Fix for arbitrary file reads vulnerabilities

[santoshpulluri]

Description

This PR fixes a security vulnerability in the Vault CA provider's authentication methods (Kubernetes, JWT, and AppRole) that allowed arbitrary file reads through path traversal attacks.

Root Cause:

The auth providers used os.ReadFile() directly on user-supplied file paths without proper validation, allowing attackers to read any file on the system by manipulating configuration parameters:

Solution

Implemented OS-level path traversal protection using Go's os.OpenRoot() function, which creates a chroot-like restriction preventing access outside designated directories.

Security Measures:

Whitelist Validation: Only allow file reads from pre-defined standard directories
OS-Level Enforcement: Use os.OpenRoot() to prevent path traversal and symlink escapes at the kernel level
Defense in Depth: Multiple layers of validation ensure security even if one layer has bugs

Allowed Directories:

1. Kubernetes Auth

   • /var/run/secrets/kubernetes.io/serviceaccount
   • /run/secrets/kubernetes.io/serviceaccount

2. JWT Auth

   • /var/run/secrets/kubernetes.io/serviceaccount
   • /run/secrets/kubernetes.io/serviceaccount
   • /var/run/secrets
   • /run/secrets

3. AppRole Auth:

   • /var/run/secrets/vault
   • /run/secrets/vault
   • /var/run/secrets
   • /run/secrets

Testing:

Tests use symbolic links from allowed directories to temporary test directories, respecting the security boundaries while enabling test execution.

[anilvpatel]

LGTM.

[hc-github-team-consul-core]

📣 Hi @santoshpulluri! a backport is missing for this PR [23249] for versions [1.18] please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>