2017-06-20 09:24:02 +00:00
|
|
|
package functions
|
|
|
|
|
|
|
|
import (
|
2019-07-28 18:09:25 +00:00
|
|
|
"errors"
|
2017-06-20 09:24:02 +00:00
|
|
|
"fmt"
|
|
|
|
"os"
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
|
|
homedir "github.com/mitchellh/go-homedir"
|
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
registerFunction("vault", func(name string, v ...string) (interface{}, error) {
|
|
|
|
if name == "" {
|
2024-02-28 22:54:18 +00:00
|
|
|
return nil, fmt.Errorf("path is not set")
|
2017-06-20 09:24:02 +00:00
|
|
|
}
|
|
|
|
if len(v) < 1 {
|
2024-02-28 22:54:18 +00:00
|
|
|
return nil, fmt.Errorf("key is not set")
|
2017-06-20 09:24:02 +00:00
|
|
|
}
|
|
|
|
|
2019-07-28 18:09:25 +00:00
|
|
|
client, err := vaultClientFromEnvOrFile()
|
2017-06-20 09:24:02 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
secret, err := client.Logical().Read(name)
|
|
|
|
if err != nil {
|
2024-02-28 22:54:18 +00:00
|
|
|
return nil, fmt.Errorf("reading secret: %s", err)
|
2017-06-20 09:24:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if secret != nil && secret.Data != nil {
|
|
|
|
if val, ok := secret.Data[v[0]]; ok {
|
|
|
|
return val, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-02-28 22:54:18 +00:00
|
|
|
if len(v) < 2 { //nolint:gomnd
|
|
|
|
return nil, fmt.Errorf("requested value %q in key %q was not found in Vault and no default was set", v[0], name)
|
2017-06-20 09:24:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return v[1], nil
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-07-28 18:09:25 +00:00
|
|
|
func vaultClientFromEnvOrFile() (*api.Client, error) {
|
|
|
|
client, err := api.NewClient(&api.Config{
|
|
|
|
Address: os.Getenv(api.EnvVaultAddress),
|
|
|
|
})
|
|
|
|
if err != nil {
|
2024-02-28 22:54:18 +00:00
|
|
|
return nil, fmt.Errorf("creating Vault client: %w", err)
|
2019-07-28 18:09:25 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
switch {
|
|
|
|
case os.Getenv(api.EnvVaultToken) != "":
|
|
|
|
client.SetToken(os.Getenv(api.EnvVaultToken))
|
|
|
|
|
|
|
|
case os.Getenv("VAULT_ROLE_ID") != "":
|
|
|
|
if err = setVaultTokenFromRoleID(client); err != nil {
|
2024-02-28 22:54:18 +00:00
|
|
|
return nil, fmt.Errorf("fetch VAULT_TOKEN: %w", err)
|
2019-07-28 18:09:25 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
case hasTokenFile():
|
|
|
|
if f, err := homedir.Expand("~/.vault-token"); err == nil {
|
2024-02-28 22:54:18 +00:00
|
|
|
//#nosec:G304 // File is a well-known file location
|
|
|
|
if b, err := os.ReadFile(f); err == nil {
|
2019-07-28 18:09:25 +00:00
|
|
|
client.SetToken(string(b))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
2024-02-28 22:54:18 +00:00
|
|
|
return nil, errors.New("neither VAULT_TOKEN nor VAULT_ROLE_ID was found in ENV and no ~/.vault-token file is present")
|
2017-06-20 09:24:02 +00:00
|
|
|
}
|
|
|
|
|
2019-07-28 18:09:25 +00:00
|
|
|
return client, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func hasTokenFile() bool {
|
2017-06-20 09:24:02 +00:00
|
|
|
if f, err := homedir.Expand("~/.vault-token"); err == nil {
|
2019-07-28 18:09:25 +00:00
|
|
|
if _, err := os.Stat(f); err == nil {
|
|
|
|
return true
|
2017-06-20 09:24:02 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-07-28 18:09:25 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func setVaultTokenFromRoleID(client *api.Client) error {
|
|
|
|
data := map[string]interface{}{
|
|
|
|
"role_id": os.Getenv("VAULT_ROLE_ID"),
|
|
|
|
}
|
|
|
|
|
|
|
|
if os.Getenv("VAULT_SECRET_ID") != "" {
|
|
|
|
data["secret_id"] = os.Getenv("VAULT_SECRET_ID")
|
|
|
|
}
|
|
|
|
|
|
|
|
loginSecret, lserr := client.Logical().Write("auth/approle/login", data)
|
|
|
|
if lserr != nil || loginSecret.Auth == nil {
|
2024-02-28 22:54:18 +00:00
|
|
|
return fmt.Errorf("fetching authentication token: %w", lserr)
|
2019-07-28 18:09:25 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
client.SetToken(loginSecret.Auth.ClientToken)
|
|
|
|
return nil
|
2017-06-20 09:24:02 +00:00
|
|
|
}
|