } diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go index fe74be094e..541695caed 100644 --- a/vault/request_handling_test.go +++ b/vault/request_handling_test.go @@ -829,13 +829,13 @@ func TestAuth_AuthorizationDetails_CopiedFromRequest(t *testing.T) { auth := &logical.Auth{} req := &logical.Request{ - EnterpriseTokenAuthorizationDetails: details, + JwtAuthorizationDetails: details, } // Simulate the assignment performed in CheckToken. - auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails + auth.AuthorizationDetails = req.JwtAuthorizationDetails - require.Equal(t, details, auth.AuthorizationDetails, "auth.AuthorizationDetails must equal req.EnterpriseTokenAuthorizationDetails") + require.Equal(t, details, auth.AuthorizationDetails, "auth.AuthorizationDetails must equal req.JwtAuthorizationDetails") } // TestAuth_AuthorizationDetails_NilWhenAbsent verifies that auth.AuthorizationDetails is nil @@ -846,7 +846,7 @@ func TestAuth_AuthorizationDetails_NilWhenAbsent(t *testing.T) { auth := &logical.Auth{} req := &logical.Request{} - auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails + auth.AuthorizationDetails = req.JwtAuthorizationDetails require.Nil(t, auth.AuthorizationDetails) } diff --git a/vault/token_store.go b/vault/token_store.go index 93ffd8496a..d9adcac05d 100644 --- a/vault/token_store.go +++ b/vault/token_store.go 
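Review bot: Dropping `isActivationFlagEnabledForEnterpriseToken` from request_handling_ce.go is the only non-rename change in this hunk and nothing in the hunk explains it; its call sites are outside this diff, so confirm that the enterprise build either no longer gates OAuth JWT validation on an activation flag by design or moved the gate elsewhere, rather than the feature silently becoming always-on. The CE stubs that matter are fail-closed — `validateOAuthJwtAndFetchEntity` returns `false` plus an error and `performDelegationTokenChecks` returns an error — but `createAndStoreOAuthJwtTokenEntry` and `materializeOAuthJwtForUsage` succeed unconditionally, which is presumably safe only because callers reach them after a successful validate. A one-line comment on those two stubs would make that invariant explicit, e.g. `// CE stub: assumed to run only after validateOAuthJwtAndFetchEntity, which always errors in CE.` The hunk's surrounding file continues outside this view.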
@@ -1166,7 +1166,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err if tokenNS.ID != namespace.RootNamespaceID || strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) || strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix) || - strings.HasPrefix(entry.ID, consts.GetEnterpriseTokenPrefix()) { + strings.HasPrefix(entry.ID, consts.GetOAuthJwtPrefix()) { if entry.CubbyholeID == "" { cubbyholeID, err := base62.Random(TokenLength) if err != nil { @@ -1518,7 +1518,7 @@ func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntr if id == "" { return nil, fmt.Errorf("cannot lookup blank token") } - normalizedID := normalizeEnterpriseTokenToID(id) + normalizedID := normalizeOAuthJwtToId(id) // If it starts with "b." it's a batch token if IsBatchToken(normalizedID) { @@ -1650,7 +1650,7 @@ func (ts *TokenStore) lookupInternal(ctx context.Context, id string, salted, tai // If possible, always use the token's namespace. If it doesn't match // the request namespace, ensure the request namespace is a child _, nsID := namespace.SplitIDFromString(id) - if nsID != "" || strings.HasPrefix(id, consts.GetEnterpriseTokenPrefix()) { + if nsID != "" || strings.HasPrefix(id, consts.GetOAuthJwtPrefix()) { tokenNS, err := NamespaceByID(ctx, nsID, ts.core) if err != nil { return nil, fmt.Errorf("failed to look up namespace from the token: %w", err) 
@@ -2683,9 +2683,9 @@ func (ts *TokenStore) handleCreate(ctx context.Context, req *logical.Request, d // handleCreateCommon handles the auth/token/create path for creation of new tokens func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Request, d *framework.FieldData, orphan bool, role *tsRoleEntry) (*logical.Response, error) { - normalizedClientToken := normalizeEnterpriseTokenToID(req.ClientToken) - if !orphan && IsEnterpriseTokenId(normalizedClientToken) { - return logical.ErrorResponse("enterprise tokens cannot create child tokens"), logical.ErrInvalidRequest + normalizedClientToken := normalizeOAuthJwtToId(req.ClientToken) + if !orphan && IsOAuthJwtId(normalizedClientToken) { + return logical.ErrorResponse("JWTs cannot create child tokens"), logical.ErrInvalidRequest } // Read the parent policy @@ -3355,9 +3355,9 @@ func (ts *TokenStore) handleRevokeTree(ctx context.Context, req *logical.Request } func (ts *TokenStore) revokeCommon(ctx context.Context, req *logical.Request, data *framework.FieldData, id string) (*logical.Response, error) { - normalizedID := normalizeEnterpriseTokenToID(id) - if IsEnterpriseTokenId(normalizedID) { - return logical.ErrorResponse("cannot revoke ent token"), nil + normalizedID := normalizeOAuthJwtToId(id) + if IsOAuthJwtId(normalizedID) { + return logical.ErrorResponse("cannot revoke JWTs"), nil } te, err := ts.Lookup(ctx, id) if err != nil { @@ -3403,9 +3403,9 @@ func (ts *TokenStore) handleRevokeOrphan(ctx context.Context, req *logical.Reque return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest } - normalizedID := normalizeEnterpriseTokenToID(id) - if IsEnterpriseTokenId(normalizedID) { - return logical.ErrorResponse("enterprise token cannot be revoked"), nil + normalizedID := normalizeOAuthJwtToId(id) + if IsOAuthJwtId(normalizedID) { + return logical.ErrorResponse("JWTs cannot be revoked"), nil } // Do a lookup. Among other things, that will ensure that this is either 
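Review bot: The user-facing refusal strings introduced in these hunks are inconsistent for the same condition: revokeCommon returns `"cannot revoke JWTs"` while handleRevokeOrphan returns `"JWTs cannot be revoked"`, and neither matches the older `"cannot revoke ent token"` wording that operators may already search logs for. Pick one form — `"JWTs cannot be revoked"` in both revoke paths, matching `"JWTs cannot be renewed"` — so clients and log searches see a single string per refusal. All three enclosing functions continue outside their hunks.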
@@ -3445,15 +3445,15 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da if id == "" { return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest } - if IsEnterpriseToken(id) { + if IsOAuthJwt(id) { // If the token specified in the request body is different from the caller's // token, resolve the token ID based on the body token's claims (JTI) instead - // of req.EnterpriseTokenMetadata, otherwise we may silently return the caller's + // of req.JwtUniqueId, otherwise we may silently return the caller's // own token entry or fail for non-Enterprise token callers. if id == req.ClientToken { - id = getEnterpriseTokenId(req.EnterpriseTokenMetadata) + id = getOAuthJwtId(req.JwtUniqueId) } else { - resolvedID, err := resolveEnterpriseTokenIDForLookup(id) + resolvedID, err := resolveOAuthJwtIdForLookup(id) if err != nil { return logical.ErrorResponse("invalid token"), logical.ErrInvalidRequest } @@ -3571,9 +3571,9 @@ func (ts *TokenStore) handleRenew(ctx context.Context, req *logical.Request, dat if id == "" { return logical.ErrorResponse("missing token ID"), logical.ErrInvalidRequest } - normalizedID := normalizeEnterpriseTokenToID(id) - if IsEnterpriseTokenId(normalizedID) { - return logical.ErrorResponse("enterprise tokens cannot be renewed"), nil + normalizedID := normalizeOAuthJwtToId(id) + if IsOAuthJwtId(normalizedID) { + return logical.ErrorResponse("JWTs cannot be renewed"), nil } incrementRaw := data.Get("increment").(int) diff --git a/vault/token_store_ce.go b/vault/token_store_ce.go index 8685c7dbda..aafd7bb0f6 100644 --- a/vault/token_store_ce.go +++ b/vault/token_store_ce.go @@ -12,11 +12,11 @@ import ( "github.com/hashicorp/vault/helper/namespace" ) -func getEnterpriseTokenId(_ string) string { +func getOAuthJwtId(_ string) string { return "" } -func normalizeEnterpriseTokenToID(token string) string { +func normalizeOAuthJwtToId(token string) string { return token } 
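Review bot: The comment inside the `IsOAuthJwt(id)` branch of handleLookup still says "non-Enterprise token callers" after the rename, so it no longer matches the identifiers around it; suggest `// own token entry or fail for callers that did not authenticate with a JWT.` Separately, the `id != req.ClientToken` path derives the lookup key from the claims of a token supplied in the request body, and whether `resolveOAuthJwtIdForLookup` verifies the signature before trusting the jti is not visible here; that is acceptable only if the resolved ID grants nothing beyond what an ordinary lookup by token ID already allows, which is worth stating in the comment so the next maintainer does not widen it. handleLookup continues outside the hunk.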
diff --git a/vault/version_store_ce.go b/vault/version_store_ce.go index 2e0d8e3cd6..e99bbb3034 100644 --- a/vault/version_store_ce.go +++ b/vault/version_store_ce.go @@ -5,10 +5,10 @@ package vault -func IsEnterpriseToken(token string) bool { +func IsOAuthJwt(token string) bool { return false } -func IsEnterpriseTokenId(tokenID string) bool { +func IsOAuthJwtId(tokenID string) bool { return false }