Merge pull request #50 from b-social/master

Support aws IAM authentication
amperity · Mar 31, 2021 · 61a852f · 61a852f
2 parents eb9508d + ef2b1a3
commit 61a852f
Show file tree

Hide file tree

Showing 5 changed files with 146 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,5 @@ pom.xml.asc
 *.class
 /.lein-*
 /.nrepl-port
+.idea/
+*.iml
diff --git a/src/vault/authenticate.clj b/src/vault/authenticate.clj
@@ -132,3 +132,35 @@
            :content-type :json
            :accept :json
            :as :json})))))
+
+
+(defmethod authenticate* :aws-iam
+  [client _ credentials]
+  (let [{:keys [api-path http-request-method request-url request-body request-headers
+                role]} credentials
+        api-path (or api-path (str "/v1/auth/aws/" (:auth-mount-point client) "login"))]
+    (when-not http-request-method
+      (throw (IllegalArgumentException. "AWS auth credentials must include :http-request-method")))
+    (when-not request-url
+      (throw (IllegalArgumentException. "AWS auth credentials must include :request-url")))
+    (when-not request-body
+      (throw (IllegalArgumentException. "AWS auth credentials must include :request-body")))
+    (when-not request-headers
+      (throw (IllegalArgumentException. "AWS auth credentials must include :request-headers")))
+    (when-not role
+      (throw (IllegalArgumentException. "AWS auth credentials must include :role")))
+    (api-auth!
+      (str "AWS auth role=" role)
+      (:auth client)
+      (api-util/do-api-request
+        :post (str (:api-url client) api-path)
+        (merge
+          (:http-opts client)
+          {:form-params {:iam_http_request_method http-request-method
+                         :iam_request_url request-url
+                         :iam_request_body request-body
+                         :iam_request_headers request-headers
+                         :role role}
+           :content-type :json
+           :accept :json
+           :as :json})))))
diff --git a/src/vault/client/http.clj b/src/vault/client/http.clj
@@ -144,8 +144,8 @@
 
   (revoke-token!
     [this]
-    (when-let [token (:client-token @auth)]
-      (.revoke-token! this token)))
+    (let [response (api-util/api-request this :post "auth/token/revoke-self" {})]
+      (= 204 (:status response))))
 
 
   (revoke-token!

diff --git a/src/vault/core.clj b/src/vault/core.clj
@@ -20,7 +20,8 @@
     - `:ldap {:username \"LDAP username\", :password \"hunter2\"}`
     - `:k8s {:jwt \"...\", :role \"...\"}`
     - `:app-id {:app \"foo-service-dev\", :user \"...\"}`
-    - `:app-role {:role-id \"...\", :secret-id \"...\"}")
+    - `:app-role {:role-id \"...\", :secret-id \"...\"}
+    - `:aws-iam {:http-request-method \"...\", :request-url \"...\", :request-body \"...\", :request-headers \"...\", :role \"...\"}`")
 
   (status
     [client]

diff --git a/test/vault/client/http_test.clj b/test/vault/client/http_test.clj
@@ -90,3 +90,111 @@
               (vault/authenticate! client :k8s {:jwt "fake-jwt-goes-here"})))
         (is (empty? @api-requests))
         (is (empty? @api-auths))))))
+
+
+(deftest authenticate-via-aws
+  (testing "When all parameters are specified"
+    (let [client (http-client example-url)
+          api-requests (atom [])
+          api-auths (atom [])]
+      (with-redefs [api-util/do-api-request (fn [& args]
+                                              (swap! api-requests conj args)
+                                              :do-api-request-response)
+                    authenticate/api-auth! (fn [& args]
+                                             (swap! api-auths conj args)
+                                             :api-auth!-response)]
+        (vault/authenticate! client :aws-iam {:role "my-role"
+                                              :http-request-method "POST"
+                                              :request-url "fake.sts.com"
+                                              :request-body "FakeAction&Version=1"
+                                              :request-headers "{'foo':'bar'}"})
+        (is (= [[:post
+                 (str example-url "/v1/auth/aws/login")
+                 {:form-params {:iam_http_request_method "POST"
+                                :iam_request_url "fake.sts.com"
+                                :iam_request_body "FakeAction&Version=1"
+                                :iam_request_headers "{'foo':'bar'}"
+                                :role "my-role"}
+                  :content-type :json
+                  :accept :json
+                  :as :json}]]
+               @api-requests))
+        (is (= [["AWS auth role=my-role"
+                 (:auth client)
+                 :do-api-request-response]]
+               @api-auths)))))
+  (testing "When no http-request-method is specified"
+    (let [client (http-client example-url)
+          api-requests (atom [])
+          api-auths (atom [])]
+      (with-redefs [api-util/do-api-request (fn [& args]
+                                              (swap! api-requests conj args))
+                    authenticate/api-auth! (fn [& args]
+                                             (swap! api-auths conj args))]
+        (is (thrown? IllegalArgumentException
+              (vault/authenticate! client :aws-iam {:role "my-role"
+                                                    :request-url "fake.sts.com"
+                                                    :request-body "FakeAction&Version=1"
+                                                    :request-headers "{'foo':'bar'}"})))
+        (is (empty? @api-requests))
+        (is (empty? @api-auths)))))
+  (testing "When no request-url is specified"
+    (let [client (http-client example-url)
+          api-requests (atom [])
+          api-auths (atom [])]
+      (with-redefs [api-util/do-api-request (fn [& args]
+                                              (swap! api-requests conj args))
+                    authenticate/api-auth! (fn [& args]
+                                             (swap! api-auths conj args))]
+        (is (thrown? IllegalArgumentException
+              (vault/authenticate! client :aws-iam {:role "my-role"
+                                                    :http-request-method "POST"
+                                                    :request-body "FakeAction&Version=1"
+                                                    :request-headers "{'foo':'bar'}"})))
+        (is (empty? @api-requests))
+        (is (empty? @api-auths)))))
+  (testing "When no request-body is specified"
+    (let [client (http-client example-url)
+          api-requests (atom [])
+          api-auths (atom [])]
+      (with-redefs [api-util/do-api-request (fn [& args]
+                                              (swap! api-requests conj args))
+                    authenticate/api-auth! (fn [& args]
+                                             (swap! api-auths conj args))]
+        (is (thrown? IllegalArgumentException
+              (vault/authenticate! client :aws-iam {:role "my-role"
+                                                    :http-request-method "POST"
+                                                    :request-url "fake.sts.com"
+                                                    :request-headers "{'foo':'bar'}"})))
+        (is (empty? @api-requests))
+        (is (empty? @api-auths)))))
+  (testing "When no request-headers is specified"
+    (let [client (http-client example-url)
+          api-requests (atom [])
+          api-auths (atom [])]
+      (with-redefs [api-util/do-api-request (fn [& args]
+                                              (swap! api-requests conj args))
+                    authenticate/api-auth! (fn [& args]
+                                             (swap! api-auths conj args))]
+        (is (thrown? IllegalArgumentException
+              (vault/authenticate! client :aws-iam {:role "my-role"
+                                                    :http-request-method "POST"
+                                                    :request-url "fake.sts.com"
+                                                    :request-body "FakeAction&Version=1"})))
+        (is (empty? @api-requests))
+        (is (empty? @api-auths)))))
+  (testing "When no role is specified"
+    (let [client (http-client example-url)
+          api-requests (atom [])
+          api-auths (atom [])]
+      (with-redefs [api-util/do-api-request (fn [& args]
+                                              (swap! api-requests conj args))
+                    authenticate/api-auth! (fn [& args]
+                                             (swap! api-auths conj args))]
+        (is (thrown? IllegalArgumentException
+              (vault/authenticate! client :aws-iam {:http-request-method "POST"
+                                                    :request-url "fake.sts.com"
+                                                    :request-body "FakeAction&Version=1"
+                                                    :request-headers "{'foo':'bar'}"})))
+        (is (empty? @api-requests))
+        (is (empty? @api-auths))))))