From 24a188706e656dfe9b6d727e1a4668cbc28851af Mon Sep 17 00:00:00 2001
From: saville
Date: Mon, 20 Jun 2022 20:43:49 -0600
Subject: [PATCH] Add configuration to credentials to enable using limited policies
---
 README.md | 9 ++---
 ...actVaultTokenCredentialWithExpiration.java | 36 +++++++++++++++----
 .../VaultAppRoleCredential/credentials.jelly | 3 ++
 .../help-usePolicies.html | 5 +++
 .../VaultAwsIamCredential/credentials.jelly | 3 ++
 .../help-usePolicies.html | 5 +++
 .../VaultGCPCredential/credentials.jelly | 3 ++
 .../VaultGCPCredential/help-usePolicies.html | 5 +++
 .../credentials.jelly | 3 ++
 .../help-usePolicies.html | 5 +++
 .../credentials.jelly | 3 ++
 .../help-usePolicies.html | 5 +++
 ...aultTokenCredentialWithExpirationTest.java | 1 +
 13 files changed, 76 insertions(+), 10 deletions(-)
 create mode 100644 src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/help-usePolicies.html
 create mode 100644 src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/help-usePolicies.html
 create mode 100644 src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/help-usePolicies.html
 create mode 100644 src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/help-usePolicies.html
 create mode 100644 src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/help-usePolicies.html
diff --git a/README.md b/README.md
index 99e2e580..734d16a1 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,8 @@ This is just a short introduction, please refer to [Hashicorp itself](https://ww
 ### Isolating policies for different jobs
 It may be desirable to have jobs or folders with separate Vault policies allocated. This may be done
-with the optional `policies` configuration option combined with AppRole authentication. The workflow
-would look like this:
+with the optional `policies` configuration option combined with authentication such as the AppRole
+credential. The process is the following:
 * The Jenkins job attempts to retrieve a secret from Vault
 * The AppRole authentication is used to retrieve a new token (if the old one has not expired yet)
 * The Vault plugin then uses the `policies` configuration value with job info to come up with a list of policies
@@ -30,8 +30,9 @@ would look like this:
 The policies list may be templatized with values that can come from each job in order to customize
 policies per job or folder. See the `policies` configuration help for more information on available
-tokens to use in the configuration. Please note that the AppRole should have all policies configured
-as `token_policies` and not `identity_policies`, as job-specific tokens inherit all
+tokens to use in the configuration. The `Limit Token Policies` option must also be enabled on the
+auth credential. Please note that the AppRole (or other authentication method) should have all policies
+configured as `token_policies` and not `identity_policies`, as job-specific tokens inherit all
 `identity_policies` automatically.
 ### What about other backends?
diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.java b/src/main/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.java
index 7eda0eee..37733446 100644
--- a/src/main/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.java
+++ b/src/main/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.java
@@ -7,6 +7,7 @@
 import com.bettercloud.vault.api.Auth.TokenRequest;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.datapipe.jenkins.vault.exception.VaultPluginException;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import java.util.Calendar;
 import java.util.HashMap;
@@ -14,6 +15,7 @@
 import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.kohsuke.stapler.DataBoundSetter;
 public abstract class AbstractVaultTokenCredentialWithExpiration
 extends AbstractVaultTokenCredential {
@@ -21,6 +23,27 @@ public abstract class AbstractVaultTokenCredentialWithExpiration
 protected final static Logger LOGGER = Logger
 .getLogger(AbstractVaultTokenCredentialWithExpiration.class.getName());
+ @CheckForNull
+ private Boolean usePolicies;
+
+ /**
+ * Get if the configured policies should be used or not.
+ * @return true if the policies should be used, false or null otherwise
+ */
+ @CheckForNull
+ public Boolean getUsePolicies() {
+ return usePolicies;
+ }
+
+ /**
+ * Set if the configured policies are used or not.
+ * @param usePolicies true if policies should be used, false otherwise
+ */
+ @DataBoundSetter
+ public void setUsePolicies(Boolean usePolicies) {
+ this.usePolicies = usePolicies;
+ }
+
 private Map tokenExpiry;
 private Map tokenCache;
@@ -43,13 +66,14 @@ protected Auth getVaultAuth(@NonNull Vault vault) {
 }
 /**
- * Retrieves a new token with specific policies if a list of requested policies is provided.
+ * Retrieves a new child token with specific policies if this credential is configured to use
+ * policies and a list of requested policies is provided.
 * @param vault the vault instance
 * @param policies the policies list
- * @return the new token or null if no policies are defined
+ * @return the new token or null if it cannot be provisioned
 */
- protected String getTokenWithPolicies(Vault vault, List policies) {
- if (policies == null || policies.isEmpty()) {
+ protected String getChildToken(Vault vault, List policies) {
+ if (usePolicies == null || !usePolicies || policies == null || policies.isEmpty()) {
 return null;
 }
 Auth auth = getVaultAuth(vault);
@@ -59,7 +83,7 @@ protected String getTokenWithPolicies(Vault vault, List policies) {
 new Object[] {policies});
 return auth.createToken(tokenRequest).getAuthClientToken();
 } catch (VaultException e) {
- throw new VaultPluginException("Could not retrieve token with policies from vault", e);
+ throw new VaultPluginException("Could not retrieve token with policies from Vault", e);
 }
 }
@@ -90,7 +114,7 @@ public Vault authorizeWithVault(VaultConfig config, List policies) {
 config.token(tokenCache.get(cacheKey));
 // After current token is configured, try to retrieve a new child token with limited policies
- String childToken = getTokenWithPolicies(vault, policies);
+ String childToken = getChildToken(vault, policies);
 if (childToken != null) {
 // A new token was generated, put it in the cache and configure vault
 tokenCache.put(cacheKey, childToken);
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/credentials.jelly
index 678f41e7..48324f51 100644
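Review bot: The new guard at the top of getChildToken makes policy limiting opt-in, so a credential saved before this change silently loses the restriction it relied on: `usePolicies` is null for any stored credential, getChildToken returns null, and authorizeWithVault (third hunk) keeps the unrestricted parent token it just set from `tokenCache`. If opt-in is the intended default, at least make the downgrade visible, e.g. before `return null;` add `LOGGER.log(Level.WARNING, "Policies {0} are configured but this credential does not limit token policies; the parent token will be used", new Object[] {policies});` for the disabled-but-policies-present case, or treat a null `usePolicies` as enabled when `policies` is non-empty so upgrades stay least-privilege. The new `@return` text `null if it cannot be provisioned` is also inaccurate, since a provisioning failure throws VaultPluginException in the second hunk; suggest `@return the new child token, or null if this credential does not limit policies or no policies are requested`. The body of getChildToken continues outside the first hunk.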
--- a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/credentials.jelly
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/credentials.jelly
@@ -13,5 +13,8 @@
+
+
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/help-usePolicies.html b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/help-usePolicies.html
new file mode 100644
index 00000000..5a31f35d
--- /dev/null
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAppRoleCredential/help-usePolicies.html
@@ -0,0 +1,5 @@
+
+ If checked and policies are defined in the Vault plugin configuration, a child token will be
+ provisioned after authenticating with Vault with only the configured policies. See the Vault
+ plugin configuration policies for more information.
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/credentials.jelly
index bd772bd9..05ad09a4 100644
--- a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/credentials.jelly
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/credentials.jelly
@@ -13,6 +13,9 @@
+
+
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/help-usePolicies.html b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/help-usePolicies.html
new file mode 100644
index 00000000..5a31f35d
--- /dev/null
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential/help-usePolicies.html
@@ -0,0 +1,5 @@
+
+ If checked and policies are defined in the Vault plugin configuration, a child token will be
+ provisioned after authenticating with Vault with only the configured policies. See the Vault
+ plugin configuration policies for more information.
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/credentials.jelly
index e316b4db..62d36c75 100644
--- a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/credentials.jelly
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/credentials.jelly
@@ -10,5 +10,8 @@
+
+
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/help-usePolicies.html b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/help-usePolicies.html
new file mode 100644
index 00000000..5a31f35d
--- /dev/null
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGCPCredential/help-usePolicies.html
@@ -0,0 +1,5 @@
+
+ If checked and policies are defined in the Vault plugin configuration, a child token will be
+ provisioned after authenticating with Vault with only the configured policies. See the Vault
+ plugin configuration policies for more information.
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/credentials.jelly
index c29a7919..003e6b36 100644
--- a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/credentials.jelly
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/credentials.jelly
@@ -10,5 +10,8 @@
+
+
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/help-usePolicies.html b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/help-usePolicies.html
new file mode 100644
index 00000000..5a31f35d
--- /dev/null
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultGithubTokenCredential/help-usePolicies.html
@@ -0,0 +1,5 @@
+
+ If checked and policies are defined in the Vault plugin configuration, a child token will be
+ provisioned after authenticating with Vault with only the configured policies. See the Vault
+ plugin configuration policies for more information.
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/credentials.jelly b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/credentials.jelly
index effb1fdd..b9b15ce6 100644
--- a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/credentials.jelly
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/credentials.jelly
@@ -10,6 +10,9 @@
+
+
+
diff --git a/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/help-usePolicies.html b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/help-usePolicies.html
new file mode 100644
index 00000000..5a31f35d
--- /dev/null
+++ b/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/help-usePolicies.html
@@ -0,0 +1,5 @@
+
+ If checked and policies are defined in the Vault plugin configuration, a child token will be
+ provisioned after authenticating with Vault with only the configured policies. See the Vault
+ plugin configuration policies for more information.
+
diff --git a/src/test/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpirationTest.java b/src/test/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpirationTest.java
index 89b13c23..5de5926b 100644
--- a/src/test/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpirationTest.java
+++ b/src/test/java/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpirationTest.java
@@ -158,6 +158,7 @@ static class ExampleVaultTokenCredentialWithExpiration extends
 protected ExampleVaultTokenCredentialWithExpiration(Vault vault) {
 super(CredentialsScope.GLOBAL, "id", "description");
 this.vault = vault;
+ this.setUsePolicies(true);
 }
 @Override