8fecccde21
The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user.
84 lines
2 KiB
Go
84 lines
2 KiB
Go
package userpass
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
pwd "github.com/hashicorp/vault/helper/password"
|
|
"github.com/mitchellh/mapstructure"
|
|
)
|
|
|
|
type CLIHandler struct{}
|
|
|
|
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
|
|
var data struct {
|
|
Username string `mapstructure:"username"`
|
|
Password string `mapstructure:"password"`
|
|
Mount string `mapstructure:"mount"`
|
|
Method string `mapstructure:"method"`
|
|
Passcode string `mapstructure:"passcode"`
|
|
}
|
|
if err := mapstructure.WeakDecode(m, &data); err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if data.Username == "" {
|
|
return "", fmt.Errorf("'username' must be specified")
|
|
}
|
|
if data.Password == "" {
|
|
fmt.Printf("Password (will be hidden): ")
|
|
password, err := pwd.Read(os.Stdin)
|
|
fmt.Println()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
data.Password = password
|
|
}
|
|
if data.Mount == "" {
|
|
data.Mount = "userpass"
|
|
}
|
|
|
|
options := map[string]interface{}{
|
|
"password": data.Password,
|
|
}
|
|
if data.Method != "" {
|
|
options["method"] = data.Method
|
|
}
|
|
if data.Passcode != "" {
|
|
options["passcode"] = data.Passcode
|
|
}
|
|
|
|
path := fmt.Sprintf("auth/%s/login/%s", data.Mount, data.Username)
|
|
secret, err := c.Logical().Write(path, options)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if secret == nil {
|
|
return "", fmt.Errorf("empty response from credential provider")
|
|
}
|
|
|
|
return secret.Auth.ClientToken, nil
|
|
}
|
|
|
|
func (h *CLIHandler) Help() string {
|
|
help := `
|
|
The "userpass" credential provider allows you to authenticate with
|
|
a username and password. To use it, specify the "username" and "password"
|
|
parameters. If password is not provided on the command line, it will be
|
|
read from stdin.
|
|
|
|
If multi-factor authentication (MFA) is enabled, a "method" and/or "passcode"
|
|
may be provided depending on the MFA backend enabled. To check
|
|
which MFA backend is in use, read "auth/[mount]/mfa_config".
|
|
|
|
Example: vault auth -method=userpass \
|
|
username=<user> \
|
|
password=<password>
|
|
|
|
`
|
|
|
|
return strings.TrimSpace(help)
|
|
}
|