Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

identity: adds generation of plugin identity tokens #25219

Merged
merged 11 commits into from
Feb 6, 2024
Merged

identity: adds generation of plugin identity tokens #25219

merged 11 commits into from
Feb 6, 2024

Conversation

austingebauer
Copy link
Contributor

This PR introduces generation of plugin identity tokens to the identity store. This allows plugins to consume them over the GenerateIdentityToken() method of the system view.

Other important aspects of this PR:

  • Prevents deletion of keys that are in use by a plugin mount
  • Lazily generates the OIDC default key if used at plugin mount time

I've added a test that generates JWTs, verifies their signatures, and validates a majority of claims. A test that integrates with a plugin consuming these tokens (AWS secret engine) will be added in a follow-up PR.

@austingebauer austingebauer added this to the 1.16.0-rc1 milestone Feb 5, 2024
@austingebauer austingebauer requested a review from a team as a code owner February 5, 2024 18:05
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Feb 5, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 5, 2024
edited
Loading

CI Results:
All Go tests succeeded! ✅

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 5, 2024
edited
Loading

Build Results:
All builds succeeded! ✅

tomhjp
tomhjp approved these changes Feb 6, 2024
View reviewed changes
Copy link
Contributor

@tomhjp tomhjp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 👍 just a few small suggestions

changelog/25219.txt Outdated Show resolved Hide resolved
vault/identity_store_oidc.go Outdated Show resolved Hide resolved
vault/identity_store_oidc.go Outdated Show resolved Hide resolved
vault/logical_system.go Show resolved Hide resolved
@austingebauer @tomhjp
Update changelog/25219.txt
5601188 
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
fairclothjm
fairclothjm approved these changes Feb 6, 2024
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to Tom's suggestions, otherwise LGTM!

@austingebauer austingebauer merged commit 98bffbe into main Feb 6, 2024
83 checks passed
@austingebauer austingebauer deleted the generate-plugin-id-token branch February 6, 2024 23:14
Monkeychip pushed a commit that referenced this pull request Feb 7, 2024
@austingebauer @tomhjp @Monkeychip
identity: adds generation of plugin identity tokens (#25219)
62671ce 
* adds generation of plugin identity tokens

* adds constants

* fix namespace path when getting matching identity storage

* adds changelog

* adds godoc on test

* fix data race with default key generation by moving locks up

* Update changelog/25219.txt

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* use namespace from context instead of mount entry

* translate mount table entry from mounts to secret

* godoc on test

---------

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm approved these changes

@tomhjp tomhjp tomhjp approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.16.0-rc1
Development

Successfully merging this pull request may close these issues.
3 participants
@austingebauer @tomhjp @fairclothjm