open-vault/builtin/credential/cert/cli.go

package cert

import (
	"fmt"
	"strings"

	"github.com/hashicorp/vault/api"
	"github.com/mitchellh/mapstructure"
)

type CLIHandler struct{}

func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
	var data struct {
		Mount string `mapstructure:"mount"`
		Name  string `mapstructure:"name"`
	}
	if err := mapstructure.WeakDecode(m, &data); err != nil {
		return "", err
	}

	if data.Mount == "" {
		data.Mount = "cert"
	}

	options := map[string]interface{}{
		"name": data.Name,
	}
	path := fmt.Sprintf("auth/%s/login", data.Mount)
	secret, err := c.Logical().Write(path, options)
	if err != nil {
		return "", err
	}
	if secret == nil {
		return "", fmt.Errorf("empty response from credential provider")
	}

	return secret.Auth.ClientToken, nil
}

func (h *CLIHandler) Help() string {
	help := `
The "cert" credential provider allows you to authenticate with a
client certificate. No other authentication materials are needed.
Optionally, you may specify the specific certificate role to
authenticate against with the "name" parameter.

    Example: vault auth -method=cert \
                        -client-cert=/path/to/cert.pem \
                        -client-key=/path/to/key.pem
                        name=cert1

	`

	return strings.TrimSpace(help)
}
enable CLI cert login 2015-06-30 03:29:41 +00:00			`package cert`

			`import (`
			`"fmt"`
			`"strings"`

			`"github.com/hashicorp/vault/api"`
			`"github.com/mitchellh/mapstructure"`
			`)`

			`type CLIHandler struct{}`

			`func (h CLIHandler) Auth(c api.Client, m map[string]string) (string, error) {`
			`var data struct {`
Add STS path to AWS backend. The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user. 2015-12-08 04:32:49 +00:00			Mount string `mapstructure:"mount"`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			Name string `mapstructure:"name"`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`}`
			`if err := mapstructure.WeakDecode(m, &data); err != nil {`
			`return "", err`
			`}`

			`if data.Mount == "" {`
			`data.Mount = "cert"`
			`}`

Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`options := map[string]interface{}{`
			`"name": data.Name,`
			`}`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`path := fmt.Sprintf("auth/%s/login", data.Mount)`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`secret, err := c.Logical().Write(path, options)`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`if err != nil {`
			`return "", err`
			`}`
			`if secret == nil {`
			`return "", fmt.Errorf("empty response from credential provider")`
			`}`

			`return secret.Auth.ClientToken, nil`
			`}`

			`func (h *CLIHandler) Help() string {`
			help := `
			`The "cert" credential provider allows you to authenticate with a`
			`client certificate. No other authentication materials are needed.`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`Optionally, you may specify the specific certificate role to`
			`authenticate against with the "name" parameter.`
enable CLI cert login 2015-06-30 03:29:41 +00:00
Provide working example of TLS certificate authentication Fixes #474 2015-08-07 22:15:53 +00:00			`Example: vault auth -method=cert \`
			`-client-cert=/path/to/cert.pem \`
			`-client-key=/path/to/key.pem`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`name=cert1`
enable CLI cert login 2015-06-30 03:29:41 +00:00
			`

			`return strings.TrimSpace(help)`
			`}`