Merge pull request BetterCloud#90 from dshva/aws-login

Implement AWS login

Author: steve-perkins

src/main/java/com/bettercloud/vault/api/Auth.java

@@ -535,6 +535,231 @@ public AuthResponse loginByLDAP(final String username, final String password, fi
         return loginByUserPass(username, password, mount);
     }
 
+    /**
+     * <p>Basic login operation to authenticate to a AWS backend using EC2 authentication.  Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final AuthResponse response = vault.auth().loginByAwsEc2("my-role", "identity", "signature", "nonce", null);
+     *
+     * final String token = response.getAuthClientToken();
+     * }</pre>
+     * </blockquote>
+     *
+     * @param role Name of the role against which the login is being attempted. If role is not specified, then the login endpoint
+     *             looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login if using the ec2
+     *             auth method, or the "friendly name" (i.e., role name or username) of the IAM principal authenticated.
+     *             If a matching role is not found, login fails.
+     * @param identity Base64 encoded EC2 instance identity document.
+     * @param signature Base64 encoded SHA256 RSA signature of the instance identity document.
+     * @param nonce Client nonce used for authentication. If null, a new nonce will be generated by Vault
+     * @return The auth token, with additional response metadata
+     * @throws VaultException If any error occurs, or unexpected response received from Vault
+     */
+    public AuthResponse loginByAwsEc2(final String role, final String identity, final String signature, final String nonce, final String awsAuthMount) throws VaultException {
+        int retryCount = 0;
+
+        final String mount = awsAuthMount != null ? awsAuthMount : "aws";
+        while (true) {
+            try {
+                // HTTP request to Vault
+                final JsonObject request = Json.object().add("identity", identity)
+                        .add("signature", signature);
+                if(role != null) {
+                    request.add("role", role);
+                }
+                if(nonce != null) {
+                    request.add("nonce", nonce);
+                }
+                final String requestJson = request.toString();
+                final RestResponse restResponse = new Rest()//NOPMD
+                        .url(config.getAddress() + "/v1/auth/" + mount + "/login")
+                        .body(requestJson.getBytes("UTF-8"))
+                        .connectTimeoutSeconds(config.getOpenTimeout())
+                        .readTimeoutSeconds(config.getReadTimeout())
+                        .sslVerification(config.getSslConfig().isVerify())
+                        .sslContext(config.getSslConfig().getSslContext())
+                        .post();
+
+                // Validate restResponse
+                if (restResponse.getStatus() != 200) {
+                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus(), restResponse.getStatus());
+                }
+                final String mimeType = restResponse.getMimeType() == null ? "null" : restResponse.getMimeType();
+                if (!mimeType.equals("application/json")) {
+                    throw new VaultException("Vault responded with MIME type: " + mimeType, restResponse.getStatus());
+                }
+                return new AuthResponse(restResponse, retryCount);
+            } catch (Exception e) {
+                // If there are retries to perform, then pause for the configured interval and then execute the loop again...
+                if (retryCount < config.getMaxRetries()) {
+                    retryCount++;
+                    try {
+                        final int retryIntervalMilliseconds = config.getRetryIntervalMilliseconds();
+                        Thread.sleep(retryIntervalMilliseconds);
+                    } catch (InterruptedException e1) {
+                        e1.printStackTrace();
+                    }
+                } else if (e instanceof VaultException) {
+                    // ... otherwise, give up.
+                    throw (VaultException) e;
+                } else {
+                    throw new VaultException(e);
+                }
+            }
+        }
+    }
+
+    /**
+     * <p>Basic login operation to authenticate to a AWS backend using EC2 authentication.  Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final AuthResponse response = vault.auth().loginByAwsEc2("my-role", "pkcs7", "nonce", null);
+     *
+     * final String token = response.getAuthClientToken();
+     * }</pre>
+     * </blockquote>
+     *
+     * @param role Name of the role against which the login is being attempted. If role is not specified, then the login endpoint
+     *             looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login if using the ec2
+     *             auth method, or the "friendly name" (i.e., role name or username) of the IAM principal authenticated.
+     *             If a matching role is not found, login fails.
+     * @param pkcs7 PKCS7 signature of the identity document with all \n characters removed.
+     * @param nonce Client nonce used for authentication. If null, a new nonce will be generated by Vault
+     * @return The auth token, with additional response metadata
+     * @throws VaultException If any error occurs, or unexpected response received from Vault
+     */
+    public AuthResponse loginByAwsEc2(final String role, final String pkcs7, final String nonce, final String awsAuthMount) throws VaultException {
+        int retryCount = 0;
+
+        final String mount = awsAuthMount != null ? awsAuthMount : "aws";
+        while (true) {
+            try {
+                // HTTP request to Vault
+                final JsonObject request = Json.object().add("pkcs7", pkcs7);
+                if(role != null) {
+                    request.add("role", role);
+                }
+                if(nonce != null) {
+                    request.add("nonce", nonce);
+                }
+                final String requestJson = request.toString();
+                final RestResponse restResponse = new Rest()//NOPMD
+                        .url(config.getAddress() + "/v1/auth/" + mount + "/login")
+                        .body(requestJson.getBytes("UTF-8"))
+                        .connectTimeoutSeconds(config.getOpenTimeout())
+                        .readTimeoutSeconds(config.getReadTimeout())
+                        .sslVerification(config.getSslConfig().isVerify())
+                        .sslContext(config.getSslConfig().getSslContext())
+                        .post();
+
+                // Validate restResponse
+                if (restResponse.getStatus() != 200) {
+                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus(), restResponse.getStatus());
+                }
+                final String mimeType = restResponse.getMimeType() == null ? "null" : restResponse.getMimeType();
+                if (!mimeType.equals("application/json")) {
+                    throw new VaultException("Vault responded with MIME type: " + mimeType, restResponse.getStatus());
+                }
+                return new AuthResponse(restResponse, retryCount);
+            } catch (Exception e) {
+                // If there are retries to perform, then pause for the configured interval and then execute the loop again...
+                if (retryCount < config.getMaxRetries()) {
+                    retryCount++;
+                    try {
+                        final int retryIntervalMilliseconds = config.getRetryIntervalMilliseconds();
+                        Thread.sleep(retryIntervalMilliseconds);
+                    } catch (InterruptedException e1) {
+                        e1.printStackTrace();
+                    }
+                } else if (e instanceof VaultException) {
+                    // ... otherwise, give up.
+                    throw (VaultException) e;
+                } else {
+                    throw new VaultException(e);
+                }
+            }
+        }
+    }
+
+    /**
+     * <p>Basic login operation to authenticate to a AWS backend using IAM authentication.  Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final AuthResponse response = vault.auth().loginByAwsIam("my-role", "pkcs7", "nonce", null);
+     *
+     * final String token = response.getAuthClientToken();
+     * }</pre>
+     * </blockquote>
+     *
+     * @param role Name of the role against which the login is being attempted. If role is not specified, then the login endpoint
+     *             looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login if using the ec2
+     *             auth method, or the "friendly name" (i.e., role name or username) of the IAM principal authenticated.
+     *             If a matching role is not found, login fails.
+     * @param iamRequestUrl PKCS7 signature of the identity document with all \n characters removed.Base64-encoded HTTP URL used in the signed request.
+     *                      Most likely just aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8= (base64-encoding of https://sts.amazonaws.com/) as most requests will
+     *                      probably use POST with an empty URI.
+     * @param iamRequestBody Base64-encoded body of the signed request. Most likely QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ== which is
+     *                          the base64 encoding of Action=GetCallerIdentity&Version=2011-06-15.
+     * @param iamRequestHeaders
+     * @return The auth token, with additional response metadata
+     * @throws VaultException If any error occurs, or unexpected response received from Vault
+     */
+    public AuthResponse loginByAwsIam(final String role, final String iamRequestUrl, final String iamRequestBody, final String iamRequestHeaders, final String awsAuthMount) throws VaultException {
+        int retryCount = 0;
+
+        final String mount = awsAuthMount != null ? awsAuthMount : "aws";
+        while (true) {
+            try {
+                // HTTP request to Vault
+                final JsonObject request = Json.object().add("iam_request_url", iamRequestUrl)
+                        .add("iam_request_body", iamRequestBody)
+                        .add("iam_request_headers", iamRequestHeaders)
+                        .add("iam_request_method", "POST");
+                if(role != null) {
+                    request.add("role", role);
+                }
+                final String requestJson = request.toString();
+                final RestResponse restResponse = new Rest()//NOPMD
+                        .url(config.getAddress() + "/v1/auth/" + mount + "/login")
+                        .body(requestJson.getBytes("UTF-8"))
+                        .connectTimeoutSeconds(config.getOpenTimeout())
+                        .readTimeoutSeconds(config.getReadTimeout())
+                        .sslVerification(config.getSslConfig().isVerify())
+                        .sslContext(config.getSslConfig().getSslContext())
+                        .post();
+
+                // Validate restResponse
+                if (restResponse.getStatus() != 200) {
+                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus(), restResponse.getStatus());
+                }
+                final String mimeType = restResponse.getMimeType() == null ? "null" : restResponse.getMimeType();
+                if (!mimeType.equals("application/json")) {
+                    throw new VaultException("Vault responded with MIME type: " + mimeType, restResponse.getStatus());
+                }
+                return new AuthResponse(restResponse, retryCount);
+            } catch (Exception e) {
+                // If there are retries to perform, then pause for the configured interval and then execute the loop again...
+                if (retryCount < config.getMaxRetries()) {
+                    retryCount++;
+                    try {
+                        final int retryIntervalMilliseconds = config.getRetryIntervalMilliseconds();
+                        Thread.sleep(retryIntervalMilliseconds);
+                    } catch (InterruptedException e1) {
+                        e1.printStackTrace();
+                    }
+                } else if (e instanceof VaultException) {
+                    // ... otherwise, give up.
+                    throw (VaultException) e;
+                } else {
+                    throw new VaultException(e);
+                }
+            }
+        }
+    }
+
     /**
     * <p>Basic login operation to authenticate to an github backend.  Example usage:</p>
     *

src/test-integration/java/com/bettercloud/vault/api/AuthBackendAwsTests.java

@@ -0,0 +1,114 @@
+package com.bettercloud.vault.api;
+
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.json.Json;
+import com.bettercloud.vault.json.JsonObject;
+import com.bettercloud.vault.vault.VaultTestUtils;
+import com.bettercloud.vault.vault.mock.AuthRequestValidatingMockVault;
+import org.apache.commons.io.IOUtils;
+import org.eclipse.jetty.server.Server;
+import org.junit.Test;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.HashSet;
+import java.util.function.Predicate;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+public class AuthBackendAwsTests {
+
+    private JsonObject readRequestBody(HttpServletRequest request) {
+        try {
+            StringBuilder requestBuffer = new StringBuilder();
+            IOUtils.readLines(request.getReader()).forEach(requestBuffer::append);
+            return Json.parse(requestBuffer.toString()).asObject();
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    @Test
+    public void testLoginByAwsEc2() throws Exception {
+        final Predicate<HttpServletRequest> isValidEc2pkcs7Request = (request) -> {
+            JsonObject requestBody = readRequestBody(request);
+            return requestBody != null && request.getRequestURI().endsWith("/auth/aws/login") &&
+                  requestBody.getString("pkcs7", "") == "pkcs7";
+        };
+
+        final Predicate<HttpServletRequest> isValidEc2IdRequest = (request) -> {
+            JsonObject requestBody = readRequestBody(request);
+            return requestBody != null && request.getRequestURI().endsWith("/auth/aws/login") &&
+                    requestBody.getString("identity", "") == "identity" &&
+                    requestBody.getString("signature", "") == "signature";
+        };
+
+        final Predicate<HttpServletRequest> isValidEc2IamRequest = (request) -> {
+            JsonObject requestBody = readRequestBody(request);
+            return requestBody != null && request.getRequestURI().endsWith("/auth/aws/login") &&
+                    requestBody.getString("iam_http_request_method", "") == "POST" &&
+                    requestBody.getString("iam_http_request_url", "") == "url" &&
+                    requestBody.getString("iam_http_request_body", "") == "body" &&
+                    requestBody.getString("iam_http_request_headers", "") == "headers";
+        };
+
+        final AuthRequestValidatingMockVault mockVault =  new AuthRequestValidatingMockVault(new HashSet<Predicate<HttpServletRequest>>() {{
+            add(isValidEc2pkcs7Request);
+            add(isValidEc2IdRequest);
+        }});
+
+        final Server server = VaultTestUtils.initHttpMockVault(mockVault);
+        server.start();
+
+        final VaultConfig vaultConfig = new VaultConfig()
+                .address("http://127.0.0.1:8999")
+                .build();
+        final Vault vault = new Vault(vaultConfig);
+
+        final String token1 = vault.auth()
+                .loginByAwsEc2("role","pkcs7",null,null)
+                .getAuthClientToken();
+
+        assertNotNull(token1);
+        assertEquals("c9368254-3f21-aded-8a6f-7c818e81b17a", token1.trim());
+
+        final String token2 = vault.auth()
+                .loginByAwsEc2("role","identity","signature", null, null)
+                .getAuthClientToken();
+
+        assertNotNull(token2);
+        assertEquals("c9368254-3f21-aded-8a6f-7c818e81b17a", token2.trim());
+    }
+
+    @Test
+    public void testLoginByAwsIam() throws Exception {
+        final Predicate<HttpServletRequest> isValidEc2IamRequest = (request) -> {
+            JsonObject requestBody = readRequestBody(request);
+            return requestBody != null && request.getRequestURI().endsWith("/auth/aws/login") &&
+                    requestBody.getString("iam_http_request_method", "") == "POST" &&
+                    requestBody.getString("iam_http_request_url", "") == "url" &&
+                    requestBody.getString("iam_http_request_body", "") == "body" &&
+                    requestBody.getString("iam_http_request_headers", "") == "headers";
+        };
+
+        final AuthRequestValidatingMockVault mockVault =  new AuthRequestValidatingMockVault(new HashSet<Predicate<HttpServletRequest>>() {{
+            add(isValidEc2IamRequest);
+        }});
+
+        final Server server = VaultTestUtils.initHttpMockVault(mockVault);
+        server.start();
+
+        final VaultConfig vaultConfig = new VaultConfig()
+                .address("http://127.0.0.1:8999")
+                .build();
+        final Vault vault = new Vault(vaultConfig);
+
+        final String token = vault.auth()
+                .loginByAwsIam("role","url","body","headers",null)
+                .getAuthClientToken();
+
+        assertNotNull(token);
+        assertEquals("c9368254-3f21-aded-8a6f-7c818e81b17a", token.trim());
+    }
+}