Re-read JWT file for every authentication (#491)

ramondeklein · web-flow · commit 2e4e7be2b9da · 2024-11-25T14:44:31.000+01:00
* Re-read JWT file for every authentication

* fix lint issues

* fix unit test
diff --git a/cmd/kes/identity.go b/cmd/kes/identity.go
@@ -500,15 +500,15 @@ func infoIdentityCmd(args []string) {
 			cli.Fatal(err)
 		}
 		year, month, day := info.CreatedAt.Date()
-		hour, min, sec := info.CreatedAt.Clock()
+		hour, minute, sec := info.CreatedAt.Clock()
 
 		fmt.Println(
 			faint.Render(fmt.Sprintf("%-11s", "Identity")),
 			identityStyle.Render(info.Identity.String()),
 		)
 		fmt.Println(
 			faint.Render(fmt.Sprintf("%-11s", "Created At")),
-			fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, min, sec),
+			fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, minute, sec),
 		)
 		if info.IsAdmin {
 			fmt.Println(faint.Render(fmt.Sprintf("%-11s", "Role")), "Admin")
@@ -520,13 +520,13 @@ func infoIdentityCmd(args []string) {
 		}
 		if info.Policy != "" {
 			year, month, day := policy.CreatedAt.Date()
-			hour, min, sec := policy.CreatedAt.Clock()
+			hour, minute, sec := policy.CreatedAt.Clock()
 
 			fmt.Println()
 			fmt.Println(faint.Render(fmt.Sprintf("%-11s", "Policy")), policyStyle.Render(info.Policy))
 			fmt.Println(
 				faint.Render(fmt.Sprintf("%-11s", "Created At")),
-				fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, min, sec),
+				fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, minute, sec),
 			)
 			if len(policy.Allow) > 0 {
 				fmt.Println(faint.Render(fmt.Sprintf("%-11s", "Allow")))
@@ -547,7 +547,7 @@ func infoIdentityCmd(args []string) {
 			cli.Fatal(err)
 		}
 		year, month, day := info.CreatedAt.Date()
-		hour, min, sec := info.CreatedAt.Clock()
+		hour, minute, sec := info.CreatedAt.Clock()
 
 		fmt.Println(
 			faint.Render(fmt.Sprintf("%-11s", "Identity")),
@@ -558,7 +558,7 @@ func infoIdentityCmd(args []string) {
 		}
 		fmt.Println(
 			faint.Render(fmt.Sprintf("%-11s", "Created At")),
-			fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, min, sec),
+			fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, minute, sec),
 		)
 		if info.IsAdmin {
 			fmt.Println(faint.Render(fmt.Sprintf("%-11s", "Role")), "Admin")
diff --git a/cmd/kes/key.go b/cmd/kes/key.go
@@ -251,12 +251,12 @@ func describeKeyCmd(args []string) {
 	}
 
 	year, month, day := info.CreatedAt.Date()
-	hour, min, sec := info.CreatedAt.Clock()
+	hour, minute, sec := info.CreatedAt.Clock()
 
 	buf := &strings.Builder{}
 	fmt.Fprintf(buf, "%-11s %s\n", "Name", info.Name)
 	fmt.Fprintf(buf, "%-11s %s\n", "Algorithm", info.Algorithm)
-	fmt.Fprintf(buf, "%-11s %04d-%02d-%02d %02d:%02d:%02d\n", "Date", year, month, day, hour, min, sec)
+	fmt.Fprintf(buf, "%-11s %04d-%02d-%02d %02d:%02d:%02d\n", "Date", year, month, day, hour, minute, sec)
 	fmt.Fprintf(buf, "%-11s %s", "Owner", info.CreatedBy)
 	fmt.Print(buf)
 }
diff --git a/cmd/kes/log.go b/cmd/kes/log.go
@@ -135,11 +135,11 @@ func printAuditLog(stream *kes.AuditStream) {
 	for stream.Next() {
 		event := stream.Event()
 		var (
-			hour, min, sec = event.Timestamp.Clock()
-			status         = strconv.Itoa(event.StatusCode)
-			identity       = identityStyle.Render(event.ClientIdentity.String())
-			apiPath        = apiStyle.Render(event.APIPath)
-			latency        = event.ResponseTime
+			hour, minute, sec = event.Timestamp.Clock()
+			status            = strconv.Itoa(event.StatusCode)
+			identity          = identityStyle.Render(event.ClientIdentity.String())
+			apiPath           = apiStyle.Render(event.APIPath)
+			latency           = event.ResponseTime
 		)
 
 		if event.StatusCode == http.StatusOK {
@@ -167,7 +167,7 @@ func printAuditLog(stream *kes.AuditStream) {
 		}
 		ipAddr = ipStyle.Render(ipAddr)
 
-		fmt.Printf(format, hour, min, sec, status, identity, ipAddr, apiPath, latency)
+		fmt.Printf(format, hour, minute, sec, status, identity, ipAddr, apiPath, latency)
 	}
 	if err := stream.Close(); err != nil {
 		if errors.Is(err, context.Canceled) {
diff --git a/cmd/kes/policy.go b/cmd/kes/policy.go
@@ -224,10 +224,10 @@ func infoPolicyCmd(args []string) {
 		fmt.Println(faint.Render(fmt.Sprintf("%-11s", "Name")), policyStyle.Render(name))
 		if !info.CreatedAt.IsZero() {
 			year, month, day := info.CreatedAt.Local().Date()
-			hour, min, sec := info.CreatedAt.Local().Clock()
+			hour, minute, sec := info.CreatedAt.Local().Clock()
 			fmt.Println(
 				faint.Render(fmt.Sprintf("%-11s", "Date")),
-				fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, min, sec),
+				fmt.Sprintf("%04d-%02d-%02d %02d:%02d:%02d", year, month, day, hour, minute, sec),
 			)
 		}
 		if !info.CreatedBy.IsUnknown() {
@@ -335,8 +335,8 @@ func showPolicyCmd(args []string) {
 		header := tui.NewStyle().Bold(true).Foreground(Cyan)
 		if !policy.CreatedAt.IsZero() {
 			year, month, day := policy.CreatedAt.Local().Date()
-			hour, min, sec := policy.CreatedAt.Local().Clock()
-			fmt.Printf("\n%s %04d-%02d-%02d %02d:%02d:%02d\n", header.Render("Created at:"), year, month, day, hour, min, sec)
+			hour, minute, sec := policy.CreatedAt.Local().Clock()
+			fmt.Printf("\n%s %04d-%02d-%02d %02d:%02d:%02d\n", header.Render("Created at:"), year, month, day, hour, minute, sec)
 		}
 		if !policy.CreatedBy.IsUnknown() {
 			fmt.Println(header.Render("Created by:"), policy.CreatedBy)
diff --git a/internal/keystore/vault/client.go b/internal/keystore/vault/client.go
@@ -7,7 +7,9 @@ package vault
 import (
 	"context"
 	"errors"
+	"os"
 	"path"
+	"strings"
 	"sync/atomic"
 	"time"
 
@@ -104,9 +106,18 @@ func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
 			client = client.WithNamespace(login.Namespace)
 		}
 
+		jwt := login.JWT
+		if strings.ContainsRune(jwt, '/') || strings.ContainsRune(jwt, os.PathSeparator) {
+			jwtBytes, err := os.ReadFile(jwt)
+			if err != nil {
+				return nil, err
+			}
+			jwt = string(jwtBytes)
+		}
+
 		secret, err := client.Logical().WriteWithContext(ctx, path.Join("auth", login.Engine, "login"), map[string]interface{}{
 			"role": login.Role,
-			"jwt":  login.JWT,
+			"jwt":  jwt,
 		})
 		if secret == nil && err == nil {
 			// The Vault SDK eventually returns no error but also no
diff --git a/kesconf/config.go b/kesconf/config.go
@@ -447,11 +447,11 @@ func ymlToKeyStore(y *ymlFile) (KeyStore, error) {
 			// We always check for '/' and the OS-specific one make cover cases where
 			// a path is specified using '/' but the underlying OS is e.g. windows.
 			if jwt := y.KeyStore.Vault.Kubernetes.JWT.Value; strings.ContainsRune(jwt, '/') || strings.ContainsRune(jwt, os.PathSeparator) {
-				b, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value)
+				_, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value)
 				if err != nil {
 					return nil, fmt.Errorf("kesconf: failed to read vault kubernetes JWT from '%s': %v", y.KeyStore.Vault.Kubernetes.JWT.Value, err)
 				}
-				y.KeyStore.Vault.Kubernetes.JWT.Value = string(b)
+				// postpone resolving the JWT until actually logging in
 			}
 		}
 		if y.KeyStore.Vault.Transit != nil {
diff --git a/kesconf/config_test.go b/kesconf/config_test.go
@@ -175,7 +175,7 @@ func TestReadServerConfigYAML_VaultWithK8S_JWTFile(t *testing.T) {
 		Prefix     = "tenant-2"
 		K8SEngine  = "kubernetes"
 		K8SRole    = "default"
-		K8SJWT     = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJQbGNNeTdBeXdLQmZMaGw2N1dFZkJvUmtsdnVvdkxXWGsteTc5TmJPeGMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJteS1uYW1lc3BhY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoibXktc2VydmljZS1hY2NvdW50LXRva2VuLXA5NWRyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im15LXNlcnZpY2UtYWNjb3VudCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiYmViZGE2LTViMDUtNGFlNC05Yjg2LTBkODE0NWMwNzdhNSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpteS1uYW1lc3BhY2U6bXktc2VydmljZS1hY2NvdW50In0.dnvJE3LU7L8XxsIOwea3lUZAULdwAjV9_crHFLKBGNxEu70lk3MQmUbGTEFvawryArmxMa1bWF9wbK1GHEsNipDgWAmc0rmBYByP_ahlf9bI2EEzpaGU5s194csB_eG7kvfi1AHED_nkVTfvCjIJM-9oGICCjDJcoNOP1NAXICFmqvWfXl6SY3UoZvtzUOcH9-0hbARY3p6V5pPecW4Dm-yGub9PKZLJNzv7GxChM-uvBvHAt6o0UBIL4iSy6Bx2l91ojB-RSkm_oy0W9gKi9ZFQPgyvcvQnEfjoGdvNGlOEdFEdXvl-dP6iLBPnZ5xwhAk8lK0oOONWvQg6VDNd9w"
+		K8SJWTFile = "./testdata/vault-k8s-service-account"
 	)
 
 	config, err := ReadFile(Filename)
@@ -203,8 +203,8 @@ func TestReadServerConfigYAML_VaultWithK8S_JWTFile(t *testing.T) {
 	if vault.Kubernetes.Engine != K8SEngine {
 		t.Fatalf("Invalid K8S engine: got '%s' - want '%s'", vault.Kubernetes.Engine, K8SEngine)
 	}
-	if vault.Kubernetes.JWT != K8SJWT {
-		t.Fatalf("Invalid K8S JWT: got '%s' - want '%s'", vault.Kubernetes.JWT, K8SJWT)
+	if vault.Kubernetes.JWT != K8SJWTFile {
+		t.Fatalf("Invalid K8S JWT: got '%s' - want '%s'", vault.Kubernetes.JWT, K8SJWTFile)
 	}
 	if vault.Kubernetes.Role != K8SRole {
 		t.Fatalf("Invalid K8S role: got '%s' - want'%s'", vault.Kubernetes.Role, K8SRole)

Original file line number	Diff line number	Diff line change
`@@ -251,12 +251,12 @@ func describeKeyCmd(args []string) {`
`251`	`251`	`}`
`252`	`252`
`253`	`253`	`year, month, day := info.CreatedAt.Date()`
`254`		`- hour, min, sec := info.CreatedAt.Clock()`
	`254`	`+ hour, minute, sec := info.CreatedAt.Clock()`
`255`	`255`
`256`	`256`	`buf := &strings.Builder{}`
`257`	`257`	`fmt.Fprintf(buf, "%-11s %s\n", "Name", info.Name)`
`258`	`258`	`fmt.Fprintf(buf, "%-11s %s\n", "Algorithm", info.Algorithm)`
`259`		`- fmt.Fprintf(buf, "%-11s %04d-%02d-%02d %02d:%02d:%02d\n", "Date", year, month, day, hour, min, sec)`
	`259`	`+ fmt.Fprintf(buf, "%-11s %04d-%02d-%02d %02d:%02d:%02d\n", "Date", year, month, day, hour, minute, sec)`
`260`	`260`	`fmt.Fprintf(buf, "%-11s %s", "Owner", info.CreatedBy)`
`261`	`261`	`fmt.Print(buf)`
`262`	`262`	`}`
Original file line number	Diff line number	Diff line change
`@@ -447,11 +447,11 @@ func ymlToKeyStore(y *ymlFile) (KeyStore, error) {`
`447`	`447`	`// We always check for '/' and the OS-specific one make cover cases where`
`448`	`448`	`// a path is specified using '/' but the underlying OS is e.g. windows.`
`449`	`449`	`if jwt := y.KeyStore.Vault.Kubernetes.JWT.Value; strings.ContainsRune(jwt, '/') \|\| strings.ContainsRune(jwt, os.PathSeparator) {`
`450`		`- b, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value)`
	`450`	`+ _, err := os.ReadFile(y.KeyStore.Vault.Kubernetes.JWT.Value)`
`451`	`451`	`if err != nil {`
`452`	`452`	`return nil, fmt.Errorf("kesconf: failed to read vault kubernetes JWT from '%s': %v", y.KeyStore.Vault.Kubernetes.JWT.Value, err)`
`453`	`453`	`}`
`454`		`- y.KeyStore.Vault.Kubernetes.JWT.Value = string(b)`
	`454`	`+ // postpone resolving the JWT until actually logging in`
`455`	`455`	`}`
`456`	`456`	`}`
`457`	`457`	`if y.KeyStore.Vault.Transit != nil {`
Original file line number	Diff line number	Diff line change
`@@ -175,7 +175,7 @@ func TestReadServerConfigYAML_VaultWithK8S_JWTFile(t *testing.T) {`
`175`	`175`	`Prefix = "tenant-2"`
`176`	`176`	`K8SEngine = "kubernetes"`
`177`	`177`	`K8SRole = "default"`
`178`		- K8SJWT = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJQbGNNeTdBeXdLQmZMaGw2N1dFZkJvUmtsdnVvdkxXWGsteTc5TmJPeGMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJteS1uYW1lc3BhY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoibXktc2VydmljZS1hY2NvdW50LXRva2VuLXA5NWRyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im15LXNlcnZpY2UtYWNjb3VudCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjdiYmViZGE2LTViMDUtNGFlNC05Yjg2LTBkODE0NWMwNzdhNSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpteS1uYW1lc3BhY2U6bXktc2VydmljZS1hY2NvdW50In0.dnvJE3LU7L8XxsIOwea3lUZAULdwAjV9_crHFLKBGNxEu70lk3MQmUbGTEFvawryArmxMa1bWF9wbK1GHEsNipDgWAmc0rmBYByP_ahlf9bI2EEzpaGU5s194csB_eG7kvfi1AHED_nkVTfvCjIJM-9oGICCjDJcoNOP1NAXICFmqvWfXl6SY3UoZvtzUOcH9-0hbARY3p6V5pPecW4Dm-yGub9PKZLJNzv7GxChM-uvBvHAt6o0UBIL4iSy6Bx2l91ojB-RSkm_oy0W9gKi9ZFQPgyvcvQnEfjoGdvNGlOEdFEdXvl-dP6iLBPnZ5xwhAk8lK0oOONWvQg6VDNd9w"
	`178`	`+ K8SJWTFile = "./testdata/vault-k8s-service-account"`
`179`	`179`	`)`
`180`	`180`
`181`	`181`	`config, err := ReadFile(Filename)`
`@@ -203,8 +203,8 @@ func TestReadServerConfigYAML_VaultWithK8S_JWTFile(t *testing.T) {`
`203`	`203`	`if vault.Kubernetes.Engine != K8SEngine {`
`204`	`204`	`t.Fatalf("Invalid K8S engine: got '%s' - want '%s'", vault.Kubernetes.Engine, K8SEngine)`
`205`	`205`	`}`
`206`		`- if vault.Kubernetes.JWT != K8SJWT {`
`207`		`- t.Fatalf("Invalid K8S JWT: got '%s' - want '%s'", vault.Kubernetes.JWT, K8SJWT)`
	`206`	`+ if vault.Kubernetes.JWT != K8SJWTFile {`
	`207`	`+ t.Fatalf("Invalid K8S JWT: got '%s' - want '%s'", vault.Kubernetes.JWT, K8SJWTFile)`
`208`	`208`	`}`
`209`	`209`	`if vault.Kubernetes.Role != K8SRole {`
`210`	`210`	`t.Fatalf("Invalid K8S role: got '%s' - want'%s'", vault.Kubernetes.Role, K8SRole)`