Initial added classes
yuriytkach committed Jun 28, 2023
1 parent 1072ac2 commit d073178
Showing 7 changed files with 104 additions and 6 deletions.
Expand Up @@ -40,6 +40,7 @@
import io.quarkus.vault.runtime.client.PrivateVertxVaultClient;
import io.quarkus.vault.runtime.client.SharedVertxVaultClient;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalAppRoleAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalAwsIamAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalKubernetesAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalTokenAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalUserpassAuthMethod;
Expand Down Expand Up @@ -119,6 +120,7 @@ AdditionalBeanBuildItem registerAdditionalBeans() {
.addBeanClass(VaultInternalUserpassAuthMethod.class)
.addBeanClass(VaultInternalDynamicCredentialsSecretEngine.class)
.addBeanClass(VaultInternalPKISecretEngine.class)
.addBeanClass(VaultInternalAwsIamAuthMethod.class)
.build();
}

@@ -0,0 +1,45 @@
package io.quarkus.vault.runtime.client.dto.auth;

import io.quarkus.vault.runtime.client.dto.AbstractVaultDTO;

/*
{
"request_id": "9e923c23-3a45-ff0f-a3ea-5fffd94f1e2f",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "s.aWvAbfqWpoqPpbTebdwDEVuu",
"accessor": "abbJ8vD3JghuH37Up5d0SLYM",
"policies": [
"default",
"mypolicy"
],
"token_policies": [
"default",
"mypolicy"
],
"metadata": {
"role": "myapprole",
"service_account_name": "default",
"service_account_namespace": "vaultapp",
"service_account_secret_name": "default-token-qj4b5",
"service_account_uid": "27c26105-92d3-11e9-9202-025000000001"
},
"lease_duration": 7200,
"renewable": true,
"entity_id": "62f850bb-4835-a9ea-471b-006a92017128",
"token_type": "service",
"orphan": true
}
}
*/
public class VaultAwsIamAuth extends AbstractVaultDTO<Object, VaultAwsIamAuthAuth> {

}
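Review bot: The sample response in the block comment at L38-L72 appears to have been copied from the Kubernetes auth DTO — its `metadata` block lists `service_account_name`, `service_account_namespace`, `service_account_secret_name` and `service_account_uid`, and `role` is `myapprole` — so it does not describe an AWS IAM login response and will mislead whoever later fills in `VaultAwsIamAuthAuthMetadata`. Either replace it with a response captured from a real AWS IAM login (with token, accessor and entity values replaced by obviously fake placeholders, as the existing sample does) or trim it to the envelope and mark it, e.g. `// TODO: replace with a real AWS IAM login response sample`, so the mismatch stays visible. The class itself has no Javadoc; a one-liner such as `/** Vault response to an AWS IAM login request. */` would make its role clear.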
@@ -0,0 +1,4 @@
package io.quarkus.vault.runtime.client.dto.auth;

public class VaultAwsIamAuthAuth extends AbstractVaultAuthAuth<VaultAwsIamAuthAuthMetadata> {
}
@@ -0,0 +1,8 @@
package io.quarkus.vault.runtime.client.dto.auth;

import io.quarkus.vault.runtime.client.dto.VaultModel;

public class VaultAwsIamAuthAuthMetadata implements VaultModel {


}
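Review bot: `VaultAwsIamAuthAuthMetadata` at L88-L91 is an empty class, so every key under `auth.metadata` in the login response is either silently dropped or, depending on how the JSON mapper treats unknown properties (not visible from this diff), rejected at deserialization time. If the fields are meant to be added once the login call exists, say so in a class comment, e.g. `// TODO: map the auth.metadata fields of the AWS IAM login response`, so the empty model is not mistaken for a deliberate one. One of the two blank lines inside the body should also go.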
Expand Up @@ -2,6 +2,7 @@

import static io.quarkus.vault.runtime.LogConfidentialityLevel.LOW;
import static io.quarkus.vault.runtime.config.VaultAuthenticationType.APPROLE;
import static io.quarkus.vault.runtime.config.VaultAuthenticationType.AWS_IAM;
import static io.quarkus.vault.runtime.config.VaultAuthenticationType.KUBERNETES;
import static io.quarkus.vault.runtime.config.VaultAuthenticationType.USERPASS;

Expand All @@ -14,8 +15,6 @@
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;

import jakarta.inject.Singleton;

import org.jboss.logging.Logger;

import com.github.benmanes.caffeine.cache.Cache;
Expand All @@ -25,19 +24,22 @@
import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultClientException;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalAppRoleAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalAwsIamAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalKubernetesAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalTokenAuthMethod;
import io.quarkus.vault.runtime.client.authmethod.VaultInternalUserpassAuthMethod;
import io.quarkus.vault.runtime.client.backend.VaultInternalSystemBackend;
import io.quarkus.vault.runtime.client.dto.auth.AbstractVaultAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleGenerateNewSecretID;
import io.quarkus.vault.runtime.client.dto.auth.VaultAwsIamAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultKubernetesAuthAuth;
import io.quarkus.vault.runtime.client.dto.auth.VaultTokenCreate;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV1;
import io.quarkus.vault.runtime.client.dto.kv.VaultKvSecretV2;
import io.quarkus.vault.runtime.config.VaultAuthenticationType;
import io.quarkus.vault.runtime.config.VaultBootstrapConfig;
import io.smallrye.mutiny.Uni;
import jakarta.inject.Singleton;

/**
* Handles authentication. Supports revocation and renewal.
Expand All @@ -57,19 +59,22 @@ public class VaultAuthManager {
private VaultInternalKubernetesAuthMethod vaultInternalKubernetesAuthMethod;
private VaultInternalUserpassAuthMethod vaultInternalUserpassAuthMethod;
private VaultInternalTokenAuthMethod vaultInternalTokenAuthMethod;
private VaultInternalAwsIamAuthMethod vaultInternalAwsIamAuthMethod;

VaultAuthManager(VaultConfigHolder vaultConfigHolder,
VaultInternalSystemBackend vaultInternalSystemBackend,
VaultInternalAppRoleAuthMethod vaultInternalAppRoleAuthMethod,
VaultInternalKubernetesAuthMethod vaultInternalKubernetesAuthMethod,
VaultInternalUserpassAuthMethod vaultInternalUserpassAuthMethod,
VaultInternalTokenAuthMethod vaultInternalTokenAuthMethod) {
VaultInternalTokenAuthMethod vaultInternalTokenAuthMethod,
VaultInternalAwsIamAuthMethod vaultInternalAwsIamAuthMethod) {
this.vaultConfigHolder = vaultConfigHolder;
this.vaultInternalSystemBackend = vaultInternalSystemBackend;
this.vaultInternalAppRoleAuthMethod = vaultInternalAppRoleAuthMethod;
this.vaultInternalKubernetesAuthMethod = vaultInternalKubernetesAuthMethod;
this.vaultInternalUserpassAuthMethod = vaultInternalUserpassAuthMethod;
this.vaultInternalTokenAuthMethod = vaultInternalTokenAuthMethod;
this.vaultInternalAwsIamAuthMethod = vaultInternalAwsIamAuthMethod;
}

private VaultBootstrapConfig getConfig() {
Expand Down Expand Up @@ -171,8 +176,10 @@ private Uni<VaultToken> login(VaultClient vaultClient, VaultAuthenticationType t
} else if (type == APPROLE) {
String roleId = getConfig().authentication.appRole.roleId.get();
authRequest = getSecretId(vaultClient)
.flatMap(secretId -> vaultInternalAppRoleAuthMethod.login(vaultClient, roleId, secretId))
.map(r -> r.auth);
.flatMap(secretId -> vaultInternalAppRoleAuthMethod.login(vaultClient, roleId, secretId))
.map(r -> r.auth);
} else if (type == AWS_IAM){
authRequest = loginAwsIam(vaultClient);
} else {
throw new UnsupportedOperationException("unknown authType " + getConfig().getAuthenticationType());
}
Expand Down Expand Up @@ -237,6 +244,10 @@ private <T> Uni<String> unwrapWrappingTokenOnce(VaultClient vaultClient, String
});
}

private Uni<VaultAwsIamAuthAuth> loginAwsIam(final VaultClient vaultClient) {
return vaultInternalAwsIamAuthMethod.login(vaultClient).map(r -> r.auth);
}

private Uni<VaultKubernetesAuthAuth> loginKubernetes(VaultClient vaultClient) {
String jwt = new String(read(getConfig().authentication.kubernetes.jwtTokenPath), StandardCharsets.UTF_8);
log.debug("authenticate with jwt at: " + getConfig().authentication.kubernetes.jwtTokenPath + " => "
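Review bot: `loginAwsIam` at L174-L176 calls `.map(r -> r.auth)` on whatever `vaultInternalAwsIamAuthMethod.login` returns, and in this same commit that method is a stub that returns `null` (see the new `VaultInternalAwsIamAuthMethod` file), so selecting `AWS_IAM` in the configuration will fail with a NullPointerException inside `login` rather than with a readable error. Until the method is implemented, the stub should hand back a failed Uni, e.g. `return Uni.createFrom().failure(new UnsupportedOperationException("AWS IAM authentication is not implemented yet"));`, so the failure travels the normal Mutiny path and the message says why. Two style points in the same section: `} else if (type == AWS_IAM){` at L165 is missing the space before the brace that the other branches have, and the re-indentation of the `.flatMap`/`.map` lines at L161-L164 plus the move of `import jakarta.inject.Singleton;` from its own group to the end of the import list are unrelated whitespace and ordering churn that makes the functional change harder to review. The enclosing `login` method and the class continue outside the hunk.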
@@ -0,0 +1,25 @@
package io.quarkus.vault.runtime.client.authmethod;

import io.quarkus.vault.runtime.VaultConfigHolder;
import io.quarkus.vault.runtime.client.VaultClient;
import io.quarkus.vault.runtime.client.VaultInternalBase;
import io.quarkus.vault.runtime.client.dto.auth.VaultAwsIamAuth;
import io.smallrye.mutiny.Uni;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;

@Singleton
public class VaultInternalAwsIamAuthMethod extends VaultInternalBase {

@Inject
private VaultConfigHolder vaultConfigHolder;

@Override
protected String opNamePrefix() {
return super.opNamePrefix() + " [AUTH (aws iam)]";
}

public Uni<VaultAwsIamAuth> login(final VaultClient vaultClient) {
return null;
}
}
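Review bot: The `@Inject`-ed `vaultConfigHolder` field at L197-L198 is never read anywhere in this class, and the class relies on field injection while `VaultAuthManager` in the same commit takes all of its collaborators through its constructor; either drop the field until the implementation needs it, or switch to constructor injection so the two new pieces follow one convention and the class can be built in a test without a container. `login` at L205-L207 also lacks Javadoc; a short comment stating what it is meant to do and that it is currently a stub, e.g. `/** Authenticates against Vault's AWS IAM auth method; not implemented yet. */`, would stop callers from assuming it works. The `null` return itself is raised in the `VaultAuthManager` section of this review.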
Expand Up @@ -32,6 +32,9 @@ public enum VaultAuthenticationType {
* <p>
* https://www.vaultproject.io/api/auth/approle/index.html
*/
APPROLE
APPROLE,


AWS_IAM,

}
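Review bot: `AWS_IAM` at L218 is added without the Javadoc that the neighbouring constant carries (the `APPROLE` doc comment with its Vault API link ends just above), so the enum stops being self-describing for the new value; a comment in the same style, e.g. `/** AWS IAM authentication via Vault's aws auth method. */` followed by the matching Vault API documentation link, would keep it consistent. The two stray blank lines at L216-L217 and the one at L219 should be removed, and the trailing comma after `AWS_IAM` is legal but inconsistent with how `APPROLE` was written before this change.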
