Documentation
Index
- func SelectorData(am *structs.ACLAuthMethod, idClaims, userClaims map[string]interface{}) (*structs.ACLAuthClaims, error)
- type Binder
- type BinderStateStore
- type Bindings
- type CallbackServer
- func (s *CallbackServer) Close() error
- func (s *CallbackServer) ErrorCh() <-chan error
- func (s *CallbackServer) Nonce() string
- func (s *CallbackServer) RedirectURI() string
- func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request)
- func (s *CallbackServer) SuccessCh() <-chan *api.ACLOIDCCompleteAuthRequest
- type Identity
- type ProviderCache
Constants
This section is empty.
Variables
This section is empty.
Functions
func SelectorData
func SelectorData(am *structs.ACLAuthMethod, idClaims, userClaims map[string]interface{}) (*structs.ACLAuthClaims, error)
SelectorData returns the data for go-bexpr for selector evaluation.
Types
type Binder
type Binder struct {
// contains filtered or unexported fields
}
Binder is responsible for collecting the ACL roles and policies to be assigned to a token generated as a result of "logging in" via an auth method.
It does so by applying the auth method's configured binding rules.
func NewBinder
func NewBinder(store BinderStateStore) *Binder
NewBinder creates a Binder with the given state store.
type BinderStateStore
type BinderStateStore interface {
GetACLBindingRulesByAuthMethod(ws memdb.WatchSet, authMethod string) (memdb.ResultIterator, error)
GetACLRoleByName(ws memdb.WatchSet, roleName string) (*structs.ACLRole, error)
ACLPolicyByName(ws memdb.WatchSet, name string) (*structs.ACLPolicy, error)
}
BinderStateStore is the subset of state store methods used by the binder.
type Bindings
type Bindings struct {
Management bool
Roles []*structs.ACLTokenRoleLink
Policies []string
}
Bindings contains the ACL roles and policies to be assigned to the created token.
type CallbackServer
type CallbackServer struct {
// contains filtered or unexported fields
}
CallbackServer is started with NewCallbackServer and creates an HTTP server for handling loopback OIDC auth redirects.
func NewCallbackServer
func NewCallbackServer(addr string) (*CallbackServer, error)
NewCallbackServer creates and starts a new local HTTP server for OIDC authentication to redirect to. This is used to capture the necessary information to complete the authentication.
func (*CallbackServer) Close
func (s *CallbackServer) Close() error
Close cleans up and shuts down the server. On close, errors may be sent to ErrorCh and should be ignored.
func (*CallbackServer) ErrorCh
func (s *CallbackServer) ErrorCh() <-chan error
ErrorCh returns a channel where any errors are sent. Errors may be sent after Close and should be disregarded.
func (*CallbackServer) Nonce
func (s *CallbackServer) Nonce() string
Nonce returns a generated nonce that can be used for the request.
func (*CallbackServer) RedirectURI
func (s *CallbackServer) RedirectURI() string
RedirectURI is the redirect URI that should be provided for the auth.
func (*CallbackServer) ServeHTTP
func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request)
ServeHTTP implements http.Handler and handles the callback request. This isn't usually used directly; use the server address instead.
func (*CallbackServer) SuccessCh
func (s *CallbackServer) SuccessCh() <-chan *api.ACLOIDCCompleteAuthRequest
SuccessCh returns a channel that gets sent a partially completed request to complete the OIDC auth with the Nomad server.
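The loopback redirect handling described for CallbackServer, shown as an added, self-contained example; this is not the package's own code. It assumes the server's generated nonce is what the client passes as the OIDC state parameter and what the provider echoes back, and it uses a constructed CompleteAuthRequest in place of api.ACLOIDCCompleteAuthRequest. The point worth seeing is the order of checks in ServeHTTP: a redirect whose state does not match the nonce is rejected before the code is looked at, so a redirect this process never initiated cannot complete the login.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/http"
)

// CompleteAuthRequest is a constructed stand-in for the partially completed
// request the real package sends on SuccessCh (api.ACLOIDCCompleteAuthRequest).
type CompleteAuthRequest struct {
	Code  string
	State string
}

// CallbackServer handles a single loopback OIDC redirect. Both channels are
// buffered so ServeHTTP never blocks waiting on the caller.
type CallbackServer struct {
	nonce   string
	success chan *CompleteAuthRequest
	errCh   chan error
	ln      net.Listener
	srv     *http.Server
}

// newCallbackState builds the handler without a listener so the redirect
// logic can be exercised in isolation; NewCallbackServer adds the listener.
func newCallbackState() (*CallbackServer, error) {
	raw := make([]byte, 20)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return &CallbackServer{
		nonce:   base64.RawURLEncoding.EncodeToString(raw),
		success: make(chan *CompleteAuthRequest, 1),
		errCh:   make(chan error, 1),
	}, nil
}

// NewCallbackServer listens on addr (for example "127.0.0.1:0") and serves in
// the background. Serve errors, including the one Close triggers, go to ErrorCh.
func NewCallbackServer(addr string) (*CallbackServer, error) {
	s, err := newCallbackState()
	if err != nil {
		return nil, err
	}
	if s.ln, err = net.Listen("tcp", addr); err != nil {
		return nil, err
	}
	s.srv = &http.Server{Handler: s}
	go func() {
		if err := s.srv.Serve(s.ln); err != nil {
			s.reportErr(err)
		}
	}()
	return s, nil
}

// reportErr never blocks: if the caller already has one error queued, later ones are dropped.
func (s *CallbackServer) reportErr(err error) {
	select {
	case s.errCh <- err:
	default:
	}
}

func (s *CallbackServer) Nonce() string                          { return s.nonce }
func (s *CallbackServer) SuccessCh() <-chan *CompleteAuthRequest { return s.success }
func (s *CallbackServer) ErrorCh() <-chan error                  { return s.errCh }
func (s *CallbackServer) Close() error                           { return s.srv.Close() }
func (s *CallbackServer) RedirectURI() string {
	return fmt.Sprintf("http://%s/oidc/callback", s.ln.Addr())
}

// ServeHTTP accepts the provider's redirect. The state must equal the nonce
// this server generated; anything else is rejected before the code is read.
func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	q := req.URL.Query()
	if q.Get("state") != s.nonce {
		http.Error(w, "state mismatch", http.StatusBadRequest)
		return
	}
	if e := q.Get("error"); e != "" {
		s.reportErr(errors.New("provider returned error: " + e))
		http.Error(w, "authentication failed", http.StatusBadRequest)
		return
	}
	code := q.Get("code")
	if code == "" {
		http.Error(w, "missing code", http.StatusBadRequest)
		return
	}
	select {
	case s.success <- &CompleteAuthRequest{Code: code, State: s.nonce}:
	default: // a second valid callback is ignored; the first one wins
	}
	fmt.Fprintln(w, "Login complete; you may close this window.")
}

func main() {
	s, err := NewCallbackServer("127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer s.Close()
	fmt.Println("redirect_uri:", s.RedirectURI(), "state:", s.Nonce())
}
```

A client would pass s.RedirectURI() and s.Nonce() when building the provider's authorization URL, then wait on SuccessCh and ErrorCh; the one-element buffers mean the first valid redirect is delivered and any later one is discarded rather than overwriting it.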
type Identity
type Identity struct {
// Claims is the format of this Identity suitable for selection
// with a binding rule.
Claims interface{}
// ClaimMappings is the format of this Identity suitable for interpolation in a
// bind name within a binding rule.
ClaimMappings map[string]string
}
func NewIdentity
func NewIdentity(authMethodConfig *structs.ACLAuthMethodConfig, authClaims *structs.ACLAuthClaims) *Identity
NewIdentity builds a new Identity that can be used to generate bindings via Bind for ACL token creation.
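How an Identity's Claims and ClaimMappings feed the Binder's rule evaluation (the Binder and Bindings types above, and Identity here), as an added example that is not the package's code. The BindingRule fields (Selector, BindType, BindName), the ${name} interpolation syntax, the two-operator selector evaluator standing in for go-bexpr, and the roleExists/policyExists callbacks standing in for the BinderStateStore lookups are all assumptions of this example; Roles is a plain []string here rather than []*structs.ACLTokenRoleLink. Two choices keep the result least-privilege: a rule whose bind name references a claim mapping that is absent is skipped rather than bound to a partial name, and a rule naming a role or policy that does not exist is skipped.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Identity mirrors the documented type: Claims for selectors, ClaimMappings for bind-name interpolation.
type Identity struct {
	Claims        map[string]interface{}
	ClaimMappings map[string]string
}

// BindingRule is a constructed stand-in; its field names are assumptions.
type BindingRule struct {
	Selector string // "<claim> == <value>" or "<claim> contains <value>"; empty matches all
	BindType string // "role", "policy" or "management"
	BindName string // may reference ${mapping} entries from ClaimMappings
}

type Bindings struct {
	Management bool
	Roles      []string
	Policies   []string
}

// evalSelector is a tiny stand-in for go-bexpr: an unparsable selector matches nothing.
func evalSelector(sel string, claims map[string]interface{}) bool {
	sel = strings.TrimSpace(sel)
	if sel == "" {
		return true
	}
	for _, op := range []string{" == ", " contains "} {
		key, val, ok := strings.Cut(sel, op)
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		switch v := claims[strings.TrimSpace(key)].(type) {
		case string:
			return op == " == " && v == val
		case []string:
			for _, item := range v {
				if op == " contains " && item == val {
					return true
				}
			}
		}
		return false
	}
	return false
}

var interp = regexp.MustCompile(`\$\{([^}]+)\}`)

// interpolate resolves ${name} from mappings and fails on any missing reference.
func interpolate(name string, mappings map[string]string) (string, error) {
	var missing error
	out := interp.ReplaceAllStringFunc(name, func(m string) string {
		key := interp.FindStringSubmatch(m)[1]
		v, ok := mappings[key]
		if !ok {
			missing = errors.New("no claim mapping for " + key)
		}
		return v
	})
	return out, missing
}

// Bind applies rules to id. A matching management rule wins outright; role and
// policy names are deduplicated and skipped when the store does not know them.
func Bind(rules []BindingRule, id Identity, roleExists, policyExists func(string) bool) Bindings {
	var b Bindings
	seen := map[string]bool{}
	for _, r := range rules {
		if !evalSelector(r.Selector, id.Claims) {
			continue
		}
		if r.BindType == "management" {
			return Bindings{Management: true}
		}
		name, err := interpolate(r.BindName, id.ClaimMappings)
		if err != nil || seen[r.BindType+":"+name] {
			continue
		}
		seen[r.BindType+":"+name] = true
		if r.BindType == "role" && roleExists(name) {
			b.Roles = append(b.Roles, name)
		} else if r.BindType == "policy" && policyExists(name) {
			b.Policies = append(b.Policies, name)
		}
	}
	return b
}

func main() {
	id := Identity{Claims: map[string]interface{}{"groups": []string{"eng"}}, ClaimMappings: map[string]string{"name": "alice"}}
	rules := []BindingRule{{Selector: "groups contains eng", BindType: "role", BindName: "eng-${name}"}}
	fmt.Printf("%+v\n", Bind(rules, id, func(string) bool { return true }, func(string) bool { return true }))
}
```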
type ProviderCache
type ProviderCache struct {
// contains filtered or unexported fields
}
ProviderCache is a cache for OIDC providers. OIDC providers are something you don't want to recreate per-request since they make HTTP requests when they're constructed.
The ProviderCache purges a provider under two scenarios: (1) the provider config is updated and differs from the cached one, and (2) after a set amount of time (see cacheExpiry for the value), in case the remote provider configuration changed.
func NewProviderCache
func NewProviderCache() *ProviderCache
NewProviderCache should be used to initialize a provider cache. This will start up background resources to manage the cache.
func (*ProviderCache) Delete
func (c *ProviderCache) Delete(name string)
Delete force deletes a single auth method from the cache by name.
func (*ProviderCache) Get
func (c *ProviderCache) Get(authMethod *structs.ACLAuthMethod) (*oidc.Provider, error)
Get returns the OIDC provider for the given auth method configuration. This will initialize the provider if it isn't already in the cache or if the configuration changed.
func (*ProviderCache) Shutdown
func (c *ProviderCache) Shutdown()
Shutdown stops any long-lived cache process and informs each OIDC provider that they are done. This should be called whenever the Nomad server is shutting down.
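The two purge conditions described for ProviderCache (a changed configuration, and an entry older than the expiry), as an added example rather than the package's own implementation. AuthMethodConfig and Provider are constructed stand-ins for structs.ACLAuthMethod and *oidc.Provider, and the expiry is passed to NewProviderCache here instead of being an internal cacheExpiry constant. Unlike the real cache, which runs a background purge, this version checks age lazily on Get and exposes an injectable clock so the expiry path can be exercised without waiting. Configuration changes are detected by hashing the whole config, so any field change, not just the issuer, invalidates the cached provider.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// AuthMethodConfig is a constructed stand-in for the OIDC-relevant fields of an auth method.
type AuthMethodConfig struct {
	Name     string
	Issuer   string
	ClientID string
}

// Provider stands in for *oidc.Provider; the real one performs issuer
// discovery over HTTP when constructed, which is why it is worth caching.
type Provider struct {
	Issuer string
	done   bool
}

// Done mirrors releasing a provider's background resources.
func (p *Provider) Done() { p.done = true }

type cacheEntry struct {
	provider   *Provider
	configHash string
	createdAt  time.Time
}

// ProviderCache holds one provider per auth method name.
type ProviderCache struct {
	mu      sync.Mutex
	entries map[string]*cacheEntry
	expiry  time.Duration
	now     func() time.Time // injectable clock (assumption of this example)
	builds  int
}

func NewProviderCache(expiry time.Duration) *ProviderCache {
	return &ProviderCache{entries: map[string]*cacheEntry{}, expiry: expiry, now: time.Now}
}

// configHash fingerprints the full configuration so any change is noticed.
func configHash(cfg AuthMethodConfig) string {
	raw, _ := json.Marshal(cfg) // a struct of strings always marshals
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// Get returns the cached provider, or builds a new one when the entry is
// missing, was built from a different configuration, or has expired.
func (c *ProviderCache) Get(cfg AuthMethodConfig) *Provider {
	c.mu.Lock()
	defer c.mu.Unlock()
	h := configHash(cfg)
	if e, ok := c.entries[cfg.Name]; ok {
		if e.configHash == h && c.now().Sub(e.createdAt) < c.expiry {
			return e.provider
		}
		e.provider.Done() // stale or reconfigured: release before replacing
	}
	p := &Provider{Issuer: cfg.Issuer} // stand-in for the discovery request
	c.builds++
	c.entries[cfg.Name] = &cacheEntry{provider: p, configHash: h, createdAt: c.now()}
	return p
}

// Delete force-removes a single auth method's provider by name.
func (c *ProviderCache) Delete(name string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[name]; ok {
		e.provider.Done()
		delete(c.entries, name)
	}
}

// Shutdown releases every cached provider.
func (c *ProviderCache) Shutdown() {
	c.mu.Lock()
	defer c.mu.Unlock()
	for name, e := range c.entries {
		e.provider.Done()
		delete(c.entries, name)
	}
}

// Builds reports how many providers have been constructed so far.
func (c *ProviderCache) Builds() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.builds
}

func main() {
	c := NewProviderCache(time.Hour)
	cfg := AuthMethodConfig{Name: "corp", Issuer: "https://issuer.example", ClientID: "cli"}
	c.Get(cfg)
	c.Get(cfg)
	fmt.Println("providers built:", c.Builds()) // 1: second Get hits the cache
	c.Shutdown()
}
```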