Allow TLS certificate to authenticate against the named certificate role

Fixes #874

Signed-off-by: Issam El-atif <[email protected]>

Author: ielatif

docs/modules/ROOT/pages/authentication.adoc

@@ -399,6 +399,7 @@ spring.cloud.vault:
         key-store-password: changeit
         key-store-type: JKS
         cert-auth-path: cert
+        role: my-dev-role
 ----
 
 See also: https://www.vaultproject.io/docs/auth/cert.html[Vault Documentation: Using the Cert auth backend]

spring-cloud-vault-config/src/main/java/org/springframework/cloud/vault/config/ClientAuthenticationFactory.java

@@ -378,11 +378,14 @@ private ClientAuthentication pcfAuthentication(VaultProperties vaultProperties)
 
 	private ClientAuthentication certificateAuthentication(VaultProperties vaultProperties) {
 
-		ClientCertificateAuthenticationOptions options = ClientCertificateAuthenticationOptions.builder()
-			.path(vaultProperties.getSsl().getCertAuthPath())
-			.build();
+		ClientCertificateAuthenticationOptions.ClientCertificateAuthenticationOptionsBuilder optionsBuilder = ClientCertificateAuthenticationOptions
+			.builder();
+		optionsBuilder.path(vaultProperties.getSsl().getCertAuthPath());
+		if (StringUtils.hasText(vaultProperties.getSsl().getRole())) {
+			optionsBuilder.role(vaultProperties.getSsl().getRole());
+		}
 
-		return new ClientCertificateAuthentication(options, this.restOperations);
+		return new ClientCertificateAuthentication(optionsBuilder.build(), this.restOperations);
 	}
 
 	private ClientAuthentication tokenAuthentication(VaultProperties vaultProperties) {

spring-cloud-vault-config/src/main/java/org/springframework/cloud/vault/config/VaultProperties.java

@@ -42,6 +42,7 @@
  * @author Michal Budzyn
  * @author Grenville Wilson
  * @author Mårten Svantesson
+ * @author Issam El-atif
  */
 @ConfigurationProperties(VaultProperties.PREFIX)
 public class VaultProperties implements EnvironmentAware {
@@ -1152,6 +1153,13 @@ public static class Ssl {
 		 */
 		private String certAuthPath = "cert";
 
+		/**
+		 * Name of the role against which the login is being attempted.
+		 *
+		 * @since 5.0
+		 */
+		private String role = "";
+
 		/**
 		 * List of enabled SSL/TLS protocol.
 		 * @since 3.0.2
@@ -1226,6 +1234,14 @@ public void setCertAuthPath(String certAuthPath) {
 			this.certAuthPath = certAuthPath;
 		}
 
+		public String getRole() {
+			return role;
+		}
+
+		public void setRole(String role) {
+			this.role = role;
+		}
+
 		public List<String> getEnabledProtocols() {
 			return this.enabledProtocols;
 		}

spring-cloud-vault-config/src/test/java/org/springframework/cloud/vault/config/VaultConfigTlsCertAuthenticationTests.java

@@ -26,15 +26,20 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-import org.springframework.beans.factory.annotation.Value;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.WebApplicationType;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.boot.test.system.CapturedOutput;
+import org.springframework.boot.test.system.OutputCaptureExtension;
 import org.springframework.cloud.vault.util.Settings;
 import org.springframework.cloud.vault.util.VaultRule;
+import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.vault.core.VaultOperations;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.springframework.cloud.vault.util.Settings.findWorkDir;
 
 /**
@@ -44,18 +49,19 @@
  * referenced with {@code ../work/keystore.jks}.
  *
  * @author Mark Paluch
+ * @author Issam El-atif
  */
-
-@SpringBootTest(classes = VaultConfigTlsCertAuthenticationTests.TestApplication.class,
-		properties = { "spring.cloud.vault.authentication=cert",
-				"spring.cloud.vault.ssl.key-store=file:../work/client-cert.jks",
-				"spring.cloud.vault.ssl.key-store-password=changeit",
-				"spring.cloud.vault.application-name=VaultConfigTlsCertAuthenticationTests",
-				"spring.cloud.vault.reactive.enabled=false", "spring.cloud.bootstrap.enabled=true" })
+@ExtendWith(OutputCaptureExtension.class)
 public class VaultConfigTlsCertAuthenticationTests {
 
-	@Value("${vault.value}")
-	String configValue;
+	SpringApplication app = new SpringApplicationBuilder().sources(TestConfig.class)
+			.web(WebApplicationType.NONE)
+			.build();
+
+	private static VaultOperations vaultOperations;
+
+	private static final String certificate = Files.contentOf(new File(findWorkDir(), "ca/certs/client.cert.pem"),
+			StandardCharsets.US_ASCII);
 
 	@BeforeAll
 	public static void beforeClass() {
@@ -69,7 +75,7 @@ public static void beforeClass() {
 			vaultRule.prepare().mountAuth(vaultProperties.getSsl().getCertAuthPath());
 		}
 
-		VaultOperations vaultOperations = vaultRule.prepare().getVaultOperations();
+		vaultOperations = vaultRule.prepare().getVaultOperations();
 
 		String rules = "{ \"name\": \"testpolicy\",\n" //
 				+ "  \"path\": {\n" //
@@ -82,10 +88,6 @@ public static void beforeClass() {
 		vaultOperations.write("secret/" + VaultConfigTlsCertAuthenticationTests.class.getSimpleName(),
 				Collections.singletonMap("vault.value", "foo"));
 
-		File workDir = findWorkDir();
-
-		String certificate = Files.contentOf(new File(workDir, "ca/certs/client.cert.pem"), StandardCharsets.US_ASCII);
-
 		Map<String, String> role = new HashMap<>();
 		role.put("certificate", certificate);
 		role.put("policies", "testpolicy");
@@ -94,16 +96,53 @@ public static void beforeClass() {
 	}
 
 	@Test
-	public void contextLoads() {
-		assertThat(this.configValue).isEqualTo("foo");
+	void authenticateUsingTlsCertificate() {
+		ConfigurableApplicationContext context = this.app.run("--spring.cloud.vault.authentication=cert",
+				"--spring.cloud.vault.ssl.key-store=file:../work/client-cert.jks",
+				"--spring.cloud.vault.ssl.key-store-password=changeit",
+				"--spring.cloud.vault.application-name=VaultConfigTlsCertAuthenticationTests",
+				"--spring.cloud.vault.reactive.enabled=false", "--spring.cloud.bootstrap.enabled=true");
+
+		assertThat(context.getEnvironment().getProperty("vault.value")).isEqualTo("foo");
 	}
 
-	@SpringBootApplication
-	public static class TestApplication {
+	@Test
+	void authenticateUsingNamedCertificateRole() {
+		Map<String, String> anotherRole = new HashMap<>();
+		anotherRole.put("certificate", certificate);
+		vaultOperations.write("auth/cert/certs/another-role", anotherRole);
 
-		public static void main(String[] args) {
-			SpringApplication.run(TestApplication.class, args);
-		}
+		ConfigurableApplicationContext context = this.app.run("--spring.cloud.vault.authentication=cert",
+				"--spring.cloud.vault.ssl.key-store=file:../work/client-cert.jks",
+				"--spring.cloud.vault.ssl.key-store-password=changeit", "--spring.cloud.vault.ssl.role=my-role",
+				"--spring.cloud.vault.application-name=VaultConfigTlsCertAuthenticationTests",
+				"--spring.cloud.vault.reactive.enabled=false", "--spring.cloud.bootstrap.enabled=true");
+
+		assertThat(context.getEnvironment().getProperty("vault.value")).isEqualTo("foo");
+
+		vaultOperations.delete("auth/cert/certs/another-role");
+	}
+
+	@Test
+	void authenticationFailsWhenMultipleCertsAndNoNamedRole(CapturedOutput capturedOutput) {
+		Map<String, String> anotherRole = new HashMap<>();
+		anotherRole.put("certificate", certificate);
+		vaultOperations.write("auth/cert/certs/another-role", anotherRole);
+
+		ConfigurableApplicationContext context = this.app.run("--spring.cloud.vault.authentication=cert",
+				"--spring.cloud.vault.ssl.key-store=file:../work/client-cert.jks",
+				"--spring.cloud.vault.ssl.key-store-password=changeit",
+				"--spring.cloud.vault.application-name=VaultConfigTlsCertAuthenticationTests",
+				"--spring.cloud.vault.reactive.enabled=false", "--spring.cloud.bootstrap.enabled=true");
+
+		assertThat(capturedOutput.getOut()).contains("org.springframework.vault.VaultException: Status 403 Forbidden");
+		assertNull(context.getEnvironment().getProperty("vault.value"));
+
+		vaultOperations.delete("auth/cert/certs/another-role");
+	}
+
+	@TestConfiguration
+	public static class TestConfig {
 
 	}