publish-vod/vault.go

package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path"

	"github.com/hashicorp/vault/api"
	"golang.org/x/oauth2"
)

func loadClientDetailsFromVault() (clientID, clientSecret string, err error) {
	secret, err := loadVaultKey()
	if err != nil {
		return "", "", fmt.Errorf("getting Vault key: %w", err)
	}

	var ok bool
	if clientID, ok = secret.Data["clientId"].(string); !ok {
		return "", "", fmt.Errorf("missing 'clientId' in key")
	}

	if clientSecret, ok = secret.Data["clientSecret"].(string); !ok {
		return "", "", fmt.Errorf("missing 'clientSecret' in key")
	}

	return clientID, clientSecret, nil
}

func loadTokenFromVault() (t *oauth2.Token, err error) {
	secret, err := loadVaultKey()
	if err != nil {
		return nil, fmt.Errorf("getting Vault key: %w", err)
	}

	token, ok := secret.Data["token"].(string)
	if !ok {
		return nil, fmt.Errorf("token not present in key")
	}

	var tok oauth2.Token
	if err = json.Unmarshal([]byte(token), &tok); err != nil {
		return nil, fmt.Errorf("unmarshaling token: %w", err)
	}

	return &tok, nil
}

func loadVaultKey() (secret *api.Secret, err error) {
	client, err := vaultClient()
	if err != nil {
		return nil, fmt.Errorf("getting vault client: %w", err)
	}

	secret, err = client.Logical().Read(cfg.VaultKey)
	if err != nil {
		return nil, fmt.Errorf("getting secret: %w", err)
	}

	if secret == nil || secret.Data == nil {
		return nil, fmt.Errorf("got secret without data")
	}

	return secret, nil
}

func saveTokenToVault(t *oauth2.Token) (err error) {
	secret, err := loadVaultKey()
	if err != nil {
		return fmt.Errorf("loading existing key: %w", err)
	}

	client, err := vaultClient()
	if err != nil {
		return fmt.Errorf("getting vault client: %w", err)
	}

	data := make(map[string]any)
	for k, v := range secret.Data {
		data[k] = v
	}

	jsonToken, err := json.Marshal(t)
	if err != nil {
		return fmt.Errorf("marshalling token: %w", err)
	}
	data["token"] = string(jsonToken)

	if _, err = client.Logical().Write(cfg.VaultKey, data); err != nil {
		return fmt.Errorf("writing secret: %w", err)
	}

	return nil
}

func vaultClient() (client *api.Client, err error) {
	client, err = api.NewClient(api.DefaultConfig())
	if err != nil {
		return nil, fmt.Errorf("creating Vault client: %w", err)
	}

	home, err := os.UserHomeDir()
	if err != nil {
		return nil, fmt.Errorf("getting user home: %w", err)
	}

	token, err := os.ReadFile(path.Join(home, ".vault-token")) //#nosec:G304 // Secured paths
	if err != nil {
		return nil, fmt.Errorf("reading vault token file: %w", err)
	}
	client.SetToken(string(token))

	return client, nil
}
Initial version 2024-02-24 00:22:19 +00:00			`package main`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"os"`
			`"path"`

			`"github.com/hashicorp/vault/api"`
			`"golang.org/x/oauth2"`
			`)`

			`func loadClientDetailsFromVault() (clientID, clientSecret string, err error) {`
			`secret, err := loadVaultKey()`
			`if err != nil {`
			`return "", "", fmt.Errorf("getting Vault key: %w", err)`
			`}`

			`var ok bool`
			`if clientID, ok = secret.Data["clientId"].(string); !ok {`
			`return "", "", fmt.Errorf("missing 'clientId' in key")`
			`}`

			`if clientSecret, ok = secret.Data["clientSecret"].(string); !ok {`
			`return "", "", fmt.Errorf("missing 'clientSecret' in key")`
			`}`

			`return clientID, clientSecret, nil`
			`}`

			`func loadTokenFromVault() (t *oauth2.Token, err error) {`
			`secret, err := loadVaultKey()`
			`if err != nil {`
			`return nil, fmt.Errorf("getting Vault key: %w", err)`
			`}`

			`token, ok := secret.Data["token"].(string)`
			`if !ok {`
			`return nil, fmt.Errorf("token not present in key")`
			`}`

			`var tok oauth2.Token`
			`if err = json.Unmarshal([]byte(token), &tok); err != nil {`
			`return nil, fmt.Errorf("unmarshaling token: %w", err)`
			`}`

			`return &tok, nil`
			`}`

			`func loadVaultKey() (secret *api.Secret, err error) {`
			`client, err := vaultClient()`
			`if err != nil {`
			`return nil, fmt.Errorf("getting vault client: %w", err)`
			`}`

			`secret, err = client.Logical().Read(cfg.VaultKey)`
			`if err != nil {`
			`return nil, fmt.Errorf("getting secret: %w", err)`
			`}`

			`if secret == nil \|\| secret.Data == nil {`
			`return nil, fmt.Errorf("got secret without data")`
			`}`

			`return secret, nil`
			`}`

			`func saveTokenToVault(t *oauth2.Token) (err error) {`
			`secret, err := loadVaultKey()`
			`if err != nil {`
			`return fmt.Errorf("loading existing key: %w", err)`
			`}`

			`client, err := vaultClient()`
			`if err != nil {`
			`return fmt.Errorf("getting vault client: %w", err)`
			`}`

			`data := make(map[string]any)`
			`for k, v := range secret.Data {`
			`data[k] = v`
			`}`

			`jsonToken, err := json.Marshal(t)`
			`if err != nil {`
			`return fmt.Errorf("marshalling token: %w", err)`
			`}`
			`data["token"] = string(jsonToken)`

			`if _, err = client.Logical().Write(cfg.VaultKey, data); err != nil {`
			`return fmt.Errorf("writing secret: %w", err)`
			`}`

			`return nil`
			`}`

			`func vaultClient() (client *api.Client, err error) {`
			`client, err = api.NewClient(api.DefaultConfig())`
			`if err != nil {`
			`return nil, fmt.Errorf("creating Vault client: %w", err)`
			`}`

			`home, err := os.UserHomeDir()`
			`if err != nil {`
			`return nil, fmt.Errorf("getting user home: %w", err)`
			`}`

			`token, err := os.ReadFile(path.Join(home, ".vault-token")) //#nosec:G304 // Secured paths`
			`if err != nil {`
			`return nil, fmt.Errorf("reading vault token file: %w", err)`
			`}`
			`client.SetToken(string(token))`

			`return client, nil`
			`}`