
fix: validate JWT token on alias look ahead #114

Merged (2 commits), Sep 29, 2021

Conversation

benashz (Contributor) commented Sep 28, 2021

This PR adds support for validating that a request's JWT token contains the required claims for the bound role.

Design of Change

Validate the JWT token against a known Vault role. If it is deemed to be invalid, return an error.

Note: the token is not passed to Kubernetes token review API, as this is only needed for login.
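As an added illustration of the claim check described above (example code written for this page, not the plugin's own implementation): it decodes a Kubernetes service account JWT without verifying the signature, since alias lookahead only needs to decide which role-bound identity the token asserts and the Kubernetes TokenReview call happens at login, then compares the token's namespace and service account name against a hypothetical role's bound lists, enforces an optional audience, and rejects expired tokens. The `role` struct, the function names, the wildcard handling and the claim layout (projected-token `kubernetes.io` block with a fallback to the legacy `system:serviceaccount:<ns>:<name>` subject) are assumptions made for the example; the expiry check follows the backport commits on this page that mention updating expired JWT test data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// saClaims is the subset of service account token claims the check reads.
// Layout assumed for this example: projected-token "kubernetes.io" block plus
// the legacy subject "system:serviceaccount:<namespace>:<name>".
type saClaims struct {
	Subject  string   `json:"sub"`
	Audience []string `json:"aud"` // assumes the array form of aud
	Expiry   int64    `json:"exp"`
	K8s      struct {
		Namespace      string `json:"namespace"`
		ServiceAccount struct {
			Name string `json:"name"`
		} `json:"serviceaccount"`
	} `json:"kubernetes.io"`
}

// role is a hypothetical auth role's bound identity configuration.
type role struct {
	BoundServiceAccountNames      []string
	BoundServiceAccountNamespaces []string
	Audience                      string // empty means not enforced
}

// decodeClaims splits the compact JWT and decodes its payload. The signature is
// deliberately not verified here: lookahead only decides which identity the
// token asserts; the Kubernetes TokenReview API verifies it at login.
func decodeClaims(token string) (*saClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected 3 segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("malformed JWT payload: %w", err)
	}
	var c saClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("malformed JWT claims: %w", err)
	}
	return &c, nil
}

// identity returns the namespace and service account name, preferring the
// projected-token claims and falling back to the legacy subject format.
func (c *saClaims) identity() (string, string, error) {
	if c.K8s.Namespace != "" && c.K8s.ServiceAccount.Name != "" {
		return c.K8s.Namespace, c.K8s.ServiceAccount.Name, nil
	}
	f := strings.Split(c.Subject, ":")
	if len(f) == 4 && f[0] == "system" && f[1] == "serviceaccount" && f[2] != "" && f[3] != "" {
		return f[2], f[3], nil
	}
	return "", "", errors.New("token does not identify a service account")
}

// matches reports whether v is in list; with wildcard set, "*" matches anything.
func matches(list []string, v string, wildcard bool) bool {
	for _, item := range list {
		if item == v || (wildcard && item == "*") {
			return true
		}
	}
	return false
}

// ValidateForRole returns the token's namespace and service account name when
// the claims satisfy the role's bound lists, audience and expiry, else an error.
func ValidateForRole(token string, r role, now time.Time) (string, string, error) {
	c, err := decodeClaims(token)
	if err != nil {
		return "", "", err
	}
	if c.Expiry != 0 && !now.Before(time.Unix(c.Expiry, 0)) {
		return "", "", errors.New("token is expired")
	}
	if r.Audience != "" && !matches(c.Audience, r.Audience, false) {
		return "", "", fmt.Errorf("audience %q not present in token", r.Audience)
	}
	ns, name, err := c.identity()
	if err != nil {
		return "", "", err
	}
	if !matches(r.BoundServiceAccountNamespaces, ns, true) {
		return "", "", fmt.Errorf("namespace %q is not bound to the role", ns)
	}
	if !matches(r.BoundServiceAccountNames, name, true) {
		return "", "", fmt.Errorf("service account %q is not bound to the role", name)
	}
	return ns, name, nil
}

// UnsignedTestJWT builds a constructed token carrying the given claims and a
// placeholder signature; only the claims matter to ValidateForRole.
func UnsignedTestJWT(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "." + enc("placeholder")
}

func main() {
	now := time.Unix(1700000000, 0) // fixed clock for a reproducible run
	tok := UnsignedTestJWT(map[string]interface{}{
		"sub": "system:serviceaccount:default:vault", "aud": []string{"vault"},
		"exp": now.Add(10 * time.Minute).Unix(),
	})
	r := role{BoundServiceAccountNames: []string{"vault"}, BoundServiceAccountNamespaces: []string{"default"}, Audience: "vault"}
	fmt.Println(ValidateForRole(tok, r, now))
	fmt.Println(ValidateForRole(tok, role{BoundServiceAccountNames: []string{"other"}, BoundServiceAccountNamespaces: []string{"*"}}, now))
}
```

Because the signature is never checked on this path, a forged payload can only change which error the lookahead returns; it cannot authenticate anything, which is why the PR's note that the token is not sent to the TokenReview API is safe for lookahead but would not be for login.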

- in order to ensure proper MFA for alias lookahead
@benashz benashz force-pushed the VAULT-3609/verify-jwt-on-alias-lookahead branch from bfe33c2 to ad78abe Compare September 28, 2021 17:22
@@ -1,37 +0,0 @@
#!/bin/sh
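Review bot: the hunk header @@ -1,37 +0,0 @@ deletes a 37-line shell script outright, but only its first line (#!/bin/sh) is visible on this page, so the other 36 removed lines cannot be reviewed here; the deletion is also unrelated to the JWT claim validation this PR is about, so it should be split into its own change (the thread below moves it to #115), which keeps the security fix backportable on its own.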
Review comment (Member):

I wonder if the script changes should be a separate PR to make the backport/cherry-picking process easier.

benashz (Contributor, Author):

Good point :)

benashz (Contributor, Author) Sep 28, 2021:

Fixed. Moved to #115

@benashz benashz force-pushed the VAULT-3609/verify-jwt-on-alias-lookahead branch from ad78abe to 16aa741 Compare September 28, 2021 19:16
path_login.go (review thread resolved)
@benashz benashz requested a review from tomhjp September 29, 2021 13:31
@benashz benashz merged commit 838df50 into main Sep 29, 2021
benashz added a commit that referenced this pull request Sep 29, 2021
- in order to ensure proper validation for alias look ahead the provided
 JWT token must match the role's configuration.
@benashz benashz mentioned this pull request Sep 29, 2021
benashz added a commit that referenced this pull request Sep 29, 2021
- in order to ensure proper validation for alias look ahead the provided
 JWT token must match the role's configuration.

- partial backport dependencies include:
  79c7586
  21abc8d
@calvn calvn deleted the VAULT-3609/verify-jwt-on-alias-lookahead branch September 30, 2021 18:03
benashz added a commit that referenced this pull request Sep 30, 2021
- in order to ensure proper validation for alias look ahead the provided
 JWT token must match the role's configuration.

- partial backport dependencies include:
  79c7586
  21abc8d
benashz added a commit that referenced this pull request Sep 30, 2021
- in order to ensure proper validation for alias look ahead the provided
 JWT token must match the role's configuration.
- update expired JWT test data

- partial backport dependencies include:
  79c7586
  21abc8d
benashz added a commit that referenced this pull request Oct 1, 2021
- in order to ensure proper validation for alias look ahead the provided
  JWT token must match the role's configuration.
- update expired JWT test data

- partial backport dependencies include:
  79c7586
  21abc8d
benashz added a commit that referenced this pull request Oct 1, 2021
- in order to ensure proper validation for alias look ahead the provided
  JWT token must match the role's configuration.

- partial backport dependencies include:
  79c7586
  21abc8d
4 participants