open-vault/command/auth.go

package command

import (
	"fmt"
	"io"
	"os"
	"strings"

	"github.com/hashicorp/vault/api"
	"github.com/posener/complete"
)

// AuthHandler is the interface that any auth handlers must implement
// to enable auth via the CLI.
type AuthHandler interface {
	Auth(*api.Client, map[string]string) (*api.Secret, error)
	Help() string
}

// AuthCommand is a Command that handles authentication.
type AuthCommand struct {
	*BaseCommand

	Handlers map[string]AuthHandler

	flagMethod    string
	flagPath      string
	flagNoVerify  bool
	flagNoStore   bool
	flagOnlyToken bool

	// Deprecations
	// TODO: remove in 0.9.0
	flagTokenOnly  bool
	flagMethods    bool
	flagMethodHelp bool

	testStdin io.Reader // for tests
}

func (c *AuthCommand) Synopsis() string {
	return "Authenticates users or machines"
}

func (c *AuthCommand) Help() string {
	helpText := `
Usage: vault auth [options] [AUTH K=V...]

  Authenticates users or machines to Vault using the provided arguments. By
  default, the authentication method is "token". If not supplied via the CLI,
  Vault will prompt for input. If argument is "-", the configuration options
  are read from stdin.

  The -method flag allows alternative authentication providers to be used,
  such as userpass, github, or cert. For these, additional "key=value" pairs
  may be required. For example, to authenticate to the userpass auth backend:

      $ vault auth -method=userpass username=my-username

  Use "vault auth-help TYPE" for more information about the list of
  configuration parameters and examples for a particular provider. Use the
  "vault auth-list" command to see a list of enabled authentication providers.

  If an authentication provider is mounted at a different path, the -method
  flag should by the canonical type, and the -path flag should be set to the
  mount path. If a github authentication provider was mounted at "github-ent",
  you would authenticate to this backend like this:

      $ vault auth -method=github -path=github-prod

  If the authentication is requested with response wrapping (via -wrap-ttl),
  the returned token is automatically unwrapped unless:

    - The -only-token flag is used, in which case this command will output
      the wrapping token

    - The -no-store flag is used, in which case this command will output
      the details of the wrapping token.

  For a full list of examples, please see the documentation.

` + c.Flags().Help()

	return strings.TrimSpace(helpText)
}

func (c *AuthCommand) Flags() *FlagSets {
	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)

	f := set.NewFlagSet("Command Options")

	f.StringVar(&StringVar{
		Name:       "method",
		Target:     &c.flagMethod,
		Default:    "token",
		Completion: c.PredictVaultAvailableAuths(),
		Usage: "Type of authentication to use such as \"userpass\" or " +
			"\"ldap\". Note this corresponds to the TYPE, not the mount path. Use " +
			"-path to specify the path where the authentication is mounted.",
	})

	f.StringVar(&StringVar{
		Name:       "path",
		Target:     &c.flagPath,
		Default:    "",
		Completion: c.PredictVaultAuths(),
		Usage: "Mount point where the auth backend is enabled. This defaults to " +
			"the TYPE of backend (e.g. userpass -> userpass/).",
	})

	f.BoolVar(&BoolVar{
		Name:    "no-verify",
		Target:  &c.flagNoVerify,
		Default: false,
		Usage: "Do not verify the token after authentication. By default, Vault " +
			"issue a request to get more metdata about the token. This request " +
			"against the use-limit of the token. Set this to true to disable the " +
			"post-authenication lookup.",
	})

	f.BoolVar(&BoolVar{
		Name:    "no-store",
		Target:  &c.flagNoStore,
		Default: false,
		Usage: "Do not persist the token to the token helper (usually the " +
			"local filesystem) after authentication for use in future requests. " +
			"The token will only be displayed in the command output.",
	})

	f.BoolVar(&BoolVar{
		Name:    "only-token",
		Target:  &c.flagOnlyToken,
		Default: false,
		Usage: "Output only the token with no verification. This flag is a " +
			"shortcut for \"-field=token -no-store -no-verify\". Setting those " +
			"flags to other values will have no affect.",
	})

	// Deprecations
	// TODO: remove in Vault 0.9.0

	f.BoolVar(&BoolVar{
		Name:    "token-only", // Prefer only-token
		Target:  &c.flagTokenOnly,
		Default: false,
		Hidden:  true,
	})

	f.BoolVar(&BoolVar{
		Name:    "methods", // Prefer auth-list
		Target:  &c.flagMethods,
		Default: false,
		Hidden:  true,
	})

	f.BoolVar(&BoolVar{
		Name:    "method-help", // Prefer auth-help
		Target:  &c.flagMethodHelp,
		Default: false,
		Hidden:  true,
	})

	return set
}

func (c *AuthCommand) AutocompleteArgs() complete.Predictor {
	return nil
}

func (c *AuthCommand) AutocompleteFlags() complete.Flags {
	return c.Flags().Completions()
}

func (c *AuthCommand) Run(args []string) int {
	f := c.Flags()

	if err := f.Parse(args); err != nil {
		c.UI.Error(err.Error())
		return 1
	}

	args = f.Args()

	// Deprecations - do this before any argument validations
	// TODO: remove in 0.9.0
	switch {
	case c.flagMethods:
		c.UI.Warn(wrapAtLength(
			"WARNING! The -methods flag is deprecated. Please use " +
				"\"vault auth-list\". This flag will be removed in the next major " +
				"release of Vault."))
		cmd := &AuthListCommand{
			BaseCommand: &BaseCommand{
				UI:     c.UI,
				client: c.client,
			},
		}
		return cmd.Run(nil)
	case c.flagMethodHelp:
		c.UI.Warn(wrapAtLength(
			"WARNING! The -method-help flag is deprecated. Please use " +
				"\"vault auth-help\". This flag will be removed in the next major " +
				"release of Vault."))
		cmd := &AuthHelpCommand{
			BaseCommand: &BaseCommand{
				UI:     c.UI,
				client: c.client,
			},
			Handlers: c.Handlers,
		}
		return cmd.Run([]string{c.flagMethod})
	}

	// TODO: remove in 0.9.0
	if c.flagTokenOnly {
		c.UI.Warn(wrapAtLength(
			"WARNING! The -token-only flag is deprecated. Plase use -only-token " +
				"instead. This flag will be removed in the next major release of " +
				"Vault."))
		c.flagOnlyToken = c.flagTokenOnly
	}

	// Set the right flags if the user requested only-token - this overrides
	// any previously configured values, as documented.
	if c.flagOnlyToken {
		c.flagNoStore = true
		c.flagNoVerify = true
		c.flagField = "token"
	}

	// Get the auth method
	authMethod := sanitizePath(c.flagMethod)
	if authMethod == "" {
		authMethod = "token"
	}

	// If no path is specified, we default the path to the backend type
	// or use the plugin name if it's a plugin backend
	authPath := c.flagPath
	if authPath == "" {
		authPath = ensureTrailingSlash(authMethod)
	}

	// Get the handler function
	authHandler, ok := c.Handlers[authMethod]
	if !ok {
		c.UI.Error(wrapAtLength(fmt.Sprintf(
			"Unknown authentication method: %s. Use \"vault auth-list\" to see the "+
				"complete list of authentication providers. Additionally, some "+
				"authentication providers are only available via the HTTP API.",
			authMethod)))
		return 1
	}

	// Pull our fake stdin if needed
	stdin := (io.Reader)(os.Stdin)
	if c.testStdin != nil {
		stdin = c.testStdin
	}

	// If the user provided a token, pass it along to the auth provier.
	if authMethod == "token" && len(args) == 1 {
		args = []string{"token=" + args[0]}
	}

	config, err := parseArgsDataString(stdin, args)
	if err != nil {
		c.UI.Error(fmt.Sprintf("Error parsing configuration: %s", err))
		return 1
	}

	// If the user did not specify a mount path, use the provided mount path.
	if config["mount"] == "" && authPath != "" {
		config["mount"] = authPath
	}

	// Create the client
	client, err := c.Client()
	if err != nil {
		c.UI.Error(err.Error())
		return 2
	}

	// Authenticate delegation to the auth handler
	secret, err := authHandler.Auth(client, config)
	if err != nil {
		c.UI.Error(wrapAtLength(fmt.Sprintf(
			"Error authenticating: %s", err)))
		return 2
	}

	// Unset any previous token wrapping functionality. If the original request
	// was for a wrapped token, we don't want future requests to be wrapped.
	client.SetWrappingLookupFunc(func(string, string) string { return "" })

	// Recursively extract the token, handling wrapping
	unwrap := !c.flagOnlyToken && !c.flagNoStore
	secret, isWrapped, err := c.extractToken(client, secret, unwrap)
	if err != nil {
		c.UI.Error(fmt.Sprintf("Error extracting token: %s", err))
		return 2
	}
	if secret == nil {
		c.UI.Error("Vault returned an empty secret")
		return 2
	}

	// Handle special cases if the token was wrapped
	if isWrapped {
		if c.flagOnlyToken {
			return PrintRawField(c.UI, secret, "wrapping_token")
		}
		if c.flagNoStore {
			return OutputSecret(c.UI, c.flagFormat, secret)
		}
	}

	// If we got this far, verify we have authentication data before continuing
	if secret.Auth == nil {
		c.UI.Error(wrapAtLength(
			"Vault returned a secret, but the secret has no authentication " +
				"information attached. This should never happen and is likely a " +
				"bug."))
		return 2
	}

	// Pull the token itself out, since we don't need the rest of the auth
	// information anymore/.
	token := secret.Auth.ClientToken

	tokenHelper, err := c.TokenHelper()
	if err != nil {
		c.UI.Error(fmt.Sprintf(
			"Error initializing token helper: %s\n\n"+
				"Please verify that the token helper is available and properly\n"+
				"configured for your system. Please refer to the documentation\n"+
				"on token helpers for more information.",
			err))
		return 1
	}

	if !c.flagNoVerify {
		// Verify the token and pull it's list of policies
		client.SetToken(token)
		client.SetWrappingLookupFunc(func(string, string) string { return "" })

		secret, err = client.Auth().Token().LookupSelf()
		if err != nil {
			c.UI.Error(fmt.Sprintf("Error verifying token: %s", err))
			return 2
		}
		if secret == nil {
			c.UI.Error("Empty response from lookup-self")
			return 2
		}
	}

	if !c.flagNoStore {
		// Store the token in the local client
		if err := tokenHelper.Store(token); err != nil {
			c.UI.Error(fmt.Sprintf("Error storing token: %s", err))
			c.UI.Error(wrapAtLength(
				"Authentication was successful, but the token was not persisted. The " +
					"resulting token is shown below for your records."))
			OutputSecret(c.UI, c.flagFormat, secret)
			return 2
		}

		// Warn if the VAULT_TOKEN environment variable is set, as that will take
		// precedence. Don't output on token-only since we're likely piping output.
		if c.flagField == "" && c.flagFormat == "table" {
			if os.Getenv("VAULT_TOKEN") != "" {
				c.UI.Warn(wrapAtLength("WARNING! The VAULT_TOKEN environment variable " +
					"is set! This takes precedence over the value set by this command. To " +
					"use the value set by this command, unset the VAULT_TOKEN environment " +
					"variable or set it to the token displayed below."))
			}
		}
	}

	// If the user requested a particular field, print that out now since we
	// are likely piping to another process.
	if c.flagField != "" {
		return PrintRawField(c.UI, secret, c.flagField)
	}

	// Output the secret as json or yaml if requested. We have to maintain
	// backwards compatiability
	if c.flagFormat != "table" {
		return OutputSecret(c.UI, c.flagFormat, secret)
	}

	output := "Success! You are now authenticated. "
	if c.flagNoVerify {
		output += "The token was not verified for validity. "
	}
	if c.flagNoStore {
		output += "The token was not stored in the token helper. "
	} else {
		output += "The token information displayed below is already stored in " +
			"the token helper. You do NOT need to run \"vault auth\" again."
	}
	c.UI.Output(wrapAtLength(output) + "\n")

	// TODO make this consistent with other printed token secrets.
	c.UI.Output(fmt.Sprintf("token: %s", secret.TokenID()))
	c.UI.Output(fmt.Sprintf("accessor: %s", secret.TokenAccessor()))

	if ttl := secret.TokenTTL(); ttl != 0 {
		c.UI.Output(fmt.Sprintf("duration: %s", ttl))
	}

	c.UI.Output(fmt.Sprintf("renewable: %t", secret.TokenIsRenewable()))

	if policies := secret.TokenPolicies(); len(policies) > 0 {
		c.UI.Output(fmt.Sprintf("policies: %s", policies))
	}

	return 0
}

// extractToken extracts the token from the given secret, automatically
// unwrapping responses and handling error conditions if unwrap is true. The
// result also returns whether it was a wrapped resonse that was not unwrapped.
func (c *AuthCommand) extractToken(client *api.Client, secret *api.Secret, unwrap bool) (*api.Secret, bool, error) {
	switch {
	case secret == nil:
		return nil, false, fmt.Errorf("empty response from auth helper")

	case secret.Auth != nil:
		return secret, false, nil

	case secret.WrapInfo != nil:
		if secret.WrapInfo.WrappedAccessor == "" {
			return nil, false, fmt.Errorf("wrapped response does not contain a token")
		}

		if !unwrap {
			return secret, true, nil
		}

		client.SetToken(secret.WrapInfo.Token)
		secret, err := client.Logical().Unwrap("")
		if err != nil {
			return nil, false, err
		}
		return c.extractToken(client, secret, unwrap)

	default:
		return nil, false, fmt.Errorf("no auth or wrapping info in response")
	}
}