luxolus/open-consul
2
0
Fork 0
Code Issues 1 Pull requests Packages Releases Wiki Activity
open-consul/agent/connect/ca/provider_vault_auth_approle.go
John Eikenberry 95288615fa
add provider ca support for approle auth-method 
Adds support for the approle auth-method. Only handles using the approle
role/secret to auth and it doesn't support the agent's extra management
configuration options (wrap and delete after read) as they are not
required as part of the auth (ie. they are vault agent things).
2023-03-03 19:29:53 +00:00

67 lines
2 KiB
Go
Raw Blame History

package ca
import (
"bytes"
"fmt"
"os"
"strings"
"github.com/hashicorp/consul/agent/structs"
)
// left out 2 config options as we are re-using vault agent's auth config.
// Why?
// remove_secret_id_file_after_reading - don't remove what we don't own
// secret_id_response_wrapping_path - wrapping the secret before writing to disk
// (which we don't need to do)
func NewAppRoleAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
authClient := NewVaultAPIAuthClient(authMethod, "")
// check for hardcoded /login params
if legacyCheck(authMethod.Params, "role_id", "secret_id") {
return authClient, nil
}
// check for required config params
key := "role_id_file_path"
if val, ok := authMethod.Params[key].(string); !ok {
return nil, fmt.Errorf("missing '%s' value", key)
} else if strings.TrimSpace(val) == "" {
return nil, fmt.Errorf("'%s' value is empty", key)
}
authClient.LoginDataGen = ArLoginDataGen
return authClient, nil
}
func ArLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
// don't need to check for legacy params as this func isn't used in that case
params := authMethod.Params
// role_id is required
roleIdFilePath := params["role_id_file_path"].(string)
// secret_id is optional (secret_ok is used in check below)
// secretIdFilePath, secret_ok := params["secret_id_file_path"].(string)
secretIdFilePath, hasSecret := params["secret_id_file_path"].(string)
if hasSecret && strings.TrimSpace(secretIdFilePath) == "" {
hasSecret = false
}
var err error
var rawRoleID, rawSecretID []byte
data := make(map[string]any)
if rawRoleID, err = os.ReadFile(roleIdFilePath); err != nil {
return nil, err
}
data["role_id"] = string(rawRoleID)
if hasSecret {
switch rawSecretID, err = os.ReadFile(secretIdFilePath); {
case err != nil:
return nil, err
case len(bytes.TrimSpace(rawSecretID)) > 0:
data["secret_id"] = strings.TrimSpace(string(rawSecretID))
}
}
return data, nil
}
Reference in a new issue View git blame Copy permalink