
allow for wrapped vault auth tokens #4891

Open. Wants to merge 1 commit into base: main

Conversation

kheina (Collaborator) commented Jun 10, 2024

TODO: needs automated testing, but tested locally using boundary dev and Vault running in Docker.

Successful unwrapping of a Vault token within Boundary:

```console
~/codebase/boundary % export BOUNDARY_VAULT_TOKEN=$(vault token create \
    -format=json \
    -no-default-policy=true \
    -policy="boundary-controller" \
    -policy="cred" \
    -policy="ssh" \
    -orphan=true \
    -period=24h \
    -renewable=true \
    -wrap-ttl=600000 \
    | jq -r '.wrap_info.token')

~/codebase/boundary % curl \
    $VAULT_ADDR/v1/sys/wrapping/lookup \
    -d "{ \"token\": \"$BOUNDARY_VAULT_TOKEN\" }" \
    | jq
{
  "request_id": "4ab1c0a4-3182-4787-1296-853817fd6d3c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "creation_path": "auth/token/create",
    "creation_time": "2024-06-10T23:32:46.599011514Z",
    "creation_ttl": 600000
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

~/codebase/boundary % boundary credential-stores create vault \
    -vault-address $VAULT_ADDR \
    -vault-token=$BOUNDARY_VAULT_TOKEN \
    -scope-id=$PROJECT_ID \
    -vault-token-wrapped=true

Credential Store information:
  Created Time:        Mon, 10 Jun 2024 19:32:54 EDT
  ID:                  csvlt_fKeGc7nWxH
  Type:                vault
  Updated Time:        Mon, 10 Jun 2024 19:32:54 EDT
  Version:             1

  Scope:
    ID:                p_PMLRKyXakh
    Name:
    Parent Scope ID:   o_dyRaQYISOg
    Type:              project

  Authorized Actions:
    read
    update
    delete
    no-op

  Authorized Actions on Credential Store's Collections:
    credential-libraries:
      create
      list

  Attributes:
    Address:           http://127.0.0.1:8200
    Token HMAC:        A72rYxItfdUG4K8jZAyrOGPaej6GbnjAwhmt4dB9uGQ
    Token Status:      current
```

Token was unwrapped by an attacker and rejected:

```console
~/codebase/boundary % export BOUNDARY_VAULT_TOKEN=$(vault token create \
    -format=json \
    -no-default-policy=true \
    -policy="boundary-controller" \
    -policy="cred" \
    -policy="ssh" \
    -orphan=true \
    -period=24h \
    -renewable=true \
    -wrap-ttl=600000 \
    | jq -r '.wrap_info.token')

~/codebase/boundary % curl \
    $VAULT_ADDR/v1/sys/wrapping/lookup \
    -d "{ \"token\": \"$BOUNDARY_VAULT_TOKEN\" }" \
    | jq
{
  "request_id": "57147327-5287-cf83-7d69-2e28b2b6f4b1",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "creation_path": "auth/token/create",
    "creation_time": "2024-06-10T23:42:47.442755083Z",
    "creation_ttl": 600000
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

~/codebase/boundary % export UNWRAPPED_TOKEN=$(VAULT_TOKEN=$BOUNDARY_VAULT_TOKEN \
    vault unwrap \
    -format=json \
    | jq -r '.auth.client_token')

~/codebase/boundary % export REWRAPPED_TOKEN=$(curl \
    --header "X-Vault-Token: $UNWRAPPED_TOKEN" \
    --header "X-Vault-Wrap-TTL: 6000" \
    -X POST $VAULT_ADDR/v1/sys/wrapping/wrap \
    -d "{ \"auth\": { \"client_token\": \"$UNWRAPPED_TOKEN\" } }" \
    | jq -r '.wrap_info.token')

~/codebase/boundary % boundary credential-stores create vault \
    -vault-address $VAULT_ADDR \
    -vault-token=$REWRAPPED_TOKEN \
    -scope-id=$PROJECT_ID \
    -vault-token-wrapped=true

Error from controller when performing create on vault-type credential store

Error information:
  Kind:                Internal
  Message:             credentialstores.(Service).createInRepo: unable to create credential store:
  vault.(Repository).CreateCredentialStore: vault.(CredentialStore).Unwrap: vault token creation
  path did not match the expected path
  Status:              500
  context:             Error from controller when performing create on vault-type credential store
```
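The creation-path check that the rejected run above relies on, written here as an added Go example rather than Boundary's own code: it calls sys/wrapping/lookup with the wrapping token before anything is unwrapped and refuses any token whose creation_path is not auth/token/create, which is what a token re-wrapped through sys/wrapping/wrap looks like. FakeVault, VerifyWrappingToken and the hvs.* token strings are constructed for this example; FakeVault only mimics the lookup responses the transcript shows.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ExpectedCreationPath is what Vault records for a wrapping token minted by `vault token create -wrap-ttl=...`; a token re-wrapped via sys/wrapping/wrap records that endpoint instead.
const ExpectedCreationPath = "auth/token/create"
var ErrCreationPath = errors.New("vault token creation path did not match the expected path")
// VerifyWrappingToken calls sys/wrapping/lookup before unwrapping and returns the recorded creation path, with ErrCreationPath when it is not ExpectedCreationPath (the rejected case above).
func VerifyWrappingToken(client *http.Client, vaultAddr, wrappingToken string) (string, error) {
	body, _ := json.Marshal(map[string]string{"token": wrappingToken})
	resp, err := client.Post(vaultAddr+"/v1/sys/wrapping/lookup", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var lr struct{ Data struct{ CreationPath string `json:"creation_path"` } `json:"data"` }
	if err := json.NewDecoder(resp.Body).Decode(&lr); err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("wrapping lookup failed: HTTP %d (%v)", resp.StatusCode, err)
	}
	if lr.Data.CreationPath != ExpectedCreationPath {
		return lr.Data.CreationPath, ErrCreationPath
	}
	return lr.Data.CreationPath, nil
}

// FakeVault stands in for Vault (constructed sample tokens, not real Vault output): one wrapping token minted by token create, one re-wrapped by an attacker through sys/wrapping/wrap.
func FakeVault() *httptest.Server {
	paths := map[string]string{"hvs.wrapped-by-token-create": "auth/token/create", "hvs.rewrapped-by-attacker": "sys/wrapping/wrap"}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Token string `json:"token"` }
		if r.URL.Path != "/v1/sys/wrapping/lookup" || json.NewDecoder(r.Body).Decode(&req) != nil || paths[req.Token] == "" {
			http.Error(w, `{"errors":["unknown wrapping token"]}`, http.StatusBadRequest)
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"data": map[string]interface{}{"creation_path": paths[req.Token], "creation_ttl": 600000}})
	}))
}
func main() {
	srv := FakeVault()
	defer srv.Close()
	fmt.Println(VerifyWrappingToken(srv.Client(), srv.URL, "hvs.wrapped-by-token-create")) // auth/token/create <nil>
	fmt.Println(VerifyWrappingToken(srv.Client(), srv.URL, "hvs.rewrapped-by-attacker"))   // sys/wrapping/wrap vault token creation path did not match the expected path
}
```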

@kheina force-pushed the dmiu_vault-response-wrapping branch from a38b404 to fe514b7 on June 10, 2024 23:57
Comment on lines +139 to +141
.PHONY: gen-offline
gen-offline: cleangen protobuild api cli perms-table fmt copywrite
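Review bot: gen-offline carries no comment explaining what makes it the offline variant, i.e. which network-dependent generation step it leaves out of `cleangen protobuild api cli perms-table fmt copywrite`; add a one-line comment above `.PHONY: gen-offline` saying so. Since the target is unrelated to wrapped Vault tokens, it should also be split into its own PR.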

kheina (Collaborator, Author) commented:

This definitely shouldn't be in this PR, but it makes it easier for when you're working without internet.
