Fix non-wrapped token generation

It's more efficient to ask for the token "unwrapped" for the get go instead of unwrapping it conditionally afterwards. Signed-off-by: Félix Cantournet <[email protected]>
fcantournet · May 18, 2017 · ed62fd1 · ed62fd1
1 parent 4c645f8
commit ed62fd1
Showing 1 changed file with 19 additions and 13 deletions.
diff --git a/vault/vault.go b/vault/vault.go
@@ -37,31 +37,40 @@ func InitVaultClient(generatortokenpath, role string) (*Client, error) {
 // Gets token data
 func (c *Client) GetTokenData(policies []string, poduid string, unwrap bool) (string, []byte, error) {
 
-	wrappedInfo, err := c.getTokenForPolicy(policies, poduid)
+	if unwrap {
+		// We override the default WrappingLookupFunction which honors the VAULT_WRAP_TTL env variable
+		c.vc.SetWrappingLookupFunc(func(_, _ string) string { return "" })
+	}
+
+	secret, err := c.getTokenForPolicy(policies, poduid)
 	if err != nil {
 		return "", []byte{}, err
 	}
+	if secret == nil {
+		return "", []byte{}, fmt.Errorf("Got nil secret when getting token")
+	}
+
 	if unwrap {
-		secret, err := c.vc.Logical().Unwrap(wrappedInfo.Token)
-		if err != nil {
-			return "", []byte{}, fmt.Errorf("Couldn't unwrap token: %v", err)
-		}
 		metadata, err := json.Marshal(secret)
 		if err != nil {
 			return "", []byte{}, fmt.Errorf("Cloudn't marshall metadata: %v", err)
 		}
 		return secret.Auth.ClientToken, metadata, nil
 	}
+	// else we want a wrapped token :
+	if secret.WrapInfo == nil {
+		return "", []byte{}, fmt.Errorf("got unwrapped token ! Set VAULT_WRAP_TTL in kubelet environment")
+	}
 
-	metadata, err := json.Marshal(wrappedInfo)
+	metadata, err := json.Marshal(secret.WrapInfo)
 	if err != nil {
 		return "", []byte{}, fmt.Errorf("Couldn't marshal vault response: %v", err)
 	}
-	return wrappedInfo.Token, metadata, nil
+	return secret.WrapInfo.Token, metadata, nil
 }
 
 // GetTokenForPolicy gets a wrapped token from Vault scoped with given policy
-func (c *Client) getTokenForPolicy(policies []string, poduid string) (*vaultapi.SecretWrapInfo, error) {
+func (c *Client) getTokenForPolicy(policies []string, poduid string) (*vaultapi.Secret, error) {
 
 	metadata := map[string]string{
 		"poduid":  poduid,
@@ -72,14 +81,11 @@ func (c *Client) getTokenForPolicy(policies []string, poduid string) (*vaultapi.
 		Metadata: metadata,
 	}
 
-	wrapped, err := c.vc.Auth().Token().CreateWithRole(&req, c.role)
+	secret, err := c.vc.Auth().Token().CreateWithRole(&req, c.role)
 	if err != nil {
 		return nil, fmt.Errorf("Couldn't create scoped token for policies %v : %v", req.Policies, err)
 	}
-	if wrapped.WrapInfo == nil {
-		return wrapped.WrapInfo, fmt.Errorf("got unwrapped token ! Use VAULT_WRAP_TTL")
-	}
-	return wrapped.WrapInfo, nil
+	return secret, nil
 
 }