diff options
| -rw-r--r-- | README.md | 1 | ||||
| -rw-r--r-- | vault/client.go | 3 | ||||
| -rw-r--r-- | vault/userpass_strategy.go | 106 | ||||
| -rw-r--r-- | vault/userpass_strategy_test.go | 83 |
4 files changed, 193 insertions, 0 deletions
@@ -583,6 +583,7 @@ This table describes the currently-supported authentication mechanisms and how t | ---: |--| | [`app-id`](https://www.vaultproject.io/docs/auth/app-id.html) | Environment variables `$VAULT_APP_ID` and `$VAULT_USER_ID` must be set to the appropriate values.<br/> If the backend is mounted to a different location, set `$VAULT_AUTH_APP_ID_MOUNT`. | | [`github`](https://www.vaultproject.io/docs/auth/github.html) | Environment variable `$VAULT_AUTH_GITHUB_TOKEN` must be set to an appropriate value.<br/> If the backend is mounted to a different location, set `$VAULT_AUTH_GITHUB_MOUNT`. | +| [`userpass`](https://www.vaultproject.io/docs/auth/userpass.html) | Environment variables `$VAULT_AUTH_USERNAME` and `$VAULT_AUTH_PASSWORD` must be set to the appropriate values.<br/> If the backend is mounted to a different location, set `$VAULT_AUTH_USERPASS_MOUNT`. | | [`token`](https://www.vaultproject.io/docs/auth/token.html) | Determined from either the `$VAULT_TOKEN` environment variable, or read from the file `~/.vault-token` | To use a Vault datasource with a single secret, just use a URL of diff --git a/vault/client.go b/vault/client.go index 4dd7235e..546b0449 100644 --- a/vault/client.go +++ b/vault/client.go @@ -59,6 +59,9 @@ func getAuthStrategy() AuthStrategy { if auth := NewGitHubAuthStrategy(); auth != nil { return auth } + if auth := NewUserPassAuthStrategy(); auth != nil { + return auth + } if auth := NewTokenAuthStrategy(); auth != nil { return auth } diff --git a/vault/userpass_strategy.go b/vault/userpass_strategy.go new file mode 100644 index 00000000..e6561743 --- /dev/null +++ b/vault/userpass_strategy.go @@ -0,0 +1,106 @@ +package vault + +import ( + "bytes" + "encoding/json" + "fmt" + "net/http" + "net/url" + "os" + "time" +) + +// UserPassAuthStrategy - an AuthStrategy that uses Vault's userpass authentication backend. +type UserPassAuthStrategy struct { + Username string `json:"-"` + Password string `json:"password"` + Mount string `json:"-"` + hc *http.Client +} + +// NewUserPassAuthStrategy - create an AuthStrategy that uses Vault's userpass auth +// backend. +func NewUserPassAuthStrategy() *UserPassAuthStrategy { + username := os.Getenv("VAULT_AUTH_USERNAME") + password := os.Getenv("VAULT_AUTH_PASSWORD") + mount := os.Getenv("VAULT_AUTH_USERPASS_MOUNT") + if mount == "" { + mount = "userpass" + } + if username != "" && password != "" { + return &UserPassAuthStrategy{username, password, mount, nil} + } + return nil +} + +// GetHTTPClient configures the HTTP client with a timeout +func (a *UserPassAuthStrategy) GetHTTPClient() *http.Client { + if a.hc == nil { + a.hc = &http.Client{Timeout: time.Second * 5} + } + return a.hc +} + +// SetToken is a no-op for UserPassAuthStrategy as a token hasn't been acquired yet +func (a *UserPassAuthStrategy) SetToken(req *http.Request) { + // no-op +} + +// Do wraps http.Client.Do +func (a *UserPassAuthStrategy) Do(req *http.Request) (*http.Response, error) { + hc := a.GetHTTPClient() + return hc.Do(req) +} + +// GetToken - log in to the app-id auth backend and return the client token +func (a *UserPassAuthStrategy) GetToken(addr *url.URL) (string, error) { + buf := new(bytes.Buffer) + json.NewEncoder(buf).Encode(&a) + + u := &url.URL{} + *u = *addr + u.Path = "/v1/auth/" + a.Mount + "/login/" + a.Username + res, err := requestAndFollow(a, "POST", u, buf.Bytes()) + if err != nil { + return "", err + } + response := &UserPassAuthResponse{} + err = json.NewDecoder(res.Body).Decode(response) + res.Body.Close() + if err != nil { + return "", err + } + if res.StatusCode != 200 { + err := fmt.Errorf("Unexpected HTTP status %d on AppId login to %s: %s", res.StatusCode, u, response) + return "", err + } + return response.Auth.ClientToken, nil +} + +// Revokable - +func (a *UserPassAuthStrategy) Revokable() bool { + return true +} + +func (a *UserPassAuthStrategy) String() string { + return fmt.Sprintf("username: %s, password: %s, mount: %s", a.Username, a.Password, a.Mount) +} + +// UserPassAuthResponse - the Auth response from /v1/auth/username/login +type UserPassAuthResponse struct { + Auth struct { + ClientToken string `json:"client_token"` + LeaseDuration int64 `json:"lease_duration"` + Metadata struct { + Username string `json:"username"` + } `json:"metadata"` + Policies []string `json:"policies"` + Renewable bool `json:"renewable"` + } `json:"auth"` +} + +func (a *UserPassAuthResponse) String() string { + buf := new(bytes.Buffer) + json.NewEncoder(buf).Encode(&a) + return string(buf.Bytes()) +} diff --git a/vault/userpass_strategy_test.go b/vault/userpass_strategy_test.go new file mode 100644 index 00000000..769832f7 --- /dev/null +++ b/vault/userpass_strategy_test.go @@ -0,0 +1,83 @@ +package vault + +import ( + "net/url" + "os" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestNewUserPassAuthStrategy(t *testing.T) { + os.Unsetenv("VAULT_AUTH_USERNAME") + os.Unsetenv("VAULT_AUTH_PASSWORD") + assert.Nil(t, NewUserPassAuthStrategy()) + + os.Setenv("VAULT_AUTH_USERNAME", "foo") + assert.Nil(t, NewUserPassAuthStrategy()) + + os.Unsetenv("VAULT_AUTH_USERNAME") + os.Setenv("VAULT_AUTH_PASSWORD", "bar") + assert.Nil(t, NewUserPassAuthStrategy()) + + os.Setenv("VAULT_AUTH_USERNAME", "foo") + os.Setenv("VAULT_AUTH_PASSWORD", "bar") + auth := NewUserPassAuthStrategy() + assert.Equal(t, "foo", auth.Username) + assert.Equal(t, "bar", auth.Password) + assert.Equal(t, "userpass", auth.Mount) + + os.Setenv("VAULT_AUTH_USERNAME", "foo") + os.Setenv("VAULT_AUTH_PASSWORD", "bar") + os.Setenv("VAULT_AUTH_USERPASS_MOUNT", "baz") + auth = NewUserPassAuthStrategy() + assert.Equal(t, "foo", auth.Username) + assert.Equal(t, "bar", auth.Password) + assert.Equal(t, "baz", auth.Mount) +} + +func TestGetToken_UserPassErrorsGivenNetworkError(t *testing.T) { + server, client := setupErrorHTTP() + defer server.Close() + + vaultURL, _ := url.Parse("http://vault:8200") + + auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client} + _, err := auth.GetToken(vaultURL) + assert.Error(t, err) +} + +func TestGetToken_UserPassErrorsGivenHTTPErrorStatus(t *testing.T) { + server, client := setupHTTP(500, "application/json; charset=utf-8", `{}`) + defer server.Close() + + vaultURL, _ := url.Parse("http://vault:8200") + + auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client} + _, err := auth.GetToken(vaultURL) + assert.Error(t, err) +} + +func TestGetToken_UserPassErrorsGivenBadJSON(t *testing.T) { + server, client := setupHTTP(200, "application/json; charset=utf-8", `{`) + defer server.Close() + + vaultURL, _ := url.Parse("http://vault:8200") + + auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client} + _, err := auth.GetToken(vaultURL) + assert.Error(t, err) +} + +func TestGetToken_UserPass(t *testing.T) { + server, client := setupHTTP(200, "application/json; charset=utf-8", `{"auth": {"client_token": "baz"}}`) + defer server.Close() + + vaultURL, _ := url.Parse("http://vault:8200") + + auth := &UserPassAuthStrategy{"foo", "bar", "userpass", client} + token, err := auth.GetToken(vaultURL) + assert.NoError(t, err) + + assert.Equal(t, "baz", token) +} |