2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2017-09-02 22:50:42 +00:00
|
|
|
package token
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
"os"
|
2017-09-08 02:04:30 +00:00
|
|
|
"strconv"
|
2017-09-02 22:50:42 +00:00
|
|
|
"strings"
|
|
|
|
|
2021-07-16 00:17:31 +00:00
|
|
|
"github.com/hashicorp/go-secure-stdlib/password"
|
2017-09-02 22:50:42 +00:00
|
|
|
"github.com/hashicorp/vault/api"
|
|
|
|
)
|
|
|
|
|
|
|
|
type CLIHandler struct {
|
2017-09-03 04:09:18 +00:00
|
|
|
// for tests
|
|
|
|
testStdin io.Reader
|
|
|
|
testStdout io.Writer
|
2017-09-02 22:50:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
|
2017-09-08 02:04:30 +00:00
|
|
|
// Parse "lookup" first - we want to return an early error if the user
|
|
|
|
// supplied an invalid value here before we prompt them for a token. It would
|
|
|
|
// be annoying to type your token and then be told you supplied an invalid
|
|
|
|
// value that we could have known in advance.
|
|
|
|
lookup := true
|
|
|
|
if x, ok := m["lookup"]; ok {
|
|
|
|
parsed, err := strconv.ParseBool(x)
|
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("Failed to parse \"lookup\" as boolean: %w", err)
|
2017-09-08 02:04:30 +00:00
|
|
|
}
|
|
|
|
lookup = parsed
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parse the token.
|
2017-09-02 22:50:42 +00:00
|
|
|
token, ok := m["token"]
|
|
|
|
if !ok {
|
|
|
|
// Override the output
|
|
|
|
stdout := h.testStdout
|
|
|
|
if stdout == nil {
|
2018-01-18 17:14:19 +00:00
|
|
|
stdout = os.Stderr
|
2017-09-02 22:50:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// No arguments given, read the token from user input
|
|
|
|
fmt.Fprintf(stdout, "Token (will be hidden): ")
|
|
|
|
var err error
|
|
|
|
token, err = password.Read(os.Stdin)
|
|
|
|
fmt.Fprintf(stdout, "\n")
|
2017-09-03 04:09:18 +00:00
|
|
|
|
2017-09-02 22:50:42 +00:00
|
|
|
if err != nil {
|
2017-09-03 04:09:18 +00:00
|
|
|
if err == password.ErrInterrupted {
|
|
|
|
return nil, fmt.Errorf("user interrupted")
|
|
|
|
}
|
|
|
|
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("An error occurred attempting to "+
|
2017-09-03 04:09:18 +00:00
|
|
|
"ask for a token. The raw error message is shown below, but usually "+
|
|
|
|
"this is because you attempted to pipe a value into the command or "+
|
|
|
|
"you are executing outside of a terminal (tty). If you want to pipe "+
|
|
|
|
"the value, pass \"-\" as the argument to read from stdin. The raw "+
|
2021-04-22 15:20:59 +00:00
|
|
|
"error was: %w", err)
|
2017-09-02 22:50:42 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Remove any whitespace, etc.
|
|
|
|
token = strings.TrimSpace(token)
|
|
|
|
|
|
|
|
if token == "" {
|
|
|
|
return nil, fmt.Errorf(
|
2018-04-09 18:35:21 +00:00
|
|
|
"a token must be passed to auth, please view the help for more " +
|
|
|
|
"information")
|
2017-09-02 22:50:42 +00:00
|
|
|
}
|
|
|
|
|
2017-09-08 02:04:30 +00:00
|
|
|
// If the user declined verification, return now. Note that we will not have
|
|
|
|
// a lot of information about the token.
|
|
|
|
if !lookup {
|
|
|
|
return &api.Secret{
|
|
|
|
Auth: &api.SecretAuth{
|
|
|
|
ClientToken: token,
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// If we got this far, we want to lookup and lookup the token and pull it's
|
|
|
|
// list of policies an metadata.
|
|
|
|
c.SetToken(token)
|
|
|
|
c.SetWrappingLookupFunc(func(string, string) string { return "" })
|
|
|
|
|
|
|
|
secret, err := c.Auth().Token().LookupSelf()
|
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("error looking up token: %w", err)
|
2017-09-08 02:04:30 +00:00
|
|
|
}
|
|
|
|
if secret == nil {
|
2018-04-05 15:49:21 +00:00
|
|
|
return nil, fmt.Errorf("empty response from lookup-self")
|
2017-09-08 02:04:30 +00:00
|
|
|
}
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
// Return an auth struct that "looks" like the response from an auth method.
|
2017-09-08 02:04:30 +00:00
|
|
|
// lookup and lookup-self return their data in data, not auth. We try to
|
|
|
|
// mirror that data here.
|
2017-10-07 22:41:07 +00:00
|
|
|
id, err := secret.TokenID()
|
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("error accessing token ID: %w", err)
|
2017-10-07 22:41:07 +00:00
|
|
|
}
|
|
|
|
accessor, err := secret.TokenAccessor()
|
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("error accessing token accessor: %w", err)
|
2017-10-07 22:41:07 +00:00
|
|
|
}
|
2018-06-14 13:49:33 +00:00
|
|
|
// This populates secret.Auth
|
|
|
|
_, err = secret.TokenPolicies()
|
2017-10-07 22:41:07 +00:00
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("error accessing token policies: %w", err)
|
2017-10-07 22:41:07 +00:00
|
|
|
}
|
|
|
|
metadata, err := secret.TokenMetadata()
|
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("error accessing token metadata: %w", err)
|
2017-10-07 22:41:07 +00:00
|
|
|
}
|
|
|
|
dur, err := secret.TokenTTL()
|
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("error converting token TTL: %w", err)
|
2017-10-07 22:41:07 +00:00
|
|
|
}
|
|
|
|
renewable, err := secret.TokenIsRenewable()
|
|
|
|
if err != nil {
|
2021-04-22 15:20:59 +00:00
|
|
|
return nil, fmt.Errorf("error checking if token is renewable: %w", err)
|
2017-10-07 22:41:07 +00:00
|
|
|
}
|
2017-09-02 22:50:42 +00:00
|
|
|
return &api.Secret{
|
|
|
|
Auth: &api.SecretAuth{
|
2018-06-14 13:49:33 +00:00
|
|
|
ClientToken: id,
|
|
|
|
Accessor: accessor,
|
|
|
|
Policies: secret.Auth.Policies,
|
|
|
|
TokenPolicies: secret.Auth.TokenPolicies,
|
|
|
|
IdentityPolicies: secret.Auth.IdentityPolicies,
|
|
|
|
Metadata: metadata,
|
2017-09-08 02:04:30 +00:00
|
|
|
|
2017-10-07 22:41:07 +00:00
|
|
|
LeaseDuration: int(dur.Seconds()),
|
|
|
|
Renewable: renewable,
|
2017-09-02 22:50:42 +00:00
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *CLIHandler) Help() string {
|
|
|
|
help := `
|
2017-09-06 14:02:15 +00:00
|
|
|
Usage: vault login TOKEN [CONFIG K=V...]
|
2017-09-02 22:50:42 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The token auth method allows logging in directly with a token. This
|
2017-09-06 14:02:15 +00:00
|
|
|
can be a token from the "token-create" command or API. There are no
|
2017-09-13 01:48:52 +00:00
|
|
|
configuration options for this auth method.
|
2017-09-02 22:50:42 +00:00
|
|
|
|
|
|
|
Authenticate using a token:
|
|
|
|
|
2017-09-06 14:02:15 +00:00
|
|
|
$ vault login 96ddf4bc-d217-f3ba-f9bd-017055595017
|
2017-09-02 22:50:42 +00:00
|
|
|
|
2017-09-08 02:04:30 +00:00
|
|
|
Authenticate but do not lookup information about the token:
|
|
|
|
|
|
|
|
$ vault login token=96ddf4bc-d217-f3ba-f9bd-017055595017 lookup=false
|
|
|
|
|
2017-09-02 22:50:42 +00:00
|
|
|
This token usually comes from a different source such as the API or via the
|
2018-01-15 20:19:28 +00:00
|
|
|
built-in "vault token create" command.
|
2017-09-02 22:50:42 +00:00
|
|
|
|
|
|
|
Configuration:
|
|
|
|
|
|
|
|
token=<string>
|
|
|
|
The token to use for authentication. This is usually provided directly
|
2017-09-06 14:02:15 +00:00
|
|
|
via the "vault login" command.
|
2017-09-08 02:04:30 +00:00
|
|
|
|
|
|
|
lookup=<bool>
|
|
|
|
Perform a lookup of the token's metadata and policies.
|
2017-09-02 22:50:42 +00:00
|
|
|
`
|
|
|
|
|
|
|
|
return strings.TrimSpace(help)
|
|
|
|
}
|