Beispiel #1
0
func (s *VaultSource) setToken(c *api.Client) error {
	s.mu.Lock()
	defer func() {
		c.SetToken(s.token)
		s.mu.Unlock()
	}()

	if s.token != "" {
		return nil
	}

	if s.vaultToken == "" {
		return errors.New("vault: no token")
	}

	// did we get a wrapped token?
	resp, err := c.Logical().Unwrap(s.vaultToken)
	if err != nil {
		// not a wrapped token?
		if strings.HasPrefix(err.Error(), "no value found at") {
			s.token = s.vaultToken
			return nil
		}
		return err
	}
	log.Printf("[INFO] vault: Unwrapped token %s", s.vaultToken)

	s.token = resp.Auth.ClientToken
	return nil
}
Beispiel #2
0
func initVault() {
	// set up vault client
	var client *vault.Client
	if viper.GetString("vault-cubbyhole-token") != "" || viper.GetString("vault-token") != "" {
		config := vault.DefaultConfig()
		err := config.ReadEnvironment()
		if err != nil {
			log.WithError(err).Fatal("Error reading environment for Vault configuration")
		}
		client, err = vault.NewClient(config)
		if err != nil {
			log.WithError(err).Fatal("Error initializing Vault client")
		}
	}

	// unwrap real token
	if wrapped := viper.GetString("vault-cubbyhole-token"); wrapped != "" {
		token, err := client.Logical().Unwrap(wrapped)
		if err != nil {
			log.WithError(err).Fatal("Error unwrapping token")
		} else if token.WrapInfo != nil {
			log.Fatal("Secret appears to be doubly wrapped")
		} else if token.Auth == nil {
			log.Fatal("Secret contained no auth data")
		}

		viper.Set("vault-token", token.Auth.ClientToken)
	}

	// read secrets from vault
	if token := viper.GetString("vault-token"); token != "" {
		client.SetToken(token)

		secret, err := client.Logical().Read("secret/mantl-api")
		if err != nil {
			log.WithError(err).Fatal("Error reading secret/mantl-api")
		}

		for _, secretName := range []string{
			"mesos-principal", "mesos-secret",
			"marathon-user", "marathon-password",
		} {
			secretValue, ok := secret.Data[secretName].(string)
			if ok {
				viper.Set(secretName, secretValue)
			} else {
				log.Warnf("secret/mantl-api didn't contain %s", secretName)
			}
		}
	}
}
Beispiel #3
0
// authenticate with the remote client
func authenticate(c *vaultapi.Client, authType string, params map[string]string) (err error) {
	var secret *vaultapi.Secret

	// handle panics gracefully by creating an error
	// this would happen when we get a parameter that is missing
	defer panicToError(&err)

	switch authType {
	case "app-id":
		secret, err = c.Logical().Write("/auth/app-id/login", map[string]interface{}{
			"app_id":  getParameter("app-id", params),
			"user_id": getParameter("user-id", params),
		})
	case "github":
		secret, err = c.Logical().Write("/auth/github/login", map[string]interface{}{
			"token": getParameter("token", params),
		})
	case "token":
		c.SetToken(getParameter("token", params))
		secret, err = c.Logical().Read("/auth/token/lookup-self")
	case "userpass":
		username, password := getParameter("username", params), getParameter("password", params)
		secret, err = c.Logical().Write(fmt.Sprintf("/auth/userpass/login/%s", username), map[string]interface{}{
			"password": password,
		})
	}

	if err != nil {
		return err
	}

	// if the token has already been set
	if c.Token() != "" {
		return nil
	}

	log.Debug("client authenticated with auth backend: %s", authType)
	// the default place for a token is in the auth section
	// otherwise, the backend will set the token itself
	c.SetToken(secret.Auth.ClientToken)
	return nil
}