open-vault/command/agent/auth/kubernetes/kubernetes.go

package kubernetes

import (
	"context"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"os"
	"strings"

	"github.com/hashicorp/errwrap"
	hclog "github.com/hashicorp/go-hclog"
	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/command/agent/auth"
)

const (
	serviceAccountFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
)

type kubernetesMethod struct {
	logger    hclog.Logger
	mountPath string

	role string

	// tokenPath is an optional path to a projected service account token inside
	// the pod, for use instead of the default service account token.
	tokenPath string

	// jwtData is a ReadCloser used to inject a ReadCloser for mocking tests.
	jwtData io.ReadCloser
}

// NewKubernetesAuthMethod reads the user configuration and returns a configured
// AuthMethod
func NewKubernetesAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
	if conf == nil {
		return nil, errors.New("empty config")
	}
	if conf.Config == nil {
		return nil, errors.New("empty config data")
	}

	k := &kubernetesMethod{
		logger:    conf.Logger,
		mountPath: conf.MountPath,
	}

	roleRaw, ok := conf.Config["role"]
	if !ok {
		return nil, errors.New("missing 'role' value")
	}
	k.role, ok = roleRaw.(string)
	if !ok {
		return nil, errors.New("could not convert 'role' config value to string")
	}

	tokenPathRaw, ok := conf.Config["token_path"]
	if ok {
		k.tokenPath, ok = tokenPathRaw.(string)
		if !ok {
			return nil, errors.New("could not convert 'token_path' config value to string")
		}
	}

	if k.role == "" {
		return nil, errors.New("'role' value is empty")
	}

	return k, nil
}

func (k *kubernetesMethod) Authenticate(ctx context.Context, client *api.Client) (string, map[string]interface{}, error) {
	k.logger.Trace("beginning authentication")

	jwtString, err := k.readJWT()
	if err != nil {
		return "", nil, errwrap.Wrapf("error reading JWT with Kubernetes Auth: {{err}}", err)
	}

	return fmt.Sprintf("%s/login", k.mountPath), map[string]interface{}{
		"role": k.role,
		"jwt":  jwtString,
	}, nil
}

func (k *kubernetesMethod) NewCreds() chan struct{} {
	return nil
}

func (k *kubernetesMethod) CredSuccess() {
}

func (k *kubernetesMethod) Shutdown() {
}

// readJWT reads the JWT data for the Agent to submit to Vault. The default is
// to read the JWT from the default service account location, defined by the
// constant serviceAccountFile. In normal use k.jwtData is nil at invocation and
// the method falls back to reading the token path with os.Open, opening a file
// from either the default location or from the token_path path specified in
// configuration.
func (k *kubernetesMethod) readJWT() (string, error) {
	// load configured token path if set, default to serviceAccountFile
	tokenFilePath := serviceAccountFile
	if k.tokenPath != "" {
		tokenFilePath = k.tokenPath
	}

	data := k.jwtData
	// k.jwtData should only be non-nil in tests
	if data == nil {
		f, err := os.Open(tokenFilePath)
		if err != nil {
			return "", err
		}
		data = f
	}
	defer data.Close()

	contentBytes, err := ioutil.ReadAll(data)
	if err != nil {
		return "", err
	}

	return strings.TrimSpace(string(contentBytes)), nil
}
VSI (#4985) 2018-07-25 02:02:27 +00:00			`package kubernetes`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00			`"io"`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`"io/ioutil"`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00			`"os"`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`"strings"`

Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00			`"github.com/hashicorp/errwrap"`
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing. 2019-01-09 00:48:57 +00:00			`hclog "github.com/hashicorp/go-hclog"`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`"github.com/hashicorp/vault/api"`
			`"github.com/hashicorp/vault/command/agent/auth"`
			`)`

			`const (`
agent: kubernetes: add missing slash in token path (#5010) 2018-07-29 19:50:18 +00:00			`serviceAccountFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`)`

			`type kubernetesMethod struct {`
			`logger hclog.Logger`
			`mountPath string`

			`role string`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00
			`// tokenPath is an optional path to a projected service account token inside`
			`// the pod, for use instead of the default service account token.`
			`tokenPath string`

fix typo in comment 2018-11-28 16:06:23 +00:00			`// jwtData is a ReadCloser used to inject a ReadCloser for mocking tests.`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00			`jwtData io.ReadCloser`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`}`

Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00			`// NewKubernetesAuthMethod reads the user configuration and returns a configured`
			`// AuthMethod`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`func NewKubernetesAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {`
			`if conf == nil {`
			`return nil, errors.New("empty config")`
			`}`
			`if conf.Config == nil {`
			`return nil, errors.New("empty config data")`
			`}`

			`k := &kubernetesMethod{`
			`logger: conf.Logger,`
			`mountPath: conf.MountPath,`
			`}`

			`roleRaw, ok := conf.Config["role"]`
			`if !ok {`
			`return nil, errors.New("missing 'role' value")`
			`}`
			`k.role, ok = roleRaw.(string)`
			`if !ok {`
			`return nil, errors.New("could not convert 'role' config value to string")`
			`}`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00
			`tokenPathRaw, ok := conf.Config["token_path"]`
			`if ok {`
			`k.tokenPath, ok = tokenPathRaw.(string)`
			`if !ok {`
			`return nil, errors.New("could not convert 'token_path' config value to string")`
			`}`
			`}`

VSI (#4985) 2018-07-25 02:02:27 +00:00			`if k.role == "" {`
			`return nil, errors.New("'role' value is empty")`
			`}`

			`return k, nil`
			`}`

			`func (k kubernetesMethod) Authenticate(ctx context.Context, client api.Client) (string, map[string]interface{}, error) {`
			`k.logger.Trace("beginning authentication")`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00
			`jwtString, err := k.readJWT()`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`if err != nil {`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00			`return "", nil, errwrap.Wrapf("error reading JWT with Kubernetes Auth: {{err}}", err)`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`}`

			`return fmt.Sprintf("%s/login", k.mountPath), map[string]interface{}{`
			`"role": k.role,`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00			`"jwt": jwtString,`
VSI (#4985) 2018-07-25 02:02:27 +00:00			`}, nil`
			`}`

			`func (k *kubernetesMethod) NewCreds() chan struct{} {`
			`return nil`
			`}`

			`func (k *kubernetesMethod) CredSuccess() {`
			`}`

			`func (k *kubernetesMethod) Shutdown() {`
			`}`
Agent kube projected token (#5725) * Add support for custom JWT path in Agent: kubernetes auth - add support for "token_path" configuration - add a reader for mocking in tests * add documentation for token_path 2018-11-19 22:28:17 +00:00
			`// readJWT reads the JWT data for the Agent to submit to Vault. The default is`
			`// to read the JWT from the default service account location, defined by the`
			`// constant serviceAccountFile. In normal use k.jwtData is nil at invocation and`
			`// the method falls back to reading the token path with os.Open, opening a file`
			`// from either the default location or from the token_path path specified in`
			`// configuration.`
			`func (k *kubernetesMethod) readJWT() (string, error) {`
			`// load configured token path if set, default to serviceAccountFile`
			`tokenFilePath := serviceAccountFile`
			`if k.tokenPath != "" {`
			`tokenFilePath = k.tokenPath`
			`}`

			`data := k.jwtData`
			`// k.jwtData should only be non-nil in tests`
			`if data == nil {`
			`f, err := os.Open(tokenFilePath)`
			`if err != nil {`
			`return "", err`
			`}`
			`data = f`
			`}`
			`defer data.Close()`

			`contentBytes, err := ioutil.ReadAll(data)`
			`if err != nil {`
			`return "", err`
			`}`

			`return strings.TrimSpace(string(contentBytes)), nil`
			`}`