From 72bd801a486ee06a044823c8ade0c5362bfe73ec Mon Sep 17 00:00:00 2001 From: thomasgouveia Date: Thu, 15 Jun 2023 21:39:49 +1000 Subject: [PATCH] feat: add support for Vault AppRole auth (#2) For more details, see : https://developer.hashicorp.com/vault/docs/auth/approle#approle-auth-method Signed-off-by: thomasgouveia --- pkg/vaultauth/approle.go | 51 ++++++++++++++++++++++++++++++++++++++++ pkg/vaultauth/auth.go | 2 ++ 2 files changed, 53 insertions(+) create mode 100644 pkg/vaultauth/approle.go diff --git a/pkg/vaultauth/approle.go b/pkg/vaultauth/approle.go new file mode 100644 index 0000000..ae97694 --- /dev/null +++ b/pkg/vaultauth/approle.go @@ -0,0 +1,51 @@ +package vaultauth + +import ( + "context" + "errors" + + "github.com/hashicorp/vault-client-go" + "github.com/hashicorp/vault-client-go/schema" +) + +var ( + ErrRoleIdMustNotBeEmpty = errors.New("vault/auth/approle: the role-id must not be empty") + ErrSecretIdMustNotBeEmpty = errors.New("vault/auth/approle: the secret-id must not be empty") +) + +// approleStrategy defines the configuration that should be attached +// to the command in order to configure the AppRole authentication. +type approleStrategy struct { + MountPath string `flag.name:"approle.mount-path" flag.default:"approle" flag.desc:"The path to the AppRole authentication method in your Vault."` + RoleId string `flag.name:"approle.role-id" flag.desc:"The identifier of the role to use to perform the login."` + SecretId string `flag.name:"approle.secret-id" flag.desc:"The secret identifier of the role to use to perform the login."` +} + +// Ensure the implementation satisfies the interface. +var ( + _ vaultLoginStrategy = &approleStrategy{} +) + +// login performs the login using the AppRole authentication method on Vault. +func (s *approleStrategy) login(ctx context.Context, client *vault.Client) (*vault.ResponseAuth, error) { + if s.RoleId == "" { + return nil, ErrRoleIdMustNotBeEmpty + } + + if s.SecretId == "" { + return nil, ErrSecretIdMustNotBeEmpty + } + + opts := []vault.RequestOption{vault.WithMountPath(s.MountPath)} + req := schema.AppRoleLoginRequest{ + RoleId: s.RoleId, + SecretId: s.SecretId, + } + + resp, err := client.Auth.AppRoleLogin(ctx, req, opts...) + if err != nil { + return nil, err + } + + return resp.Auth, nil +} diff --git a/pkg/vaultauth/auth.go b/pkg/vaultauth/auth.go index 3af5393..da2e379 100644 --- a/pkg/vaultauth/auth.go +++ b/pkg/vaultauth/auth.go @@ -16,6 +16,7 @@ type AuthMethod string const ( Token AuthMethod = "token" Userpass AuthMethod = "userpass" + AppRole AuthMethod = "approle" ) // vaultLoginStrategy defines the common interface between all the authentication @@ -31,6 +32,7 @@ type vaultLoginStrategy interface { var strategies = map[AuthMethod]vaultLoginStrategy{ Token: &tokenStrategy{}, Userpass: &userpassStrategy{}, + AppRole: &approleStrategy{}, } var (