      story #11239 generate dynamic credentials from HashiCorp Vault into a Tuleap instance
    Summary
    generate dynamic credentials from HashiCorp Vault into a Tuleap instance
    I can temporarily connect as a site administrator to a Tuleap instance to help users
    • The feature is available through a dedicated Tuleap plugin and a HashiCorp Vault plugin
    • Two REST routes are added on the Tuleap side:
      • POST (username, password, expiration, signature)
      • DELETE (username, signature)
    • All requests made to the REST routes are authenticated with public-key signatures
      • Private key is generated and stored directly and only in HashiCorp Vault
      • Public key is set in the configuration file of the plugin
      • Cryptography relies on libsodium (Ed25519 signatures)
    • When the account expires or is revoked, the user is immediately logged out
    • It is not possible to recreate a user account that has been revoked (via a call to the DELETE route) with the same username until its expiration date has been reached, to avoid replay attacks
    • The HashiCorp Vault plugin only queries a Tuleap instance over HTTPS
    • The Tuleap plugin is not designed to handle queries from multiple HashiCorp Vault instances. If this happens, credential creation requests might fail.
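    The request flow described by the criteria above, as an added example that is not code from the Tuleap plugin or the Vault plugin: the Vault side signs a create or delete request with the Ed25519 private key, and an in-memory model of the Tuleap side verifies it with the configured public key, refuses an expiration already in the past, ends the session as soon as the account is deleted, and refuses to recreate a revoked username before its original expiration date. The canonical layout of the signed message, the function and error names, and the in-memory account state are assumptions of this example; the story only lists the request fields.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"strconv"
	"time"
)

// Canonical payloads covered by the signature. The story only lists the fields
// (username, password, expiration, signature); this route-prefixed, newline-
// separated layout is an assumption of the example, chosen so that a signature
// for one route or field set cannot be reused for another.
func createMessage(username, password string, expiration time.Time) []byte {
	return []byte("POST\n" + username + "\n" + password + "\n" +
		strconv.FormatInt(expiration.Unix(), 10))
}

func deleteMessage(username string) []byte {
	return []byte("DELETE\n" + username)
}

// Vault side: the Ed25519 private key is generated and kept only in Vault.
// These stand in for the Vault plugin producing the request signatures.
func SignCreate(priv ed25519.PrivateKey, username, password string, expiration time.Time) []byte {
	return ed25519.Sign(priv, createMessage(username, password, expiration))
}

func SignDelete(priv ed25519.PrivateKey, username string) []byte {
	return ed25519.Sign(priv, deleteMessage(username))
}

var (
	ErrBadSignature = errors.New("request signature does not verify")
	ErrExpired      = errors.New("expiration date is already in the past")
	ErrRevoked      = errors.New("username was revoked and cannot be recreated before its expiration")
	ErrExists       = errors.New("username is already in use")
	ErrUnknown      = errors.New("no such temporary account")
)

// Tuleap models the plugin side. It holds only the public key taken from the
// plugin configuration file; the clock is injectable so the flow can be tested.
type Tuleap struct {
	pub      ed25519.PublicKey
	now      func() time.Time
	accounts map[string]time.Time // username -> expiration of a live temporary account
	revoked  map[string]time.Time // username -> expiration before which it may not be reused
}

func NewTuleap(pub ed25519.PublicKey, now func() time.Time) *Tuleap {
	return &Tuleap{pub: pub, now: now,
		accounts: map[string]time.Time{}, revoked: map[string]time.Time{}}
}

// Create is the POST route: verify the signature first, then apply the
// expiration and anti-replay rules before any account is provisioned.
func (t *Tuleap) Create(username, password string, expiration time.Time, sig []byte) error {
	if !ed25519.Verify(t.pub, createMessage(username, password, expiration), sig) {
		return ErrBadSignature
	}
	if !expiration.After(t.now()) {
		return ErrExpired
	}
	// A replayed POST for a revoked username is refused until its original
	// expiration date has passed.
	if until, ok := t.revoked[username]; ok {
		if t.now().Before(until) {
			return ErrRevoked
		}
		delete(t.revoked, username)
	}
	if exp, ok := t.accounts[username]; ok && t.now().Before(exp) {
		return ErrExists
	}
	t.accounts[username] = expiration
	return nil
}

// Delete is the DELETE route: the account disappears at once, which ends any
// session, and the username stays blocked until its original expiration.
func (t *Tuleap) Delete(username string, sig []byte) error {
	if !ed25519.Verify(t.pub, deleteMessage(username), sig) {
		return ErrBadSignature
	}
	exp, ok := t.accounts[username]
	if !ok {
		return ErrUnknown
	}
	delete(t.accounts, username)
	t.revoked[username] = exp
	return nil
}

// SessionValid is what a session check consults: the account must still exist
// and its expiration must not have been reached.
func (t *Tuleap) SessionValid(username string) bool {
	exp, ok := t.accounts[username]
	return ok && t.now().Before(exp)
}
```

    The signature check runs before any state is touched, so a request with a tampered field is rejected without side effects, and the revocation record keeps the original expiration rather than the time of deletion, which is what makes a captured POST useless once its account has been revoked.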
    Status
    Done
    Development
    • [ ] Does it involve User Interface?
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need JavaScript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Details
    #11239
    Thomas Gerbet (tgerbet)
    2018-03-28 09:47
    2018-03-05 15:05
    11569

    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2018-03-26 14:54
    Using 443/TCP is not mandatory; the Vault plugin is capable of handling a host on a different port. HTTPS is still mandatory though.

    • Acceptance criteria
    Thomas Gerbet (tgerbet) 2018-03-07 15:10
    • Acceptance criteria
    Thomas Gerbet (tgerbet) 2018-03-06 16:16
    • Acceptance criteria