•  
      story #11239 generate dynamic credentials from HashiCorp Vault into a Tuleap instance
    Summary
    Empty
    generate dynamic credentials from HashiCorp Vault into a Tuleap instance
    I can temporarily connect as a site administrator to a Tuleap instance to help users
    •  Feature is available through a dedicated Tuleap plugin and a HashiCorp Vault plugin
    • Two REST routes are added in the Tuleap side:
      • POST (username, password, expiration, signature)
      • DELETE (username, signature)
    • All requests made to the REST routes are authenticated with public-key signatures
      • Private key is generated and stored directly and only in HashiCorp Vault
      • Public key is set in the configuration file of the plugin
      • Cryptography rely upon libsodium (Ed25519 signatures)
    • When the account expires or is revoked, the user is immediately logs out
    • It is not possible to recreate a user account that has been revoked (a call to the DELETE route) with the same username until it has reached the expiration date to avoid replay attacks
    • The HashiCorp Vault plugin only accepts to query a Tuleap instance over HTTPS
    • Tuleap plugin is not designed to handle queries from multiple HashiCorp Vault instances. If it happens credential creation request might fail.
    Empty
    Status
    Empty
    Done
    Development
    • [ ] Does it involves User Interface? 
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Empty
    Details
    #11239
    Thomas Gerbet (tgerbet)
    2018-03-28 09:47
    2018-03-05 15:05
    11569

    References
    Referencing story #11239

    Artifact Tracker v5

    rel #10994 9.19

    Git commit

    tuleap/tuleap/stable

    Introduce the dynamic credentials plugin 5b1de3822c
    A set of credentials can be created dynamically from the REST route 9284ecf6cf
    Authenticate requests made the dynamic credentials REST API 8ebd589caa
    empty.php should stay empty 02e3a03f0d
    A set of credential managed by the dynamic credentials plugin can be revoked 26c2710e90
    empty.php should stay empty (again) d495a98f0d
    Add access control headers on every routes of the dynamic credentials plugin 0b081076f2
    Potential fatal error when signature is wrong on dynamic credentials REST routes c5ffa8cb61
    Dynamic credential can be used to login on the instance a363342f02
    "Jamais deux sans trois" 3d08274604
    Realname of the dynamic user can be configured 8d39151500
    Daily cleanup of the expired credentials from the database fc43e2cbd0
    Fatal error when revoking a credential before the expiration date 41a1f9b952
    Package the dynamic credentials plugin 933f6b28fc
    Fix unresolvable dependency of the dynamic credentials plugin c3bbb108b5

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2018-03-26 14:54
    Using 443/TCP is not mandatory, Vault plugin is capable to handle host on different port. HTTPS is still mandatory though.

    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2018-03-07 15:10
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    Thomas Gerbet (tgerbet)2018-03-06 16:16
    • Acceptance criteria
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes