google

package module

v0.0.0-...-b921fb9 Latest Latest Go to latest Published: Jul 8, 2020 License: MPL-2.0 Imports: 17 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/noname8753/vault-plugin-auth-google

Links

Open Source Insights

README ¶

HashiCorp Vault plugin for Google Auth.

A HashiCorp Vault plugin for Google Auth.

This fork supports direct mapping of policies to users. If domain or user to allowed_ it will map the policy=default automatically. ("default" policy is built-in to vault)

directory service/google group usage has been removed

Setup

The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

Compile the plugin from source.

Move the compiled plugin into Vault's configured plugin_directory:

$ mv vault-plugin-auth-google /etc/vault/plugins/vault-plugin-auth-google

Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-plugin-auth-google" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/auth/vault-plugin-auth-google \
    sha_256="${SHA256}" \
    command="vault-plugin-auth-google"

Mount the auth method:

#(Had to enable in both paths at the moment)

$ vault auth enable \
    -path="google" \
    -plugin-name="vault-plugin-auth-google" plugin

$ vault auth enable \
    -path="auth/google" \
    -plugin-name="vault-plugin-auth-google" plugin

$ vault read auth/google/config

 Key                              Value
 ---                              -----
 allowed_domains                  []
 allowed_groups                   <nil>
 allowed_users                    []
 cli_client_id                    <>
 cli_client_secret                <redacted>
 cli_max_ttl                      0s
 cli_ttl                          0s
 web_client_id                    <>
 web_client_secret                <redacted>
 web_max_ttl                      0s
 web_redirect_url                 n/a
 web_ttl                          0s

```sh
vault path-help auth/google

## DESCRIPTION

The Google credential provider allows you to authenticate with Google.

Documentation can be found at https://github.com/noname8753/vault-plugin-auth-google.

## PATHS

The following paths are supported by this backend. To view help for
any of the paths below, use the help command with any route matching
the path pattern. Note that depending on the policy of your auth token,
you may or may not be able to access certain paths.

  ^cli_code_url$


  ^config$


  ^login$


  ^users/(?P<name>.+)$
      Map username/email to policy.
      vault write auth/google/users/someuser@someemail.com policies=default

  ^users/?$
      This endpoint allows you to create, read, update, and delete configuration

  ^web_code_url$

Create an OAuth client ID in the Google Cloud Console, of type "Other".

Configure the auth method:

$ vault write auth/google/config \
    web_client_id=<GOOGLE_CLIENT_ID> \
    web_client_secret=<GOOGLE_CLIENT_SECRET>

$ vault write auth/google/config \
    cli_client_id=<GOOGLE_CLIENT_ID> \
    cli_client_secret=<GOOGLE_CLIENT_SECRET>

Allow domains/users -> You do not have to set allowed_domains AND add a user from said domain to allowed_users

vault write auth/google/config allowed_domains="someotherdomain.com"
vault write auth/google/config allowed_users="someuser@someemail.com"

Set allowed callback (if using web redirect/compliing the webui with the patches) - Optional

vault write auth/google/config web_redirect_url="http://127.0.0.1:8200"

Write a policy

vault policy write admin admin-policy.hcl

Attach said policy to user

vault write auth/google/users/someuser@ssomeemail.com policies=admin

or

vault write auth/google/users/someuser@ssomeemail.com policies=admin,default

Login using Google credentials (NB we use open to navigate to the Google Auth URL to get the code). (No token is returned if user has no attached policy)

$ open $(vault read -field=url auth/google/cli_code_url)
$ vault write auth/google/login code=$GOOGLE_CODE

Notes

If running this inside a docker container or similar, you need to ensure the plugin has the IPC_CAP as well as vault.

e.g.
```
$ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin
```
When building remember your target platform.

e.g. on MacOS targeting Linux:
```
GOOS=linux make
```
You may need to set api_addr

This can be set at the top level for a standalone setup, or in a ha_storage stanza.

License

This code is licensed under the MPLv2 license.

Documentation ¶

Overview ¶

Credit to https://github.com/simonswine/vault-plugin-auth-google

Index ¶

func Backend() *backend
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
type UserEntry
type UserProvider

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Backend ¶

func Backend() *backend

func Factory ¶

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Types ¶

type UserEntry ¶

type UserEntry struct {
	Policies []string
}

type UserProvider ¶

type UserProvider interface {
	// contains filtered or unexported methods
}

UserProvider does the authentication of user with oauth2

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cmd
vault-plugin-auth-google

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL