Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for client cert credential type #20425

Merged
merged 27 commits into from
May 30, 2023

Conversation

Zlaticanin
Copy link
Contributor

@Zlaticanin Zlaticanin commented Apr 28, 2023

This PR adds functionality to the ClientCertificateGenerator struct. Specifically, the newClientCertificateGenerator and generate methods have been implemented. These methods use a given configuration and an expiration date to create a client certificate. The newClientCertificateGenerator method sets default values if they are not provided in the configuration and validates the input parameters. The generate method generates the certificate using the configuration and the expiration date.

More details in RFC here

Dynamic Role Usage:

vault write database-mongodbatlas/roles/my-dynamic-certificate-role \
    db_name=my-mongodbatlas-database \
    creation_statements='{"database_name": "$external", "x509Type":
	"CUSTOMER", "roles":
	[{"databaseName":"sample_training","roleName":"readWrite"}]}' \
    default_ttl="1h" \
    credential_type="client_certificate" \
    credential_config=ca_cert="$(cat path/to/ca_cert.pem)" \
    credential_config=ca_private_key="$(cat path/to/private_key.pem)" \
    credential_config=key_type="rsa" \
    credential_config=key_bits=2048 \
    credential_config=signature_bits=256 \
    credential_config=common_name_template="{{.DisplayName}}_{{.RoleName}}

PR on MongoDB Atlas Secrets Engine: hashicorp/vault-plugin-database-mongodbatlas#52

@Zlaticanin Zlaticanin changed the title poc: client cert credential type client cert credential type Apr 28, 2023
@austingebauer austingebauer self-requested a review April 28, 2023 20:38
@Zlaticanin Zlaticanin marked this pull request as ready for review May 16, 2023 16:37
@Zlaticanin Zlaticanin requested review from a team and removed request for a team May 16, 2023 16:37
@Zlaticanin Zlaticanin changed the title client cert credential type Add support for client cert credential type May 16, 2023
@Zlaticanin Zlaticanin requested a review from cipherboy May 16, 2023 22:18
@@ -121,6 +121,7 @@ func newUserReqToProto(req NewUserRequest) (*proto.NewUserRequest, error) {
CredentialType: int32(req.CredentialType),
Password: req.Password,
PublicKey: req.PublicKey,
Subject: req.Subject,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wanted to note that we should manually test running the mongodb atlas plugin as an external plugin before merging this. I remember hitting some non-obvious errors when introducing new fields for the snowflake keypair credential type. Happy to help with this!

@Zlaticanin Zlaticanin added this to the 1.14 milestone May 22, 2023
Copy link
Contributor

@cipherboy cipherboy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thank you both @austingebauer and @Zlaticanin for the walk through on the call :)

builtin/logical/database/credentials.go Outdated Show resolved Hide resolved
builtin/logical/database/credentials.go Outdated Show resolved Hide resolved
builtin/logical/database/credentials.go Outdated Show resolved Hide resolved
builtin/logical/database/credentials.go Show resolved Hide resolved
builtin/logical/database/credentials.go Outdated Show resolved Hide resolved
builtin/logical/database/credentials.go Outdated Show resolved Hide resolved
builtin/logical/database/credentials.go Show resolved Hide resolved
builtin/logical/database/credentials.go Show resolved Hide resolved
Copy link
Contributor

@raymonstah raymonstah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a minor comment about testing for specific errors, but ✅

t.Run(tt.name, func(t *testing.T) {
got, err := newClientCertificateGenerator(tt.args.config)
if tt.wantErr {
assert.Error(t, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: It would be good to specific about the exact error instead of just the presence of an error.

changelog/20425.txt Outdated Show resolved Hide resolved
Copy link
Contributor

@vinay-gopalan vinay-gopalan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Had 1 nit about potentially adding a test, but LGTM otherwise. Great work! 🎉

return cg, nil
}

func (cg *ClientCertificateGenerator) generate(r io.Reader, expiration time.Time, userMeta dbplugin.UsernameMetadata) (*certutil.CertBundle, string, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: is it possible to write a test for this? Understand if it is hard to do with the SDK 🙏🏼

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll create a separate task for this, it will require some more time

Zlaticanin and others added 2 commits May 26, 2023 10:30
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Great job, @MilenaHC 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

6 participants