package api import ( "context" "fmt" ) // Auth is used to perform credential backend related operations. type Auth struct { c *Client } type AuthMethod interface { Login(ctx context.Context, client *Client) (*Secret, error) } // Auth is used to return the client for credential-backend API calls. func (c *Client) Auth() *Auth { return &Auth{c: c} } // Login sets up the required request body for login requests to the given auth // method's /login API endpoint, and then performs a write to it. After a // successful login, this method will automatically set the client's token to // the login response's ClientToken as well. // // The Secret returned is the authentication secret, which if desired can be // passed as input to the NewLifetimeWatcher method in order to start // automatically renewing the token. func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error) { if authMethod == nil { return nil, fmt.Errorf("no auth method provided for login") } return a.login(ctx, authMethod) } // MFALogin is a wrapper that helps satisfy Vault's MFA implementation. // If optional credentials are provided a single-phase login will be attempted // and the resulting Secret will contain a ClientToken if the authentication is successful. // The client's token will also be set accordingly. // // If no credentials are provided a two-phase MFA login will be assumed and the resulting // Secret will have a MFARequirement containing the MFARequestID to be used in a follow-up // call to `sys/mfa/validate` or by passing it to the method (*Auth).MFAValidate. func (a *Auth) MFALogin(ctx context.Context, authMethod AuthMethod, creds ...string) (*Secret, error) { if len(creds) > 0 { a.c.SetMFACreds(creds) return a.login(ctx, authMethod) } return a.twoPhaseMFALogin(ctx, authMethod) } // MFAValidate validates an MFA request using the appropriate payload and a secret containing // Auth.MFARequirement, like the one returned by MFALogin when credentials are not provided. // Upon successful validation the client token will be set accordingly. // // The Secret returned is the authentication secret, which if desired can be // passed as input to the NewLifetimeWatcher method in order to start // automatically renewing the token. func (a *Auth) MFAValidate(ctx context.Context, mfaSecret *Secret, payload map[string]interface{}) (*Secret, error) { if mfaSecret == nil || mfaSecret.Auth == nil || mfaSecret.Auth.MFARequirement == nil { return nil, fmt.Errorf("secret does not contain MFARequirements") } s, err := a.c.Sys().MFAValidateWithContext(ctx, mfaSecret.Auth.MFARequirement.GetMFARequestID(), payload) if err != nil { return nil, err } return a.checkAndSetToken(s) } // login performs the (*AuthMethod).Login() with the configured client and checks that a ClientToken is returned func (a *Auth) login(ctx context.Context, authMethod AuthMethod) (*Secret, error) { s, err := authMethod.Login(ctx, a.c) if err != nil { return nil, fmt.Errorf("unable to log in to auth method: %w", err) } return a.checkAndSetToken(s) } // twoPhaseMFALogin performs the (*AuthMethod).Login() with the configured client // and checks that an MFARequirement is returned func (a *Auth) twoPhaseMFALogin(ctx context.Context, authMethod AuthMethod) (*Secret, error) { s, err := authMethod.Login(ctx, a.c) if err != nil { return nil, fmt.Errorf("unable to log in: %w", err) } if s == nil || s.Auth == nil || s.Auth.MFARequirement == nil { if s != nil { s.Warnings = append(s.Warnings, "expected secret to contain MFARequirements") } return s, fmt.Errorf("assumed two-phase MFA login, returned secret is missing MFARequirements") } return s, nil } func (a *Auth) checkAndSetToken(s *Secret) (*Secret, error) { if s == nil || s.Auth == nil || s.Auth.ClientToken == "" { if s != nil { s.Warnings = append(s.Warnings, "expected secret to contain ClientToken") } return s, fmt.Errorf("response did not return ClientToken, client token not set") } a.c.SetToken(s.Auth.ClientToken) return s, nil }