a75800a988
Adds support for a jwt token in a file. Simply reads the file and sends the read in jwt along to the vault login. It also supports a legacy mode with the jwt string being passed directly. In which case the path is made optional.
51 lines
1.2 KiB
Go
51 lines
1.2 KiB
Go
package ca
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
func NewJwtAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
|
|
params := authMethod.Params
|
|
|
|
role, ok := params["role"].(string)
|
|
if !ok || strings.TrimSpace(role) == "" {
|
|
return nil, fmt.Errorf("missing 'role' value")
|
|
}
|
|
|
|
authClient := NewVaultAPIAuthClient(authMethod, "")
|
|
if legacyCheck(params, "jwt") {
|
|
return authClient, nil
|
|
}
|
|
|
|
// The path is required for the auto-auth config, but this auth provider
|
|
// seems to be used for jwt based auth by directly passing the jwt token.
|
|
// So we only require the token file path if the token string isn't
|
|
// present.
|
|
tokenPath, ok := params["path"].(string)
|
|
if !ok || strings.TrimSpace(tokenPath) == "" {
|
|
return nil, fmt.Errorf("missing 'path' value")
|
|
}
|
|
authClient.LoginDataGen = JwtLoginDataGen
|
|
return authClient, nil
|
|
}
|
|
|
|
func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
|
|
params := authMethod.Params
|
|
role := params["role"].(string)
|
|
|
|
tokenPath := params["path"].(string)
|
|
rawToken, err := os.ReadFile(tokenPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return map[string]any{
|
|
"role": role,
|
|
"jwt": strings.TrimSpace(string(rawToken)),
|
|
}, nil
|
|
}
|