2015-05-06 01:54:27 +00:00
|
|
|
package ldap
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"os"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
|
|
pwd "github.com/hashicorp/vault/helper/password"
|
|
|
|
)
|
|
|
|
|
|
|
|
type CLIHandler struct{}
|
|
|
|
|
2017-08-31 20:57:00 +00:00
|
|
|
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
|
2015-05-06 01:54:27 +00:00
|
|
|
mount, ok := m["mount"]
|
|
|
|
if !ok {
|
|
|
|
mount = "ldap"
|
|
|
|
}
|
|
|
|
|
|
|
|
username, ok := m["username"]
|
|
|
|
if !ok {
|
2016-12-02 17:44:13 +00:00
|
|
|
username = usernameFromEnv()
|
|
|
|
if username == "" {
|
2017-08-31 20:57:00 +00:00
|
|
|
return nil, fmt.Errorf("'username' not supplied and neither 'LOGNAME' nor 'USER' env vars set")
|
2016-12-02 17:44:13 +00:00
|
|
|
}
|
2015-05-06 01:54:27 +00:00
|
|
|
}
|
|
|
|
password, ok := m["password"]
|
|
|
|
if !ok {
|
|
|
|
fmt.Printf("Password (will be hidden): ")
|
|
|
|
var err error
|
|
|
|
password, err = pwd.Read(os.Stdin)
|
|
|
|
fmt.Println()
|
|
|
|
if err != nil {
|
2017-08-31 20:57:00 +00:00
|
|
|
return nil, err
|
2015-05-06 01:54:27 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-07-27 18:28:09 +00:00
|
|
|
data := map[string]interface{}{
|
2015-05-06 01:54:27 +00:00
|
|
|
"password": password,
|
2015-07-27 18:28:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
mfa_method, ok := m["method"]
|
|
|
|
if ok {
|
|
|
|
data["method"] = mfa_method
|
|
|
|
}
|
|
|
|
mfa_passcode, ok := m["passcode"]
|
|
|
|
if ok {
|
|
|
|
data["passcode"] = mfa_passcode
|
|
|
|
}
|
|
|
|
|
|
|
|
path := fmt.Sprintf("auth/%s/login/%s", mount, username)
|
|
|
|
secret, err := c.Logical().Write(path, data)
|
2015-05-06 01:54:27 +00:00
|
|
|
if err != nil {
|
2017-08-31 20:57:00 +00:00
|
|
|
return nil, err
|
2015-05-06 01:54:27 +00:00
|
|
|
}
|
|
|
|
if secret == nil {
|
2017-08-31 20:57:00 +00:00
|
|
|
return nil, fmt.Errorf("empty response from credential provider")
|
2015-05-06 01:54:27 +00:00
|
|
|
}
|
|
|
|
|
2017-08-31 20:57:00 +00:00
|
|
|
return secret, nil
|
2015-05-06 01:54:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (h *CLIHandler) Help() string {
|
|
|
|
help := `
|
|
|
|
The LDAP credential provider allows you to authenticate with LDAP.
|
|
|
|
To use it, first configure it through the "config" endpoint, and then
|
|
|
|
login by specifying username and password. If password is not provided
|
|
|
|
on the command line, it will be read from stdin.
|
|
|
|
|
2015-07-28 04:12:11 +00:00
|
|
|
If multi-factor authentication (MFA) is enabled, a "method" and/or "passcode"
|
|
|
|
may be provided depending on the MFA backend enabled. To check
|
|
|
|
which MFA backend is in use, read "auth/[mount]/mfa_config".
|
|
|
|
|
2015-05-06 01:54:27 +00:00
|
|
|
Example: vault auth -method=ldap username=john
|
|
|
|
|
|
|
|
`
|
|
|
|
|
|
|
|
return strings.TrimSpace(help)
|
|
|
|
}
|
2016-12-02 17:44:13 +00:00
|
|
|
|
|
|
|
func usernameFromEnv() string {
|
2017-02-08 05:47:06 +00:00
|
|
|
if logname := os.Getenv("LOGNAME"); logname != "" {
|
2016-12-02 17:44:13 +00:00
|
|
|
return logname
|
|
|
|
}
|
2017-02-08 05:47:06 +00:00
|
|
|
if user := os.Getenv("USER"); user != "" {
|
2016-12-02 17:44:13 +00:00
|
|
|
return user
|
|
|
|
}
|
|
|
|
return ""
|
|
|
|
}
|