Support arbitrary mount point for JWT/OIDC

abedra · Oct 7, 2023 · c444895 · c444895
1 parent 8fe252a
commit c444895
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 21 deletions.
diff --git a/example/authentication/jwt/Makefile b/example/authentication/jwt/Makefile
@@ -1,22 +1,18 @@
 default: example
 
 example.o: example.cpp
-	g++ -Wall -Wno-unused-private-field -std=c++17 -I../../../include -c -I/opt/homebrew/opt/[email protected]/include ../../../lib/json.hpp example.cpp
+	g++ -Wall -Wno-deprecated-declarations -std=c++17 -I../../../include -c ../../../lib/json.hpp example.cpp
 
 example: example.o
-	g++ -L../../../cmake-build-debug -L/opt/homebrew/opt/[email protected]/lib example.o -o example -lvault -lcurl -lssl -lcrypto
-
-.PHONY: macos
-macos:
-	install_name_tool -change @rpath/libvault.0.dylib ../../../cmake-build-debug/libvault.0.dylib example
+	g++ -L../../../cmake-build-debug example.o -o example -lvault -lcurl -lssl -lcrypto
 
 .PHONY: clean
 clean:
 	rm -f example.o example
 
 .PHONY: vault
 vault:
-	docker run -p 8200:8200 vault
+	docker run -p 8200:8200 hashicorp/vault:latest
 
 .PHONY: keypair
 keypair:

diff --git a/example/authentication/jwt/example.cpp b/example/authentication/jwt/example.cpp
@@ -29,26 +29,27 @@ Vault::Jwt makeJwt(const std::filesystem::path &publicKeyPath,
 
 Vault::Client setup(const Vault::Client &rootClient,
                     const std::filesystem::path &publicKeyPath,
-                    const std::filesystem::path &privateKeyPath) {
+                    const std::filesystem::path &privateKeyPath,
+                    const Vault::Path &path) {
   Vault::Sys::Auth authAdmin{rootClient};
-  Vault::JwtOidc jwtAdmin{rootClient};
+  Vault::JwtOidc jwtAdmin{rootClient, path};
 
-  enableJwtAuthentication(authAdmin);
+  enableJwtAuthentication(authAdmin, path);
   createRole(jwtAdmin);
   configureJwtAuthentication(jwtAdmin, read(publicKeyPath));
 
   Vault::RoleId role{"example"};
   Vault::Jwt jwt = makeJwt(publicKeyPath, privateKeyPath);
 
-  return getJwtClient(role, jwt);
+  return getJwtClient(role, jwt, path);
 }
 
-void cleanup(const Vault::Client &rootClient) {
+void cleanup(const Vault::Client &rootClient, const Vault::Path &path) {
   Vault::Sys::Auth authAdmin{rootClient};
-  Vault::JwtOidc jwtAdmin{rootClient};
+  Vault::JwtOidc jwtAdmin{rootClient, path};
 
   deleteRole(jwtAdmin);
-  disableJwtAuthentication(authAdmin);
+  disableJwtAuthentication(authAdmin, path);
 }
 
 int main(void) {
@@ -60,15 +61,19 @@ int main(void) {
   }
   Vault::Token rootToken{rootTokenEnv};
   Vault::Client rootClient = getRootClient(rootToken);
+  Vault::Path path{"jwt"};
   Vault::Client jwtClient =
-      setup(rootClient, std::filesystem::path{"public.pem"},
-            std::filesystem::path{"private.pem"});
+      setup(rootClient, 
+            std::filesystem::path{"public.pem"},
+            std::filesystem::path{"private.pem"},
+            path
+      );
 
   if (jwtClient.is_authenticated()) {
     std::cout << "Authenticated: " << jwtClient.getToken() << std::endl;
   } else {
     std::cout << "Unable to authenticate" << std::endl;
   }
 
-  cleanup(rootClient);
+  cleanup(rootClient, path);
 }
diff --git a/example/shared/shared.h b/example/shared/shared.h
@@ -28,8 +28,9 @@ inline Vault::Client getAppRoleClient(const Vault::RoleId &roleId,
 }
 
 inline Vault::Client getJwtClient(const Vault::RoleId &role,
-                                  const Vault::Jwt &jwt) {
-  Vault::JwtStrategy authStrategy{role, jwt};
+                                  const Vault::Jwt &jwt,
+                                  const Vault::Path &path) {
+  Vault::JwtStrategy authStrategy{role, jwt, path};
   Vault::Config config =
       Vault::ConfigBuilder().withDebug(false).withTlsEnabled(false).build();
   Vault::HttpErrorCallback httpErrorCallback = [&](std::string err) {
@@ -133,11 +134,23 @@ enableJwtAuthentication(const Vault::Sys::Auth &authAdmin) {
                           Vault::Parameters{{"type", "jwt"}});
 }
 
+inline std::optional<std::string>
+enableJwtAuthentication(const Vault::Sys::Auth &authAdmin, 
+                        const Vault::Path &path) {
+  return authAdmin.enable(path, Vault::Parameters{{"type", "jwt"}});
+}
+
 inline std::optional<std::string>
 disableJwtAuthentication(const Vault::Sys::Auth &authAdmin) {
   return authAdmin.disable(Vault::Path{"jwt"});
 }
 
+inline std::optional<std::string>
+disableJwtAuthentication(const Vault::Sys::Auth &authAdmin, 
+                         const Vault::Path &path) {
+  return authAdmin.disable(path);
+}
+
 inline std::optional<std::string>
 configureJwtAuthentication(const Vault::JwtOidc &jwtAdmin,
                            std::string publicKeyString) {

diff --git a/include/VaultClient.h b/include/VaultClient.h
@@ -1995,7 +1995,8 @@ class GitHub {
 
 class JwtOidc {
 public:
-  explicit JwtOidc(const Client &client) : client_(client) {}
+  explicit JwtOidc(const Client &client) : client_(client), mount_(Path{"jwt"}) {}
+  JwtOidc(const Client &client, Path path) : client_(client), mount_(std::move(path)) {}
 
   std::optional<std::string> configure(const Parameters &parameters) const;
   [[nodiscard]] std::optional<std::string> readConfig() const;
@@ -2014,6 +2015,7 @@ class JwtOidc {
   [[nodiscard]] Url getUrl(const Path &path) const;
 
   const Client &client_;
+  const Path mount_;
 };
 
 class Kerberos {

diff --git a/src/auth/JwtOidc.cpp b/src/auth/JwtOidc.cpp
@@ -42,5 +42,5 @@ Vault::JwtOidc::jwtLogin(const Parameters &parameters) const {
 }
 
 Vault::Url Vault::JwtOidc::getUrl(const Path &path) const {
-  return client_.getUrl("/v1/auth/jwt/", path);
+  return client_.getUrl("/v1/auth/" + mount_ + "/", path);
 }