Switch to using official Go Vault client (#177)

hairyhenderson · Aug 4, 2017 · d407614 · d407614
1 parent 72ebf62
commit d407614
Show file tree

Hide file tree

Showing 2,197 changed files with 850,552 additions and 1,021 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/data.go b/data.go
@@ -90,7 +90,7 @@ type Source struct {
 	Params map[string]string
 	FS     vfs.Filesystem // used for file: URLs, nil otherwise
 	HC     *http.Client   // used for http[s]: URLs, nil otherwise
-	VC     *vault.Client  //used for vault: URLs, nil otherwise
+	VC     *vault.Vault   // used for vault: URLs, nil otherwise
 	KV     *libkv.LibKV   // used for consul:, etcd:, zookeeper: & boltdb: URLs, nil otherwise
 	Header http.Header    // used for http[s]: URLs, nil otherwise
 }
@@ -314,12 +314,9 @@ func readHTTP(source *Source, args ...string) ([]byte, error) {
 
 func readVault(source *Source, args ...string) ([]byte, error) {
 	if source.VC == nil {
-		source.VC = vault.NewClient()
-		err := source.VC.Login()
-		addCleanupHook(source.VC.RevokeToken)
-		if err != nil {
-			return nil, err
-		}
+		source.VC = vault.New()
+		source.VC.Login()
+		addCleanupHook(source.VC.Logout)
 	}
 
 	p := source.URL.Path

diff --git a/vault/auth.go b/vault/auth.go
@@ -0,0 +1,178 @@
+package vault
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+
+	"github.com/blang/vfs"
+	"github.com/hairyhenderson/gomplate/env"
+)
+
+// GetToken -
+func (v *Vault) GetToken() string {
+	if token := v.AppRoleLogin(); token != "" {
+		return token
+	}
+	if token := v.AppIDLogin(); token != "" {
+		return token
+	}
+	if token := v.GitHubLogin(); token != "" {
+		return token
+	}
+	if token := v.UserPassLogin(); token != "" {
+		return token
+	}
+	if token := v.TokenLogin(); token != "" {
+		return token
+	}
+	logFatal("All vault auth failed")
+	return ""
+}
+
+// AppIDLogin - app-id auth backend
+func (v *Vault) AppIDLogin() string {
+	appID := env.Getenv("VAULT_APP_ID")
+	userID := env.Getenv("VAULT_USER_ID")
+
+	if appID == "" {
+		return ""
+	}
+	if userID == "" {
+		return ""
+	}
+
+	mount := env.Getenv("VAULT_AUTH_APP_ID_MOUNT", "app-id")
+
+	vars := map[string]interface{}{
+		"user_id": userID,
+	}
+
+	path := fmt.Sprintf("auth/%s/login/%s", mount, appID)
+	secret, err := v.client.Logical().Write(path, vars)
+	if err != nil {
+		logFatal("AppID logon failed", err)
+	}
+	if secret == nil {
+		logFatal("Empty response from AppID logon")
+	}
+
+	return secret.Auth.ClientToken
+}
+
+// AppRoleLogin - approle auth backend
+func (v *Vault) AppRoleLogin() string {
+	roleID := env.Getenv("VAULT_ROLE_ID")
+	secretID := env.Getenv("VAULT_SECRET_ID")
+
+	if roleID == "" {
+		return ""
+	}
+	if secretID == "" {
+		return ""
+	}
+
+	mount := env.Getenv("VAULT_AUTH_APPROLE_MOUNT", "approle")
+
+	vars := map[string]interface{}{
+		"role_id":   roleID,
+		"secret_id": secretID,
+	}
+
+	path := fmt.Sprintf("auth/%s/login", mount)
+	secret, err := v.client.Logical().Write(path, vars)
+	if err != nil {
+		logFatal("AppRole logon failed", err)
+	}
+	if secret == nil {
+		logFatal("Empty response from AppRole logon")
+	}
+
+	return secret.Auth.ClientToken
+}
+
+// GitHubLogin - github auth backend
+func (v *Vault) GitHubLogin() string {
+	githubToken := env.Getenv("VAULT_AUTH_GITHUB_TOKEN")
+
+	if githubToken == "" {
+		return ""
+	}
+
+	mount := env.Getenv("VAULT_AUTH_GITHUB_MOUNT", "github")
+
+	vars := map[string]interface{}{
+		"token": githubToken,
+	}
+
+	path := fmt.Sprintf("auth/%s/login", mount)
+	secret, err := v.client.Logical().Write(path, vars)
+	if err != nil {
+		logFatal("AppRole logon failed", err)
+	}
+	if secret == nil {
+		logFatal("Empty response from AppRole logon")
+	}
+
+	return secret.Auth.ClientToken
+}
+
+// UserPassLogin - userpass auth backend
+func (v *Vault) UserPassLogin() string {
+	username := env.Getenv("VAULT_AUTH_USERNAME")
+	password := env.Getenv("VAULT_AUTH_PASSWORD")
+
+	if username == "" {
+		return ""
+	}
+	if password == "" {
+		return ""
+	}
+
+	mount := env.Getenv("VAULT_AUTH_USERPASS_MOUNT", "userpass")
+
+	vars := map[string]interface{}{
+		"password": password,
+	}
+
+	path := fmt.Sprintf("auth/%s/login/%s", mount, username)
+	secret, err := v.client.Logical().Write(path, vars)
+	if err != nil {
+		logFatal("UserPass logon failed", err)
+	}
+	if secret == nil {
+		logFatal("Empty response from UserPass logon")
+	}
+
+	return secret.Auth.ClientToken
+}
+
+// TokenLogin -
+func (v *Vault) TokenLogin() string {
+	if token := env.Getenv("VAULT_TOKEN"); token != "" {
+		return token
+	}
+	fs := vfs.OS()
+	f, err := fs.OpenFile(path.Join(v.homeDir(), ".vault-token"), os.O_RDONLY, 0)
+	if err != nil {
+		return ""
+	}
+	b, err := ioutil.ReadAll(f)
+	if err != nil {
+		return ""
+	}
+	return string(b)
+}
+
+func (v *Vault) homeDir() string {
+	if home := os.Getenv("HOME"); home != "" {
+		return home
+	}
+	if home := os.Getenv("USERPROFILE"); home != "" {
+		return home
+	}
+	logFatal(`Neither HOME nor USERPROFILE environment variables are set!
+		I can't figure out where the current user's home directory is!`)
+	return ""
+}