vault2env/main.go

package main

import (
	"fmt"
	"io/ioutil"
	"os"
	"os/exec"
	"strings"

	"github.com/Luzifer/go_helpers/env"
	"github.com/Luzifer/rconfig"
	log "github.com/Sirupsen/logrus"
	"github.com/hashicorp/vault/api"
	"github.com/mitchellh/go-homedir"
)

var (
	cfg = struct {
		AppRoleAuth struct {
			RoleID   string `flag:"vault-role-id" env:"VAULT_ROLE_ID" default:"" description:"ID of the role to use"`
			SecretID string `flag:"vault-secret-id" env:"VAULT_SECRET_ID" default:"" description:"Corresponding secret ID to the role"`
		}
		Export    bool   `flag:"export,e" default:"false" description:"Show export statements instead of running the command specified"`
		LogLevel  string `flag:"log-level" default:"info" description:"Verbosity of logs to use (debug, info, warning, error, ...)"`
		TokenAuth struct {
			Token string `flag:"vault-token" env:"VAULT_TOKEN" vardefault:"vault-token" description:"Specify a token to use instead of app-id auth"`
		}
		Transform      []string `flag:"transform,t" default:"" description:"Translates keys to different names (oldkey=newkey)"`
		TransformSet   []string `flag:"transform-set" default:"" description:"Apply predefined transform sets (Available: STS)"`
		VaultAddress   string   `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
		VaultKeys      []string `flag:"key,k" default:"" description:"Keys to read and use for environment variables"`
		VersionAndExit bool     `flag:"version" default:"false" description:"Print program version and exit"`
	}{}
	version = "dev"
)

func vaultTokenFromDisk() string {
	vf, err := homedir.Expand("~/.vault-token")
	if err != nil {
		return ""
	}

	data, err := ioutil.ReadFile(vf)
	if err != nil {
		return ""
	}

	return string(data)
}

func init() {
	rconfig.SetVariableDefaults(map[string]string{
		"vault-token": vaultTokenFromDisk(),
	})
	rconfig.Parse(&cfg)

	if cfg.VersionAndExit {
		fmt.Printf("vault2env %s\n", version)
		os.Exit(0)
	}

	if logLevel, err := log.ParseLevel(cfg.LogLevel); err == nil {
		log.SetLevel(logLevel)
	} else {
		log.Fatalf("Unable to parse log level: %s", err)
	}

	if len(cfg.VaultKeys) == 0 || (len(cfg.VaultKeys) == 1 && cfg.VaultKeys[0] == "") {
		log.Fatalf("[ERR] You need to specify at least one --key to read")
	}

	if !cfg.Export && len(rconfig.Args()) == 1 {
		log.Fatalf("[ERR] Usage: vault2env [command]")
	}
}

func main() {
	client, err := api.NewClient(&api.Config{
		Address: cfg.VaultAddress,
	})
	if err != nil {
		log.Fatalf("Unable to create client: %s", err)
	}

	switch {
	case cfg.TokenAuth.Token != "":
		client.SetToken(cfg.TokenAuth.Token)

	case cfg.AppRoleAuth.RoleID != "":
		data := map[string]interface{}{
			"role_id": cfg.AppRoleAuth.RoleID,
		}
		if cfg.AppRoleAuth.SecretID != "" {
			data["secret_id"] = cfg.AppRoleAuth.SecretID
		}
		loginSecret, lserr := client.Logical().Write("auth/approle/login", data)
		if lserr != nil || loginSecret.Auth == nil {
			log.Fatalf("Unable to fetch authentication token: %s", lserr)
		}

		client.SetToken(loginSecret.Auth.ClientToken)
		defer client.Auth().Token().RevokeSelf(client.Token())

	default:
		log.Fatalf(strings.Join([]string{
			"[ERR] Did not find any authentication method. Try one of these:",
			"- Specify `--vault-token` for token based authentication",
			"- Specify `--vault-role-id` and optionally `--vault-secret-id` for AppRole authentication",
		}, "\n"))
	}

	envData := map[string]string{}

	for _, setName := range cfg.TransformSet {
		if set, ok := transformSets[setName]; ok {
			cfg.Transform = append(cfg.Transform, set...)
		} else {
			log.Warnf("Transform set %q was not found, ignoring", setName)
		}
	}
	transformMap := env.ListToMap(cfg.Transform)

	for _, vaultKey := range cfg.VaultKeys {
		data, err := client.Logical().Read(vaultKey)
		if err != nil {
			log.Errorf("Unable to fetch data for key %q: %s", vaultKey, err)
			continue
		}

		if data == nil {
			log.Errorf("Vault key %q does not exist", vaultKey)
			continue
		}

		if data.Data == nil {
			log.Errorf("Vault key %q did not contain data", vaultKey)
			continue
		}

		for k, v := range data.Data {
			key := k
			if newKey, ok := transformMap[key]; ok {
				key = newKey
			}
			envData[key] = v.(string)
		}
	}

	if len(envData) == 0 {
		log.Fatalf("No environment data could be extracted")
	}

	if cfg.Export {
		for k, v := range envData {
			fmt.Printf("export %s=%q\n", k, v)
		}
		return
	}

	emap := env.ListToMap(os.Environ())
	for k, v := range emap {
		if _, ok := envData[k]; !ok {
			envData[k] = v
		}
	}

	cmd := exec.Command(rconfig.Args()[1], rconfig.Args()[2:]...)
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	cmd.Stdin = os.Stdin
	cmd.Env = env.MapToList(envData)
	if err := cmd.Run(); err != nil {
		log.Fatal("Command exitted unclean (code != 0)")
	}
}
First version 2016-05-28 23:35:17 +00:00			`package main`

			`import (`
			`"fmt"`
If not specified use token from ~/.vault-token 2016-06-25 12:24:13 +00:00			`"io/ioutil"`
Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`"os"`
			`"os/exec"`
Add support for AppRole authentication 2016-09-17 23:16:31 +00:00			`"strings"`
First version 2016-05-28 23:35:17 +00:00
Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`"github.com/Luzifer/go_helpers/env"`
First version 2016-05-28 23:35:17 +00:00			`"github.com/Luzifer/rconfig"`
Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			`log "github.com/Sirupsen/logrus"`
First version 2016-05-28 23:35:17 +00:00			`"github.com/hashicorp/vault/api"`
If not specified use token from ~/.vault-token 2016-06-25 12:24:13 +00:00			`"github.com/mitchellh/go-homedir"`
First version 2016-05-28 23:35:17 +00:00			`)`

			`var (`
			`cfg = struct {`
Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			`AppRoleAuth struct {`
Add support for AppRole authentication 2016-09-17 23:16:31 +00:00			RoleID string `flag:"vault-role-id" env:"VAULT_ROLE_ID" default:"" description:"ID of the role to use"`
			SecretID string `flag:"vault-secret-id" env:"VAULT_SECRET_ID" default:"" description:"Corresponding secret ID to the role"`
			`}`
Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			Export bool `flag:"export,e" default:"false" description:"Show export statements instead of running the command specified"`
			LogLevel string `flag:"log-level" default:"info" description:"Verbosity of logs to use (debug, info, warning, error, ...)"`
Add support for AppRole authentication 2016-09-17 23:16:31 +00:00			`TokenAuth struct {`
			Token string `flag:"vault-token" env:"VAULT_TOKEN" vardefault:"vault-token" description:"Specify a token to use instead of app-id auth"`
			`}`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			Transform []string `flag:"transform,t" default:"" description:"Translates keys to different names (oldkey=newkey)"`
Add predefined transform sets Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-18 20:17:19 +00:00			TransformSet []string `flag:"transform-set" default:"" description:"Apply predefined transform sets (Available: STS)"`
Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			VaultAddress string `flag:"vault-addr" env:"VAULT_ADDR" default:"https://127.0.0.1:8200" description:"Vault API address"`
			VaultKeys []string `flag:"key,k" default:"" description:"Keys to read and use for environment variables"`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			VersionAndExit bool `flag:"version" default:"false" description:"Print program version and exit"`
First version 2016-05-28 23:35:17 +00:00			`}{}`
			`version = "dev"`
			`)`

If not specified use token from ~/.vault-token 2016-06-25 12:24:13 +00:00			`func vaultTokenFromDisk() string {`
			`vf, err := homedir.Expand("~/.vault-token")`
			`if err != nil {`
			`return ""`
			`}`

			`data, err := ioutil.ReadFile(vf)`
			`if err != nil {`
			`return ""`
			`}`

			`return string(data)`
			`}`

First version 2016-05-28 23:35:17 +00:00			`func init() {`
If not specified use token from ~/.vault-token 2016-06-25 12:24:13 +00:00			`rconfig.SetVariableDefaults(map[string]string{`
			`"vault-token": vaultTokenFromDisk(),`
			`})`
First version 2016-05-28 23:35:17 +00:00			`rconfig.Parse(&cfg)`

Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`if cfg.VersionAndExit {`
			`fmt.Printf("vault2env %s\n", version)`
			`os.Exit(0)`
			`}`

Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			`if logLevel, err := log.ParseLevel(cfg.LogLevel); err == nil {`
			`log.SetLevel(logLevel)`
Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`} else {`
Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			`log.Fatalf("Unable to parse log level: %s", err)`
			`}`

			`if len(cfg.VaultKeys) == 0 \|\| (len(cfg.VaultKeys) == 1 && cfg.VaultKeys[0] == "") {`
			`log.Fatalf("[ERR] You need to specify at least one --key to read")`
			`}`

			`if !cfg.Export && len(rconfig.Args()) == 1 {`
			`log.Fatalf("[ERR] Usage: vault2env [command]")`
First version 2016-05-28 23:35:17 +00:00			`}`
			`}`

			`func main() {`
			`client, err := api.NewClient(&api.Config{`
			`Address: cfg.VaultAddress,`
			`})`
			`if err != nil {`
			`log.Fatalf("Unable to create client: %s", err)`
			`}`

Add support for AppRole authentication 2016-09-17 23:16:31 +00:00			`switch {`
			`case cfg.TokenAuth.Token != "":`
			`client.SetToken(cfg.TokenAuth.Token)`

			`case cfg.AppRoleAuth.RoleID != "":`
			`data := map[string]interface{}{`
			`"role_id": cfg.AppRoleAuth.RoleID,`
			`}`
			`if cfg.AppRoleAuth.SecretID != "" {`
			`data["secret_id"] = cfg.AppRoleAuth.SecretID`
			`}`
			`loginSecret, lserr := client.Logical().Write("auth/approle/login", data)`
			`if lserr != nil \|\| loginSecret.Auth == nil {`
			`log.Fatalf("Unable to fetch authentication token: %s", lserr)`
			`}`

			`client.SetToken(loginSecret.Auth.ClientToken)`
			`defer client.Auth().Token().RevokeSelf(client.Token())`

			`default:`
			`log.Fatalf(strings.Join([]string{`
			`"[ERR] Did not find any authentication method. Try one of these:",`
			"- Specify `--vault-token` for token based authentication",
			"- Specify `--vault-role-id` and optionally `--vault-secret-id` for AppRole authentication",
			`}, "\n"))`
Enable token auth 2016-05-29 00:17:04 +00:00			`}`
First version 2016-05-28 23:35:17 +00:00
Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			`envData := map[string]string{}`
Add predefined transform sets Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-18 20:17:19 +00:00
			`for _, setName := range cfg.TransformSet {`
			`if set, ok := transformSets[setName]; ok {`
			`cfg.Transform = append(cfg.Transform, set...)`
			`} else {`
			`log.Warnf("Transform set %q was not found, ignoring", setName)`
			`}`
			`}`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			`transformMap := env.ListToMap(cfg.Transform)`

Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			`for _, vaultKey := range cfg.VaultKeys {`
			`data, err := client.Logical().Read(vaultKey)`
			`if err != nil {`
Fix: Do not try to access data on error Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-08-07 13:36:42 +00:00			`log.Errorf("Unable to fetch data for key %q: %s", vaultKey, err)`
			`continue`
			`}`

Fix: Don't panic if a key is not existent Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-09-25 19:51:29 +00:00			`if data == nil {`
			`log.Errorf("Vault key %q does not exist", vaultKey)`
			`continue`
			`}`

Fix: Do not try to access data on error Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-08-07 13:36:42 +00:00			`if data.Data == nil {`
			`log.Errorf("Vault key %q did not contain data", vaultKey)`
			`continue`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			`}`
Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00
			`for k, v := range data.Data {`
			`key := k`
			`if newKey, ok := transformMap[key]; ok {`
			`key = newKey`
			`}`
			`envData[key] = v.(string)`
			`}`
			`}`

			`if len(envData) == 0 {`
			`log.Fatalf("No environment data could be extracted")`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			`}`

Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`if cfg.Export {`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			`for k, v := range envData {`
Add predefined transform sets Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-18 20:17:19 +00:00			`fmt.Printf("export %s=%q\n", k, v)`
Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`}`
			`return`
			`}`

			`emap := env.ListToMap(os.Environ())`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			`for k, v := range emap {`
			`if _, ok := envData[k]; !ok {`
			`envData[k] = v`
			`}`
First version 2016-05-28 23:35:17 +00:00			`}`

Breaking: Move vault keys to parameters Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-04-21 19:31:46 +00:00			`cmd := exec.Command(rconfig.Args()[1], rconfig.Args()[2:]...)`
Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`cmd.Stdout = os.Stdout`
			`cmd.Stderr = os.Stderr`
			`cmd.Stdin = os.Stdin`
Add transform feature to rename keys from Vault 2016-10-04 11:12:36 +00:00			`cmd.Env = env.MapToList(envData)`
Added command execution in addition to execution 2016-05-29 00:04:23 +00:00			`if err := cmd.Run(); err != nil {`
			`log.Fatal("Command exitted unclean (code != 0)")`
First version 2016-05-28 23:35:17 +00:00			`}`
			`}`