Example #1
0
func (d *driver) mountServer(mountpoint string) (*fuse.Server, error) {
	if err := os.MkdirAll(filepath.Dir(mountpoint), 0755); err != nil {
		return nil, err
	}

	conf := api.DefaultConfig()
	client, err := api.NewClient(conf)
	if err != nil {
		return nil, err
	}

	ownership := keywhizfs.NewOwnership("root", "root")
	kwfs, root := NewFs(client, ownership)

	mountOptions := &fuse.MountOptions{
		AllowOther: true,
		Name:       kwfs.String(),
		Options:    []string{"default_permissions"},
	}

	// Empty Options struct avoids setting a global uid/gid override.
	conn := nodefs.NewFileSystemConnector(root, &nodefs.Options{})
	server, err := fuse.NewServer(conn.RawFS(), mountpoint, mountOptions)
	if err != nil {
		log.Printf("Mount fail: %v\n", err)
		return nil, err
	}

	go server.Serve()

	return server, nil
}
Example #2
0
// NewClient returns a VaultClient object or error
func NewClient(config *VaultConfig) (*VaultClient, error) {
	vc := VaultClient{}
	c, err := api.NewClient(&api.Config{Address: config.Server})
	vc.client = c
	vc.config = config
	return &vc, err
}
Example #3
0
func remove(keyname string) error {

	TOKEN = vLogin("", "", "ldap")
	if TOKEN == "" {
		return fmt.Errorf("%s", "User Login failed")
	}

	// Get element list
	EPATH := fmt.Sprint("secret/usr/", ADNAME)
	ELIST := getVaultValue(EPATH, TOKEN)

	//Split the list into an array
	EARRAY := strings.Split(ELIST.Data[LISTNAME].(string), ",")
	TNUM := -1
	// Search the array for the keyname value
	for lup, v := range EARRAY {
		if v == keyname {
			TNUM = lup
			break
		}
	}
	// If value isn't found, report it
	if TNUM == -1 {
		fmt.Println("Key name was not found in the list")
		return &errorString{"KeyError"}
	}

	// Delete the keyname
	config := tls.Config{InsecureSkipVerify: true}
	cnfg := vault.DefaultConfig()
	cnfg.Address = VAULTSERVER
	cnfg.HttpClient.Transport = &http.Transport{
		TLSClientConfig: &config,
	}
	client, err := vault.NewClient(cnfg)
	if err != nil {
		return err
	}
	client.SetToken(TOKEN)
	SPATH := fmt.Sprint("secret/usr/", ADNAME, "/", keyname)
	_, err = client.Logical().Delete(SPATH)
	if err != nil {
		return err
	}

	//Remove the key from the key list
	var s map[string]interface{}
	if TNUM == -1 || TNUM == 0 {
		s = map[string]interface{}{LISTNAME: ""}
	} else if TNUM > 0 {
		elst1 := strings.Join(EARRAY[:TNUM], ",")
		elst2 := strings.Join(EARRAY[TNUM+1:], ",")
		elst := strings.Join([]string{elst1, elst2}, ",")
		s = map[string]interface{}{LISTNAME: elst}
	}
	// And write it to the Vault
	err = putVaultValue(EPATH, TOKEN, s)
	return err
}
Example #4
0
func Client(token string) (*api.Client, error) {
	client, err := api.NewClient(DefaultConfig)
	if err != nil {
		return nil, err
	}
	client.SetToken(token)
	return client, nil
}
Example #5
0
// newVaultClient creates a new client for connecting to vault.
func newVaultClient(config *Config) (*vaultapi.Client, error) {
	log.Printf("[INFO] (runner) creating vault/api client")

	vaultConfig := vaultapi.DefaultConfig()

	if config.Vault.Address != "" {
		log.Printf("[DEBUG] (runner) setting vault address to %s", config.Vault.Address)
		vaultConfig.Address = config.Vault.Address
	}

	if config.Vault.SSL.Enabled {
		log.Printf("[DEBUG] (runner) enabling vault SSL")
		tlsConfig := &tls.Config{}

		if config.Vault.SSL.Cert != "" {
			cert, err := tls.LoadX509KeyPair(config.Vault.SSL.Cert, config.Vault.SSL.Cert)
			if err != nil {
				return nil, err
			}
			tlsConfig.Certificates = []tls.Certificate{cert}
		}

		if config.Vault.SSL.CaCert != "" {
			cacert, err := ioutil.ReadFile(config.Vault.SSL.CaCert)
			if err != nil {
				return nil, err
			}
			caCertPool := x509.NewCertPool()
			caCertPool.AppendCertsFromPEM(cacert)

			tlsConfig.RootCAs = caCertPool
		}
		tlsConfig.BuildNameToCertificate()

		if !config.Vault.SSL.Verify {
			log.Printf("[WARN] (runner) disabling vault SSL verification")
			tlsConfig.InsecureSkipVerify = true
		}

		vaultConfig.HttpClient.Transport = &http.Transport{
			TLSClientConfig: tlsConfig,
		}
	}

	client, err := vaultapi.NewClient(vaultConfig)
	if err != nil {
		return nil, err
	}

	if config.Vault.Token != "" {
		log.Printf("[DEBUG] (runner) setting vault token")
		client.SetToken(config.Vault.Token)
	}

	return client, nil
}
Example #6
0
func TestHTTP_Fallback_Disabled(t *testing.T) {
	handler1 := http.NewServeMux()
	handler2 := http.NewServeMux()
	handler3 := http.NewServeMux()

	coreConfig := &vault.CoreConfig{
		LogicalBackends: map[string]logical.Factory{
			"transit": transit.Factory,
		},
		ClusterAddr: "empty",
	}

	// Chicken-and-egg: Handler needs a core. So we create handlers first, then
	// add routes chained to a Handler-created handler.
	cores := vault.TestCluster(t, []http.Handler{handler1, handler2, handler3}, coreConfig, true)
	for _, core := range cores {
		defer core.CloseListeners()
	}
	handler1.Handle("/", Handler(cores[0].Core))
	handler2.Handle("/", Handler(cores[1].Core))
	handler3.Handle("/", Handler(cores[2].Core))

	// make it easy to get access to the active
	core := cores[0].Core
	vault.TestWaitActive(t, core)

	root := cores[0].Root

	addrs := []string{
		fmt.Sprintf("https://127.0.0.1:%d", cores[1].Listeners[0].Address.Port),
		fmt.Sprintf("https://127.0.0.1:%d", cores[2].Listeners[0].Address.Port),
	}

	for _, addr := range addrs {
		config := api.DefaultConfig()
		config.Address = addr
		config.HttpClient = cleanhttp.DefaultClient()
		config.HttpClient.Transport.(*http.Transport).TLSClientConfig = cores[0].TLSConfig
		client, err := api.NewClient(config)
		if err != nil {
			t.Fatal(err)
		}
		client.SetToken(root)

		secret, err := client.Auth().Token().LookupSelf()
		if err != nil {
			t.Fatal(err)
		}
		if secret == nil {
			t.Fatal("secret is nil")
		}
		if secret.Data["id"].(string) != root {
			t.Fatal("token mismatch")
		}
	}
}
Example #7
0
func newClientFromConfig(config *api.Config, token string) (*api.Client, error) {
	client, err := api.NewClient(config)
	if err != nil {
		return nil, maskAny(err)
	}
	if token != "" {
		client.SetToken(token)
	}
	return client, nil
}
func Client(token string) (*api.Client, error) {
	if DefaultConfig == nil {
		return nil, fmt.Errorf("Config was nil")
	}
	client, err := api.NewClient(DefaultConfig)
	if err != nil {
		return nil, err
	}
	client.SetToken(token)
	return client, nil
}
Example #9
0
func testClient(t *testing.T, addr string, token string) *api.Client {
	config := api.DefaultConfig()
	config.Address = addr
	client, err := api.NewClient(config)
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	client.SetToken(token)

	return client
}
Example #10
0
func createVaultClient() *vault.Client {
	log.Info("Create vault client")
	config := &vault.Config{
		Address:    "http://localhost:8200",
		HttpClient: http.DefaultClient,
	}
	vc, err := vault.NewClient(config)
	fatal(err)

	return vc
}
Example #11
0
func (vb *vaultBackend) vaultAuthenticate(vaultURI string, token string) error {
	vb.config = api.DefaultConfig()
	vb.config.Address = vaultURI
	client, err := api.NewClient(vb.config) //can probably be global
	if err != nil {
		glog.Errorf("Error authenticating %s\n", err.Error())
		return err
	}
	client.SetToken(token) //TODO put here the howler token to be read from file
	vb.client = client
	return nil
}
Example #12
0
// New returns a new VaultFS
func New(config *api.Config, mountpoint, token, root string) (*VaultFS, error) {
	client, err := api.NewClient(config)
	if err != nil {
		return nil, err
	}
	client.SetToken(token)

	return &VaultFS{
		Client:     client,
		root:       root,
		mountpoint: mountpoint,
	}, nil
}
Example #13
0
func initVault() {
	// set up vault client
	var client *vault.Client
	if viper.GetString("vault-cubbyhole-token") != "" || viper.GetString("vault-token") != "" {
		config := vault.DefaultConfig()
		err := config.ReadEnvironment()
		if err != nil {
			log.WithError(err).Fatal("Error reading environment for Vault configuration")
		}
		client, err = vault.NewClient(config)
		if err != nil {
			log.WithError(err).Fatal("Error initializing Vault client")
		}
	}

	// unwrap real token
	if wrapped := viper.GetString("vault-cubbyhole-token"); wrapped != "" {
		token, err := client.Logical().Unwrap(wrapped)
		if err != nil {
			log.WithError(err).Fatal("Error unwrapping token")
		} else if token.WrapInfo != nil {
			log.Fatal("Secret appears to be doubly wrapped")
		} else if token.Auth == nil {
			log.Fatal("Secret contained no auth data")
		}

		viper.Set("vault-token", token.Auth.ClientToken)
	}

	// read secrets from vault
	if token := viper.GetString("vault-token"); token != "" {
		client.SetToken(token)

		secret, err := client.Logical().Read("secret/mantl-api")
		if err != nil {
			log.WithError(err).Fatal("Error reading secret/mantl-api")
		}

		for _, secretName := range []string{
			"mesos-principal", "mesos-secret",
			"marathon-user", "marathon-password",
		} {
			secretValue, ok := secret.Data[secretName].(string)
			if ok {
				viper.Set(secretName, secretValue)
			} else {
				log.Warnf("secret/mantl-api didn't contain %s", secretName)
			}
		}
	}
}
Example #14
0
File: vault.go Project: nak3/nomad
func (f *VaultFingerprint) Fingerprint(config *client.Config, node *structs.Node) (bool, error) {
	if config.VaultConfig == nil || !config.VaultConfig.IsEnabled() {
		return false, nil
	}

	// Only create the client once to avoid creating too many connections to
	// Vault.
	if f.client == nil {
		vaultConfig, err := config.VaultConfig.ApiConfig()
		if err != nil {
			return false, fmt.Errorf("Failed to initialize the Vault client config: %v", err)
		}

		f.client, err = vapi.NewClient(vaultConfig)
		if err != nil {
			return false, fmt.Errorf("Failed to initialize Vault client: %s", err)
		}
	}

	// Connect to vault and parse its information
	status, err := f.client.Sys().SealStatus()
	if err != nil {
		// Clear any attributes set by a previous fingerprint.
		f.clearVaultAttributes(node)

		// Print a message indicating that Vault is not available anymore
		if f.lastState == vaultAvailable {
			f.logger.Printf("[INFO] fingerprint.vault: Vault is unavailable")
		}
		f.lastState = vaultUnavailable
		return false, nil
	}

	node.Attributes["vault.accessible"] = strconv.FormatBool(true)
	// We strip the Vault prefix becasue < 0.6.2 the version looks like:
	// status.Version = "Vault v0.6.1"
	node.Attributes["vault.version"] = strings.TrimPrefix(status.Version, "Vault ")
	node.Attributes["vault.cluster_id"] = status.ClusterID
	node.Attributes["vault.cluster_name"] = status.ClusterName

	// If Vault was previously unavailable print a message to indicate the Agent
	// is available now
	if f.lastState == vaultUnavailable {
		f.logger.Printf("[INFO] fingerprint.vault: Vault is available")
	}
	f.lastState = vaultAvailable
	return true, nil
}
func NewVaultClient(vaultEndpoint string, token string) (interfaces.VaultClient, error) {
	cfg := api.DefaultConfig()
	cfg.ReadEnvironment()
	cfg.Address = vaultEndpoint

	vault, err := api.NewClient(cfg)
	if err != nil {
		return nil, err
	}

	vault.SetToken(token)

	return &VaultClient{
		vaultClient: vault,
		config:      cfg,
	}, nil
}
Example #16
0
func (s *VaultSource) client() (*api.Client, error) {
	conf := api.DefaultConfig()
	if err := conf.ReadEnvironment(); err != nil {
		return nil, err
	}
	if s.Addr != "" {
		conf.Address = s.Addr
	}
	c, err := api.NewClient(conf)
	if err != nil {
		return nil, err
	}
	if err := s.setToken(c); err != nil {
		return nil, err
	}
	return c, nil
}
Example #17
0
func TestVaultSource(t *testing.T) {
	const (
		addr      = "127.0.0.1:58421"
		rootToken = "token"
		certPath  = "secret/fabio/cert"
	)

	// run a vault server in dev mode
	t.Log("Starting vault server")
	vault := exec.Command("vault", "server", "-dev", "-dev-root-token-id="+rootToken, "-dev-listen-address="+addr)
	if err := vault.Start(); err != nil {
		t.Fatalf("Failed to start vault server. %s", err)
	}
	defer vault.Process.Kill()

	// create a vault client for that server
	c, err := vaultapi.NewClient(&vaultapi.Config{Address: "http://" + addr})
	if err != nil {
		t.Fatalf("NewClient failed: %s", err)
	}
	c.SetToken(rootToken)

	isUp := func() bool {
		ok, err := c.Sys().InitStatus()
		return err == nil && ok
	}
	if !waitFor(time.Second, isUp) {
		t.Fatal("Timeout waiting for vault server")
	}

	// create a renewable token since the vault source
	// will renew the token on every request
	tok, err := c.Auth().Token().Create(&vaultapi.TokenCreateRequest{NoParent: true, TTL: "1h"})
	if err != nil {
		t.Fatalf("Token.Create failed: %s", err)
	}

	// create a cert and store it in vault
	certPEM, keyPEM := makeCert("localhost", time.Minute)
	data := map[string]interface{}{"cert": string(certPEM), "key": string(keyPEM)}
	if _, err := c.Logical().Write(certPath+"/localhost", data); err != nil {
		t.Fatalf("logical.Write failed: %s", err)
	}

	testSource(t, VaultSource{Addr: "http://" + addr, token: tok.Auth.ClientToken, CertPath: certPath}, makeCertPool(certPEM), 50*time.Millisecond)
}
Example #18
0
func main() {
	config := api.DefaultConfig()
	client, err := api.NewClient(config)
	if err != nil {
		log.Fatal("err: %s", err)
	}

	if token := client.Token(); token != "" {
		log.Printf("using token client %s", token)
	} else {
		log.Fatal("no VAULT_TOKEN supplied!")
	}

	path := `secret/hello`
	_, err = client.Logical().Write(path, map[string]interface{}{"audience": "world"})
	if err != nil {
		log.Fatal("error writing %s: %s", path, err)
	} else {
		log.Printf("wrote %s successfully", path)
	}

	secret, err := client.Logical().Read(path)
	if err != nil {
		log.Fatal("error reading %s: %s", path, err)
	} else {
		data, err := json.Marshal(secret.Data)
		if err != nil {
			log.Fatal("error decoding %s: %s", path, err)
		} else {
			log.Printf("read %s as: %s", path, data)
		}
	}

	_, err = client.Logical().Delete(path)
	if err != nil {
		log.Fatal("error deleting %s: %s", path, err)
	} else {
		secret, _ := client.Logical().Read(path)
		if secret != nil {
			log.Fatal("error deleting %s: still readable after delete", path)
		} else {
			log.Printf("deleted %s successfully", path)
		}
	}
}
Example #19
0
// buildClient is used to build a Vault client based on the stored Vault config
func (v *vaultClient) buildClient() error {
	// Validate we have the required fields.
	if v.config.Token == "" {
		return errors.New("Vault token must be set")
	} else if v.config.Addr == "" {
		return errors.New("Vault address must be set")
	}

	// Parse the TTL if it is set
	if v.config.TaskTokenTTL != "" {
		d, err := time.ParseDuration(v.config.TaskTokenTTL)
		if err != nil {
			return fmt.Errorf("failed to parse TaskTokenTTL %q: %v", v.config.TaskTokenTTL, err)
		}

		if d.Nanoseconds() < minimumTokenTTL.Nanoseconds() {
			return fmt.Errorf("ChildTokenTTL is less than minimum allowed of %v", minimumTokenTTL)
		}

		v.childTTL = v.config.TaskTokenTTL
	} else {
		// Default the TaskTokenTTL
		v.childTTL = defaultTokenTTL
	}

	// Get the Vault API configuration
	apiConf, err := v.config.ApiConfig()
	if err != nil {
		return fmt.Errorf("Failed to create Vault API config: %v", err)
	}

	// Create the Vault API client
	client, err := vapi.NewClient(apiConf)
	if err != nil {
		v.logger.Printf("[ERR] vault: failed to create Vault client. Not retrying: %v", err)
		return err
	}

	// Set the token and store the client
	v.token = v.config.Token
	client.SetToken(v.token)
	v.client = client
	v.auth = client.Auth().Token()
	return nil
}
Example #20
0
// NewVaultClient creates a new vault client
func NewVaultClient(vaultURL, caFile string, skipTLSVerify bool) (VaultService, error) {
	var err error

	config := api.DefaultConfig()
	config.Address = vaultURL
	config.HttpClient.Transport, err = buildTransport(skipTLSVerify, caFile)
	if err != nil {
		return nil, err
	}

	client, err := api.NewClient(config)
	if err != nil {
		return nil, err
	}

	return &vault{
		client: client,
	}, nil
}
Example #21
0
func putVaultValue(keypath, tokenstr string, s map[string]interface{}) error {

	config := tls.Config{InsecureSkipVerify: true}
	cnfg := vault.DefaultConfig()
	cnfg.Address = VAULTSERVER
	cnfg.HttpClient.Transport = &http.Transport{
		TLSClientConfig: &config,
	}
	client, err := vault.NewClient(cnfg)
	if err != nil {
		panic(err.Error())
	}
	client.SetToken(tokenstr)
	SPATH := keypath
	_, err = client.Logical().Write(SPATH, s)

	return err

}
Example #22
0
// getClient create and configure vault client
func (c *VaultClient) getClient() (*vaultapi.Client, error) {
	timeout, _ := time.ParseDuration(c.Config.Timeout)
	config := &vaultapi.Config{
		Address: c.Config.Proto + "://" + c.Config.Host + ":" + strconv.Itoa(c.Config.Port),
		HttpClient: &http.Client{
			CheckRedirect: func(req *http.Request, via []*http.Request) error {
				return errors.New("redirect")
			},
			Timeout: timeout,
		},
	}

	cl, err := vaultapi.NewClient(config)
	if err != nil {
		return nil, err
	}

	cl.SetToken(c.Config.AuthToken)
	return cl, nil
}
Example #23
0
File: vault.go Project: pulcy/j2
func NewVault(srvCfg VaultConfig, log *logging.Logger) (*Vault, error) {
	// Create a vault client
	config := api.DefaultConfig()
	if err := config.ReadEnvironment(); err != nil {
		return nil, maskAny(err)
	}
	var serverName string
	if srvCfg.VaultAddr != "" {
		log.Debugf("Setting vault address to %s", srvCfg.VaultAddr)
		config.Address = srvCfg.VaultAddr
		url, err := url.Parse(config.Address)
		if err != nil {
			return nil, maskAny(err)
		}
		host, _, err := net.SplitHostPort(url.Host)
		if err != nil {
			return nil, maskAny(err)
		}
		serverName = host
	}
	if srvCfg.VaultCACert != "" || srvCfg.VaultCAPath != "" {
		clientTLSConfig := config.HttpClient.Transport.(*http.Transport).TLSClientConfig
		if err := rootcerts.ConfigureTLS(clientTLSConfig, &rootcerts.Config{
			CAFile: srvCfg.VaultCACert,
			CAPath: srvCfg.VaultCAPath,
		}); err != nil {
			return nil, maskAny(err)
		}
		clientTLSConfig.ServerName = serverName
	}
	client, err := api.NewClient(config)
	if err != nil {
		return nil, maskAny(err)
	}

	return &Vault{
		log:         log,
		vaultClient: client,
	}, nil

}
Example #24
0
// NewVaultClient returns a new vault client from the given config.
func NewVaultClient(config *config.VaultConfig, logger *log.Logger, tokenDeriver TokenDeriverFunc) (*vaultClient, error) {
	if config == nil {
		return nil, fmt.Errorf("nil vault config")
	}

	if logger == nil {
		return nil, fmt.Errorf("nil logger")
	}

	c := &vaultClient{
		config: config,
		stopCh: make(chan struct{}),
		// Update channel should be a buffered channel
		updateCh:     make(chan struct{}, 1),
		heap:         newVaultClientHeap(),
		logger:       logger,
		tokenDeriver: tokenDeriver,
	}

	if !config.IsEnabled() {
		return c, nil
	}

	// Get the Vault API configuration
	apiConf, err := config.ApiConfig()
	if err != nil {
		logger.Printf("[ERR] client.vault: failed to create vault API config: %v", err)
		return nil, err
	}

	// Create the Vault API client
	client, err := vaultapi.NewClient(apiConf)
	if err != nil {
		logger.Printf("[ERR] client.vault: failed to create Vault client. Not retrying: %v", err)
		return nil, err
	}

	c.client = client

	return c, nil
}
Example #25
0
// New returns an *vault.Client with a connection to named machines.
// It returns an error if a connection to the cluster cannot be made.
func New(address, authType string, params map[string]string) (*Client, error) {
	if authType == "" {
		return nil, errors.New("you have to set the auth type when using the vault backend")
	}
	log.Info("Vault authentication backend set to %s", authType)
	conf, err := getConfig(address, params["cert"], params["key"], params["caCert"])

	if err != nil {
		return nil, err
	}

	c, err := vaultapi.NewClient(conf)
	if err != nil {
		return nil, err
	}

	if err := authenticate(c, authType, params); err != nil {
		return nil, err
	}
	return &Client{c}, nil
}
Example #26
0
func (vaultSource *VaultSource) Get() (map[string]interface{}, error) {
	config := api.DefaultConfig()
	config.Address = vaultSource.Address

	client, err := api.NewClient(config)

	if err != nil {
		return nil, err
	}

	client.SetToken(vaultSource.Token)

	secret, err := client.Logical().Read(vaultSource.Path)

	if err != nil {
		return nil, err
	}

	return secret.Data, nil

}
Example #27
0
func getVaultValue(keypath, tokenstr string) *vault.Secret {

	config := tls.Config{InsecureSkipVerify: true}
	cnfg := vault.DefaultConfig()
	cnfg.Address = VAULTSERVER
	cnfg.HttpClient.Transport = &http.Transport{
		TLSClientConfig: &config,
	}
	client, err := vault.NewClient(cnfg)
	if err != nil {
		panic(err.Error())
	}
	client.SetToken(tokenstr)
	SPATH := keypath
	response, err := client.Logical().Read(SPATH)
	if err != nil {
		fmt.Println("Error Reading Path")
	}
	return response

}
Example #28
0
// vaultServer starts a vault server in dev mode and waits
// until is ready.
func vaultServer(t *testing.T, addr, rootToken string) (*exec.Cmd, *vaultapi.Client) {
	cmd := exec.Command("vault", "server", "-dev", "-dev-root-token-id="+rootToken, "-dev-listen-address="+addr)
	if err := cmd.Start(); err != nil {
		t.Fatalf("Failed to start vault server. %s", err)
	}

	c, err := vaultapi.NewClient(&vaultapi.Config{Address: "http://" + addr})
	if err != nil {
		cmd.Process.Kill()
		t.Fatalf("NewClient failed: %s", err)
	}
	c.SetToken(rootToken)

	isUp := func() bool {
		ok, err := c.Sys().InitStatus()
		return err == nil && ok
	}
	if !waitFor(time.Second, isUp) {
		cmd.Process.Kill()
		t.Fatal("Timeout waiting for vault server")
	}

	policy := `
	path "secret/fabio/cert" {
	  capabilities = ["list"]
	}

	path "secret/fabio/cert/*" {
	  capabilities = ["read"]
	}
	`

	if err := c.Sys().PutPolicy("fabio", policy); err != nil {
		cmd.Process.Kill()
		t.Fatalf("Could not create policy: %s", err)
	}

	return cmd, c
}
Example #29
0
// newVaultClient creates and authenticates a vault client
func newVaultClient(opts *config) (*api.Client, error) {
	var err error
	var token string

	config := api.DefaultConfig()
	config.Address = opts.vaultURL

	config.HttpClient.Transport, err = buildHTTPTransport(opts)
	if err != nil {
		return nil, err
	}

	// step: create the actual client
	client, err := api.NewClient(config)
	if err != nil {
		return nil, err
	}

	plugin, _ := opts.vaultAuthOptions[VaultAuth]
	switch plugin {
	case "userpass":
		token, err = NewUserPassPlugin(client).Create(opts.vaultAuthOptions)
	case "approle":
		token, err = NewAppRolePlugin(client).Create(opts.vaultAuthOptions)
	case "token":
		opts.vaultAuthOptions["filename"] = options.vaultAuthFile
		token, err = NewUserTokenPlugin(client).Create(opts.vaultAuthOptions)
	default:
		return nil, fmt.Errorf("unsupported authentication plugin: %s", plugin)
	}
	if err != nil {
		return nil, err
	}

	// step: set the token for the client
	client.SetToken(token)

	return client, nil
}
// testVaultServer is a helper for creating a Vault server and returning the
// appropriate client to connect to it.
func testVaultServer(t *testing.T) (*ClientSet, *vaultServer) {
	core, _, token := vault.TestCoreUnsealed(t)
	ln, addr := http.TestServer(t, core)

	config := vaultapi.DefaultConfig()
	config.Address = addr
	client, err := vaultapi.NewClient(config)
	if err != nil {
		defer ln.Close()
		t.Fatal(err)
	}

	client.SetToken(token)

	clients := NewClientSet()
	if err := clients.Add(client); err != nil {
		defer ln.Close()
		t.Fatal(err)
	}

	return clients, &vaultServer{Token: token, core: core, ln: ln}
}