-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathauth_approle.go
129 lines (106 loc) · 4.05 KB
/
auth_approle.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
// Copyright 2021 Outreach Corporation. All Rights Reserved.
//
// Description: Stores functions to interact with basic /auth/approle endpoints
package vault_client //nolint:revive // Why: We're using - in the name
import (
"context"
"net/http"
"path"
"time"
"github.com/getoutreach/gobox/pkg/cfg"
)
// ApproleAuthMethod implements a AuthMethod backed by an approle
type ApproleAuthMethod struct {
c *Client
roleID cfg.SecretData
secretID cfg.SecretData
}
// NewApproleAuthMethod returns a new ApproleAuthMethod based on the provided
// roleID and secretID.
func NewApproleAuthMethod(roleID, secretID cfg.SecretData) *ApproleAuthMethod {
return &ApproleAuthMethod{
roleID: roleID,
secretID: secretID,
}
}
func (a *ApproleAuthMethod) Options(o *Options) {
a.c = New(WithAddress(o.Host))
}
// GetToken returns a token for the current approle
func (a *ApproleAuthMethod) GetToken(ctx context.Context) (cfg.SecretData, time.Time, error) {
resp, err := a.c.ApproleLogin(ctx, a.roleID, a.secretID)
if err != nil {
return "", time.Now(), err
}
return resp.Auth.ClientToken,
time.Now().Add(time.Second * time.Duration(resp.Auth.LeaseDuration)), nil
}
// ApproleLoginResponse is a response returned by ApproleLogin
type ApproleLoginResponse struct {
Auth struct {
// LeaseDuration is how long this token lives for in seconds
LeaseDuration int `json:"lease_duration"`
// Accessor is an accessor that can be used to lookup this token
Accessor string `json:"accessor"`
// ClientToken is the actual token
ClientToken cfg.SecretData `json:"client_token"`
// TokenPolicies is a list of policies that are attached to this token
TokenPolicies []string `json:"token_policies"`
} `json:"auth"`
}
// ApproleLogin creates a new VAULT_TOKEN using the provided approle credentials
func (c *Client) ApproleLogin(ctx context.Context, roleID, secretID cfg.SecretData) (*ApproleLoginResponse, error) {
var resp ApproleLoginResponse
err := c.doRequest(ctx, http.MethodPost, "auth/approle/login", map[string]string{
"role_id": string(roleID),
"secret_id": string(secretID),
}, &resp)
return &resp, err
}
// CreateApproleOptions are options to provide to CreateApprole, docs:
// https://www.vaultproject.io/api/auth/approle#parameters
type CreateApproleOptions struct {
// Name is the name of the approle to create
Name string `json:"-"`
TokenTTL string `json:"token_ttl,omitempty"`
TokenMaxTTL string `json:"token_max_ttl,omitempty"`
TokenPolicies []string `json:"token_policies,omitempty"`
Period int `json:"period,omitempty"`
BindSecretID bool `json:"bind_secret_id,omitempty"`
}
// CreateApprole creates a new approle in Vault
func (c *Client) CreateApprole(ctx context.Context, opts *CreateApproleOptions) error {
return c.doRequest(ctx, http.MethodPost, path.Join("auth/approle/role", opts.Name), opts, nil)
}
// GetApproleRoleID returns the role-id for a given approle
func (c *Client) GetApproleRoleID(ctx context.Context, name string) (cfg.SecretData, error) {
var resp struct {
Data struct {
RoleID string `json:"role_id"`
} `json:"data"`
}
err := c.doRequest(ctx, http.MethodGet, path.Join("auth/approle/role", name, "role-id"), nil, &resp)
if err != nil {
return "", err
}
return cfg.SecretData(resp.Data.RoleID), nil
}
// CreateApproleSecretIDResponse is a new secret_id created
// by CreateApproleSecretID. See docs here:
// https://www.vaultproject.io/api/auth/approle#sample-response-4
type CreateApproleSecretIDResponse struct {
SecretIDAccessor string `json:"secret_id_accessor"`
SecretID cfg.SecretData `json:"secret_id"`
SecretIDTTL int `json:"secret_id_ttl"`
}
// CreateApproleSecretID creates a new secret_id for a given approle
func (c *Client) CreateApproleSecretID(ctx context.Context, name string) (*CreateApproleSecretIDResponse, error) {
resp := struct {
Data CreateApproleSecretIDResponse `json:"data"`
}{}
err := c.doRequest(ctx, http.MethodPost, path.Join("auth/approle/role", name, "secret-id"), nil, &resp)
if err != nil {
return nil, err
}
return &resp.Data, nil
}