open-consul/agent/connect/ca/provider_vault_auth_jwt.go

package ca

import (
	"fmt"
	"os"
	"strings"

	"github.com/hashicorp/consul/agent/structs"
)

func NewJwtAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
	params := authMethod.Params

	role, ok := params["role"].(string)
	if !ok || strings.TrimSpace(role) == "" {
		return nil, fmt.Errorf("missing 'role' value")
	}

	authClient := NewVaultAPIAuthClient(authMethod, "")
	if legacyCheck(params, "jwt") {
		return authClient, nil
	}

	// The path is required for the auto-auth config, but this auth provider
	// seems to be used for jwt based auth by directly passing the jwt token.
	// So we only require the token file path if the token string isn't
	// present.
	tokenPath, ok := params["path"].(string)
	if !ok || strings.TrimSpace(tokenPath) == "" {
		return nil, fmt.Errorf("missing 'path' value")
	}
	authClient.LoginDataGen = JwtLoginDataGen
	return authClient, nil
}

func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
	params := authMethod.Params
	role := params["role"].(string)

	tokenPath := params["path"].(string)
	rawToken, err := os.ReadFile(tokenPath)
	if err != nil {
		return nil, err
	}

	return map[string]any{
		"role": role,
		"jwt":  strings.TrimSpace(string(rawToken)),
	}, nil
}
add provider ca support for jwt file base auth Adds support for a jwt token in a file. Simply reads the file and sends the read in jwt along to the vault login. It also supports a legacy mode with the jwt string being passed directly. In which case the path is made optional. 2023-03-02 20:33:06 +00:00			`package ca`

			`import (`
			`"fmt"`
			`"os"`
			`"strings"`

			`"github.com/hashicorp/consul/agent/structs"`
			`)`

			`func NewJwtAuthClient(authMethod structs.VaultAuthMethod) (VaultAuthClient, error) {`
			`params := authMethod.Params`

			`role, ok := params["role"].(string)`
			`if !ok \|\| strings.TrimSpace(role) == "" {`
			`return nil, fmt.Errorf("missing 'role' value")`
			`}`

			`authClient := NewVaultAPIAuthClient(authMethod, "")`
			`if legacyCheck(params, "jwt") {`
			`return authClient, nil`
			`}`

			`// The path is required for the auto-auth config, but this auth provider`
			`// seems to be used for jwt based auth by directly passing the jwt token.`
			`// So we only require the token file path if the token string isn't`
			`// present.`
			`tokenPath, ok := params["path"].(string)`
			`if !ok \|\| strings.TrimSpace(tokenPath) == "" {`
			`return nil, fmt.Errorf("missing 'path' value")`
			`}`
			`authClient.LoginDataGen = JwtLoginDataGen`
			`return authClient, nil`
			`}`

			`func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {`
			`params := authMethod.Params`
			`role := params["role"].(string)`

			`tokenPath := params["path"].(string)`
			`rawToken, err := os.ReadFile(tokenPath)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return map[string]any{`
			`"role": role,`
			`"jwt": strings.TrimSpace(string(rawToken)),`
			`}, nil`
			`}`