From c74feaa6ac7b0d40fd665f488053145a4ae8cb49 Mon Sep 17 00:00:00 2001 From: Anton Averchenkov <84287187+averche@users.noreply.github.com> Date: Wed, 6 Apr 2022 11:20:34 -0400 Subject: [PATCH] Use WriteWithContext in auth helpers (#14775) --- api/auth/approle/approle.go | 8 ++++++-- api/auth/aws/aws.go | 6 +++++- api/auth/azure/azure.go | 6 +++++- api/auth/gcp/gcp.go | 6 +++++- api/auth/kubernetes/kubernetes.go | 6 +++++- api/auth/ldap/ldap.go | 6 +++++- api/auth/userpass/userpass.go | 6 +++++- changelog/14775.txt | 3 +++ command/agent/auth/approle/approle.go | 4 ++-- command/agent/auth/auth.go | 4 ++-- 10 files changed, 43 insertions(+), 12 deletions(-) create mode 100644 changelog/14775.txt diff --git a/api/auth/approle/approle.go b/api/auth/approle/approle.go index 61c380cd4..b8cf01228 100644 --- a/api/auth/approle/approle.go +++ b/api/auth/approle/approle.go @@ -100,6 +100,10 @@ func NewAppRoleAuth(roleID string, secretID *SecretID, opts ...LoginOption) (*Ap } func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { + if ctx == nil { + ctx = context.Background() + } + loginData := map[string]interface{}{ "role_id": a.roleID, } @@ -125,7 +129,7 @@ func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secre // if the caller indicated that the value was actually a wrapping token, unwrap it first if a.unwrap { - unwrappedToken, err := client.Logical().Unwrap(secretIDValue) + unwrappedToken, err := client.Logical().UnwrapWithContext(ctx, secretIDValue) if err != nil { return nil, fmt.Errorf("unable to unwrap response wrapping token: %w", err) } @@ -135,7 +139,7 @@ func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secre } path := fmt.Sprintf("auth/%s/login", a.mountPath) - resp, err := client.Logical().Write(path, loginData) + resp, err := client.Logical().WriteWithContext(ctx, path, loginData) if err != nil { return nil, fmt.Errorf("unable to log in with app role auth: %w", err) } diff --git a/api/auth/aws/aws.go b/api/auth/aws/aws.go index 9e229b871..cef19beb8 100644 --- a/api/auth/aws/aws.go +++ b/api/auth/aws/aws.go @@ -84,6 +84,10 @@ func NewAWSAuth(opts ...LoginOption) (*AWSAuth, error) { // variables. To specify a path to a credentials file on disk instead, set // the environment variable AWS_SHARED_CREDENTIALS_FILE. func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { + if ctx == nil { + ctx = context.Background() + } + loginData := make(map[string]interface{}) switch a.authType { case ec2Type: @@ -182,7 +186,7 @@ func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e } path := fmt.Sprintf("auth/%s/login", a.mountPath) - resp, err := client.Logical().Write(path, loginData) + resp, err := client.Logical().WriteWithContext(ctx, path, loginData) if err != nil { return nil, fmt.Errorf("unable to log in with AWS auth: %w", err) } diff --git a/api/auth/azure/azure.go b/api/auth/azure/azure.go index 825003889..370ec573d 100644 --- a/api/auth/azure/azure.go +++ b/api/auth/azure/azure.go @@ -90,6 +90,10 @@ func NewAzureAuth(roleName string, opts ...LoginOption) (*AzureAuth, error) { // Login sets up the required request body for the Azure auth method's /login // endpoint, and performs a write to it. func (a *AzureAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { + if ctx == nil { + ctx = context.Background() + } + jwtResp, err := a.getJWT() if err != nil { return nil, fmt.Errorf("unable to get access token: %w", err) @@ -110,7 +114,7 @@ func (a *AzureAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, } path := fmt.Sprintf("auth/%s/login", a.mountPath) - resp, err := client.Logical().Write(path, loginData) + resp, err := client.Logical().WriteWithContext(ctx, path, loginData) if err != nil { return nil, fmt.Errorf("unable to log in with Azure auth: %w", err) } diff --git a/api/auth/gcp/gcp.go b/api/auth/gcp/gcp.go index efa1d0b40..a5dd93646 100644 --- a/api/auth/gcp/gcp.go +++ b/api/auth/gcp/gcp.go @@ -67,6 +67,10 @@ func NewGCPAuth(roleName string, opts ...LoginOption) (*GCPAuth, error) { // endpoint, and performs a write to it. This method defaults to the "gce" // auth type unless NewGCPAuth is called with WithIAMAuth(). func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { + if ctx == nil { + ctx = context.Background() + } + loginData := map[string]interface{}{ "role": a.roleName, } @@ -86,7 +90,7 @@ func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e } path := fmt.Sprintf("auth/%s/login", a.mountPath) - resp, err := client.Logical().Write(path, loginData) + resp, err := client.Logical().WriteWithContext(ctx, path, loginData) if err != nil { return nil, fmt.Errorf("unable to log in with GCP auth: %w", err) } diff --git a/api/auth/kubernetes/kubernetes.go b/api/auth/kubernetes/kubernetes.go index 99541708f..c2fef86a5 100644 --- a/api/auth/kubernetes/kubernetes.go +++ b/api/auth/kubernetes/kubernetes.go @@ -68,13 +68,17 @@ func NewKubernetesAuth(roleName string, opts ...LoginOption) (*KubernetesAuth, e } func (a *KubernetesAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { + if ctx == nil { + ctx = context.Background() + } + loginData := map[string]interface{}{ "jwt": a.serviceAccountToken, "role": a.roleName, } path := fmt.Sprintf("auth/%s/login", a.mountPath) - resp, err := client.Logical().Write(path, loginData) + resp, err := client.Logical().WriteWithContext(ctx, path, loginData) if err != nil { return nil, fmt.Errorf("unable to log in with Kubernetes auth: %w", err) } diff --git a/api/auth/ldap/ldap.go b/api/auth/ldap/ldap.go index 0653484d3..9f37abc66 100644 --- a/api/auth/ldap/ldap.go +++ b/api/auth/ldap/ldap.go @@ -84,6 +84,10 @@ func NewLDAPAuth(username string, password *Password, opts ...LoginOption) (*LDA } func (a *LDAPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { + if ctx == nil { + ctx = context.Background() + } + loginData := make(map[string]interface{}) if a.passwordFile != "" { @@ -103,7 +107,7 @@ func (a *LDAPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, } path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username) - resp, err := client.Logical().Write(path, loginData) + resp, err := client.Logical().WriteWithContext(ctx, path, loginData) if err != nil { return nil, fmt.Errorf("unable to log in with LDAP auth: %w", err) } diff --git a/api/auth/userpass/userpass.go b/api/auth/userpass/userpass.go index d33e787f9..124cd7a68 100644 --- a/api/auth/userpass/userpass.go +++ b/api/auth/userpass/userpass.go @@ -88,6 +88,10 @@ func NewUserpassAuth(username string, password *Password, opts ...LoginOption) ( } func (a *UserpassAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) { + if ctx == nil { + ctx = context.Background() + } + loginData := make(map[string]interface{}) if a.passwordFile != "" { @@ -107,7 +111,7 @@ func (a *UserpassAuth) Login(ctx context.Context, client *api.Client) (*api.Secr } path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username) - resp, err := client.Logical().Write(path, loginData) + resp, err := client.Logical().WriteWithContext(ctx, path, loginData) if err != nil { return nil, fmt.Errorf("unable to log in with userpass auth: %w", err) } diff --git a/changelog/14775.txt b/changelog/14775.txt new file mode 100644 index 000000000..03beb827a --- /dev/null +++ b/changelog/14775.txt @@ -0,0 +1,3 @@ +```release-note:improvement +api: Use the context passed to the api/auth Login helpers. +``` diff --git a/command/agent/auth/approle/approle.go b/command/agent/auth/approle/approle.go index 8a1a9b3a6..e58299ad7 100644 --- a/command/agent/auth/approle/approle.go +++ b/command/agent/auth/approle/approle.go @@ -138,7 +138,7 @@ func (a *approleMethod) Authenticate(ctx context.Context, client *api.Client) (s } clonedClient.SetToken(stringSecretID) // Validate the creation path - resp, err := clonedClient.Logical().Read("sys/wrapping/lookup") + resp, err := clonedClient.Logical().ReadWithContext(ctx, "sys/wrapping/lookup") if err != nil { return "", nil, nil, fmt.Errorf("error looking up wrapped secret ID: %w", err) } @@ -161,7 +161,7 @@ func (a *approleMethod) Authenticate(ctx context.Context, client *api.Client) (s return "", nil, nil, errors.New("unable to validate wrapping token creation path") } // Now get the secret ID - resp, err = clonedClient.Logical().Unwrap("") + resp, err = clonedClient.Logical().UnwrapWithContext(ctx, "") if err != nil { return "", nil, nil, fmt.Errorf("error unwrapping secret ID: %w", err) } diff --git a/command/agent/auth/auth.go b/command/agent/auth/auth.go index 889eedd85..c00028608 100644 --- a/command/agent/auth/auth.go +++ b/command/agent/auth/auth.go @@ -172,7 +172,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error { ah.logger.Debug("lookup-self with preloaded token") clientToUse.SetToken(ah.token) - secret, err = clientToUse.Logical().Read("auth/token/lookup-self") + secret, err = clientToUse.Auth().Token().LookupSelfWithContext(ctx) if err != nil { ah.logger.Error("could not look up token", "err", err, "backoff", backoff) backoffOrQuit(ctx, backoff) @@ -220,7 +220,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error { // This should only happen if there's no preloaded token (regular auto-auth login) // or if a preloaded token has expired and is now switching to auto-auth. if secret.Auth == nil { - secret, err = clientToUse.Logical().Write(path, data) + secret, err = clientToUse.Logical().WriteWithContext(ctx, path, data) // Check errors/sanity if err != nil { ah.logger.Error("error authenticating", "error", err, "backoff", backoff)