Use WriteWithContext in auth helpers (#14775)
parent
78a9a50cc9
commit
c74feaa6ac
@ -100,6 +100,10 @@ func NewAppRoleAuth(roleID string, secretID *SecretID, opts ...LoginOption) (*Ap
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
||||||
|
if ctx == nil {
|
||||||
|
ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
loginData := map[string]interface{}{
|
loginData := map[string]interface{}{
|
||||||
"role_id": a.roleID,
|
"role_id": a.roleID,
|
||||||
}
|
}
|
||||||
|
@ -125,7 +129,7 @@ func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secre
|
||||||
|
|
||||||
// if the caller indicated that the value was actually a wrapping token, unwrap it first
|
// if the caller indicated that the value was actually a wrapping token, unwrap it first
|
||||||
if a.unwrap {
|
if a.unwrap {
|
||||||
unwrappedToken, err := client.Logical().Unwrap(secretIDValue)
|
unwrappedToken, err := client.Logical().UnwrapWithContext(ctx, secretIDValue)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to unwrap response wrapping token: %w", err)
|
return nil, fmt.Errorf("unable to unwrap response wrapping token: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -135,7 +139,7 @@ func (a *AppRoleAuth) Login(ctx context.Context, client *api.Client) (*api.Secre
|
||||||
}
|
}
|
||||||
|
|
||||||
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
||||||
resp, err := client.Logical().Write(path, loginData)
|
resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to log in with app role auth: %w", err)
|
return nil, fmt.Errorf("unable to log in with app role auth: %w", err)
|
||||||
}
|
}
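Review bot: The added `if ctx == nil { ctx = context.Background() }` guard makes Login accept a nil context, which Go convention treats as a caller bug (callers should pass `context.TODO()`), so the leniency should at least be stated in the doc comment, e.g. `// A nil ctx is treated as context.Background() so callers written before ctx was honoured keep working.` The same guard is added to the AWS, Azure, GCP, Kubernetes, LDAP and Userpass Login methods in this commit. The rest of the AppRole Login body (the secret-ID handling between the first and second hunks) is outside the hunks shown.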
|
||||||
|
|
|
@ -84,6 +84,10 @@ func NewAWSAuth(opts ...LoginOption) (*AWSAuth, error) {
|
||||||
// variables. To specify a path to a credentials file on disk instead, set
|
// variables. To specify a path to a credentials file on disk instead, set
|
||||||
// the environment variable AWS_SHARED_CREDENTIALS_FILE.
|
// the environment variable AWS_SHARED_CREDENTIALS_FILE.
|
||||||
func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
||||||
|
if ctx == nil {
|
||||||
|
ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
loginData := make(map[string]interface{})
|
loginData := make(map[string]interface{})
|
||||||
switch a.authType {
|
switch a.authType {
|
||||||
case ec2Type:
|
case ec2Type:
|
||||||
|
@ -182,7 +186,7 @@ func (a *AWSAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e
|
||||||
}
|
}
|
||||||
|
|
||||||
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
||||||
resp, err := client.Logical().Write(path, loginData)
|
resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to log in with AWS auth: %w", err)
|
return nil, fmt.Errorf("unable to log in with AWS auth: %w", err)
|
||||||
}
|
}
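Review bot: Only the final `WriteWithContext` call receives ctx; the credential-gathering code between the two hunks (the `ec2Type` case onward) is not shown, and if it performs network I/O against the instance metadata or STS endpoints without ctx, a caller's deadline will not interrupt that step, which is usually the slow one. The same applies to the Azure Login, where `jwtResp, err := a.getJWT()` — which by its error message fetches an access token — takes no ctx, and to the GCP Login's token retrieval outside its hunks. Threading ctx through those helpers (e.g. `a.getJWT(ctx)`) would make cancellation consistent across the whole login. The AWS Login body continues between and beyond the hunks shown.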
|
||||||
|
|
|
@ -90,6 +90,10 @@ func NewAzureAuth(roleName string, opts ...LoginOption) (*AzureAuth, error) {
|
||||||
// Login sets up the required request body for the Azure auth method's /login
|
// Login sets up the required request body for the Azure auth method's /login
|
||||||
// endpoint, and performs a write to it.
|
// endpoint, and performs a write to it.
|
||||||
func (a *AzureAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
func (a *AzureAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
||||||
|
if ctx == nil {
|
||||||
|
ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
jwtResp, err := a.getJWT()
|
jwtResp, err := a.getJWT()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to get access token: %w", err)
|
return nil, fmt.Errorf("unable to get access token: %w", err)
|
||||||
|
@ -110,7 +114,7 @@ func (a *AzureAuth) Login(ctx context.Context, client *api.Client) (*api.Secret,
|
||||||
}
|
}
|
||||||
|
|
||||||
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
||||||
resp, err := client.Logical().Write(path, loginData)
|
resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to log in with Azure auth: %w", err)
|
return nil, fmt.Errorf("unable to log in with Azure auth: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -67,6 +67,10 @@ func NewGCPAuth(roleName string, opts ...LoginOption) (*GCPAuth, error) {
|
||||||
// endpoint, and performs a write to it. This method defaults to the "gce"
|
// endpoint, and performs a write to it. This method defaults to the "gce"
|
||||||
// auth type unless NewGCPAuth is called with WithIAMAuth().
|
// auth type unless NewGCPAuth is called with WithIAMAuth().
|
||||||
func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
||||||
|
if ctx == nil {
|
||||||
|
ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
loginData := map[string]interface{}{
|
loginData := map[string]interface{}{
|
||||||
"role": a.roleName,
|
"role": a.roleName,
|
||||||
}
|
}
|
||||||
|
@ -86,7 +90,7 @@ func (a *GCPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, e
|
||||||
}
|
}
|
||||||
|
|
||||||
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
||||||
resp, err := client.Logical().Write(path, loginData)
|
resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to log in with GCP auth: %w", err)
|
return nil, fmt.Errorf("unable to log in with GCP auth: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -68,13 +68,17 @@ func NewKubernetesAuth(roleName string, opts ...LoginOption) (*KubernetesAuth, e
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *KubernetesAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
func (a *KubernetesAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
||||||
|
if ctx == nil {
|
||||||
|
ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
loginData := map[string]interface{}{
|
loginData := map[string]interface{}{
|
||||||
"jwt": a.serviceAccountToken,
|
"jwt": a.serviceAccountToken,
|
||||||
"role": a.roleName,
|
"role": a.roleName,
|
||||||
}
|
}
|
||||||
|
|
||||||
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
path := fmt.Sprintf("auth/%s/login", a.mountPath)
|
||||||
resp, err := client.Logical().Write(path, loginData)
|
resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to log in with Kubernetes auth: %w", err)
|
return nil, fmt.Errorf("unable to log in with Kubernetes auth: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -84,6 +84,10 @@ func NewLDAPAuth(username string, password *Password, opts ...LoginOption) (*LDA
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *LDAPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
func (a *LDAPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
||||||
|
if ctx == nil {
|
||||||
|
ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
loginData := make(map[string]interface{})
|
loginData := make(map[string]interface{})
|
||||||
|
|
||||||
if a.passwordFile != "" {
|
if a.passwordFile != "" {
|
||||||
|
@ -103,7 +107,7 @@ func (a *LDAPAuth) Login(ctx context.Context, client *api.Client) (*api.Secret,
|
||||||
}
|
}
|
||||||
|
|
||||||
path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username)
|
path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username)
|
||||||
resp, err := client.Logical().Write(path, loginData)
|
resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to log in with LDAP auth: %w", err)
|
return nil, fmt.Errorf("unable to log in with LDAP auth: %w", err)
|
||||||
}
|
}
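Review bot: `path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username)` interpolates the username into the request path unescaped, so a username containing `/`, `?` or `#` changes which endpoint is addressed instead of being rejected by the auth method; unless the api client escapes path segments (not visible here), `url.PathEscape(a.username)` is the safer form. The Userpass Login in this commit builds its path the same way. The LDAP Login body continues between its two hunks.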
|
||||||
|
|
|
@ -88,6 +88,10 @@ func NewUserpassAuth(username string, password *Password, opts ...LoginOption) (
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *UserpassAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
func (a *UserpassAuth) Login(ctx context.Context, client *api.Client) (*api.Secret, error) {
|
||||||
|
if ctx == nil {
|
||||||
|
ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
loginData := make(map[string]interface{})
|
loginData := make(map[string]interface{})
|
||||||
|
|
||||||
if a.passwordFile != "" {
|
if a.passwordFile != "" {
|
||||||
|
@ -107,7 +111,7 @@ func (a *UserpassAuth) Login(ctx context.Context, client *api.Client) (*api.Secr
|
||||||
}
|
}
|
||||||
|
|
||||||
path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username)
|
path := fmt.Sprintf("auth/%s/login/%s", a.mountPath, a.username)
|
||||||
resp, err := client.Logical().Write(path, loginData)
|
resp, err := client.Logical().WriteWithContext(ctx, path, loginData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to log in with userpass auth: %w", err)
|
return nil, fmt.Errorf("unable to log in with userpass auth: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
api: Use the context passed to the api/auth Login helpers.
|
||||||
|
```
|
|
@ -138,7 +138,7 @@ func (a *approleMethod) Authenticate(ctx context.Context, client *api.Client) (s
|
||||||
}
|
}
|
||||||
clonedClient.SetToken(stringSecretID)
|
clonedClient.SetToken(stringSecretID)
|
||||||
// Validate the creation path
|
// Validate the creation path
|
||||||
resp, err := clonedClient.Logical().Read("sys/wrapping/lookup")
|
resp, err := clonedClient.Logical().ReadWithContext(ctx, "sys/wrapping/lookup")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, nil, fmt.Errorf("error looking up wrapped secret ID: %w", err)
|
return "", nil, nil, fmt.Errorf("error looking up wrapped secret ID: %w", err)
|
||||||
}
|
}
|
||||||
|
@ -161,7 +161,7 @@ func (a *approleMethod) Authenticate(ctx context.Context, client *api.Client) (s
|
||||||
return "", nil, nil, errors.New("unable to validate wrapping token creation path")
|
return "", nil, nil, errors.New("unable to validate wrapping token creation path")
|
||||||
}
|
}
|
||||||
// Now get the secret ID
|
// Now get the secret ID
|
||||||
resp, err = clonedClient.Logical().Unwrap("")
|
resp, err = clonedClient.Logical().UnwrapWithContext(ctx, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", nil, nil, fmt.Errorf("error unwrapping secret ID: %w", err)
|
return "", nil, nil, fmt.Errorf("error unwrapping secret ID: %w", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -172,7 +172,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
|
||||||
ah.logger.Debug("lookup-self with preloaded token")
|
ah.logger.Debug("lookup-self with preloaded token")
|
||||||
clientToUse.SetToken(ah.token)
|
clientToUse.SetToken(ah.token)
|
||||||
|
|
||||||
secret, err = clientToUse.Logical().Read("auth/token/lookup-self")
|
secret, err = clientToUse.Auth().Token().LookupSelfWithContext(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ah.logger.Error("could not look up token", "err", err, "backoff", backoff)
|
ah.logger.Error("could not look up token", "err", err, "backoff", backoff)
|
||||||
backoffOrQuit(ctx, backoff)
|
backoffOrQuit(ctx, backoff)
|
||||||
|
@ -220,7 +220,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
|
||||||
// This should only happen if there's no preloaded token (regular auto-auth login)
|
// This should only happen if there's no preloaded token (regular auto-auth login)
|
||||||
// or if a preloaded token has expired and is now switching to auto-auth.
|
// or if a preloaded token has expired and is now switching to auto-auth.
|
||||||
if secret.Auth == nil {
|
if secret.Auth == nil {
|
||||||
secret, err = clientToUse.Logical().Write(path, data)
|
secret, err = clientToUse.Logical().WriteWithContext(ctx, path, data)
|
||||||
// Check errors/sanity
|
// Check errors/sanity
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ah.logger.Error("error authenticating", "error", err, "backoff", backoff)
|
ah.logger.Error("error authenticating", "error", err, "backoff", backoff)
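Review bot: After `LookupSelfWithContext(ctx)` and `WriteWithContext(ctx, path, data)`, a cancelled ctx now surfaces as an ordinary error and is logged at Error level ("could not look up token" / "error authenticating") before `backoffOrQuit` runs, so a normal shutdown will produce a spurious error entry. Unless Run already checks `ctx.Done()` at the top of its loop (not visible here), consider `if ctx.Err() != nil { return ctx.Err() }` before the log in both places. This applies to both hunks in this section; the Run loop continues outside the hunks shown.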
|
||||||
|
|