

Prepare revocation of ephemeral tokens
If the plugin logs into Vault in the course of executing a task that does more
than just log in (i.e. not in, for example, the token_create lookup), the tokens
should be revoked at the end of the action to prevent them from leaking.

In order to support that, the authentication method needs to tell us
whether it created a fresh token (which we should revoke) or whether it
used a token provided by the caller (which we should not revoke).
horazont committed Jul 28, 2022
1 parent b053a08 commit 4df4ec2
Showing 9 changed files with 31 additions and 0 deletions.
3 changes: 3 additions & 0 deletions plugins/module_utils/_auth_method_approle.py
Expand Up @@ -38,3 +38,6 @@ def authenticate(self, client, use_token=True):
response = client.auth_approle(use_token=use_token, **params)

return response

def should_revoke_token(self):
return True
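Review bot: `should_revoke_token(self)` accepts no keyword arguments, while the base implementation added in `_hashi_vault_common.py` is declared as `should_revoke_token(self, **kwargs)` and `_authenticator.should_revoke_token` forwards whatever remains in `**kwargs` after popping `method`; any extra keyword reaching this override raises `TypeError` where the base would accept it. The same signature is added in the aws_iam, jwt, ldap, none, token and userpass hunks. Either match the base, `def should_revoke_token(self, **kwargs):`, or tighten the base so the contract is identical everywhere. A one-line docstring such as `"""AppRole login mints a fresh client token, so it is ours to revoke at logout."""` would also record why this method returns True. The enclosing class starts outside the hunk.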
3 changes: 3 additions & 0 deletions plugins/module_utils/_auth_method_aws_iam.py
Expand Up @@ -95,3 +95,6 @@ def authenticate(self, client, use_token=True):
client.auth_aws_iam(use_token=use_token, **params)

return response

def should_revoke_token(self):
return True
3 changes: 3 additions & 0 deletions plugins/module_utils/_auth_method_jwt.py
Expand Up @@ -49,3 +49,6 @@ def authenticate(self, client, use_token=True):
client.token = response['auth']['client_token']

return response

def should_revoke_token(self):
return True
3 changes: 3 additions & 0 deletions plugins/module_utils/_auth_method_ldap.py
Expand Up @@ -38,3 +38,6 @@ def authenticate(self, client, use_token=True):
response = client.auth_ldap(use_token=use_token, **params)

return response

def should_revoke_token(self):
return True
3 changes: 3 additions & 0 deletions plugins/module_utils/_auth_method_none.py
Expand Up @@ -31,3 +31,6 @@ def validate(self):

def authenticate(self, client, use_token=False):
return None

def should_revoke_token(self):
return False
3 changes: 3 additions & 0 deletions plugins/module_utils/_auth_method_token.py
Expand Up @@ -111,3 +111,6 @@ def authenticate(self, client, use_token=True, lookup_self=False):
raise HashiVaultValueError("Invalid Vault Token Specified.")

return self._simulate_login_response(token, response)

def should_revoke_token(self):
return False
3 changes: 3 additions & 0 deletions plugins/module_utils/_auth_method_userpass.py
Expand Up @@ -45,3 +45,6 @@ def authenticate(self, client, use_token=True):
client.token = response['auth']['client_token']

return response

def should_revoke_token(self):
return True
7 changes: 7 additions & 0 deletions plugins/module_utils/_authenticator.py
Expand Up @@ -94,3 +94,10 @@ def validate(self, *args, **kwargs):
def authenticate(self, *args, **kwargs):
method = self._get_method_object(kwargs.pop('method', None))
return method.authenticate(*args, **kwargs)

def should_revoke_token(self, **kwargs):
method = self._get_method_object(kwargs.pop('method', None))
return method.should_revoke_token(**kwargs)

def logout(self, client, **kwargs):
client.logout(revoke_token=self.should_revoke_token(**kwargs))
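Review bot: `logout` decides whether to revoke purely from the method type, not from whether `authenticate` actually ran and set a token on the client; a caller that logged in with `use_token=False`, or that calls `logout` without a prior `authenticate`, still gets `revoke_token=True` for methods such as approle, and `client.logout` will then act on whatever token the client currently holds, if any (this depends on hvac's `logout` behaviour, which is outside the hunk). A more robust shape is for `authenticate` to remember the token it created and for `logout` to revoke only that token, or at minimum to guard with `revoke = self.should_revoke_token(**kwargs) and client.token is not None` before calling `client.logout`. Both new methods also lack docstrings; e.g. `"""Log out of Vault, revoking the client token only if this authenticator created it."""` on `logout`. The enclosing class starts outside the hunk.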
3 changes: 3 additions & 0 deletions plugins/module_utils/_hashi_vault_common.py
Expand Up @@ -249,3 +249,6 @@ def warn(self, message):

def deprecate(self, message, version=None, date=None, collection_name=None):
self._deprecator(message, version=version, date=date, collection_name=collection_name)

def should_revoke_token(self, **kwargs):
return False
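Review bot: The base `should_revoke_token` returns `False`, so any future auth method that mints a fresh token but forgets to override it will silently leave that token unrevoked — exactly the leak this commit sets out to prevent. Since every concrete method in this commit overrides it anyway, raising `NotImplementedError` in the base would force new methods to state their choice explicitly; if a permissive default is preferred, document it: `"""Whether the token obtained by authenticate() should be revoked at logout. Defaults to False; methods that create a fresh token must override this."""`. The enclosing class starts outside the hunk.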
