migrate gostint auth to mongodb from short life-span vault token to approle.

Author: gbevan

README.md

@@ -64,11 +64,12 @@ vault login # to get a <token>
 
 # Request a MongoDB secret engine token for gostint to request an ephemeral
 # time-bound username/password pair.
-token=$(curl -s \
-  --request POST \
-  --header 'X-Vault-Token: <token>' \
-  --data '{"policies": ["gostint-mongodb-auth"], "ttl": "10m", "num_uses": 2}' \
-  ${VAULT_ADDR}/v1/auth/token/create | jq .auth.client_token -r)
+# TODO: this token is deprecated - Use Approle instead (gostint-run)
+# token=$(curl -s \
+#   --request POST \
+#   --header 'X-Vault-Token: <token>' \
+#   --data '{"policies": ["gostint-mongodb-auth"], "ttl": "10m", "num_uses": 2}' \
+#   ${VAULT_ADDR}/v1/auth/token/create | jq .auth.client_token -r)
 
 # Get gostint's AppRole RoleId from the Vault
 roleid=`curl -s --header 'X-Vault-Token: root' \
@@ -80,8 +81,9 @@ docker run --init -d \
   --privileged=true \
   -v /srv/gostint-1/etc:/var/lib/gostint \
   -e VAULT_ADDR="$VAULT_ADDR" \
-  -e GOSTINT_DBAUTH_TOKEN="$token" \
   -e GOSTINT_ROLEID="$roleid" \
+  -e GOSTINT_RUN_ROLEID="$runroleid" \
+  -e GOSTINT_RUN_SECRETID="$runsecretid" \
   -e GOSTINT_DBURL=your-db-host:27017
   goethite/gostint
 ```
@@ -208,7 +210,7 @@ To run the BATS test suite (in another terminal session):
 ## LICENSE - GPLv3
 
 ```
-Copyright 2018 Graham Lee Bevan <graham.bevan@ntlworld.com>
+Copyright 2018-2019 Graham Lee Bevan <graham.bevan@ntlworld.com>
 
 gostint is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

approle/approle.go

@@ -26,7 +26,7 @@ import (
 	"github.com/hashicorp/vault/api"
 )
 
-// Authenticate using our AppRoleID and given SecretID with Vault
+// Authenticate using our AppRoleID and given wrapped SecretID with Vault
 func Authenticate(appRoleID string, wrapSecretID string) (string, *api.Client, error) {
 	/////////////////////////////////////
 	// AppRole Authenticate
@@ -47,7 +47,25 @@ func Authenticate(appRoleID string, wrapSecretID string) (string, *api.Client, e
 	if err != nil {
 		return "", &api.Client{}, fmt.Errorf("Request failed to unwrap the token to retrieve the SecretID - POSSIBLE SECURITY/INTERCEPTION ALERT!!!: THIS REQUEST MAY HAVE BEEN TAMPERED WITH, error: %s", err)
 	}
-	secretID := secret.Data["secret_id"]
+	secretID := secret.Data["secret_id"].(string)
+
+	return auth(appRoleID, secretID)
+}
+
+// AuthenticatePushMode using our AppRoleID and given SecretID with Vault
+func AuthenticatePushMode(appRoleID string, secretID string) (string, *api.Client, error) {
+	/////////////////////////////////////
+	// AppRole Authenticate PUSH Mode
+	return auth(appRoleID, secretID)
+}
+
+func auth(appRoleID string, secretID string) (string, *api.Client, error) {
+	client, err := api.NewClient(&api.Config{
+		Address: os.Getenv("VAULT_ADDR"),
+	})
+	if err != nil {
+		return "", &api.Client{}, fmt.Errorf("Failed create vault client api: %s", err)
+	}
 
 	// Authenticate this request using AppRole RoleID and SecretID
 	data := map[string]interface{}{

main.go

@@ -27,6 +27,7 @@ import (
 	"runtime"
 	"strconv"
 
+	"github.com/gbevan/gostint/approle"
 	"github.com/gbevan/gostint/health"
 	"github.com/gbevan/gostint/jobqueues"
 	"github.com/gbevan/gostint/logmsg"
@@ -41,7 +42,6 @@ import (
 	"github.com/go-chi/chi"
 	"github.com/go-chi/chi/middleware"
 	"github.com/go-chi/render"
-	"github.com/hashicorp/vault/api"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
@@ -75,16 +75,27 @@ func GetAppRoleID() string {
 // Gododir/main.go tasks "default" -> "gettoken").
 func getDbCreds() (string, string, error) {
 	// new Vault API Client
-	client, err := api.NewClient(&api.Config{
-		Address: os.Getenv("VAULT_ADDR"),
-	})
+	// client, err := api.NewClient(&api.Config{
+	// 	Address: os.Getenv("VAULT_ADDR"),
+	// })
+	// if err != nil {
+	// 	return "", "", err
+	// }
+
+	// Authenticate with Vault using passed one-time token
+	// client.SetToken(os.Getenv("GOSTINT_DBAUTH_TOKEN"))
+	// os.Setenv("GOSTINT_DBAUTH_TOKEN", "")
+
+	// Authenticate with vault using gostint-run(time) approle
+	token, client, err := approle.AuthenticatePushMode(
+		os.Getenv("GOSTINT_RUN_ROLEID"),
+		os.Getenv("GOSTINT_RUN_SECRETID"),
+	)
 	if err != nil {
 		return "", "", err
 	}
 
-	// Authenticate with Vault using passed one-time token
-	client.SetToken(os.Getenv("GOSTINT_DBAUTH_TOKEN"))
-	os.Setenv("GOSTINT_DBAUTH_TOKEN", "")
+	client.SetToken(token)
 
 	// Get MongoDB ephemeral credentials
 	secretValues, err := client.Logical().Read("database/creds/gostint-dbauth-role")

scripts/init_main.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -e
 
-GOVER="1.11.3"
+GOVER="1.12.4"
 NODEVER="10"
 DOCKERVER="18.06.1~ce~3-0~ubuntu"  # match Dockerfile
 
@@ -22,7 +22,7 @@ apt install -y \
   curl \
   software-properties-common \
   bats \
-  uuid
+  uuid uuid-runtime
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
 apt-key fingerprint 0EBFCD88
 add-apt-repository \

scripts/init_vault.sh

@@ -4,6 +4,7 @@
 VAULTVER=1.1.0
 
 GOSTINT_ROLENAME="gostint-role"
+GOSTINT_RUN_ROLENAME="gostint-run-role"
 
 # Install and start Vault server in dev mode
 wget -qO /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULTVER}/vault_${VAULTVER}_linux_amd64.zip && \
@@ -92,7 +93,7 @@ curl -s \
   --data '{"policy": "path \"transit/decrypt/'$GOSTINT_ROLENAME'\" {\n  capabilities = [\"update\"]\n}"}' \
   ${VAULT_ADDR}/v1/sys/policy/gostint-approle-transit-decrypt-gostint
 
-# Create named role for gostint
+# Create named AppRole for gostint
 echo '=== Create approle role for gostint ======================'
 vault write auth/approle/role/$GOSTINT_ROLENAME \
   secret_id_ttl=24h \
@@ -106,6 +107,23 @@ vault write auth/approle/role/$GOSTINT_ROLENAME \
 export GOSTINT_ROLEID=`vault read -format=yaml -field=data auth/approle/role/$GOSTINT_ROLENAME/role-id | awk '{print $2;}'`
 echo -e "export GOSTINT_ROLEID=$GOSTINT_ROLEID\nexport GOSTINT_ROLENAME=$GOSTINT_ROLENAME" | tee -a .bashrc
 
+# Create named PUSH Mode AppRole for gostint-run
+echo '=== Create approle role for gostint-run =================='
+GOSTINT_RUN_SECRETID=$(uuidgen)
+vault write auth/approle/role/$GOSTINT_RUN_ROLENAME \
+  token_num_uses=2 \
+  token_ttl=20m \
+  token_max_ttl=30m \
+  policies="gostint-mongodb-auth"
+
+echo '=== Add secret-id to gostint-run ========================='
+vault write auth/approle/role/$GOSTINT_RUN_ROLENAME/custom-secret-id \
+  secret_id=$GOSTINT_RUN_SECRETID
+
+# Get RoleID for gostint-run
+export GOSTINT_RUN_ROLEID=`vault read -format=yaml -field=data auth/approle/role/$GOSTINT_RUN_ROLENAME/role-id | awk '{print $2;}'`
+echo -e "export GOSTINT_RUN_ROLEID=$GOSTINT_RUN_ROLEID\nexport GOSTINT_RUN_ROLENAME=$GOSTINT_RUN_ROLENAME\nexport GOSTINT_RUN_SECRETID=$GOSTINT_RUN_SECRETID" | tee -a .bashrc
+
 echo '=== Allow CORS for UI Development ========================'
 curl -s \
   --request PUT \