| // Copyright (c) HashiCorp, Inc. |
| // SPDX-License-Identifier: MPL-2.0 |
| |
| package gcp |
| |
| import ( |
| "context" |
| "encoding/json" |
| "fmt" |
| "io/ioutil" |
| "net/http" |
| "net/url" |
| "time" |
| |
| "cloud.google.com/go/compute/metadata" |
| credentials "cloud.google.com/go/iam/credentials/apiv1" |
| "github.com/hashicorp/vault/api" |
| credentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1" |
| ) |
| |
| type GCPAuth struct { |
| roleName string |
| mountPath string |
| authType string |
| serviceAccountEmail string |
| } |
| |
| var _ api.AuthMethod = (*GCPAuth)(nil) |
| |
| type LoginOption func(a *GCPAuth) error |
| |
| const ( |
| iamType = "iam" |
| gceType = "gce" |
| defaultMountPath = "gcp" |
| defaultAuthType = gceType |
| identityMetadataURL = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity" |
| ) |
| |
| // NewGCPAuth initializes a new GCP auth method interface to be |
| // passed as a parameter to the client.Auth().Login method. |
| // |
| // Supported options: WithMountPath, WithIAMAuth, WithGCEAuth |
| func NewGCPAuth(roleName string, opts ...LoginOption) (*GCPAuth, error) { |
| if roleName == "" { |
| return nil, fmt.Errorf("no role name provided for login") |
| } |
| |
| a := &GCPAuth{ |
| mountPath: defaultMountPath, |
| authType: defaultAuthType, |
| roleName: roleName, |
| } |
| |
| // Loop through each option |
| for _, opt := range opts { |
| // Call the option giving the instantiated |
| // *GCPAuth as the argument |
| err := opt(a) |
| if err != nil { |
| return nil, fmt.Errorf("error with login option: %w", err) |
| } |
| } |
| |
| // return the modified auth struct instance |
| return a, nil |
| } |
| |
| // Login sets up the required request body for the GCP auth method's /login |
| // endpoint, and performs a write to it. This method defaults to the "gce" |
| // auth type unless NewGCPAuth is called with WithIAMAuth(). |
| func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { |
| if ctx == nil { |
| ctx = context.Background() |
| } |
| |
| loginData := map[string]interface{}{ |
| "role": a.roleName, |
| } |
| switch a.authType { |
| case gceType: |
| jwt, err := a.getJWTFromMetadataService(client.Address()) |
| if err != nil { |
| return nil, fmt.Errorf("unable to retrieve JWT from GCE metadata service: %w", err) |
| } |
| loginData["jwt"] = jwt |
| case iamType: |
| jwtResp, err := a.signJWT() |
| if err != nil { |
| return nil, fmt.Errorf("unable to sign JWT for authenticating to GCP: %w", err) |
| } |
| loginData["jwt"] = jwtResp.SignedJwt |
| } |
| |
| path := fmt.Sprintf("auth/%s/login", a.mountPath) |
| resp, err := client.Logical().WriteWithContext(ctx, path, loginData) |
| if err != nil { |
| return nil, fmt.Errorf("unable to log in with GCP auth: %w", err) |
| } |
| |
| return resp, nil |
| } |
| |
| func WithMountPath(mountPath string) LoginOption { |
| return func(a *GCPAuth) error { |
| a.mountPath = mountPath |
| return nil |
| } |
| } |
| |
| func WithIAMAuth(serviceAccountEmail string) LoginOption { |
| return func(a *GCPAuth) error { |
| a.serviceAccountEmail = serviceAccountEmail |
| a.authType = iamType |
| return nil |
| } |
| } |
| |
| func WithGCEAuth() LoginOption { |
| return func(a *GCPAuth) error { |
| a.authType = gceType |
| return nil |
| } |
| } |
| |
| // generate signed JWT token from GCP IAM. |
| func (a *GCPAuth) signJWT() (*credentialspb.SignJwtResponse, error) { |
| ctx := context.Background() |
| iamClient, err := credentials.NewIamCredentialsClient(ctx) // can pass option.WithCredentialsFile("path/to/creds.json") as second param if GOOGLE_APPLICATION_CREDENTIALS env var not set |
| if err != nil { |
| return nil, fmt.Errorf("unable to initialize IAM credentials client: %w", err) |
| } |
| defer iamClient.Close() |
| |
| resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", a.serviceAccountEmail) |
| jwtPayload := map[string]interface{}{ |
| "aud": fmt.Sprintf("vault/%s", a.roleName), |
| "sub": a.serviceAccountEmail, |
| "exp": time.Now().Add(time.Minute * 10).Unix(), |
| } |
| |
| payloadBytes, err := json.Marshal(jwtPayload) |
| if err != nil { |
| return nil, fmt.Errorf("unable to marshal jwt payload to json: %w", err) |
| } |
| |
| signJWTReq := &credentialspb.SignJwtRequest{ |
| Name: resourceName, |
| Payload: string(payloadBytes), |
| } |
| |
| jwtResp, err := iamClient.SignJwt(ctx, signJWTReq) |
| if err != nil { |
| return nil, fmt.Errorf("unable to sign JWT: %w", err) |
| } |
| |
| return jwtResp, nil |
| } |
| |
| func (a *GCPAuth) getJWTFromMetadataService(vaultAddress string) (string, error) { |
| if !metadata.OnGCE() { |
| return "", fmt.Errorf("GCE metadata service not available") |
| } |
| |
| // build request to metadata server |
| c := &http.Client{} |
| req, err := http.NewRequest(http.MethodGet, identityMetadataURL, nil) |
| if err != nil { |
| return "", fmt.Errorf("error creating http request: %w", err) |
| } |
| |
| req.Header.Add("Metadata-Flavor", "Google") |
| q := url.Values{} |
| q.Add("audience", fmt.Sprintf("%s/vault/%s", vaultAddress, a.roleName)) |
| q.Add("format", "full") |
| req.URL.RawQuery = q.Encode() |
| resp, err := c.Do(req) |
| if err != nil { |
| return "", fmt.Errorf("error making request to metadata service: %w", err) |
| } |
| defer resp.Body.Close() |
| |
| // get jwt from response |
| body, err := ioutil.ReadAll(resp.Body) |
| jwt := string(body) |
| if err != nil { |
| return "", fmt.Errorf("error reading response from metadata service: %w", err) |
| } |
| |
| return jwt, nil |
| } |
