lambda_vault_auth 0.0.0 → 0.0.1
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/lambda_vault_auth.rb +12 -22
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6e9794bac03588fc9ad7caf0d29aacdca294575705196667f9eee9c2fcf9bb3b
|
4
|
+
data.tar.gz: 2d4f4831c045a811ec11af35bbdc931bb5e9269ceab04c228e9f746f33705727
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: dfa49c64e9d2b801503059d84cdd71ba80d7cb92247006b9b1997f05eb45ac2b0502c6fe234fb9dc14f3cf10714f05eb8cf5512d4a4f1239117c63b56e9f6315
|
7
|
+
data.tar.gz: c6cbf16a2a56e15c585ee10cf80a3d3e2d44616710175400e747171b3ee9c5906a55b9e790e1997305cbf69d51b659dbf68b58106bddc6d8533d210db1ff3f6e
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.0.
|
1
|
+
0.0.1
|
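--- a/data/lib/lambda_vault_auth.rb
+++ b/data/lib/lambda_vault_auth.rb
@@ -1,9 +1,6 @@
 require 'aws-sdk-core'
 require 'vault'
 
-# TODO: support the advanced vault header in the signature, since it gives us better security
-# VAULT_AUTH_HEADER_NAME = "X-Vault-AWS-IAM-Server-ID".freeze
-
 # LambdaVaultAuth
 class LambdaVaultAuth
 # Internal class for Vault interactions
@@ -17,8 +14,9 @@ class LambdaVaultAuth
 :renewal_window,
 :ttl
 
-
-
+DEFAULT_STS_URI = 'https://sts.amazonaws.com'.freeze
+
+def initialize(env = ENV)
 @client = new_client_from_environment(env)
 
 # TODO: Make the following configurable
@@ -45,9 +43,13 @@ class LambdaVaultAuth
 handle_token(auth_token.renew_self(ttl))
 end
 
+def login_route
+"/v1/auth/#{@auth_provider}/login"
+end
+
 def new_client_from_environment(env)
 addr = env.fetch('VAULT_ADDR')
-
+@auth_header = env['VAULT_AUTH_HEADER'] # may be nil
 @auth_provider = env.fetch('VAULT_AUTH_PROVIDER')
 @auth_role = env.fetch('VAULT_AUTH_ROLE')
 
@@ -57,26 +59,15 @@ class LambdaVaultAuth
 end
 
 def authenticate!
-
+secret = client.auth.aws_iam(@auth_role, Aws::CredentialProviderChain.new.resolve, @auth_header, DEFAULT_STS_URI, login_route)
 
-
-'iam_http_request_method': req.http_method,
-'iam_request_body': Base64.strict_encode64(req.body.read),
-'iam_request_headers': Base64.strict_encode64(req.headers.to_h.to_json),
-'iam_request_url': Base64.strict_encode64(req.endpoint.to_s),
-'role': @auth_role
-}
-
-secret = client.logical.write("auth/#{@auth_provider}/login", data)
-
-warn secret.warnings unless secret.warnings.empty?
+warn secret.warnings unless secret.warnings.nil? or secret.warnings.empty?
 
 handle_token(secret)
-
-# create the required data to renew/validate
-# populate the token on the client and hand that to the user
 end
 
+# create the required data to renew/validate
+# populate the token on the client and hand that to the user
 def handle_token(secret)
 @auth_token = secret.auth
 @ttl = secret.lease_duration
@@ -89,7 +80,6 @@ class LambdaVaultAuth
 # to help manage the lifecycle of a vault and access the credentials
 def self.vault
 @vault ||= Vaulter.new
-@sts ||= Aws::STS::Client.new
 
 return @vault.client unless @vault.expired?
 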
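Review bot: The new `authenticate!` line hands `@auth_header` to `client.auth.aws_iam` exactly as it comes out of `VAULT_AUTH_HEADER`, which the comment on the new line in `new_client_from_environment` explicitly allows to be nil, so in the default configuration the signed GetCallerIdentity request presumably carries no `X-Vault-AWS-IAM-Server-ID` binding and could be replayed against any other Vault server or mount that trusts the same IAM principal — the concern the deleted TODO at the top of the file was tracking. Consider failing closed with `@auth_header = env.fetch('VAULT_AUTH_HEADER')`, or at minimum `warn 'VAULT_AUTH_HEADER unset; Vault login request is not bound to a server' if @auth_header.nil?`, and note in a comment that the aws auth mount should set `iam_server_id_header_value` so unbound logins are rejected server-side as well. Separately, `Aws::CredentialProviderChain.new.resolve` returns nil when no credential source is found, so `creds = Aws::CredentialProviderChain.new.resolve or raise 'no AWS credentials resolved for Vault IAM login'` before the call would give a clearer failure than whatever `aws_iam` does with a nil provider. The `unless … or …` on the warning line only works because the modifier binds last; `||` is the conventional form, e.g. `warn secret.warnings if secret.warnings&.any?`.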