WIP Azure Auth Against Multiple Identities #14136

Closed
wants to merge 1 commit into from
43 changes: 36 additions & 7 deletions command/agent/auth/azure/azure.go
Expand Up @@ -7,9 +7,7 @@ import (
"io/ioutil"
"net/http"

cleanhttp "github.com/hashicorp/go-cleanhttp"
hclog "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/agent/auth"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/helper/useragent"
Expand All @@ -27,9 +25,10 @@ const (
type azureMethod struct {
logger hclog.Logger
mountPath string

role string
resource string
clientID string
objectID string
role string
resource string
}

func NewAzureAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
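Review bot: the new clientID and objectID fields are not read anywhere in the visible hunks, and the NewAzureAuthMethod hunk below shows only the trailing `return a, nil`, so it is not clear where they get their values. Suggest parsing them from conf.Config next to role and resource in NewAzureAuthMethod, returning an error when the option is present but empty, and adding a comment on the struct stating which identity is selected when the VM carries more than one, since that selection is what the PR title promises.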
Expand Down Expand Up @@ -73,7 +72,7 @@ func NewAzureAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
return a, nil
}

func (a *azureMethod) Authenticate(ctx context.Context, client *api.Client) (retPath string, header http.Header, retData map[string]interface{}, retErr error) {
func (a *azureMethod) Authenticate(ctx context.Context) (retPath string, header http.Header, retData map[string]interface{}, retErr error) {
Member
I think this needs the client parameter to satisfy the AuthMethod interface, which is returned from NewAzureAuthMethod() above.

But since it's not used in this function, maybe just use a blank identifier?

Suggested change
func (a *azureMethod) Authenticate(ctx context.Context) (retPath string, header http.Header, retData map[string]interface{}, retErr error) {
func (a *azureMethod) Authenticate(ctx context.Context, _ *api.Client) (retPath string, header http.Header, retData map[string]interface{}, retErr error) {

a.logger.Trace("beginning authentication")

// Fetch instance data
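Review bot: dropping the client parameter from Authenticate is tied to the first hunk removing the "github.com/hashicorp/vault/api" import; if the parameter comes back as `_ *api.Client` (as suggested above) so that the auth.AuthMethod interface is satisfied, that import has to come back as well or the file will not compile. Suggest landing the two changes together.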
Expand Down Expand Up @@ -154,7 +153,7 @@ func getMetadataInfo(ctx context.Context, endpoint, resource string) ([]byte, er
req.Header.Set("User-Agent", useragent.String())
req = req.WithContext(ctx)

client := cleanhttp.DefaultClient()
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
return nil, fmt.Errorf("error fetching metadata from %s: %w", endpoint, err)
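Review bot: the switch from cleanhttp.DefaultClient() to &http.Client{} is unexplained and changes behaviour: a zero-value http.Client uses the process-wide http.DefaultTransport, whereas cleanhttp.DefaultClient() builds its client on a fresh, non-shared transport so that transport settings changed elsewhere in the process cannot affect this metadata request. Neither sets a Timeout, so the request is bounded only by the ctx attached via req.WithContext. Suggest keeping cleanhttp.DefaultClient() (which also means keeping the cleanhttp import removed in the first hunk) or stating in the commit message why the shared default transport is wanted here.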
Expand All @@ -176,3 +175,33 @@ func getMetadataInfo(ctx context.Context, endpoint, resource string) ([]byte, er

return body, nil
}

func verifyIdentity(ctx context.Context) (retPath string, header http.Header, retData map[string]interface{}, retErr error) {
Contributor
This function doesn't seem to be called anywhere; where should this be called? Do the return values need to be named here?


// after given IDMS given access token we want to only auth with a particular given client and object id
// example curl https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>?api-version=2016-09-01 -H "Authorization: Bearer <ACCESS TOKEN>"

// Fetch instance data
var instance struct {
Compute struct {
Name string
ResourceGroupName string
SubscriptionID string
VMScaleSetName string
}
}

body, err := getMetadataInfo(ctx, instanceEndpoint, "")
if err != nil {
retErr = err
return
}

err = jsonutil.DecodeJSON(body, &instance)
Contributor
It looks like we decode the JSON body into instance, but the object is scoped to this function; should that be returned instead? I also see that retData remains empty and unassigned; should this be set somewhere?

if err != nil {
retErr = fmt.Errorf("error parsing instance metadata response: %w", err)
return
}

return
}
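Review bot: verifyIdentity does not verify anything yet: the comment at its top says the access token should be checked against the management.azure.com resource-group URL for a particular client and object ID, but the body only fetches instance metadata with an empty resource, decodes it into a local struct and returns, and as a plain function it cannot read a.clientID or a.objectID at all. A caller that checks only retErr would treat this success as a verified identity. Suggest making it a method on *azureMethod, comparing the decoded SubscriptionID and ResourceGroupName (and the configured client and object ID) against the expected values, and returning a non-nil retErr on mismatch; retPath, header and retData are never assigned, so those named returns can be dropped until they carry something. A unit test feeding a canned metadata body through the mismatch path would catch the current no-op behaviour.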