Skip to content

Commit

Permalink
feat: add support for Vault AppRole auth (#2)
Browse files Browse the repository at this point in the history
  • Loading branch information
thomasgouveia committed Jun 15, 2023
1 parent 6700e36 commit 72bd801
Show file tree
Hide file tree
Showing 2 changed files with 53 additions and 0 deletions.
51 changes: 51 additions & 0 deletions pkg/vaultauth/approle.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
package vaultauth

import (
"context"
"errors"

"github.com/hashicorp/vault-client-go"
"github.com/hashicorp/vault-client-go/schema"
)

var (
ErrRoleIdMustNotBeEmpty = errors.New("vault/auth/approle: the role-id must not be empty")
ErrSecretIdMustNotBeEmpty = errors.New("vault/auth/approle: the secret-id must not be empty")
)

// approleStrategy defines the configuration that should be attached
// to the command in order to configure the AppRole authentication.
type approleStrategy struct {
MountPath string `flag.name:"approle.mount-path" flag.default:"approle" flag.desc:"The path to the AppRole authentication method in your Vault."`
RoleId string `flag.name:"approle.role-id" flag.desc:"The identifier of the role to use to perform the login."`
SecretId string `flag.name:"approle.secret-id" flag.desc:"The secret identifier of the role to use to perform the login."`
}

// Ensure the implementation satisfies the interface.
var (
_ vaultLoginStrategy = &approleStrategy{}
)

// login performs the login using the AppRole authentication method on Vault.
func (s *approleStrategy) login(ctx context.Context, client *vault.Client) (*vault.ResponseAuth, error) {
if s.RoleId == "" {
return nil, ErrRoleIdMustNotBeEmpty
}

if s.SecretId == "" {
return nil, ErrSecretIdMustNotBeEmpty
}

opts := []vault.RequestOption{vault.WithMountPath(s.MountPath)}
req := schema.AppRoleLoginRequest{
RoleId: s.RoleId,
SecretId: s.SecretId,
}

resp, err := client.Auth.AppRoleLogin(ctx, req, opts...)
if err != nil {
return nil, err
}

return resp.Auth, nil
}
2 changes: 2 additions & 0 deletions pkg/vaultauth/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ type AuthMethod string
const (
Token AuthMethod = "token"
Userpass AuthMethod = "userpass"
AppRole AuthMethod = "approle"
)

// vaultLoginStrategy defines the common interface between all the authentication
Expand All @@ -31,6 +32,7 @@ type vaultLoginStrategy interface {
var strategies = map[AuthMethod]vaultLoginStrategy{
Token: &tokenStrategy{},
Userpass: &userpassStrategy{},
AppRole: &approleStrategy{},
}

var (
Expand Down

0 comments on commit 72bd801

Please sign in to comment.