Adding support for userpass vault auth backend

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

4 files changed, 193 insertions, 0 deletions

diff --git a/README.md b/README.md
index 1536b427..21ffadbc 100644
--- a/README.md
+++ b/README.md
@@ -583,6 +583,7 @@ This table describes the currently-supported authentication mechanisms and how t
 | ---: |--|
 | [`app-id`](https://www.vaultproject.io/docs/auth/app-id.html) | Environment variables `$VAULT_APP_ID` and `$VAULT_USER_ID` must be set to the appropriate values.<br/> If the backend is mounted to a different location, set `$VAULT_AUTH_APP_ID_MOUNT`. |
 | [`github`](https://www.vaultproject.io/docs/auth/github.html) | Environment variable `$VAULT_AUTH_GITHUB_TOKEN` must be set to an appropriate value.<br/> If the backend is mounted to a different location, set `$VAULT_AUTH_GITHUB_MOUNT`. |
+| [`userpass`](https://www.vaultproject.io/docs/auth/userpass.html) | Environment variables `$VAULT_AUTH_USERNAME` and `$VAULT_AUTH_PASSWORD` must be set to the appropriate values.<br/> If the backend is mounted to a different location, set `$VAULT_AUTH_USERPASS_MOUNT`. |
 | [`token`](https://www.vaultproject.io/docs/auth/token.html) | Determined from either the `$VAULT_TOKEN` environment variable, or read from the file `~/.vault-token` |
 
 To use a Vault datasource with a single secret, just use a URL of
diff --git a/vault/client.go b/vault/client.go
index 4dd7235e..546b0449 100644
--- a/vault/client.go
+++ b/vault/client.go
@@ -59,6 +59,9 @@ func getAuthStrategy() AuthStrategy {
 	if auth := NewGitHubAuthStrategy(); auth != nil {
 		return auth
 	}
+	if auth := NewUserPassAuthStrategy(); auth != nil {
+		return auth
+	}
 	if auth := NewTokenAuthStrategy(); auth != nil {
 		return auth
 	}
diff --git a/vault/userpass_strategy.go b/vault/userpass_strategy.go
new file mode 100644
index 00000000..e6561743
--- /dev/null
+++ b/vault/userpass_strategy.go
@@ -0,0 +1,106 @@
+package vault
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+)
+
+// UserPassAuthStrategy - an AuthStrategy that uses Vault's userpass authentication backend.
+type UserPassAuthStrategy struct {
+	Username string `json:"-"`
+	Password string `json:"password"`
+	Mount    string `json:"-"`
+	hc       *http.Client
+}
+
+// NewUserPassAuthStrategy - create an AuthStrategy that uses Vault's userpass auth
+// backend.
+func NewUserPassAuthStrategy() *UserPassAuthStrategy {
+	username := os.Getenv("VAULT_AUTH_USERNAME")
+	password := os.Getenv("VAULT_AUTH_PASSWORD")
+	mount := os.Getenv("VAULT_AUTH_USERPASS_MOUNT")
+	if mount == "" {
+		mount = "userpass"
+	}
+	if username != "" && password != "" {
+		return &UserPassAuthStrategy{username, password, mount, nil}
+	}
+	return nil
+}
+
+// GetHTTPClient configures the HTTP client with a timeout
+func (a *UserPassAuthStrategy) GetHTTPClient() *http.Client {
+	if a.hc == nil {
+		a.hc = &http.Client{Timeout: time.Second * 5}
+	}
+	return a.hc
+}
+
+// SetToken is a no-op for UserPassAuthStrategy as a token hasn't been acquired yet
+func (a *UserPassAuthStrategy) SetToken(req *http.Request) {
+	// no-op
+}
+
+// Do wraps http.Client.Do
+func (a *UserPassAuthStrategy) Do(req *http.Request) (*http.Response, error) {
+	hc := a.GetHTTPClient()
+	return hc.Do(req)
+}
+
+// GetToken - log in to the app-id auth backend and return the client token
+func (a *UserPassAuthStrategy) GetToken(addr *url.URL) (string, error) {
+	buf := new(bytes.Buffer)
+	json.NewEncoder(buf).Encode(&a)
+
+	u := &url.URL{}
+	*u = *addr
+	u.Path = "/v1/auth/" + a.Mount + "/login/" + a.Username
+	res, err := requestAndFollow(a, "POST", u, buf.Bytes())
+	if err != nil {
+		return "", err
+	}
+	response := &UserPassAuthResponse{}
+	err = json.NewDecoder(res.Body).Decode(response)
+	res.Body.Close()
+	if err != nil {
+		return "", err
+	}
+	if res.StatusCode != 200 {
+		err := fmt.Errorf("Unexpected HTTP status %d on AppId login to %s: %s", res.StatusCode, u, response)
+		return "", err
+	}
+	return response.Auth.ClientToken, nil
+}
+
+// Revokable -
+func (a *UserPassAuthStrategy) Revokable() bool {
+	return true
+}
+
+func (a *UserPassAuthStrategy) String() string {
+	return fmt.Sprintf("username: %s, password: %s, mount: %s", a.Username, a.Password, a.Mount)
+}
+
+// UserPassAuthResponse - the Auth response from /v1/auth/username/login
+type UserPassAuthResponse struct {
+	Auth struct {
+		ClientToken   string `json:"client_token"`
+		LeaseDuration int64  `json:"lease_duration"`
+		Metadata      struct {
+			Username string `json:"username"`
+		} `json:"metadata"`
+		Policies  []string `json:"policies"`
+		Renewable bool     `json:"renewable"`
+	} `json:"auth"`
+}
+
+func (a *UserPassAuthResponse) String() string {
+	buf := new(bytes.Buffer)
+	json.NewEncoder(buf).Encode(&a)
+	return string(buf.Bytes())
+}
diff --git a/vault/userpass_strategy_test.go b/vault/userpass_strategy_test.go
new file mode 100644
index 00000000..769832f7
--- /dev/null
+++ b/vault/userpass_strategy_test.go
@@ -0,0 +1,83 @@
+package vault
+
+import (
+	"net/url"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewUserPassAuthStrategy(t *testing.T) {
+	os.Unsetenv("VAULT_AUTH_USERNAME")
+	os.Unsetenv("VAULT_AUTH_PASSWORD")
+	assert.Nil(t, NewUserPassAuthStrategy())
+
+	os.Setenv("VAULT_AUTH_USERNAME", "foo")
+	assert.Nil(t, NewUserPassAuthStrategy())
+
+	os.Unsetenv("VAULT_AUTH_USERNAME")
+	os.Setenv("VAULT_AUTH_PASSWORD", "bar")
+	assert.Nil(t, NewUserPassAuthStrategy())
+
+	os.Setenv("VAULT_AUTH_USERNAME", "foo")
+	os.Setenv("VAULT_AUTH_PASSWORD", "bar")
+	auth := NewUserPassAuthStrategy()
+	assert.Equal(t, "foo", auth.Username)
+	assert.Equal(t, "bar", auth.Password)
+	assert.Equal(t, "userpass", auth.Mount)
+
+	os.Setenv("VAULT_AUTH_USERNAME", "foo")
+	os.Setenv("VAULT_AUTH_PASSWORD", "bar")
+	os.Setenv("VAULT_AUTH_USERPASS_MOUNT", "baz")
+	auth = NewUserPassAuthStrategy()
+	assert.Equal(t, "foo", auth.Username)
+	assert.Equal(t, "bar", auth.Password)
+	assert.Equal(t, "baz", auth.Mount)
+}
+
+func TestGetToken_UserPassErrorsGivenNetworkError(t *testing.T) {
+	server, client := setupErrorHTTP()
+	defer server.Close()
+
+	vaultURL, _ := url.Parse("http://vault:8200")
+
+	auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client}
+	_, err := auth.GetToken(vaultURL)
+	assert.Error(t, err)
+}
+
+func TestGetToken_UserPassErrorsGivenHTTPErrorStatus(t *testing.T) {
+	server, client := setupHTTP(500, "application/json; charset=utf-8", `{}`)
+	defer server.Close()
+
+	vaultURL, _ := url.Parse("http://vault:8200")
+
+	auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client}
+	_, err := auth.GetToken(vaultURL)
+	assert.Error(t, err)
+}
+
+func TestGetToken_UserPassErrorsGivenBadJSON(t *testing.T) {
+	server, client := setupHTTP(200, "application/json; charset=utf-8", `{`)
+	defer server.Close()
+
+	vaultURL, _ := url.Parse("http://vault:8200")
+
+	auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client}
+	_, err := auth.GetToken(vaultURL)
+	assert.Error(t, err)
+}
+
+func TestGetToken_UserPass(t *testing.T) {
+	server, client := setupHTTP(200, "application/json; charset=utf-8", `{"auth": {"client_token": "baz"}}`)
+	defer server.Close()
+
+	vaultURL, _ := url.Parse("http://vault:8200")
+
+	auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client}
+	token, err := auth.GetToken(vaultURL)
+	assert.NoError(t, err)
+
+	assert.Equal(t, "baz", token)
+}