Merge pull request #173 from wayfair/add-gcp-auth

Add gcp auth
hashicorp · Apr 29, 2018 · fcefc2a · fcefc2a
2 parents b1a79c4 + aed1d73
commit fcefc2a
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@
 *.gem
 *.rbc
 /.config
+/.vscode
 /coverage/
 /InstalledFiles
 /pkg/

diff --git a/lib/vault/api/auth.rb b/lib/vault/api/auth.rb
@@ -242,6 +242,28 @@ def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoin
       return secret
     end
 
+    # Authenticate via the GCP authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used
+    # for future requests.
+    #
+    # @example
+    #   Vault.auth.gcp("read-only", "jwt", "gcp") #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role
+    # @param [String] jwt
+    #   jwt returned by the instance identity metadata, or iam api
+    # @param [String] path optional
+    #   the path were the gcp auth backend is mounted
+    #
+    # @return [Secret]
+    def gcp(role, jwt, path = 'gcp')
+      payload = { role: role, jwt: jwt }
+      json = client.post("/v1/auth/#{CGI.escape(path)}/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
     # Authenticate via a TLS authentication method. If authentication is
     # successful, the resulting token will be stored on the client and used
     # for future requests.

diff --git a/spec/integration/api/auth_spec.rb b/spec/integration/api/auth_spec.rb
@@ -258,5 +258,42 @@ module Vault
         subject.auth.aws_iam('a_rolename', credentials_provider, 'iam_header_canary', 'https://sts.cn-north-1.amazonaws.com.cn')
       end
     end
+
+    describe "#gcp", vault: ">= 0.8.1" do
+      before(:context) do
+        vault_test_client.sys.enable_auth("gcp", "gcp", nil)
+        vault_test_client.post("/v1/auth/gcp/config", JSON.fast_generate("service_account" => "rspec_service_account"))
+        vault_test_client.post("/v1/auth/gcp/role/rspec_wrong_role", JSON.fast_generate("name" => "rspec_role", "project_id" => "wrong_project_id", "bound_service_accounts" => "\*", "type" => "iam"))
+        vault_test_client.post("/v1/auth/gcp/role/rspec_role", JSON.fast_generate("name" => "rspec_role", "project_id" => "project_id", "bound_service_accounts" => "\*", "type" => "iam"))
+      end
+
+      after(:context) do
+        vault_test_client.sys.disable_auth("gcp")
+      end
+
+      let!(:old_token) { subject.token }
+
+      let(:jwt) do
+        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJwcm9qZWN0X2lkIjoicHJvamVjdF9pZCJ9.TmuiSHtbLMZuw_LOzKWQ2vnC7BUvu2b4CeBXdxCDCXQ"
+      end
+
+      after do
+        subject.token = old_token
+      end
+
+      it "does not authenticate if project_id does not match" do
+        pending "gcp auth requires real resources and keys"
+
+        expect do
+          subject.auth.gcp("rspec_wrong_role", jwt)
+        end.to raise_error(Vault::HTTPClientError, /project_id doesn't match/)
+      end
+
+      it "authenticates and saves the token on the client" do
+        pending "gcp auth requires real resources and keys"
+
+        subject.auth.gcp("rspec_role", jwt)
+      end
+    end
   end
 end