Merge pull request #63 from rundeck-plugins/RUN-3556-Hahsicorp-Vault-Revision-of-Authentication-backend-CERT-implementation-fix

Run 3556 hahsicorp vault revision of authentication backend cert implementation fix

Author: edbaltra

README.md

@@ -83,7 +83,10 @@ rundeck.storage.provider.[index].config.namespace=namespace
 ```
 rundeck.storage.provider.[index].config.authNamespace=namespace
 ```
-
+* **certAuthMount**:  Cert Auth Mount name, The mount name of the TLS Certificate authentication back end for cert authentication.
+```
+rundeck.storage.provider.[index].config.certAuthMount=mount-name
+```
 
 * **keyStoreFile**: Key store file
 A Java keystore, containing a client certificate that's registered with Vault's TLS Certificate auth backend.
@@ -103,6 +106,10 @@ rundeck.storage.provider.[index].config.keyStoreFilePassword=/path/keyStoreFileP
 ```
 rundeck.storage.provider.[index].config.trustStoreFile=/path/trustStoreFile
 ```
+* **trustStoreFilePassword**: Truststore file password. The password needed to access the truststore.
+```
+rundeck.storage.provider.[index].config.trustStoreFilePassword=trustStorePassword
+```
 
 * **pemFile**: PEM file. The path of a file containing an X.509 certificate, in unencrypted PEM format with UTF-8 encoding.
 
@@ -244,7 +251,23 @@ curl --header "X-Vault-Token: $TOKEN" http://localhost:8200/v1/auth/approle/role
 curl --header "X-Vault-Token: $TOKEN" --request POST http://localhost:8200/v1/auth/approle/role/rundeck/secret-id | jq
 ```
 
+#### **Using CERT authentication**
 
+```
+rundeck.storage.provider.1.type=vault-storage
+rundeck.storage.provider.1.path=keys
+rundeck.storage.provider.1.config.prefix=app
+rundeck.storage.provider.1.config.address=$VAULT_URL
+rundeck.storage.provider.1.config.authBackend=cert
+rundeck.storage.provider.1.config.secretBackend=kv
+rundeck.storage.provider.1.config.engineVersion=2
+rundeck.storage.provider.1.config.certAuthMount=tls-auth
+rundeck.storage.provider.1.config.keyStoreFile=$KEYSTORE_FILE
+rundeck.storage.provider.1.config.keyStoreFilePassword=$KEYSTORE_PASSWORD
+rundeck.storage.provider.1.config.trustStoreFile=$TRUSTSTORE_FILE
+rundeck.storage.provider.1.config.truststoreFilePassword=$TRUSTSTORE_PASSWORD
+rundeck.storage.provider.1.config.validateSsl=true
+```
 ## Vault API versions
 
 Since version 1.3.1, this plugin can work with `kV Secrets Engine - Version 2`. 

build.gradle

@@ -47,7 +47,7 @@ dependencies {
     // add any third-party jar dependencies you wish to include in the plugin
     // using the `pluginLibs` configuration as shown here:
 
-    pluginLibs group: 'com.bettercloud', name: 'vault-java-driver', version: '5.1.0', ext: 'jar'
+    pluginLibs group: 'io.github.jopenlibs', name: 'vault-java-driver', version: '6.2.0', ext: 'jar'
 
 
     //the compile dependency won't add the rundeck-core jar to the plugin contents

src/main/java/io/github/valfadeev/rundeck/plugin/vault/ConfigOptions.java

@@ -15,6 +15,7 @@ class ConfigOptions {
     static final String VAULT_KEY_STORE_FILE = "keyStoreFile";
     static final String VAULT_KEY_STORE_FILE_PASSWORD = "keyStoreFilePassword";
     static final String VAULT_TRUST_STORE_FILE = "trustStoreFile";
+    static final String VAULT_TRUST_STORE_FILE_PASSWORD = "trustStoreFilePassword";
     static final String VAULT_CLIENT_PEM_FILE = "clientPemFile";
     static final String VAULT_CLIENT_KEY_PEM_FILE = "clientKeyPemFile";
     static final String VAULT_USERPASS_AUTH_MOUNT = "userpassAuthMount";
@@ -28,5 +29,6 @@ class ConfigOptions {
     static final String VAULT_STORAGE_BEHAVIOUR = "storageBehaviour";
     static final String VAULT_ENGINE_VERSION = "engineVersion";
     static final String VAULT_AUTH_NAMESPACE = "authNamespace";
+    static final String VAULT_CERT_AUTH_MOUNT = "certAuthMount";
 
 }

src/main/java/io/github/valfadeev/rundeck/plugin/vault/KeyObject.java

@@ -1,6 +1,6 @@
 package io.github.valfadeev.rundeck.plugin.vault;
 
-import com.bettercloud.vault.api.Logical;
+import io.github.jopenlibs.vault.api.Logical;
 import com.dtolabs.rundeck.core.storage.ResourceMeta;
 import org.rundeck.storage.api.Path;
 import org.rundeck.storage.impl.ResourceBase;

src/main/java/io/github/valfadeev/rundeck/plugin/vault/KeyObjectBuilder.java

@@ -1,8 +1,8 @@
 package io.github.valfadeev.rundeck.plugin.vault;
 
-import com.bettercloud.vault.VaultException;
-import com.bettercloud.vault.api.Logical;
-import com.bettercloud.vault.response.LogicalResponse;
+import io.github.jopenlibs.vault.VaultException;
+import io.github.jopenlibs.vault.api.Logical;
+import io.github.jopenlibs.vault.response.LogicalResponse;
 import org.rundeck.storage.api.Path;
 import org.rundeck.storage.api.PathUtil;
 

src/main/java/io/github/valfadeev/rundeck/plugin/vault/RundeckKey.java

@@ -1,8 +1,8 @@
 package io.github.valfadeev.rundeck.plugin.vault;
 
-import com.bettercloud.vault.VaultException;
-import com.bettercloud.vault.api.Logical;
-import com.bettercloud.vault.response.LogicalResponse;
+import io.github.jopenlibs.vault.VaultException;
+import io.github.jopenlibs.vault.api.Logical;
+import io.github.jopenlibs.vault.response.LogicalResponse;
 import com.dtolabs.rundeck.core.storage.ResourceMeta;
 import com.dtolabs.rundeck.core.storage.ResourceMetaBuilder;
 import com.dtolabs.rundeck.core.storage.StorageUtil;

src/main/java/io/github/valfadeev/rundeck/plugin/vault/VaultClientProvider.java

@@ -1,40 +1,50 @@
 package io.github.valfadeev.rundeck.plugin.vault;
 
 import java.io.File;
+import java.io.FileInputStream;
+import java.security.KeyStore;
 import java.util.Properties;
 
-import com.bettercloud.vault.SslConfig;
-import com.bettercloud.vault.Vault;
-import com.bettercloud.vault.VaultConfig;
-import com.bettercloud.vault.VaultException;
-import com.bettercloud.vault.api.Auth;
+import io.github.jopenlibs.vault.SslConfig;
+import io.github.jopenlibs.vault.Vault;
+import io.github.jopenlibs.vault.VaultConfig;
+import io.github.jopenlibs.vault.VaultException;
+import io.github.jopenlibs.vault.api.Auth;
 import com.dtolabs.rundeck.core.plugins.configuration.ConfigurationException;
 
 import static io.github.valfadeev.rundeck.plugin.vault.ConfigOptions.*;
 import static io.github.valfadeev.rundeck.plugin.vault.SupportedAuthBackends.*;
 
-class VaultClientProvider {
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-    private Properties configuration;
+class VaultClientProvider {
+    private static final Logger LOG = LoggerFactory.getLogger(VaultClientProvider.class);
+    private final Properties configuration;
 
     VaultClientProvider(Properties configuration) {
         this.configuration = configuration;
     }
 
     Vault getVaultClient() throws ConfigurationException {
-        final Integer vaultMaxRetries = Integer.parseInt(configuration.getProperty(VAULT_MAX_RETRIES));
-        final Integer vaultRetryIntervalMilliseconds = Integer.parseInt(configuration.getProperty(VAULT_RETRY_INTERVAL_MILLISECONDS));
+        LOG.debug("[vault] getVaultClient(): start, address='{}'", configuration.getProperty(VAULT_ADDRESS));
+        final int vaultMaxRetries = Integer.parseInt(configuration.getProperty(VAULT_MAX_RETRIES));
+        final int vaultRetryIntervalMilliseconds = Integer.parseInt(configuration.getProperty(VAULT_RETRY_INTERVAL_MILLISECONDS));
         final Integer vaultEngineVersion = Integer.parseInt(configuration.getProperty(VAULT_ENGINE_VERSION));
 
         VaultConfig vaultConfig = getVaultConfig();
 
         try {
             String authToken = getVaultAuthToken();
+            LOG.debug("[vault] got auth token? {}", (authToken != null && !authToken.isEmpty()));
             vaultConfig.token(authToken).build();
-            return new Vault(vaultConfig, vaultEngineVersion)
-                    .withRetries(vaultMaxRetries,
-                            vaultRetryIntervalMilliseconds);
+            LOG.debug("[vault] building Vault client with engineVersion={} retries={} interval={}ms",
+                    vaultEngineVersion, vaultMaxRetries, vaultRetryIntervalMilliseconds);
+            return Vault.create(vaultConfig, vaultEngineVersion).withRetries(vaultMaxRetries,
+                    vaultRetryIntervalMilliseconds);
+
         } catch (VaultException e) {
+            LOG.debug("[vault] getVaultClient(): VaultException: {}", e.getMessage(), e);
             throw new ConfigurationException(String.format("Encountered error while "
                     + "building Vault configuration: %s", e.getMessage()));
         }
@@ -58,11 +68,13 @@ protected VaultConfig getVaultConfig() throws ConfigurationException {
             try {
                 vaultConfig.nameSpace(nameSpace);
             } catch (VaultException e) {
+                LOG.debug("[vault] error building namespace configuration: {}", e.getMessage(), e);
                 throw new ConfigurationException(
                         String.format("Encountered error while building namespace configuration: %s", e.getMessage()));
             }
         }
 
+        LOG.debug("[vault] built VaultConfig for address='{}', namespace='{}'", vaultAddress, nameSpace);
         return vaultConfig;
     }
 
@@ -73,19 +85,39 @@ private SslConfig getSslConfig() throws ConfigurationException {
         sslConfig.verify(vaultVerifySsl);
 
         final String vaultTrustStoreFile = configuration.getProperty(VAULT_TRUST_STORE_FILE);
+        final String vaultTrustStoreFilePassword = configuration.getProperty(VAULT_TRUST_STORE_FILE_PASSWORD);
+
         if (vaultTrustStoreFile != null) {
             try {
-                sslConfig.trustStoreFile(new File(vaultTrustStoreFile));
-            } catch (VaultException e) {
-                throw new ConfigurationException(String.format("Encountered error while building ssl configuration: %s", e.getMessage()));
+                LOG.debug("[vault] using trustStoreFile={}", vaultTrustStoreFile);
+                File trustFile = new File(vaultTrustStoreFile);
+                LOG.debug("[vault] trustStoreFile exists={}, readable={}, size={}",
+                        trustFile.exists(), trustFile.canRead(), trustFile.length());
+
+                // load JKS with password, then provide in-memory KeyStore to the driver
+                try (FileInputStream in = new FileInputStream(trustFile)) {
+                    KeyStore ts = KeyStore.getInstance("JKS"); // keep default type
+                    if (vaultTrustStoreFilePassword == null) {
+                        throw new ConfigurationException("vault.trustStoreFilePassword is required for JKS truststores");
+                    }
+                    ts.load(in, vaultTrustStoreFilePassword.toCharArray());
+                    sslConfig.trustStore(ts);
+                }
+
+                LOG.debug("[vault] trustStore (JKS) loaded and applied successfully");
+            } catch (Exception e) {
+                LOG.debug("[vault] error setting trustStore (JKS): {}", e.getMessage(), e);
+                throw new ConfigurationException("Encountered error while building ssl configuration: " + e.getMessage());
             }
         } else  {
             final String vaultPemFile = configuration.getProperty(VAULT_PEM_FILE);
             if (vaultPemFile != null) {
                 try {
+                    LOG.debug("[vault] using pemFile={}", vaultPemFile);
                     sslConfig.pemFile(new File(vaultPemFile));
                 }
                 catch (VaultException e) {
+                    LOG.debug("[vault] error setting pemFile: {}", e.getMessage(), e);
                     throw new ConfigurationException(
                             String.format("Encountered error while building "
                                             + "ssl configuration: %s",
@@ -109,9 +141,11 @@ private SslConfig getSslConfig() throws ConfigurationException {
                 final String vaultClientKeyPemFile = configuration.getProperty(VAULT_CLIENT_KEY_PEM_FILE);
                 if (vaultClientPemFile != null && vaultClientKeyPemFile != null) {
                     try {
+                        LOG.debug("[vault] using keyStoreFile={}", vaultKeyStoreFile);
                         sslConfig.clientPemFile(new File(vaultClientPemFile))
                                 .clientKeyPemFile(new File(vaultClientKeyPemFile));
                     } catch (VaultException e) {
+                        LOG.debug("[vault] error setting client cert/key: {}", e.getMessage(), e);
                         throw new ConfigurationException(String.format("Encountered error while building ssl configuration: %s", e.getMessage()));
                     }
                 }
@@ -121,6 +155,7 @@ private SslConfig getSslConfig() throws ConfigurationException {
         try {
             sslConfig.build();
         } catch (VaultException e) {
+            LOG.debug("[vault] error building SslConfig: {}", e.getMessage(), e);
             throw new ConfigurationException(String.format("Encountered error while building ssl configuration: %s", e.getMessage()));
         }
 
@@ -131,19 +166,26 @@ private String getVaultAuthToken() throws ConfigurationException, VaultException
         final String vaultAuthBackend = configuration.getProperty(VAULT_AUTH_BACKEND);
         final String vaultAuthNameSpace = configuration.getProperty(VAULT_AUTH_NAMESPACE);
 
+        LOG.debug("[vault] getVaultAuthToken(): backend='{}', authNamespace='{}'",
+                vaultAuthBackend, vaultAuthNameSpace);
+
+
         final String authToken;
         final String msg = "Must specify %s when auth backend is %s";
 
         if (vaultAuthBackend.equals(TOKEN)) {
+            LOG.debug("[vault] auth=TOKEN");
             authToken = configuration.getProperty(VAULT_TOKEN);
             if (authToken == null) {
+                LOG.debug("[vault] missing token for TOKEN backend");
                 throw new ConfigurationException(
                         String.format(
                                 msg,
                                 VAULT_TOKEN,
                                 vaultAuthBackend
                         )
                 );
+
             }
             return authToken;
         }
@@ -153,16 +195,18 @@ private String getVaultAuthToken() throws ConfigurationException, VaultException
         if(vaultAuthNameSpace!=null && !vaultAuthNameSpace.isEmpty()){
             vaultAuthConfig.nameSpace(vaultAuthNameSpace);
         }
-        final Auth vaultAuth = new Vault(vaultAuthConfig).auth();
+        final Auth vaultAuth = Vault.create(vaultAuthConfig).auth();
 
         switch (vaultAuthBackend) {
 
             case APPROLE:
+                LOG.debug("[vault] auth=APPROLE");
                 final String vaultApproleId = configuration.getProperty(VAULT_APPROLE_ID);
                 final String vaultApproleSecretId = configuration.getProperty(VAULT_APPROLE_SECRET_ID);
                 final String vaultApproleAuthMount = configuration.getProperty(VAULT_APPROLE_AUTH_MOUNT);
 
                 if (vaultApproleId == null || vaultApproleSecretId == null) {
+                    LOG.debug("[vault] missing AppRole id/secret");
                     throw new ConfigurationException(
                             String.format(
                                     msg,
@@ -179,17 +223,21 @@ private String getVaultAuthToken() throws ConfigurationException, VaultException
                             vaultApproleAuthMount,
                             vaultApproleId,
                             vaultApproleSecretId).getAuthClientToken();
+                    LOG.debug("[vault] AppRole login success? {}", (authToken != null));
 
                 } catch (VaultException e) {
+                    LOG.debug("[vault] AppRole login failed: {}", e.getMessage(), e);
                     throw new ConfigurationException(
                             String.format("Encountered error while authenticating with %s: %s", vaultAuthBackend, e.getLocalizedMessage())
                     );
                 }
                 break;
 
             case GITHUB:
+                LOG.debug("[vault] auth=GITHUB");
                 final String vaultGithubToken = configuration.getProperty(VAULT_GITHUB_TOKEN);
                 if (vaultGithubToken == null) {
+                    LOG.debug("[vault] missing github token");
                     throw new ConfigurationException(
                             String.format(msg,
                                     VAULT_GITHUB_TOKEN,
@@ -202,8 +250,10 @@ private String getVaultAuthToken() throws ConfigurationException, VaultException
                     authToken = vaultAuth
                             .loginByGithub(vaultGithubToken)
                             .getAuthClientToken();
+                    LOG.debug("[vault] GitHub login success? {}", (authToken != null));
 
                 } catch (VaultException e) {
+                    LOG.debug("[vault] GitHub login failed: {}", e.getMessage(), e);
                     throw new ConfigurationException(
                             String.format("Encountered error while authenticating with %s",
                                     vaultAuthBackend)
@@ -212,10 +262,12 @@ private String getVaultAuthToken() throws ConfigurationException, VaultException
                 break;
 
             case USERPASS:
+                LOG.debug("[vault] auth=USERPASS");
                 final String vaultUserpassAuthMount = configuration.getProperty(VAULT_USERPASS_AUTH_MOUNT);
                 final String vaultUsername = configuration.getProperty(VAULT_USERNAME);
                 final String vaultPassword = configuration.getProperty(VAULT_PASSWORD);
                 if (vaultUsername == null || vaultPassword == null) {
+                    LOG.debug("[vault] missing user/password");
                     throw new ConfigurationException(
                             String.format(msg,
                                     String.join(", ",
@@ -229,16 +281,35 @@ private String getVaultAuthToken() throws ConfigurationException, VaultException
                     authToken = vaultAuth
                             .loginByUserPass(vaultUsername, vaultPassword, vaultUserpassAuthMount)
                             .getAuthClientToken();
+                    LOG.debug("[vault] UserPass login success? {}", (authToken != null));
 
                 } catch (VaultException e) {
+                    LOG.debug("[vault] UserPass login failed: {}", e.getMessage(), e);
                     throw new ConfigurationException(
                             String.format("Encountered error while authenticating with %s",
                                     vaultAuthBackend)
                     );
                 }
                 break;
 
+            case CERT:
+                LOG.debug("[vault] auth=CERT");
+                final String configured = configuration.getProperty(VAULT_CERT_AUTH_MOUNT);
+                final String mount = (configured == null || configured.isEmpty()) ? "cert" : configured;
+                try {
+                    authToken = vaultAuth.loginByCert(mount).getAuthClientToken();
+
+                } catch (VaultException e) {
+                    LOG.debug("[vault] Cert login failed: {}", e.getMessage(), e);
+                    throw new ConfigurationException(
+                            String.format("Encountered error while authenticating with %s at mount '%s': %s",
+                                    vaultAuthBackend, mount, e.getLocalizedMessage()));
+                }
+                break;
+
+
             default:
+                LOG.debug("[vault] unsupported auth backend='{}'", vaultAuthBackend);
                 throw new ConfigurationException(
                         String.format("Unsupported auth backend: %s", vaultAuthBackend));
 

src/main/java/io/github/valfadeev/rundeck/plugin/vault/VaultKey.java

@@ -1,8 +1,8 @@
 package io.github.valfadeev.rundeck.plugin.vault;
 
-import com.bettercloud.vault.VaultException;
-import com.bettercloud.vault.api.Logical;
-import com.bettercloud.vault.response.LogicalResponse;
+import io.github.jopenlibs.vault.VaultException;
+import io.github.jopenlibs.vault.api.Logical;
+import io.github.jopenlibs.vault.response.LogicalResponse;
 import com.dtolabs.rundeck.core.storage.ResourceMeta;
 import com.dtolabs.rundeck.core.storage.ResourceMetaBuilder;
 import com.dtolabs.rundeck.core.storage.StorageUtil;