hashicorp · NLRemco · Oct 28, 2021 · Oct 28, 2021 · Oct 28, 2021
@@ -9,7 +9,6 @@ import (
 	"errors"
 	"io/ioutil"
 
-	"github.com/briankassouf/jose/jws"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -29,23 +28,13 @@ func pathConfig(b *kubeAuthBackend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.",
 			},
-
 			"kubernetes_ca_cert": {
 				Type:        framework.TypeString,
 				Description: "PEM encoded CA cert for use by the TLS client used to talk with the API.",
 				DisplayAttrs: &framework.DisplayAttributes{
 					Name: "Kubernetes CA Certificate",
 				},
 			},
-			"token_reviewer_jwt": {
-				Type: framework.TypeString,
-				Description: `A service account JWT used to access the
-TokenReview API to validate other JWTs during login. If not set
-the JWT used for login will be used to access the API.`,
-				DisplayAttrs: &framework.DisplayAttributes{
-					Name: "Token Reviewer JWT",
-				},
-			},
 			"pem_keys": {
 				Type: framework.TypeCommaStringSlice,
 				Description: `Optional list of PEM-formated public keys or certificates
@@ -95,7 +84,7 @@ then this plugin will use kubernetes.io/serviceaccount as the default issuer.
 	}
 }
 
-// pathConfigWrite handles create and update commands to the config
+// pathConfigRead handles read commands of the config
 func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	if config, err := b.config(ctx, req.Storage); err != nil {
 		return nil, err
@@ -127,10 +116,8 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 
 	disableLocalJWT := data.Get("disable_local_ca_jwt").(bool)
 	localCACert := []byte{}
-	localTokenReviewer := []byte{}
 	if !disableLocalJWT {
 		localCACert, _ = ioutil.ReadFile(localCACertPath)
-		localTokenReviewer, _ = ioutil.ReadFile(localJWTPath)
 	}
 	pemList := data.Get("pem_keys").([]string)
 	caCert := data.Get("kubernetes_ca_cert").(string)
@@ -144,25 +131,11 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 		}
 	}
 
-	tokenReviewer := data.Get("token_reviewer_jwt").(string)
-	if !disableLocalJWT && len(tokenReviewer) == 0 && len(localTokenReviewer) > 0 {
-		tokenReviewer = string(localTokenReviewer)
-	}
-
-	if len(tokenReviewer) > 0 {
-		// Validate it's a JWT
-		_, err := jws.ParseJWT([]byte(tokenReviewer))
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	config := &kubeConfig{
 		PublicKeys:           make([]interface{}, len(pemList)),
 		PEMKeys:              pemList,
 		Host:                 host,
 		CACert:               caCert,
-		TokenReviewerJWT:     tokenReviewer,
 		Issuer:               issuer,
 		DisableISSValidation: disableIssValidation,
 		DisableLocalCAJwt:    disableLocalJWT,
@@ -199,8 +172,6 @@ type kubeConfig struct {
 	Host string `json:"host"`
 	// CACert is the CA Cert to use to call into the kubernetes API
 	CACert string `json:"ca_cert"`
-	// TokenReviewJWT is the bearer to use during the TokenReview API call
-	TokenReviewerJWT string `json:"token_reviewer_jwt"`
 	// Issuer is the claim that specifies who issued the token
 	Issuer string `json:"issuer"`
 	// DisableISSValidation is optional parameter to allow to skip ISS validation

@@ -184,7 +184,6 @@ func TestConfig(t *testing.T) {
 		PEMKeys:              []string{},
 		Host:                 "host",
 		CACert:               testCACert,
-		TokenReviewerJWT:     jwtData,
 		DisableISSValidation: true,
 		DisableLocalCAJwt:    false,
 	}
@@ -354,7 +353,6 @@ func TestConfig_LocalCaJWT(t *testing.T) {
 				PEMKeys:              []string{},
 				Host:                 "host",
 				CACert:               testLocalCACert,
-				TokenReviewerJWT:     testLocalJWT,
 				DisableISSValidation: true,
 				DisableLocalCAJwt:    false,
 			},
@@ -369,7 +367,6 @@ func TestConfig_LocalCaJWT(t *testing.T) {
 				PEMKeys:              []string{},
 				Host:                 "host",
 				CACert:               testCACert,
-				TokenReviewerJWT:     testLocalJWT,
 				DisableISSValidation: true,
 				DisableLocalCAJwt:    false,
 			},
@@ -384,7 +381,6 @@ func TestConfig_LocalCaJWT(t *testing.T) {
 				PEMKeys:              []string{},
 				Host:                 "host",
 				CACert:               testLocalCACert,
-				TokenReviewerJWT:     jwtData,
 				DisableISSValidation: true,
 				DisableLocalCAJwt:    false,
 			},
@@ -400,7 +396,6 @@ func TestConfig_LocalCaJWT(t *testing.T) {
 				PEMKeys:              []string{},
 				Host:                 "host",
 				CACert:               testCACert,
-				TokenReviewerJWT:     "",
 				DisableISSValidation: true,
 				DisableLocalCAJwt:    true,
 			},

@@ -81,13 +81,8 @@ func (t *tokenReviewAPI) Review(ctx context.Context, jwt string, aud []string) (
 		return nil, err
 	}
 
-	// If we have a configured TokenReviewer JWT use it as the bearer, otherwise
-	// try to use the passed in JWT.
-	bearer := fmt.Sprintf("Bearer %s", jwt)
-	if len(t.config.TokenReviewerJWT) > 0 {
-		bearer = fmt.Sprintf("Bearer %s", t.config.TokenReviewerJWT)
-	}
-	bearer = strings.TrimSpace(bearer)
+	// Use the passed in JWT token for the token review
+	bearer := strings.TrimSpace(fmt.Sprintf("Bearer %s", jwt))
 
 	// Set the JWT as the Bearer token
 	req.Header.Set("Authorization", bearer)