Add Alibaba auth method #8
Conversation
arn.go
Outdated
| "strings" | ||
| ) | ||
|
|
||
| func parse(a string) (*arn, error) { |
There was a problem hiding this comment.
Something like parseARN(s string) would be more self-descriptive.
There was a problem hiding this comment.
I can update that! Yeah that would make a lot more sense. :-)
path_login.go
Outdated
| return nil, fmt.Errorf(`unable to parse entity's arn %s due to %s`, callerIdentity.Arn, err) | ||
| } | ||
| if parsedARN.Type != arnTypeAssumedRole { | ||
| // We haven't tested with other arn types and would like to understand and test these use cases before blindly |
There was a problem hiding this comment.
I'd probably remove this comment.
There was a problem hiding this comment.
OK, I have it in two places so I'll strip it in both. I wasn't sure if it'd seem helpful or terse.
path_login.go
Outdated
| if arn == "" { | ||
| return nil, errors.New("unable to retrieve arn from metadata during renewal") | ||
| } | ||
| roleName := req.Auth.InternalData["role_name"].(string) |
There was a problem hiding this comment.
Use the if roleName, ok := ... pattern instead so the type assertion doesn't panic if "role_name" isn't present.
There was a problem hiding this comment.
Oh good catch. I actually copy pasta'd that code from here: https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/path_login.go#L929. That may be a bug we should fix in Vault too.
path_role.go
Outdated
| }, | ||
| "arn": { | ||
| Type: framework.TypeString, | ||
| Description: `arn of the RAM principals to bind to this role.`, |
There was a problem hiding this comment.
Should this be "principal"?
There was a problem hiding this comment.
Actually I should probably take the word "principal" out because while there is a principal ID mentioned in the Alibaba docs, it's not an entity that's at the forefront of how people using this auth method will be thinking. Rewriting that to, "ARN of the RAM to bind to this role."
path_login.go
Outdated
|
|
||
| parsedARN, err := parse(callerIdentity.Arn) | ||
| if err != nil { | ||
| return nil, fmt.Errorf(`unable to parse entity's arn %s due to %s`, callerIdentity.Arn, err) |
There was a problem hiding this comment.
Yeah, but this and the next do differ from the rest, so I'll update them to match.
path_login.go
Outdated
| // We haven't tested with other arn types and would like to understand and test these use cases before blindly | ||
| // granting access so we don't create a security vulnerability. Please open a ticket describing your use case | ||
| // for another arn type to get that started. | ||
| return nil, fmt.Errorf(`only role arn types are supported at this time, but %s was provided`, callerIdentity.Arn) |
path_login.go
Outdated
| if response.StatusCode != 200 { | ||
| b, err := ioutil.ReadAll(response.Body) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error reading reponse body: %s", err) |
There was a problem hiding this comment.
What? You don't know about the less-known child of a response, a reponse?
path_role.go
Outdated
| }, | ||
| "arn": { | ||
| Type: framework.TypeString, | ||
| Description: `arn of the RAM principals to bind to this role.`, |
There was a problem hiding this comment.
Fixed the backtickathon.
| } | ||
| } | ||
|
|
||
| func pathListRoles(b *backend) *framework.Path { |
There was a problem hiding this comment.
Why support both role/ and roles/? Just role/ seems pretty common.
There was a problem hiding this comment.
Because AWS does? /shrug :-)
I must admit I do like the approach because I think in the CLI it makes sense to type $ vault list roles; whereas in the API I think it makes sense to GET /alibaba/role and expect a list back. Gives the user choice of either.
I also must admit I think it's odd there are two *framework.Path objects for the two endpoints, when it would be possible to make a regex that matched both. However, since the AWS code did it that way I did too because I thought it might be preferred for some reason.
There was a problem hiding this comment.
You might want to survey some other backends as AWS might be the exception. Personally, I like one way mainly because when I see two different paths (docs/path-help/etc.) I'm going to want to know what is different between them and which I need to use.
If you stick with two, I'd go with the roles?/ regex method vs. a separate path.
There was a problem hiding this comment.
Oh man, that's a tough one, because I see it done different ways. For instance, the AWS auth method does it this way (ex. GET /role/elk, LIST /roles, LIST /role), but the AppRole auth method does it differently (ex. GET /role/elk, LIST /role), and the ActiveDirectory secrets backend does it differently (ex. GET /roles/elk, LIST /roles).
I must say that I like the last the best, but you raise a very good point and I will check in with the team about this because consistency would increase usability.
There was a problem hiding this comment.
Jeff thinks the way it currently is is the current best practice. However, more of the team may or may not weigh in.
There was a problem hiding this comment.
It's all a mess. Whatever we decided in standup :-)
There was a problem hiding this comment.
I asked Chris about it after standup today in our 1:1 and we decided to leave it as-is for now.
There was a problem hiding this comment.
The reason for leaving this alone was it matched how "roles" were defined across the other auth methods, not that we decided anything. I think the general rule should probably be in context of the thing being developed. For examples, most, if not all, auth methods use "role", let's go with that. That does not generally mean that we should use singular vs plural names for paths just that in the context of auth methods, that seemed the most right.
path_role.go
Outdated
| func (b *backend) operationRoleCreate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
|
|
||
| roleName := data.Get("role").(string) | ||
| if roleName == "" { |
There was a problem hiding this comment.
Can this ever be true? If not present the route shouldn't match.
There was a problem hiding this comment.
Oh! Yes, you're absolutely right. Will strip that out. Less is more.
path_role.go
Outdated
| func (b *backend) operationRoleUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
|
|
||
| roleName := data.Get("role").(string) | ||
| if roleName == "" { |
There was a problem hiding this comment.
Can this ever be true? If not present the route shouldn't match.
path_role.go
Outdated
| // We haven't tested with other arn types and would like to understand and test these use cases before blindly | ||
| // granting access so we don't create a security vulnerability. Please open a ticket describing your use case | ||
| // for another arn type to get that started. | ||
| return nil, fmt.Errorf(`only role arn types are supported at this time, but %s was provided`, entry.ARN) |
There was a problem hiding this comment.
Will fix.
path_role.go
Outdated
|
|
||
| func (b *backend) operationRoleDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { | ||
| roleName := data.Get("role").(string) | ||
| if roleName == "" { |
There was a problem hiding this comment.
Can this ever be true? If not present the route shouldn't match.
path_role.go
Outdated
| Pattern: "role/" + framework.GenericNameRegex("role"), | ||
| Fields: map[string]*framework.FieldSchema{ | ||
| "role": { | ||
| Type: framework.TypeString, |
There was a problem hiding this comment.
Probably want this to be the new framework.TypeLowerCaseString
There was a problem hiding this comment.
Very good point. To make sure this was safe to do, I tried to create a couple roles in Alibaba with the same name but different casing. It turned out I couldn't, which is good because the arn is always lower case, and things could have gotten weird with matching role names to arn names. I'll lower-case it, it should be safe.
role_manager.go
Outdated
| if roleName == "" { | ||
| return nil, errors.New("missing role name") | ||
| } | ||
| entry, err := s.Get(ctx, "role/"+strings.ToLower(roleName)) |
There was a problem hiding this comment.
Can eliminate ToLower if the roles are lowercase type in path_role.go
There was a problem hiding this comment.
Thanks! Yeah I ended up stripping that in a whole bunch of places.
role_manager.go
Outdated
| func (m *RoleManager) Delete(ctx context.Context, s logical.Storage, roleName string) error { | ||
| m.roleMutex.Lock() | ||
| defer m.roleMutex.Unlock() | ||
| return s.Delete(ctx, "role/"+strings.ToLower(roleName)) |
There was a problem hiding this comment.
Can eliminate ToLower if the roles are lowercase type in path_role.go
role_manager.go
Outdated
| if roleEntry == nil { | ||
| return errors.New("nil role entry") | ||
| } | ||
| entry, err := logical.StorageEntryJSON("role/"+strings.ToLower(roleName), roleEntry) |
There was a problem hiding this comment.
Can eliminate ToLower if the roles are lowercase type in path_role.go
role_manager.go
Outdated
| ) | ||
|
|
||
| type RoleManager struct { | ||
| roleMutex sync.RWMutex |
There was a problem hiding this comment.
I think so.
Without it, one thread could read a role, another could update it, and then the previously read into memory role that's now outdated could be acted upon.
If we think that's harmless, we could do away with it because the mutex does cause a performance hit. And it could be argued that the mutex doesn't really solve that because while it prevents concurrent writes to the same object, it doesn't enforce the proper order of operations unless the lock is awarded based on the timestamp of when it was requested... and there's no promise of that.
There was a problem hiding this comment.
And technically, I don't think a role that's read from storage, even if it's the same role, will have the same pointer as one on a different thread. So without the mutex, the -race flag still won't pick up a race.
There was a problem hiding this comment.
Yeah, I see a mix of lock usage for role type operations, with probably more not using them. Thoughts on this @briankassouf ?
But assuming we did want to lock for some operations, does this approach achieve that? For example, after I call roleMgr.Read() I have a role but the mutex is unlocked and another goroutine could update the role before I complete whatever I needed to do. Where I've see locking, it is at a higher level, like at the start of pathRoleUpdate with a defer lock.unlock().
There was a problem hiding this comment.
Hm, that's a good point. Yes, I did reduce the amount of code inside the mutex.
I think I'll just do away with it since it adds complexity, yet its value is negotiable since it doesn't necessarily ensure operations occur in any proper order. I mean, yes, while you could get funny outcomes from two competing threads mutating and/or reading the same role, you could also get funny outcomes from using a mutex the whole way through but having them happen in an odd order.
In edge cases where two actors are working upon the same role at the same time, neither actor would have knowledge of the other or would be surprised by an outcome effected by lacking mutexes.
So, yeah, stripping it.
path_role.go
Outdated
| return nil, fmt.Errorf("role name must match arn name of %s", arn.RoleName) | ||
| } | ||
| if entry.ARN.Type != arnTypeRole { | ||
| // We haven't tested with other arn types and would like to understand and test these use cases before blindly |
path_login.go
Outdated
| if err != nil { | ||
| return nil, fmt.Errorf(`unable to parse entity's arn %s due to %s`, callerIdentity.Arn, err) | ||
| return nil, fmt.Errorf("unable to parseARN entity's arn %s due to %s", callerIdentity.Arn, err) |
There was a problem hiding this comment.
Overzealous search and replace 🙂
There was a problem hiding this comment.
Hunted these down and fixed them!
path_role.go
Outdated
| if err != nil { | ||
| return nil, fmt.Errorf("unable to parse arn %s: %s", arn, err) | ||
| return nil, fmt.Errorf("unable to parseARN arn %s: %s", arn, err) |
There was a problem hiding this comment.
Overzealous search and replace 🙂
path_role.go
Outdated
| if err != nil { | ||
| return nil, fmt.Errorf("unable to parse arn %s: %s", arn, err) | ||
| return nil, fmt.Errorf("unable to parseARN arn %s: %s", arn, err) |
There was a problem hiding this comment.
Overzealous search and replace 🙂
path_login.go
Outdated
| } | ||
| headers, err := parseHeaders(b64Header) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error parsing identity_request_headers: %v", err) |
There was a problem hiding this comment.
Please use errwrap here and in the blocks below.
path_login.go
Outdated
|
|
||
| response, err := b.getCallerIdentityClient.Do(request) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error making request: %s", err) |
There was a problem hiding this comment.
Thanks! I grepped for all my uses of Errorf and went through each of them and anything that had an err involved, I used errwrap.Wrapf instead, so I got the ones you pointed out, and the rest of them too. Just pushed that up.
path_login.go
Outdated
| if b64Url == "" { | ||
| return nil, errors.New("missing identity_request_url") | ||
| } | ||
| identityReqUrl, err := base64.StdEncoding.DecodeString(b64Url) |
There was a problem hiding this comment.
nit: golint would prefer identityReqURL
|
This PR is currently blocked by hashicorp/vault#4993 adding a header field type. |
arn.go
Outdated
| return nil, fmt.Errorf("unrecognized arn: contains %d colon-separated fields, expected 5", len(outerFields)) | ||
| } | ||
| if outerFields[0] != "acs" { | ||
| return nil, errors.New("unrecognized arn: does not begin with \"acs:\"") |
There was a problem hiding this comment.
You can use backticks here to avoid having to escape quotes
| } | ||
|
|
||
| u := base64.StdEncoding.EncodeToString([]byte(getCallerIdentityRequest.URL.String())) | ||
| b, err := json.Marshal(getCallerIdentityRequest.Header) |
There was a problem hiding this comment.
Once the headers PR lands this should just embed the Header directly and let it be JSON encoded, then decoded by TypeHeader.
There was a problem hiding this comment.
Cool! I just updated that PR to support b64 and pushed the changes. When it's merged I'll add it to this PR, and then to AWS auth.
| Type: framework.TypeString, | ||
| Description: "Base64-encoded full URL against which to make the Alibaba request.", | ||
| }, | ||
| "identity_request_headers": { |
There was a problem hiding this comment.
TypeHeader (just adding this as a reminder!)
path_login.go
Outdated
| "role_name": parsedARN.RoleName, | ||
| }, | ||
| InternalData: map[string]interface{}{ | ||
| "role_name": parsedARN.RoleName, |
There was a problem hiding this comment.
This is duplicated between here and Metadata -- only need one.
path_login.go
Outdated
| Description: `Base64-encoded JSON representation of the request headers. | ||
| This must include the headers over which Alibaba has included a signature.`, | ||
| Type: framework.TypeHeader, | ||
| Description: `The request headers. This must include the headers over which Alibaba |
There was a problem hiding this comment.
Just a reminder that I'm going to do that in an immediate follow-on PR when this is merged. Going to do it all at once so I don't miss anything.
path_login.go
Outdated
| @@ -60,19 +60,12 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat | |||
| return nil, errwrap.Wrapf("error parsing identity_request_url: {{err}}", err) | |||
| } | |||
|
|
|||
| b64Header := data.Get("identity_request_headers").(string) | |||
| if b64Header == "" { | |||
| header := data.Get("identity_request_headers").(http.Header) | |||
There was a problem hiding this comment.
headers seems more accurate since this is a collection.
Add Alibaba auth method
Add Alibaba auth method
This PR adds the logical code itself for the Alibaba auth method.
The approach mimics that of the AWS IAM auth method.