      story #11239 generate dynamic credentials from HashiCorp Vault into a Tuleap instance
    I can temporarily connect as a site administrator to a Tuleap instance to help users
    • The feature is available through a dedicated Tuleap plugin and a HashiCorp Vault plugin
    • Two REST routes are added on the Tuleap side:
      • POST (username, password, expiration, signature)
      • DELETE (username, signature)
    • All requests made to the REST routes are authenticated with public-key signatures
      • The private key is generated and stored directly and only in HashiCorp Vault
      • The public key is set in the configuration file of the plugin
      • Cryptography relies upon libsodium (Ed25519 signatures)
    • When the account expires or is revoked, the user is immediately logged out
    • To avoid replay attacks, it is not possible to recreate a user account that has been revoked (by a call to the DELETE route) with the same username until its expiration date has been reached
    • The HashiCorp Vault plugin only accepts querying a Tuleap instance over HTTPS
    • The Tuleap plugin is not designed to handle queries from multiple HashiCorp Vault instances; if that happens, credential creation requests might fail
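    The signing and verification flow described in the list above, as an added example written for this page in Go (the language Vault plugins are written in); it is not code from the Tuleap plugin or the Vault plugin. It uses Go's standard crypto/ed25519 in place of libsodium (both implement the same Ed25519 signatures). The canonical message layout, the hex encoding of signatures, the in-memory bookkeeping and every name used here (CredentialRequest, TemporaryAccounts, KeyPairFromSeed, SignCreate, SignRevoke) are this example's assumptions, not the plugins' own API. The Vault side holds the private key and signs; the Tuleap side holds only the public key, verifies the signature before anything else, enforces the expiration, and refuses to recreate a revoked username until its expiration date so that a replayed POST cannot resurrect the account.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors returned by the Tuleap-side verifier (names are this example's own).
var (
	ErrBadSignature = errors.New("invalid Ed25519 signature")
	ErrExpired      = errors.New("expiration date already reached")
	ErrRevoked      = errors.New("username revoked; cannot be recreated before its expiration date")
)

// CredentialRequest holds the fields of the POST route; Expiration is a Unix timestamp in seconds (assumption).
type CredentialRequest struct {
	Username   string
	Password   string
	Expiration int64
}

// message is the canonical byte string the signature covers (field order and
// separator are assumptions); every field the server acts on must be under it.
func (r CredentialRequest) message() []byte {
	return []byte(fmt.Sprintf("POST\n%s\n%s\n%d", r.Username, r.Password, r.Expiration))
}
func revokeMessage(username string) []byte { return []byte("DELETE\n" + username) }

// KeyPairFromSeed derives an Ed25519 key pair from a 32-byte seed. Vault would draw the
// seed from its CSPRNG and keep the private key; only the public half goes to Tuleap.
func KeyPairFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignCreate and SignRevoke are the Vault side: hex signatures for POST and DELETE.
func SignCreate(priv ed25519.PrivateKey, r CredentialRequest) string {
	return hex.EncodeToString(ed25519.Sign(priv, r.message()))
}
func SignRevoke(priv ed25519.PrivateKey, username string) string {
	return hex.EncodeToString(ed25519.Sign(priv, revokeMessage(username)))
}

// TemporaryAccounts is the Tuleap side: the configured public key plus the bookkeeping for logout and replay protection.
type TemporaryAccounts struct {
	pub     ed25519.PublicKey
	now     func() int64     // injected clock, Unix seconds
	active  map[string]int64 // username -> expiration of a live account
	revoked map[string]int64 // username -> expiration of a revoked account
}

func NewTemporaryAccounts(pub ed25519.PublicKey, now func() int64) *TemporaryAccounts {
	return &TemporaryAccounts{pub: pub, now: now, active: map[string]int64{}, revoked: map[string]int64{}}
}

func (t *TemporaryAccounts) verify(msg []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	return err == nil && len(sig) == ed25519.SignatureSize && ed25519.Verify(t.pub, msg, sig)
}

// Create handles the POST route: signature first, then expiration, then the replay check.
func (t *TemporaryAccounts) Create(r CredentialRequest, sigHex string) error {
	if !t.verify(r.message(), sigHex) {
		return ErrBadSignature
	}
	if r.Expiration <= t.now() {
		return ErrExpired
	}
	if exp, blocked := t.revoked[r.Username]; blocked && exp > t.now() {
		return ErrRevoked
	}
	delete(t.revoked, r.Username)
	t.active[r.Username] = r.Expiration
	return nil
}

// Revoke handles the DELETE route and remembers the expiration so that a replayed
// POST for the same username is rejected until that date (repeated DELETEs are no-ops).
func (t *TemporaryAccounts) Revoke(username, sigHex string) error {
	if !t.verify(revokeMessage(username), sigHex) {
		return ErrBadSignature
	}
	if exp, ok := t.active[username]; ok {
		delete(t.active, username)
		t.revoked[username] = exp
	}
	return nil
}

// IsActive is what the session layer checks on each request, so an expired or revoked account is logged out at once.
func (t *TemporaryAccounts) IsActive(username string) bool {
	exp, ok := t.active[username]
	return ok && exp > t.now()
}
```

    The order of checks in Create matters: the signature is verified before any field is trusted, so a tampered expiration or username is rejected as a bad signature rather than reaching the expiration or revocation logic. Because the expiration is part of the signed message, a captured POST stops being accepted on its own once that date passes; the revoked map only has to cover the window between a DELETE and that date, which is exactly the rule the story states.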
    Status
    Done
    Development
    • [ ] Does it involve a User Interface?
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Details
    #11239
    Thomas Gerbet (tgerbet)
    2018-03-28 09:47
    2018-03-05 15:05
    11322

    References
    Referencing story #11239: Artifact Tracker v5; Git commit (tuleap/tuleap/stable)