luzifer/korvike
1
0
Fork 0
mirror of https://github.com/Luzifer/korvike.git synced 2024-09-19 17:02:57 +00:00
Code Issues Releases Wiki Activity

Add AppRole support into Vault function

Browse Source 
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2019-07-28 20:09:25 +02:00
parent 47eeb5a350
commit 110f5c3f04
Signed by: luzifer
GPG Key ID: DC2729FDD34BE99E
1 changed files with 55 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
functions/func_vault.go
View File

@ -1,6 +1,7 @@
package functions package functions
import ( import (
"errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os" "os"
@ -18,15 +19,11 @@ func init() {
return nil, fmt.Errorf("Key is not set") return nil, fmt.Errorf("Key is not set")
} }
client, err := api.NewClient(&api.Config{ client, err := vaultClientFromEnvOrFile()
Address: os.Getenv(api.EnvVaultAddress),
})
if err != nil { if err != nil {
return nil, err return nil, err
} }
client.SetToken(vaultTokenFromEnvOrFile())
secret, err := client.Logical().Read(name) secret, err := client.Logical().Read(name)
if err != nil { if err != nil {
return nil, err return nil, err
@ -46,16 +43,63 @@ func init() {
}) })
} }
func vaultTokenFromEnvOrFile() string { func vaultClientFromEnvOrFile() (*api.Client, error) {
if token := os.Getenv(api.EnvVaultToken); token != "" { client, err := api.NewClient(&api.Config{
return token Address: os.Getenv(api.EnvVaultAddress),
})
if err != nil {
return nil, err
} }
switch {
case os.Getenv(api.EnvVaultToken) != "":
client.SetToken(os.Getenv(api.EnvVaultToken))
case os.Getenv("VAULT_ROLE_ID") != "":
if err = setVaultTokenFromRoleID(client); err != nil {
return nil, fmt.Errorf("Unable to fetch VAULT_TOKEN: %s", err)
}
case hasTokenFile():
if f, err := homedir.Expand("~/.vault-token"); err == nil {
if b, err := ioutil.ReadFile(f); err == nil {
client.SetToken(string(b))
}
}
default:
return nil, errors.New("Neither VAULT_TOKEN nor VAULT_ROLE_ID was found in ENV and no ~/.vault-token file is present")
}
return client, nil
}
func hasTokenFile() bool {
if f, err := homedir.Expand("~/.vault-token"); err == nil { if f, err := homedir.Expand("~/.vault-token"); err == nil {
if b, err := ioutil.ReadFile(f); err == nil { if _, err := os.Stat(f); err == nil {
return string(b) return true
} }
} }
return "" return false
}
func setVaultTokenFromRoleID(client *api.Client) error {
data := map[string]interface{}{
"role_id": os.Getenv("VAULT_ROLE_ID"),
}
if os.Getenv("VAULT_SECRET_ID") != "" {
data["secret_id"] = os.Getenv("VAULT_SECRET_ID")
}
loginSecret, lserr := client.Logical().Write("auth/approle/login", data)
if lserr != nil || loginSecret.Auth == nil {
return fmt.Errorf("Unable to fetch authentication token: %s", lserr)
}
client.SetToken(loginSecret.Auth.ClientToken)
return nil
} }