open-vault/builtin/credential/cert/cli.go

package cert

import (
	"fmt"
	"strings"

	"github.com/hashicorp/vault/api"
	"github.com/mitchellh/mapstructure"
)

type CLIHandler struct{}

func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
	var data struct {
		Mount string `mapstructure:"mount"`
		Name  string `mapstructure:"name"`
	}
	if err := mapstructure.WeakDecode(m, &data); err != nil {
		return nil, err
	}

	if data.Mount == "" {
		data.Mount = "cert"
	}

	options := map[string]interface{}{
		"name": data.Name,
	}
	path := fmt.Sprintf("auth/%s/login", data.Mount)
	secret, err := c.Logical().Write(path, options)
	if err != nil {
		return nil, err
	}
	if secret == nil {
		return nil, fmt.Errorf("empty response from credential provider")
	}

	return secret, nil
}

func (h *CLIHandler) Help() string {
	help := `
Usage: vault auth -method=cert [CONFIG K=V...]

  The certificate authentication provider allows uers to authenticate with a
  client certificate passed with the request. The -client-cert and -client-key
  flags are included with the "vault auth" command, NOT as configuration to
  the authentication provider.

  Authenticate using a local client certificate:

      $ vault auth -method=cert -client-cert=cert.pem -client-key=key.pem

Configuration:

  name=<string>
      Certificate role to authenticate against.

`

	return strings.TrimSpace(help)
}
enable CLI cert login 2015-06-30 03:29:41 +00:00			`package cert`

			`import (`
			`"fmt"`
			`"strings"`

			`"github.com/hashicorp/vault/api"`
			`"github.com/mitchellh/mapstructure"`
			`)`

			`type CLIHandler struct{}`

Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`func (h CLIHandler) Auth(c api.Client, m map[string]string) (*api.Secret, error) {`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`var data struct {`
Add STS path to AWS backend. The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user. 2015-12-08 04:32:49 +00:00			Mount string `mapstructure:"mount"`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			Name string `mapstructure:"name"`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`}`
			`if err := mapstructure.WeakDecode(m, &data); err != nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, err`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`}`

			`if data.Mount == "" {`
			`data.Mount = "cert"`
			`}`

Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`options := map[string]interface{}{`
			`"name": data.Name,`
			`}`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`path := fmt.Sprintf("auth/%s/login", data.Mount)`
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice 2017-04-30 15:37:10 +00:00			`secret, err := c.Logical().Write(path, options)`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`if err != nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, err`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`}`
			`if secret == nil {`
Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return nil, fmt.Errorf("empty response from credential provider")`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`}`

Change auth helper interface to api.Secret. (#3263) This allows us to properly handle wrapped responses. Fixes #3217 2017-08-31 20:57:00 +00:00			`return secret, nil`
enable CLI cert login 2015-06-30 03:29:41 +00:00			`}`

			`func (h *CLIHandler) Help() string {`
			help := `
Update help output for cert auth 2017-09-02 22:49:55 +00:00			`Usage: vault auth -method=cert [CONFIG K=V...]`
enable CLI cert login 2015-06-30 03:29:41 +00:00
Update help output for cert auth 2017-09-02 22:49:55 +00:00			`The certificate authentication provider allows uers to authenticate with a`
			`client certificate passed with the request. The -client-cert and -client-key`
			`flags are included with the "vault auth" command, NOT as configuration to`
			`the authentication provider.`
enable CLI cert login 2015-06-30 03:29:41 +00:00
Update help output for cert auth 2017-09-02 22:49:55 +00:00			`Authenticate using a local client certificate:`

			`$ vault auth -method=cert -client-cert=cert.pem -client-key=key.pem`

			`Configuration:`

			`name=<string>`
			`Certificate role to authenticate against.`

			`
enable CLI cert login 2015-06-30 03:29:41 +00:00
			`return strings.TrimSpace(help)`
			`}`