Merge remote-tracking branch 'refs/remotes/origin/main'

Author: taylow

README.md

@@ -39,7 +39,7 @@ you use the published checksums to verify integrity.
 
 ## Development Setup
 
-1. Build the plugin for your platform:
+1. Build the plugin for your platform (`os/arch`) e.g.:
 
   ```sh
   $ make darwin/arm64
@@ -131,16 +131,16 @@ When a token is successfully created, the plugin attach a policy that follows th
 You must then create a policy with that name in Vault that utilises the metadata stored in the alias. The following policy template will allow access to a KV secret at the path `secret/data/[namespace]/[object]*`:
 
 ```hcl
-path "secret/data/{{identity.entity.aliases.[auth plugin accessor].metadata.namespace}}/{{identity.entity.aliases.[auth plugin accessor].metadata.object}}*" {
+path "secret/data/{{identity.entity.aliases.auth_vault-plugin-auth-ory_e40b77a0.metadata.object}}*" {
   capabilities = ["create", "update", "read"]
 }
 
-path "secret/metadata/{{identity.entity.aliases.[auth plugin accessor].metadata.namespace}}/{{identity.entity.aliases.[auth plugin accessor].metadata.object}}}*" {
+path "secret/metadata/{{identity.entity.aliases.auth_vault-plugin-auth-ory_e40b77a0.metadata.object}}/" {
   capabilities = ["list"]
 }
 ```
 
-Being sure to replace `[auth plugin accessor]` with the accessor of the auth plugin found by running `vault auth list`.
+Being sure to replace `auth_vault-plugin-auth-ory_e40b77a0` with the accessor of the auth plugin found by running `vault auth list`.
 
 Alternatively, you can find the accessor by running the following command:
 

auth/ory_auth.go

@@ -0,0 +1,71 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/pkg/errors"
+)
+
+// NewOryAuth creates an OryAuth struct that can be passed into the client.Auth().Login
+// method to authenticate with Vault via the Ory auth plugin.
+//
+// The mount path should be the path that the plugin was mounted at (probably `ory`)
+// The namespace, object, and relation should reflect the resource being requested
+// The cookie should be the full cookie string, including the name and `=`
+// e.g. `ory_kratos_session=MyReallyLongSessionCookieString`
+func NewOryAuth(
+	mountPath, namespace, object, relation, cookie string,
+) (*OryAuth, error) {
+	switch {
+	case mountPath == "":
+		return nil, errors.New("no mount path provided")
+	case namespace == "":
+		return nil, errors.New("no namespace provided")
+	case object == "":
+		return nil, errors.New("no object provided")
+	case relation == "":
+		return nil, errors.New("no relation provided")
+	case cookie == "":
+		return nil, errors.New("no cookie provided")
+	}
+
+	return &OryAuth{
+		mountPath: mountPath,
+		namespace: namespace,
+		object:    object,
+		relation:  relation,
+		cookie:    cookie,
+	}, nil
+}
+
+// OryAuth is a Vault AuthMethod that can communicate to the Ory plugin
+type OryAuth struct {
+	mountPath string
+
+	namespace string
+	object    string
+	relation  string
+	cookie    string
+}
+
+// Login performs a login request to the Ory Vault auth plugin.
+func (a *OryAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	loginData := map[string]interface{}{
+		"namespace":             a.namespace,
+		"object":                a.object,
+		"relation":              a.relation,
+		"kratos_session_cookie": a.cookie,
+	}
+	path := fmt.Sprintf("auth/%s/login", a.mountPath)
+	resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to log in with Ory auth")
+	}
+
+	return resp, nil
+}

example/main.go

@@ -0,0 +1,83 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	ory "github.com/comnoco/vault-plugin-auth-ory/auth"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/pkg/errors"
+)
+
+func main() {
+	if err := run(); err != nil {
+		fmt.Println(err)
+		os.Exit(0)
+	}
+}
+
+func run() error {
+	secretName := "top_secret"
+	mountPath := "ory"
+	namespace := "secret"
+	object := "e00de7c2-1ee2-4508-b95c-c3c0d881d0cc"
+	relation := "viewer"
+	cookie := "ory_kratos_session=MTY3NzA4MzI4M3xQRTV3RUp2MHdWblNSaWtQcDhKMjdtLXBqSDJ2eGFQTm9NbktFX0dlNWlJaUV4U1hFdmhscVM0ZEIyU3dzMHJROVUxTjk2NkdqM0xoR3dJeXNmNEpFUFhHMC1Rc0hJa0VldEdnazk0OFlfaVpqc0J2Rng3cDNOVHZ5a0xnbDVRWF9haHZjMjMxRk9iQmhJYUVZMUdrZFNSN29NQmVzOGVvWGpBaVNVVk9ReHl0aGtWSlFjZ1FtZldvand2cjVSbndDWEtqVENOVkJJMGVQMHRfYXBoTE0wTXk5SXVDM2UyOFo2TDEtdENxWTRkb01KV2NwLV83bG10WTVEaXhBa0FENy1UOUxrSjE4TU0tfGvmo31B3VG9JarStNbFB7TXOV8dhbvTq1mhZaEI8HEN"
+	vaultAddr := "https://localhost:8200/"
+
+	vaultCfg := api.DefaultConfig()
+	vaultCfg.Address = vaultAddr
+	vault, err := api.NewClient(vaultCfg)
+	if err != nil {
+		return errors.Wrap(err, "unable to create Vault API Client")
+	}
+
+	auth, err := ory.NewOryAuth(
+		mountPath,
+		namespace,
+		object,
+		relation,
+		cookie,
+	)
+	if err != nil {
+		return errors.Wrap(err, "failed to make ory auth method")
+	}
+
+	sec, err := vault.Auth().Login(context.Background(), auth)
+	if err != nil {
+		return errors.Wrap(err, "failed to auth with ory")
+	}
+
+	fmt.Println("Token:", sec.Auth.ClientToken)
+	fmt.Println("Policies:", sec.Auth.Policies)
+
+	secrets, err := listSecrets(vault, object)
+	if err != nil {
+		return errors.Wrap(err, "failed to list secrets")
+	}
+
+	for _, secret := range secrets.Data {
+		fmt.Println("Secret metadata:", secret)
+	}
+
+	secret, err := readSecret(vault, object, secretName)
+	if err != nil {
+		return errors.Wrap(err, "failed to fetch secret")
+	}
+
+	fmt.Println("Secret:", secret)
+
+	return nil
+}
+
+func listSecrets(vault *api.Client, path string) (*api.Secret, error) {
+	apiCallPath := fmt.Sprintf("secret/metadata/%s", path)
+	return vault.Logical().List(apiCallPath)
+}
+
+func readSecret(vault *api.Client, path, secretName string) (*api.Secret, error) {
+	apiCallPath := fmt.Sprintf("secret/data/%s/%s", path, secretName)
+	return vault.Logical().Read(apiCallPath)
+}

example/secret_viewer

@@ -0,0 +1,9 @@
+# policy that allows objects with the secret_viewer relation to access all secrets within that path
+
+path "secret/data/{{identity.entity.aliases.auth_vault-plugin-auth-ory_e40b77a0.metadata.object}}*" {
+  capabilities = ["create", "update", "read"]
+}
+
+path "secret/metadata/{{identity.entity.aliases.auth_vault-plugin-auth-ory_e40b77a0.metadata.object}}/" {
+  capabilities = ["list"]
+}

version/version.go

@@ -2,7 +2,7 @@ package version
 
 import "fmt"
 
-const Version = "0.1.0"
+const Version = "0.1.1"
 
 var (
 	Name      string