// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 package cert import ( "fmt" "strings" "github.com/hashicorp/vault/api" "github.com/mitchellh/mapstructure" ) type CLIHandler struct{} func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) { var data struct { Mount string `mapstructure:"mount"` Name string `mapstructure:"name"` } if err := mapstructure.WeakDecode(m, &data); err != nil { return nil, err } if data.Mount == "" { data.Mount = "cert" } options := map[string]interface{}{ "name": data.Name, } path := fmt.Sprintf("auth/%s/login", data.Mount) secret, err := c.Logical().Write(path, options) if err != nil { return nil, err } if secret == nil { return nil, fmt.Errorf("empty response from credential provider") } return secret, nil } func (h *CLIHandler) Help() string { help := ` Usage: vault login -method=cert [CONFIG K=V...] The certificate auth method allows users to authenticate with a client certificate passed with the request. The -client-cert and -client-key flags are included with the "vault login" command, NOT as configuration to the auth method. Authenticate using a local client certificate: $ vault login -method=cert -client-cert=cert.pem -client-key=key.pem Configuration: name= Certificate role to authenticate against. ` return strings.TrimSpace(help) }