Add bound cidr checking at login time for remaining auths (#7046)

Jeff Mitchell
2019-07-02 17:44:38 -04:00
committed by GitHub
parent 3ae451ec78
commit b918a156da
6 changed files with 40 additions and 5 deletions


@@ -9,6 +9,7 @@ import (
"github.com/google/go-github/github"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/cidrutil"
"github.com/hashicorp/vault/sdk/helper/policyutil"
"github.com/hashicorp/vault/sdk/logical"
)
@@ -148,6 +149,11 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, t
return nil, logical.ErrorResponse("configuration has not been set"), nil
}
// Check for a CIDR match.
if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, config.TokenBoundCIDRs) {
return nil, nil, logical.ErrPermissionDenied
}
if config.Organization == "" {
return nil, logical.ErrorResponse(
"organization not found in configuration"), nil