
Remove support for obsolete Vault app-id auth
Signed-off-by: Dave Henderson <[email protected]>
hairyhenderson committed Mar 11, 2023
1 parent 9e33ba7 commit 7baad30
Showing 3 changed files with 0 additions and 81 deletions.
1 change: 0 additions & 1 deletion docs/content/datasources.md
Expand Up @@ -666,7 +666,6 @@ This table describes the currently-supported authentication mechanisms and how t
| auth back-end | configuration |
|-------------:|---------------|
| [`approle`](https://www.vaultproject.io/docs/auth/approle.html) | Environment variables `$VAULT_ROLE_ID` and `$VAULT_SECRET_ID` must be set to the appropriate values.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_APPROLE_MOUNT`. |
| [`app-id`](https://www.vaultproject.io/docs/auth/app-id.html) | Environment variables `$VAULT_APP_ID` and `$VAULT_USER_ID` must be set to the appropriate values.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_APP_ID_MOUNT`. |
| [`github`](https://www.vaultproject.io/docs/auth/github.html) | Environment variable `$VAULT_AUTH_GITHUB_TOKEN` must be set to an appropriate value.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_GITHUB_MOUNT`. |
| [`userpass`](https://www.vaultproject.io/docs/auth/userpass.html) | Environment variables `$VAULT_AUTH_USERNAME` and `$VAULT_AUTH_PASSWORD` must be set to the appropriate values.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_USERPASS_MOUNT`. |
| [`token`](https://www.vaultproject.io/docs/auth/token.html) | Determined from either the `$VAULT_TOKEN` environment variable, or read from the file `~/.vault-token` |
52 changes: 0 additions & 52 deletions internal/tests/integration/datasources_vault_test.go
Expand Up @@ -237,58 +237,6 @@ func TestDatasources_Vault_AppRoleAuth(t *testing.T) {
assertSuccess(t, o, e, err, "bar")
}

func TestDatasources_Vault_AppIDAuth(t *testing.T) {
// temporarily allow the deprecated pending-removal appID auth method
// when this starts failing completely, we should remove support
t.Setenv("VAULT_ALLOW_PENDING_REMOVAL_MOUNTS", "true")

v := setupDatasourcesVaultTest(t)

v.vc.Logical().Write("secret/foo", map[string]interface{}{"value": "bar"})
defer v.vc.Logical().Delete("secret/foo")
err := v.vc.Sys().EnableAuth("app-id", "app-id", "")
require.NoError(t, err)
err = v.vc.Sys().EnableAuth("app-id2", "app-id", "")
require.NoError(t, err)
defer v.vc.Sys().DisableAuth("app-id")
defer v.vc.Sys().DisableAuth("app-id2")
_, err = v.vc.Logical().Write("auth/app-id/map/app-id/testappid", map[string]interface{}{
"display_name": "test_app_id", "value": "readpol",
})
require.NoError(t, err)
_, err = v.vc.Logical().Write("auth/app-id/map/user-id/testuserid", map[string]interface{}{
"value": "testappid",
})
require.NoError(t, err)
_, err = v.vc.Logical().Write("auth/app-id2/map/app-id/testappid", map[string]interface{}{
"display_name": "test_app_id", "value": "readpol",
})
require.NoError(t, err)
_, err = v.vc.Logical().Write("auth/app-id2/map/user-id/testuserid", map[string]interface{}{
"value": "testappid",
})
require.NoError(t, err)

o, e, err := cmd(t,
"-d", "vault=vault:///secret",
"-i", `{{(ds "vault" "foo").value}}`).
withEnv("VAULT_ADDR", "http://"+v.addr).
withEnv("VAULT_APP_ID", "testappid").
withEnv("VAULT_USER_ID", "testuserid").
run()
assertSuccess(t, o, e, err, "bar")

o, e, err = cmd(t,
"-d", "vault=vault:///secret",
"-i", `{{(ds "vault" "foo").value}}`).
withEnv("VAULT_ADDR", "http://"+v.addr).
withEnv("VAULT_APP_ID", "testappid").
withEnv("VAULT_USER_ID", "testuserid").
withEnv("VAULT_AUTH_APP_ID_MOUNT", "app-id2").
run()
assertSuccess(t, o, e, err, "bar")
}

func TestDatasources_Vault_DynamicAuth(t *testing.T) {
v := setupDatasourcesVaultTest(t)

28 changes: 0 additions & 28 deletions vault/auth.go
Expand Up @@ -19,7 +19,6 @@ func (v *Vault) GetToken() (string, error) {
// sorted in order of precedence
authFuncs := []func() (string, error){
v.AppRoleLogin,
v.AppIDLogin,
v.GitHubLogin,
v.UserPassLogin,
v.TokenLogin,
Expand All @@ -33,33 +32,6 @@ func (v *Vault) GetToken() (string, error) {
return "", fmt.Errorf("no vault auth methods succeeded")
}

// AppIDLogin - app-id auth backend
func (v *Vault) AppIDLogin() (string, error) {
appID := env.Getenv("VAULT_APP_ID")
userID := env.Getenv("VAULT_USER_ID")

if appID == "" || userID == "" {
return "", nil
}

mount := env.Getenv("VAULT_AUTH_APP_ID_MOUNT", "app-id")

vars := map[string]interface{}{
"user_id": userID,
}

path := fmt.Sprintf("auth/%s/login/%s", mount, appID)
secret, err := v.client.Logical().Write(path, vars)
if err != nil {
return "", fmt.Errorf("appID logon failed: %w", err)
}
if secret == nil {
return "", fmt.Errorf("empty response from AppID logon")
}

return secret.Auth.ClientToken, nil
}

// AppRoleLogin - approle auth backend
func (v *Vault) AppRoleLogin() (string, error) {
roleID := env.Getenv("VAULT_ROLE_ID")
