open-vault/api/auth.go

package api

import (
	"context"
	"fmt"
)

// Auth is used to perform credential backend related operations.
type Auth struct {
	c *Client
}

type AuthMethod interface {
	Login(ctx context.Context, client *Client) (*Secret, error)
}

// Auth is used to return the client for credential-backend API calls.
func (c *Client) Auth() *Auth {
	return &Auth{c: c}
}

// Login sets up the required request body for login requests to the given auth
// method's /login API endpoint, and then performs a write to it. After a
// successful login, this method will automatically set the client's token to
// the login response's ClientToken as well.
//
// The Secret returned is the authentication secret, which if desired can be
// passed as input to the NewLifetimeWatcher method in order to start
// automatically renewing the token.
func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error) {
	if authMethod == nil {
		return nil, fmt.Errorf("no auth method provided for login")
	}

	authSecret, err := authMethod.Login(ctx, a.c)
	if err != nil {
		return nil, fmt.Errorf("unable to log in to auth method: %w", err)
	}
	if authSecret == nil || authSecret.Auth == nil || authSecret.Auth.ClientToken == "" {
		return nil, fmt.Errorf("login response from auth method did not return client token")
	}

	a.c.SetToken(authSecret.Auth.ClientToken)

	return authSecret, nil
}
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`package api`

Native Login method for Go client (#12796) * Native Login method, userpass and approle interfaces to implement it * Add AWS auth interface for Login, unexported struct fields for now * Add Kubernetes client login * Add changelog * Add a test for approle client login * Return errors from LoginOptions, use limited reader for secret ID * Fix auth comment length * Return actual type not interface, check for client token in tests * Require specification of secret ID location using SecretID struct as AppRole arg * Allow password from env, file, or plaintext * Add flexibility in how to fetch k8s service token, but still with default * Avoid passing strings that need to be validated by just having different login options * Try a couple real tests with approle and userpass login * Fix method name in comment * Add context to Login methods, remove comments about certain sources being inherently insecure * Perform read of secret ID at login time * Read password from file at login time * Pass context in integ tests * Read env var values in at login time, add extra tests * Update api version * Revert "Update api version" This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679. * Update api version in all go.mod files 2021-10-26 23:48:48 +00:00			`import (`
			`"context"`
			`"fmt"`
			`)`

api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`// Auth is used to perform credential backend related operations.`
			`type Auth struct {`
			`c *Client`
			`}`

Native Login method for Go client (#12796) * Native Login method, userpass and approle interfaces to implement it * Add AWS auth interface for Login, unexported struct fields for now * Add Kubernetes client login * Add changelog * Add a test for approle client login * Return errors from LoginOptions, use limited reader for secret ID * Fix auth comment length * Return actual type not interface, check for client token in tests * Require specification of secret ID location using SecretID struct as AppRole arg * Allow password from env, file, or plaintext * Add flexibility in how to fetch k8s service token, but still with default * Avoid passing strings that need to be validated by just having different login options * Try a couple real tests with approle and userpass login * Fix method name in comment * Add context to Login methods, remove comments about certain sources being inherently insecure * Perform read of secret ID at login time * Read password from file at login time * Pass context in integ tests * Read env var values in at login time, add extra tests * Update api version * Revert "Update api version" This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679. * Update api version in all go.mod files 2021-10-26 23:48:48 +00:00			`type AuthMethod interface {`
			`Login(ctx context.Context, client Client) (Secret, error)`
			`}`

Remove RevokePrefix from the API too as we simply do not support it any longer. 2016-04-05 15:00:12 +00:00			`// Auth is used to return the client for credential-backend API calls.`
api: client library methods to get tokens 2015-04-05 00:53:59 +00:00			`func (c Client) Auth() Auth {`
			`return &Auth{c: c}`
			`}`
Native Login method for Go client (#12796) * Native Login method, userpass and approle interfaces to implement it * Add AWS auth interface for Login, unexported struct fields for now * Add Kubernetes client login * Add changelog * Add a test for approle client login * Return errors from LoginOptions, use limited reader for secret ID * Fix auth comment length * Return actual type not interface, check for client token in tests * Require specification of secret ID location using SecretID struct as AppRole arg * Allow password from env, file, or plaintext * Add flexibility in how to fetch k8s service token, but still with default * Avoid passing strings that need to be validated by just having different login options * Try a couple real tests with approle and userpass login * Fix method name in comment * Add context to Login methods, remove comments about certain sources being inherently insecure * Perform read of secret ID at login time * Read password from file at login time * Pass context in integ tests * Read env var values in at login time, add extra tests * Update api version * Revert "Update api version" This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679. * Update api version in all go.mod files 2021-10-26 23:48:48 +00:00
			`// Login sets up the required request body for login requests to the given auth`
			`// method's /login API endpoint, and then performs a write to it. After a`
			`// successful login, this method will automatically set the client's token to`
			`// the login response's ClientToken as well.`
			`//`
			`// The Secret returned is the authentication secret, which if desired can be`
			`// passed as input to the NewLifetimeWatcher method in order to start`
			`// automatically renewing the token.`
			`func (a Auth) Login(ctx context.Context, authMethod AuthMethod) (Secret, error) {`
			`if authMethod == nil {`
			`return nil, fmt.Errorf("no auth method provided for login")`
			`}`

			`authSecret, err := authMethod.Login(ctx, a.c)`
			`if err != nil {`
			`return nil, fmt.Errorf("unable to log in to auth method: %w", err)`
			`}`
			`if authSecret == nil \|\| authSecret.Auth == nil \|\| authSecret.Auth.ClientToken == "" {`
			`return nil, fmt.Errorf("login response from auth method did not return client token")`
			`}`

			`a.c.SetToken(authSecret.Auth.ClientToken)`

			`return authSecret, nil`
			`}`