Closed TJM closed 1 year ago
As soon as I try to add the template, things get ugly, we are very far behind on the SDK version. If I can't make it work with the older version we are using, then I will have to upgrade all the other modules as well. 🤞
That is on my road map, so if you get to this first, be my guest! 😄
Current POC functionality:
(after make setup):
[tmcneely@local artifactory-secrets-plugin]$ vault read artifactory/token/test
Key Value
--- -----
lease_id artifactory/token/test/xFQp4bBihnOCVi0GCTq4vhVU
lease_duration 2h
lease_renewable true
access_token eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJLMXptbEVTR2xpZlZXMnFtczdORmxpVENfVVMwYzVncTZBbzIyZUc5UHhjIn0.eyJzdWIiOiJqZmFjQDAxZ3R5ejdyMm4yY3FtMGF6dzR3c2gwMXJxXC91c2Vyc1wvdGVzdC11c2VyIiwic2NwIjoiYXBwbGllZC1wZXJtaXNzaW9uc1wvZ3JvdXBzOnJlYWRlcnMiLCJhdWQiOiIqQCoiLCJpc3MiOiJqZmFjQDAxZ3R5ejdyMm4yY3FtMGF6dzR3c2gwMXJxIiwiaWF0IjoxNjc4MzEyNTUzLCJqdGkiOiIyNTBhNzdjMC1jMTVkLTQwMmQtOWIxNi05YzA2ODE5ZTk5ZmQifQ.LCdktZ3gK1Wd1IB19lL3zi9HIwN7Y57eQsqxknoQX3iLWiam_Vrlk-7acIkCLqrvkJy40AZz7Kxp8foaeZvWqpVgdymji8KzYb9NTr_8T6KARlzfVVb_p_TQ77adS5ZL0sXABXbgTMBbQ4a2n0WtkMM7z3h4KJuVDjSN7Xbxcs_Qur7s82EqGThPQM6zv28KlXSU5mwEe7Qnu23Us5Og3U6x7p0p9Znr9GpnFq3jV_4TugYC1Yj2hPT2addQ_08OwvjdtkkNbJIMxG3eXF0V3yv8GlzK1aR1xeJsNXTxqOtU8FUnlt-PfefjVOehv_y0kvKNkhHpxo3_JdeJlm8LSg
role test
scope applied-permissions/groups:readers
token_id 250a77c0-c15d-402d-9b16-9c06819e99fd
username test-user
[tmcneely@local artifactory-secrets-plugin]$ vault write artifactory/roles/test username=""
Success! Data written to: artifactory/roles/test
[tmcneely@local artifactory-secrets-plugin]$ vault read artifactory/token/test
Key Value
--- -----
lease_id artifactory/token/test/XgQHjbIRzV0tPjNYETqF1dpK
lease_duration 2h
lease_renewable true
access_token eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJLMXptbEVTR2xpZlZXMnFtczdORmxpVENfVVMwYzVncTZBbzIyZUc5UHhjIn0.eyJzdWIiOiJqZmFjQDAxZ3R5ejdyMm4yY3FtMGF6dzR3c2gwMXJxXC91c2Vyc1wvZnV0dXJlLXRlbXBsYXRlLXVzZXIiLCJzY3AiOiJhcHBsaWVkLXBlcm1pc3Npb25zXC9ncm91cHM6cmVhZGVycyIsImF1ZCI6IipAKiIsImlzcyI6ImpmYWNAMDFndHl6N3IybjJjcW0wYXp3NHdzaDAxcnEiLCJpYXQiOjE2NzgzMTI2MDYsImp0aSI6ImI5MmZmZWUwLTk4NjAtNDM5NS1hYTAyLWRlNzc0ZGYzMmJmYyJ9.iDKt1JFD2r6x6soHlPknq_I-uaXUYr1hYPVT0_6tPAcz0d_1x-yTnIopX4ModlhL9miulgKG9ShohR2No4BU4VA52t6oJtpkQ1-Oy_NEykac1HShwIi8cPLUUn4uX3tRJaKenyvNvILqh6yMlp2_jdQ350c9McUav_LszgcGOTXZEVpfmTQIie4sO1IaIyjtt9ZTCY0rdyT_xu9jePqk7kSbGA2UyhE2wYS2lOprC5R75cZkUu2Pvmgf_phlLF3xdkKInUPJzPvIXnlvLu353CoJ1-XmW8j9xqY2wkR_gncOyVeWUAq9SnahGpPzGXGi7xP2acjpb3GxsU8S294AjA
role test
scope applied-permissions/groups:readers
token_id b92ffee0-9860-4395-aa02-de774df32bfc
username future-template-user
New version:
[tmcneely@local artifactory-secrets-plugin]$ vault read artifactory/token/test
Key Value
--- -----
lease_id artifactory/token/test/ts3UvVwJpIqS2f7Sx5EZpa0q
lease_duration 2h
lease_renewable true
access_token eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJLMXptbEVTR2xpZlZXMnFtczdORmxpVENfVVMwYzVncTZBbzIyZUc5UHhjIn0.eyJzdWIiOiJqZmFjQDAxZ3R5ejdyMm4yY3FtMGF6dzR3c2gwMXJxXC91c2Vyc1wvdi10ZXN0LXkybWdrcGxyY28yaHVtY3V5d3B5Iiwic2NwIjoiYXBwbGllZC1wZXJtaXNzaW9uc1wvZ3JvdXBzOnJlYWRlcnMiLCJhdWQiOiIqQCoiLCJpc3MiOiJqZmFjQDAxZ3R5ejdyMm4yY3FtMGF6dzR3c2gwMXJxIiwiaWF0IjoxNjc4MzE5MTMzLCJqdGkiOiJiYzFlMmI1YS03ZjAyLTRlMmMtYTIwOC03MGI4NzVjZjFkODAifQ.eZpJ3yb2jtp94ey2O9biLeS-BuWvvakYY8N0YIqCJLVdthqgOKVzt0vXisHi1k65hUyv2w1ZG74iJA4HG6yu8ph5cqUlcq9hHAX0WpjSWhPpIOcKs16FiyAF2GvSr5MbfIMa_xZsuQ2UOtWUCNq8U4OEym9ktf2FJbEcs8atEkxpkSUSD7T8GuVQiToDyI_kDbaPqzVLbyYpzHZJzV4sIa4ITdOmPRhsBaTnjecKRy1C5Hc5gdyotH_FHdGpDmSEPMoXwi5z7YVDPFVD1gyhxlRqWo-uUj9H56f-wBqbPlVuOgXKCDninPVgKQqEY5mvtfDe3ifTzwhUSIDqL8eFUA
role test
scope applied-permissions/groups:readers
token_id bc1e2b5a-7f02-4e2c-a208-70b875cf1d80
username v-test-y2mgkPlrco2humCUYWPY
Also, customizable templates:
[tmcneely@local artifactory-secrets-plugin]$ vault write artifactory/config/admin username_template='{{printf "v_%s_%s_%s_%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 256}}'
Success! Data written to: artifactory/config/admin
[tmcneely@local artifactory-secrets-plugin]$ vault read artifactory/token/test
Key Value
--- -----
lease_id artifactory/token/test/XOhLnCo7BqeIuo3FfVeoABwh
lease_duration 2h
lease_renewable true
access_token eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJLMXptbEVTR2xpZlZXMnFtczdORmxpVENfVVMwYzVncTZBbzIyZUc5UHhjIn0.eyJzdWIiOiJqZmFjQDAxZ3R5ejdyMm4yY3FtMGF6dzR3c2gwMXJxXC91c2Vyc1wvdl9fdGVzdF9tMHF3dTk1ZWx5c3dmdWQ2bDY0el8xNjc4MzE5MjczIiwic2NwIjoiYXBwbGllZC1wZXJtaXNzaW9uc1wvZ3JvdXBzOnJlYWRlcnMiLCJhdWQiOiIqQCoiLCJpc3MiOiJqZmFjQDAxZ3R5ejdyMm4yY3FtMGF6dzR3c2gwMXJxIiwiaWF0IjoxNjc4MzE5MjczLCJqdGkiOiJmOGM3ZDU1Ni00OTViLTRkM2YtODlkYS0yYTk2YzU5ZDQwMmUifQ.MYkJzsQixPdLan63KHxb0uBN4zukYC6CXxxSbcoxc2w-OO9wLIfnjNVSfcn8OEjO03lzHbnaScjtXbZtKqBuTjwv4gbQUHNqwf-utWX7mGard-47QAkv2Th_ljTV1otpeGMerbWLnxwVmgZSxJGf9mR9W8xfQo0H-F25ENd35-ctpyjR3w1OCCpJd5bHXKnUFjFEYozT9KwjjsSMP75y341ySKh8uIYrezbvpcqRyT9grEFA0-vS2vAS_5Uv765yNPka5O7QPaiJM0phgAyeGpsFFNAkcIpfVcyf1nEfgy6XKvPdKHvpsYq748YCr7jjlGUrufUxPAXMk9MSfttU_Q
role test
scope applied-permissions/groups:readers
token_id f8c7d556-495b-4d3f-89da-2a96c59d402e
username v__test_M0Qwu95ELYSWFuD6l64Z_1678319273
[tmcneely@local artifactory-secrets-plugin]$
I am still not sure what to put for some of the fields, nor whether it will survive a reboot (99% sure it won't). So, still in draft, but getting closer to "MVP" :)
@TJM I'm assuming that those access_token values are not valid ones, but you may want to sanitize them before posting here 😄
They are for my localhost artifactory-jcr. I wanted to leave them in to show how artifactory itself handled the request.
LGTM
And thanks so much for improving the README!
You're welcome.
The only outstanding item seems to be for the UsernameMetadata.DisplayName.
I set this to req.DisplayName; it is up to the users how they want to use/format it ;)
One final example of it working...
[tmcneely@local artifactory-secrets-plugin]$ vault read artifactory/token/test
Key Value
--- -----
lease_id artifactory/token/test/nrQRRjmD3I6CdJELcftH7CyT
lease_duration 2h
lease_renewable true
access_token eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJraExwVVNkUzBqVWdkUVd4RVB3RDdnXzhEbTNkZnBGenhYUlM5OWY4enN3In0.eyJzdWIiOiJqZmFjQDAxZ3ZlMGIzMHpodDI3MDcxbTQwZWEwdGY3XC91c2Vyc1wvdi10ZXN0LXNvaDhwcHRpIiwic2NwIjoiYXBwbGllZC1wZXJtaXNzaW9uc1wvZ3JvdXBzOnJlYWRlcnMiLCJhdWQiOiIqQCoiLCJpc3MiOiJqZmFjQDAxZ3ZlMGIzMHpodDI3MDcxbTQwZWEwdGY3IiwiaWF0IjoxNjc4NzI4ODY0LCJqdGkiOiJjZTllOWI0ZC1jYTRjLTQwZDctOTVmMS1iMDBiYmVmMjhmODYifQ.bJBwXGuj29DcKQaSjjaXKaJJY9sER-QsoJeo4ACcKvB0U7o6zCdY2dLPC-RTSyu9pL3x-R_HkhKwOVS68yghqJSz8xS-SFzShQCCD8ZPieNOnHDSUSW5GqYLRfdEVYbplYwV4Um2g42wK9yEREJspkYI_9axOXusOmrNu2Al9QF8sC4wqCZb6EIBmOChKWCx7KfixRKzdfFn5Zkow-wuVcOEzgDqoYGa4_fKsXmSOuqilijT2gS4XjiGwxn86PfRMEajY7RrRJCKCUSrH5m1ZkeBqJfEp17d6xJqEfyWuVjNewINe413r6B9jS_EtzjVo_HImhzKeacwzP9lQjjCDA
role test
scope applied-permissions/groups:readers
token_id ce9e9b4d-ca4c-40d7-95f1-b00bbef28f86
username v-test-SOH8PPTI
[tmcneely@local artifactory-secrets-plugin]$ vault write artifactory/config/admin username_template="v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}"
Success! Data written to: artifactory/config/admin
[tmcneely@local artifactory-secrets-plugin]$ vault read artifactory/token/test
Key Value
--- -----
lease_id artifactory/token/test/zE0sPBVruQGIKCDWF6lkgAVO
lease_duration 2h
lease_renewable true
access_token eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJraExwVVNkUzBqVWdkUVd4RVB3RDdnXzhEbTNkZnBGenhYUlM5OWY4enN3In0.eyJzdWIiOiJqZmFjQDAxZ3ZlMGIzMHpodDI3MDcxbTQwZWEwdGY3XC91c2Vyc1wvdl9yb290X3Rlc3RfMXp6OWhmZHd1eV8xNjc4NzI5MDI3Iiwic2NwIjoiYXBwbGllZC1wZXJtaXNzaW9uc1wvZ3JvdXBzOnJlYWRlcnMiLCJhdWQiOiIqQCoiLCJpc3MiOiJqZmFjQDAxZ3ZlMGIzMHpodDI3MDcxbTQwZWEwdGY3IiwiaWF0IjoxNjc4NzI5MDI3LCJqdGkiOiI4MzI2ZjQ5My1kMWIwLTQxOWQtYTE4NC0zZDUyZTM3OTk5YzAifQ.fYZudScmqUGWesAl3SrG_2_kGuV6Pfio4QcEYt_8T6IxVCg5jO2JYCBHDOy0L3ZKQicJyOxwzeeSNNFvV2VWqfmxI3KKI4rrkOLr66teg5Tk6nmAff6b66q_rJJFl-bqsmu3Kh1fMQ2nSQbmLY3WvSLxxiylPPi5CNN2u2ZWub4Xw22a0LV83WfdRkwbfI4giFjgpyjRhHAY-VS4dEBr-7VgJYflvBNIy5IGugJR8Yfbpqfgb2Gw2s5z_5Veu2nt_HF1_kbawifFoqWtEHmwWmlQLBC8lY1iVSZ3qLVHmXqFL5a7Pv1rfx6iLb1yrnW7aXkqmuRcwaqHz9jO-0aOmA
role test
scope applied-permissions/groups:readers
token_id 8326f493-d1b0-419d-a184-3d52e37999c0
username v_root_test_1Zz9hfDwuY_1678729027
[tmcneely@local artifactory-secrets-plugin]$
ALSO:
[tmcneely@local artifactory-secrets-plugin]$ vault read artifactory/config/admin
Key Value
--- -----
access_token_sha256 ab702c64a58c1ca1e32937fc97df9c75bc2ae81656923fdb3a4cfaec0d2f2ba4
scope applied-permissions/admin
token_id 6555c55f-335a-4f87-9bcb-96907cca4b23
url http://localhost:8082
username admin
username_template v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}
version 7.55.2
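How the username_template values shown in the comment above actually render, as an added illustration written for this page in Go with the standard library's text/template package. It is not the plugin's own code: the real plugin takes random, unix_time and truncate from Vault's SDK template helper, and the stand-ins here (crypto/rand alphanumerics, a seconds-since-epoch string, a byte-length truncate) are this example's assumptions chosen to match the outputs in the thread, as are the UsernameMetadata struct and the ValidateUsername allow-list. The second template is run with an empty DisplayName to reproduce the double underscore in v__test_... from the earlier output.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"text/template"
	"time"
	"unicode"
)

// UsernameMetadata carries the two fields the thread's templates reference
// (.DisplayName and .RoleName). The struct is an assumption of this example.
type UsernameMetadata struct {
	DisplayName string
	RoleName    string
}

const alphanum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// randomString draws n alphanumerics from crypto/rand, never math/rand:
// the random segment is what keeps concurrently issued usernames distinct,
// so it must not be predictable or repeatable.
func randomString(n int) (string, error) {
	var sb strings.Builder
	alphabet := big.NewInt(int64(len(alphanum)))
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, alphabet)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphanum[idx.Int64()])
	}
	return sb.String(), nil
}

// truncate keeps at most n bytes; the argument order lets it be used as a
// pipeline stage, e.g. (.DisplayName | truncate 8).
func truncate(n int, s string) string {
	if len(s) <= n {
		return s
	}
	return s[:n]
}

// RenderUsername renders tmpl against meta. The clock is injected so the
// unix_time segment can be pinned in tests. unix_time returns a string,
// which is what lets it be passed to printf's %s as in the thread.
func RenderUsername(tmpl string, meta UsernameMetadata, now func() time.Time) (string, error) {
	funcs := template.FuncMap{
		"random":    randomString,
		"unix_time": func() string { return strconv.FormatInt(now().Unix(), 10) },
		"truncate":  truncate,
	}
	t, err := template.New("username").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse template: %w", err)
	}
	var out strings.Builder
	if err := t.Execute(&out, meta); err != nil {
		return "", fmt.Errorf("execute template: %w", err)
	}
	return out.String(), nil
}

// ValidateUsername is the check to run on a rendered name before sending it
// to Artifactory: non-empty, bounded length (256 matches the "| truncate 256"
// in the thread) and a conservative character allow-list (an assumption).
func ValidateUsername(u string) error {
	if u == "" {
		return fmt.Errorf("empty username")
	}
	if len(u) > 256 {
		return fmt.Errorf("username too long: %d > 256", len(u))
	}
	for _, r := range u {
		if !(unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-') {
			return fmt.Errorf("disallowed character %q in username", r)
		}
	}
	return nil
}

func main() {
	cases := []struct {
		tmpl string
		meta UsernameMetadata
	}{
		{`v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}`, UsernameMetadata{"root", "test"}},
		{`{{printf "v_%s_%s_%s_%s" (.DisplayName | truncate 8) (.RoleName | truncate 8) (random 20) (unix_time) | truncate 256}}`, UsernameMetadata{"", "test"}},
	}
	for _, c := range cases {
		u, err := RenderUsername(c.tmpl, c.meta, time.Now)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s\n  -> %s (valid: %v)\n", c.tmpl, u, ValidateUsername(u) == nil)
	}
}
```

A field the template names but the metadata does not carry (for example {{.Missing}}) fails at execute time rather than silently rendering empty, which is the behaviour you want from a username generator: an empty segment is how the v__test_... name above came about.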
FYI, depending on the order these are merged, the other may have to be manually rebased, since they touch some of the same files.
The other PR is already merged. So you should resolve merge conflict in this branch/PR.
Rebased, had to change the b.suppportForceRevocable to use the new b.checkVersion (with the saved version), as expected. Let me know if I should compress the commits further, or they can be squashed on merge ;)
Fixes #46
@TJM Let @shrajfr12 and I know when this PR is ready for review again.
@alexhung / @shrajfr12 - Should be good to go. I ran a quick test with make setup, but I think testing is something we need to dig deeper into ;)
Screenshot from jwt.io showing the dynamic username and expiration date (max_ttl) :)
@TJM We are planning to add acceptance testing in Q2.
Support using dynamic usernames with vault Username Templates.