Merge pull request #1668 from hairyhenderson/remove-vault-app-id-support

Remove support for obsolete Vault app-id auth
hairyhenderson · Mar 11, 2023 · 79472a5 · 79472a5
2 parents 9e33ba7 + 7baad30
commit 79472a5
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 81 deletions.
diff --git a/docs/content/datasources.md b/docs/content/datasources.md
@@ -666,7 +666,6 @@ This table describes the currently-supported authentication mechanisms and how t
 | auth back-end | configuration |
 |-------------:|---------------|
 | [`approle`](https://www.vaultproject.io/docs/auth/approle.html) | Environment variables `$VAULT_ROLE_ID` and `$VAULT_SECRET_ID` must be set to the appropriate values.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_APPROLE_MOUNT`. |
-| [`app-id`](https://www.vaultproject.io/docs/auth/app-id.html) | Environment variables `$VAULT_APP_ID` and `$VAULT_USER_ID` must be set to the appropriate values.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_APP_ID_MOUNT`. |
 | [`github`](https://www.vaultproject.io/docs/auth/github.html) | Environment variable `$VAULT_AUTH_GITHUB_TOKEN` must be set to an appropriate value.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_GITHUB_MOUNT`. |
 | [`userpass`](https://www.vaultproject.io/docs/auth/userpass.html) | Environment variables `$VAULT_AUTH_USERNAME` and `$VAULT_AUTH_PASSWORD` must be set to the appropriate values.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_USERPASS_MOUNT`. |
 | [`token`](https://www.vaultproject.io/docs/auth/token.html) | Determined from either the `$VAULT_TOKEN` environment variable, or read from the file `~/.vault-token` |

diff --git a/internal/tests/integration/datasources_vault_test.go b/internal/tests/integration/datasources_vault_test.go
@@ -237,58 +237,6 @@ func TestDatasources_Vault_AppRoleAuth(t *testing.T) {
 	assertSuccess(t, o, e, err, "bar")
 }
 
-func TestDatasources_Vault_AppIDAuth(t *testing.T) {
-	// temporarily allow the deprecated pending-removal appID auth method
-	// when this starts failing completely, we should remove support
-	t.Setenv("VAULT_ALLOW_PENDING_REMOVAL_MOUNTS", "true")
-
-	v := setupDatasourcesVaultTest(t)
-
-	v.vc.Logical().Write("secret/foo", map[string]interface{}{"value": "bar"})
-	defer v.vc.Logical().Delete("secret/foo")
-	err := v.vc.Sys().EnableAuth("app-id", "app-id", "")
-	require.NoError(t, err)
-	err = v.vc.Sys().EnableAuth("app-id2", "app-id", "")
-	require.NoError(t, err)
-	defer v.vc.Sys().DisableAuth("app-id")
-	defer v.vc.Sys().DisableAuth("app-id2")
-	_, err = v.vc.Logical().Write("auth/app-id/map/app-id/testappid", map[string]interface{}{
-		"display_name": "test_app_id", "value": "readpol",
-	})
-	require.NoError(t, err)
-	_, err = v.vc.Logical().Write("auth/app-id/map/user-id/testuserid", map[string]interface{}{
-		"value": "testappid",
-	})
-	require.NoError(t, err)
-	_, err = v.vc.Logical().Write("auth/app-id2/map/app-id/testappid", map[string]interface{}{
-		"display_name": "test_app_id", "value": "readpol",
-	})
-	require.NoError(t, err)
-	_, err = v.vc.Logical().Write("auth/app-id2/map/user-id/testuserid", map[string]interface{}{
-		"value": "testappid",
-	})
-	require.NoError(t, err)
-
-	o, e, err := cmd(t,
-		"-d", "vault=vault:///secret",
-		"-i", `{{(ds "vault" "foo").value}}`).
-		withEnv("VAULT_ADDR", "http://"+v.addr).
-		withEnv("VAULT_APP_ID", "testappid").
-		withEnv("VAULT_USER_ID", "testuserid").
-		run()
-	assertSuccess(t, o, e, err, "bar")
-
-	o, e, err = cmd(t,
-		"-d", "vault=vault:///secret",
-		"-i", `{{(ds "vault" "foo").value}}`).
-		withEnv("VAULT_ADDR", "http://"+v.addr).
-		withEnv("VAULT_APP_ID", "testappid").
-		withEnv("VAULT_USER_ID", "testuserid").
-		withEnv("VAULT_AUTH_APP_ID_MOUNT", "app-id2").
-		run()
-	assertSuccess(t, o, e, err, "bar")
-}
-
 func TestDatasources_Vault_DynamicAuth(t *testing.T) {
 	v := setupDatasourcesVaultTest(t)
 

diff --git a/vault/auth.go b/vault/auth.go
@@ -19,7 +19,6 @@ func (v *Vault) GetToken() (string, error) {
 	// sorted in order of precedence
 	authFuncs := []func() (string, error){
 		v.AppRoleLogin,
-		v.AppIDLogin,
 		v.GitHubLogin,
 		v.UserPassLogin,
 		v.TokenLogin,
@@ -33,33 +32,6 @@ func (v *Vault) GetToken() (string, error) {
 	return "", fmt.Errorf("no vault auth methods succeeded")
 }
 
-// AppIDLogin - app-id auth backend
-func (v *Vault) AppIDLogin() (string, error) {
-	appID := env.Getenv("VAULT_APP_ID")
-	userID := env.Getenv("VAULT_USER_ID")
-
-	if appID == "" || userID == "" {
-		return "", nil
-	}
-
-	mount := env.Getenv("VAULT_AUTH_APP_ID_MOUNT", "app-id")
-
-	vars := map[string]interface{}{
-		"user_id": userID,
-	}
-
-	path := fmt.Sprintf("auth/%s/login/%s", mount, appID)
-	secret, err := v.client.Logical().Write(path, vars)
-	if err != nil {
-		return "", fmt.Errorf("appID logon failed: %w", err)
-	}
-	if secret == nil {
-		return "", fmt.Errorf("empty response from AppID logon")
-	}
-
-	return secret.Auth.ClientToken, nil
-}
-
 // AppRoleLogin - approle auth backend
 func (v *Vault) AppRoleLogin() (string, error) {
 	roleID := env.Getenv("VAULT_ROLE_ID")