Add support for creating child tokens for token credential binding #338

Open
wants to merge 3 commits into
base: master

Contributor

@bluesliverx bluesliverx commented Sep 17, 2024

Fixes #339

@bluesliverx bluesliverx changed the title Simplify VaultTokenCredentialBindingIT Support creating child tokens for token credential binding Sep 19, 2024
@bluesliverx bluesliverx changed the title Support creating child tokens for token credential binding Add support for creating child tokens for token credential binding Sep 19, 2024
@@ -161,7 +161,7 @@ private static StringSubstitutor getPolicyTokenSubstitutor(EnvVars envVars) {
return new StringSubstitutor(valueMap);
}

protected static List<String> generatePolicies(String policies, EnvVars envVars) {
public static List<String> generatePolicies(String policies, EnvVars envVars) {
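
Review bot: On the `generatePolicies` signature, widening `protected static` to `public static` makes policy expansion from `EnvVars` part of the plugin's public API so that one other class can call it. If the caller is in another package, consider marking the method `@Restricted(NoExternalUse.class)` or moving it together with `getPolicyTokenSubstitutor` into a shared helper, and add Javadoc describing how the `policies` string becomes the returned list and which values are substituted into it.
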
Contributor Author

Necessary to use this method in the vault token credential binding code.

@@ -21,4 +21,22 @@ public String getName(@NonNull VaultCredential credentials) {
return credentials.getDescription();
}
}

final class VaultAuthorizationResult {
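
Review bot: `final class VaultAuthorizationResult` is added as a second top-level type after the closing brace of the existing class in this file, with no class comment. Give it its own file and a short Javadoc stating what it carries; since its stated purpose is to return the actual token from `authorizeWithVault`, keep that value out of any `toString()` and log output.
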
Contributor Author

This class was needed to return the actual token from authorizeWithVault instead of requiring another call to Vault to lookup the token after the fact (since it is unretrievable from a configured Vault class instance).

@bluesliverx
Contributor Author

bluesliverx commented Sep 19, 2024

@jetersen could I get a review here? This should be ready now. We'll start using in production tomorrow via a local build, but in my tests in a stage Jenkins environment this is working as expected.

Cancel that, I found at least one issue in our prod environment, looking into it now.

@bluesliverx
Contributor Author

@jetersen this is ready for review now. We've been using this in our prod environment for at least a week now and it has been very stable (and has correctly limited access when child tokens are enabled).

@bluesliverx
Contributor Author

@jetersen any chance I can get a review here?

Successfully merging this pull request may close these issues.

VaultTokenCredentialBinding should create child tokens if limited policies are configured