Skip to content

Commit

Permalink
support custom vault endpoints paths
Browse files Browse the repository at this point in the history
  • Loading branch information
@mkaczanowski
mkaczanowski committed Nov 11, 2024
1 parent 9984d79 commit 1b1b87a
Show file tree
Hide file tree
Showing 8 changed files with 63 additions and 10 deletions.
1 change: 1 addition & 0 deletions src/commands/hashicorp/pubkey.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ impl Runnable for PubkeyCommand {
&cfg.adapter.vault_addr,
&signing_key.auth.access_token(),
&self.key_name,
cfg.adapter.endpoints,
cfg.adapter.vault_cacert,
cfg.adapter.vault_skip_verify,
cfg.adapter.cache_pk,
Expand Down
1 change: 1 addition & 0 deletions src/commands/hashicorp/test.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ impl Runnable for TestCommand {
&cfg.adapter.vault_addr,
&signing_key.auth.access_token(),
&self.key_name,
cfg.adapter.endpoints,
cfg.adapter.vault_cacert,
cfg.adapter.vault_skip_verify,
cfg.adapter.cache_pk,
Expand Down
2 changes: 2 additions & 0 deletions src/commands/hashicorp/upload.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ impl UploadCommand {
.auth
.access_token(),
&self.key_name,
config.adapter.endpoints.to_owned(),
config.adapter.vault_cacert.to_owned(),
config.adapter.vault_skip_verify.to_owned(),
config.adapter.cache_pk,
Expand Down Expand Up @@ -284,6 +285,7 @@ mod tests {
vault_cacert: None,
vault_skip_verify: Some(false),
cache_pk: Some(false),
endpoints: None,
},
keys: [SigningKeyConfig {
chain_id: tendermint::chain::Id::try_from(CHAIN_ID).unwrap(),
Expand Down
1 change: 1 addition & 0 deletions src/commands/hashicorp/util.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ pub fn read_config(config_path: &Option<PathBuf>, key_name: &str) -> HashiCorpCo
vault_cacert,
vault_skip_verify,
cache_pk: Some(false),
endpoints: None,
},
}
}
Expand Down
33 changes: 32 additions & 1 deletion src/config/provider/hashicorp.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,35 @@ impl AuthConfig {
}
}

/// Configuration for an individual YubiHSM
/// Endpoints configuration for Hashicorp Vault instance
#[derive(Clone, Deserialize, Debug)]
#[serde(deny_unknown_fields)]
pub struct VaultEndpointConfig {
/// HashiCorp Vault API endpoint path to retrieve public keys etc.
pub keys: String,

/// HashiCorp Vault API endpoint path to perform a handshake
pub hand_shake: String,

/// HashiCorp Vault API endpoint path to recieve a wrapping key
pub wrapping_key: String,

/// HashiCorp Vault API endpoint path to sign a message (e.g. prevote)
pub sign: String,
}

impl Default for VaultEndpointConfig {
fn default() -> Self {
VaultEndpointConfig {
keys: "/v1/transit/keys".into(),
hand_shake: "/v1/auth/token/lookup-self".into(),
wrapping_key: "/v1/transit/wrapping_key".into(),
sign: "/v1/transit/sign".into(),
}
}
}

/// Configuration for Hashicorp Vault instance
#[derive(Clone, Deserialize, Debug)]
#[serde(deny_unknown_fields)]
pub struct AdapterConfig {
Expand All @@ -60,6 +88,9 @@ pub struct AdapterConfig {

/// Enable tmkms in-memory public key caching. Vault API returns all key versions which may be expensive, in such case you can cache the public key and return it from tmkms cache
pub cache_pk: Option<bool>,

/// Endpoints configuration for Vault core operations
pub endpoints: Option<VaultEndpointConfig>,
}

/// Signing key configuration
Expand Down
1 change: 1 addition & 0 deletions src/keyring/providers/hashicorp.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ pub fn init(
&config.adapter.vault_addr,
&key_config.auth.access_token(),
&key_config.key,
config.adapter.endpoints.to_owned(),
config.adapter.vault_cacert.to_owned(),
config.adapter.vault_skip_verify.to_owned(),
config.adapter.cache_pk,
Expand Down
8 changes: 7 additions & 1 deletion src/keyring/providers/hashicorp/client.rs
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
use super::error::Error;
use crate::keyring::ed25519;
use crate::keyring::providers::hashicorp::vault_client::{CreateKeyType, VaultClient};
use crate::config::provider::hashicorp::VaultEndpointConfig;
use abscissa_core::prelude::*;

pub(crate) struct TendermintValidatorApp {
Expand All @@ -20,11 +21,12 @@ impl TendermintValidatorApp {
api_endpoint: &str,
token: &str,
key_name: &str,
endpoints: Option<VaultEndpointConfig>,
ca_cert: Option<String>,
skip_verify: Option<bool>,
enable_pk_cache: Option<bool>,
) -> Result<Self, Error> {
let vault_client = VaultClient::new(api_endpoint, token, ca_cert, skip_verify);
let vault_client = VaultClient::new(api_endpoint, token, endpoints, ca_cert, skip_verify);

let app = TendermintValidatorApp {
vault_client,
Expand Down Expand Up @@ -119,6 +121,7 @@ mod tests {
TEST_KEY_NAME,
None,
None,
None,
Some(false),
);

Expand All @@ -141,6 +144,7 @@ mod tests {
TEST_KEY_NAME,
None,
None,
None,
Some(true),
)
.expect("Failed to connect");
Expand Down Expand Up @@ -190,6 +194,7 @@ mod tests {
TEST_KEY_NAME,
None,
None,
None,
Some(false),
)
.expect("Failed to connect");
Expand Down Expand Up @@ -235,6 +240,7 @@ mod tests {
TEST_KEY_NAME,
None,
None,
None,
Some(false),
)
.expect("Failed to connect");
Expand Down
26 changes: 18 additions & 8 deletions src/keyring/providers/hashicorp/vault_client.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ use ureq::Agent;
use crate::keyring::ed25519;
use serde::{Deserialize, Serialize};
use serde_json::Value;
use crate::config::provider::hashicorp::VaultEndpointConfig;

use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
use rustls::pki_types::{pem::PemObject, CertificateDer, ServerName, UnixTime};
Expand Down Expand Up @@ -167,6 +168,7 @@ impl ServerCertVerifier for NoVerification {
pub(crate) struct VaultClient {
agent: Agent,
api_endpoint: String,
endpoints: VaultEndpointConfig,
token: String,
}

Expand All @@ -177,6 +179,7 @@ impl VaultClient {
pub fn new(
api_endpoint: &str,
token: &str,
endpoints: Option<VaultEndpointConfig>,
ca_cert: Option<String>,
skip_verify: Option<bool>,
) -> Self {
Expand Down Expand Up @@ -227,6 +230,7 @@ impl VaultClient {

VaultClient {
api_endpoint: api_endpoint.into(),
endpoints: endpoints.unwrap_or_default(),
agent,
token: token.into(),
}
Expand All @@ -246,8 +250,8 @@ impl VaultClient {
let data = if let Some(data) = self
.agent
.get(&format!(
"{}/v1/transit/keys/{}",
self.api_endpoint, key_name
"{}{}/{}",
self.api_endpoint, self.endpoints.keys, key_name
))
.set(VAULT_TOKEN, &self.token)
.call()?
Expand Down Expand Up @@ -311,7 +315,10 @@ impl VaultClient {
pub fn hand_shake(&self) -> Result<(), Error> {
let _ = self
.agent
.get(&format!("{}/v1/auth/token/lookup-self", self.api_endpoint))
.get(&format!(
"{}{}",
self.api_endpoint, self.endpoints.hand_shake,
))
.set(VAULT_TOKEN, &self.token)
.call()
.map_err(|e| {
Expand Down Expand Up @@ -345,8 +352,8 @@ impl VaultClient {
let data = if let Some(data) = self
.agent
.post(&format!(
"{}/v1/transit/sign/{}",
self.api_endpoint, key_name
"{}{}/{}",
self.api_endpoint, self.endpoints.sign, key_name
))
.set(VAULT_TOKEN, &self.token)
.send_json(body)?
Expand Down Expand Up @@ -397,7 +404,10 @@ impl VaultClient {

let data = if let Some(data) = self
.agent
.get(&format!("{}/v1/transit/wrapping_key", self.api_endpoint))
.get(&format!(
"{}{}",
self.api_endpoint, self.endpoints.wrapping_key
))
.set(VAULT_TOKEN, &self.token)
.call()?
.into_json::<Root<PublicKeyResponse>>()?
Expand Down Expand Up @@ -428,8 +438,8 @@ impl VaultClient {
let _ = self
.agent
.post(&format!(
"{}/v1/transit/keys/{}/import",
self.api_endpoint, key_name
"{}{}/{}/import",
self.api_endpoint, self.endpoints.keys, key_name
))
.set(VAULT_TOKEN, &self.token)
.send_json(body)?;
Expand Down

0 comments on commit 1b1b87a

Please sign in to comment.