lambda_vault_auth 0.0.0 → 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/lambda_vault_auth.rb +12 -22
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6e9794bac03588fc9ad7caf0d29aacdca294575705196667f9eee9c2fcf9bb3b
|
|
4
|
+
data.tar.gz: 2d4f4831c045a811ec11af35bbdc931bb5e9269ceab04c228e9f746f33705727
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: dfa49c64e9d2b801503059d84cdd71ba80d7cb92247006b9b1997f05eb45ac2b0502c6fe234fb9dc14f3cf10714f05eb8cf5512d4a4f1239117c63b56e9f6315
|
|
7
|
+
data.tar.gz: c6cbf16a2a56e15c585ee10cf80a3d3e2d44616710175400e747171b3ee9c5906a55b9e790e1997305cbf69d51b659dbf68b58106bddc6d8533d210db1ff3f6e
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.0.
|
|
1
|
+
0.0.1
|
data/lib/lambda_vault_auth.rb
CHANGED
|
@@ -1,9 +1,6 @@
|
|
|
1
1
|
require 'aws-sdk-core'
|
|
2
2
|
require 'vault'
|
|
3
3
|
|
|
4
|
-
# TODO: support the advanced vault header in the signature, since it gives us better security
|
|
5
|
-
# VAULT_AUTH_HEADER_NAME = "X-Vault-AWS-IAM-Server-ID".freeze
|
|
6
|
-
|
|
7
4
|
# LambdaVaultAuth
|
|
8
5
|
class LambdaVaultAuth
|
|
9
6
|
# Internal class for Vault interactions
|
|
@@ -17,8 +14,9 @@ class LambdaVaultAuth
|
|
|
17
14
|
:renewal_window,
|
|
18
15
|
:ttl
|
|
19
16
|
|
|
20
|
-
|
|
21
|
-
|
|
17
|
+
DEFAULT_STS_URI = 'https://sts.amazonaws.com'.freeze
|
|
18
|
+
|
|
19
|
+
def initialize(env = ENV)
|
|
22
20
|
@client = new_client_from_environment(env)
|
|
23
21
|
|
|
24
22
|
# TODO: Make the following configurable
|
|
@@ -45,9 +43,13 @@ class LambdaVaultAuth
|
|
|
45
43
|
handle_token(auth_token.renew_self(ttl))
|
|
46
44
|
end
|
|
47
45
|
|
|
46
|
+
def login_route
|
|
47
|
+
"/v1/auth/#{@auth_provider}/login"
|
|
48
|
+
end
|
|
49
|
+
|
|
48
50
|
def new_client_from_environment(env)
|
|
49
51
|
addr = env.fetch('VAULT_ADDR')
|
|
50
|
-
|
|
52
|
+
@auth_header = env['VAULT_AUTH_HEADER'] # may be nil
|
|
51
53
|
@auth_provider = env.fetch('VAULT_AUTH_PROVIDER')
|
|
52
54
|
@auth_role = env.fetch('VAULT_AUTH_ROLE')
|
|
53
55
|
|
|
@@ -57,26 +59,15 @@ class LambdaVaultAuth
|
|
|
57
59
|
end
|
|
58
60
|
|
|
59
61
|
def authenticate!
|
|
60
|
-
|
|
62
|
+
secret = client.auth.aws_iam(@auth_role, Aws::CredentialProviderChain.new.resolve, @auth_header, DEFAULT_STS_URI, login_route)
|
|
61
63
|
|
|
62
|
-
|
|
63
|
-
'iam_http_request_method': req.http_method,
|
|
64
|
-
'iam_request_body': Base64.strict_encode64(req.body.read),
|
|
65
|
-
'iam_request_headers': Base64.strict_encode64(req.headers.to_h.to_json),
|
|
66
|
-
'iam_request_url': Base64.strict_encode64(req.endpoint.to_s),
|
|
67
|
-
'role': @auth_role
|
|
68
|
-
}
|
|
69
|
-
|
|
70
|
-
secret = client.logical.write("auth/#{@auth_provider}/login", data)
|
|
71
|
-
|
|
72
|
-
warn secret.warnings unless secret.warnings.empty?
|
|
64
|
+
warn secret.warnings unless secret.warnings.nil? or secret.warnings.empty?
|
|
73
65
|
|
|
74
66
|
handle_token(secret)
|
|
75
|
-
|
|
76
|
-
# create the required data to renew/validate
|
|
77
|
-
# populate the token on the client and hand that to the user
|
|
78
67
|
end
|
|
79
68
|
|
|
69
|
+
# create the required data to renew/validate
|
|
70
|
+
# populate the token on the client and hand that to the user
|
|
80
71
|
def handle_token(secret)
|
|
81
72
|
@auth_token = secret.auth
|
|
82
73
|
@ttl = secret.lease_duration
|
|
@@ -89,7 +80,6 @@ class LambdaVaultAuth
|
|
|
89
80
|
# to help manage the lifecycle of a vault and access the credentials
|
|
90
81
|
def self.vault
|
|
91
82
|
@vault ||= Vaulter.new
|
|
92
|
-
@sts ||= Aws::STS::Client.new
|
|
93
83
|
|
|
94
84
|
return @vault.client unless @vault.expired?
|
|
95
85
|
|