func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
mount, ok := m["mount"]
if !ok {
mount = "ldap"
}
username, ok := m["username"]
if !ok {
return "", fmt.Errorf("'username' var must be set")
}
password, ok := m["password"]
if !ok {
fmt.Printf("Password (will be hidden): ")
var err error
password, err = pwd.Read(os.Stdin)
fmt.Println()
if err != nil {
return "", err
}
}
path := fmt.Sprintf("auth/%s/login/%s", mount, username)
secret, err := c.Logical().Write(path, map[string]interface{}{
"password": password,
})
if err != nil {
return "", err
}
if secret == nil {
return "", fmt.Errorf("empty response from credential provider")
}
return secret.Auth.ClientToken, nil
}
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
mount, ok := m["mount"]
if !ok {
mount = "github"
}
token, ok := m["token"]
if !ok {
if token = os.Getenv("VAULT_AUTH_GITHUB_TOKEN"); token == "" {
return "", fmt.Errorf("GitHub token should be provided either as 'value' for 'token' key,\nor via an env var VAULT_AUTH_GITHUB_TOKEN")
}
}
path := fmt.Sprintf("auth/%s/login", mount)
secret, err := c.Logical().Write(path, map[string]interface{}{
"token": token,
})
if err != nil {
return "", err
}
if secret == nil {
return "", fmt.Errorf("empty response from credential provider")
}
return secret.Auth.ClientToken, nil
}
func (s *VaultSource) setToken(c *api.Client) error {
s.mu.Lock()
defer func() {
c.SetToken(s.token)
s.mu.Unlock()
}()
if s.token != "" {
return nil
}
if s.vaultToken == "" {
return errors.New("vault: no token")
}
// did we get a wrapped token?
resp, err := c.Logical().Unwrap(s.vaultToken)
if err != nil {
// not a wrapped token?
if strings.HasPrefix(err.Error(), "no value found at") {
s.token = s.vaultToken
return nil
}
return err
}
log.Printf("[INFO] vault: Unwrapped token %s", s.vaultToken)
s.token = resp.Auth.ClientToken
return nil
}
func initVault() {
// set up vault client
var client *vault.Client
if viper.GetString("vault-cubbyhole-token") != "" || viper.GetString("vault-token") != "" {
config := vault.DefaultConfig()
err := config.ReadEnvironment()
if err != nil {
log.WithError(err).Fatal("Error reading environment for Vault configuration")
}
client, err = vault.NewClient(config)
if err != nil {
log.WithError(err).Fatal("Error initializing Vault client")
}
}
// unwrap real token
if wrapped := viper.GetString("vault-cubbyhole-token"); wrapped != "" {
token, err := client.Logical().Unwrap(wrapped)
if err != nil {
log.WithError(err).Fatal("Error unwrapping token")
} else if token.WrapInfo != nil {
log.Fatal("Secret appears to be doubly wrapped")
} else if token.Auth == nil {
log.Fatal("Secret contained no auth data")
}
viper.Set("vault-token", token.Auth.ClientToken)
}
// read secrets from vault
if token := viper.GetString("vault-token"); token != "" {
client.SetToken(token)
secret, err := client.Logical().Read("secret/mantl-api")
if err != nil {
log.WithError(err).Fatal("Error reading secret/mantl-api")
}
for _, secretName := range []string{
"mesos-principal", "mesos-secret",
"marathon-user", "marathon-password",
} {
secretValue, ok := secret.Data[secretName].(string)
if ok {
viper.Set(secretName, secretValue)
} else {
log.Warnf("secret/mantl-api didn't contain %s", secretName)
}
}
}
}
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
var data struct {
Username string `mapstructure:"username"`
Password string `mapstructure:"password"`
Mount string `mapstructure:"mount"`
Method string `mapstructure:"method"`
Passcode string `mapstructure:"passcode"`
}
if err := mapstructure.WeakDecode(m, &data); err != nil {
return "", err
}
if data.Username == "" {
return "", fmt.Errorf("'username' must be specified")
}
if data.Password == "" {
fmt.Printf("Password (will be hidden): ")
password, err := pwd.Read(os.Stdin)
fmt.Println()
if err != nil {
return "", err
}
data.Password = password
}
if data.Mount == "" {
data.Mount = "userpass"
}
options := map[string]interface{}{
"password": data.Password,
}
if data.Method != "" {
options["method"] = data.Method
}
if data.Passcode != "" {
options["passcode"] = data.Passcode
}
path := fmt.Sprintf("auth/%s/login/%s", data.Mount, data.Username)
secret, err := c.Logical().Write(path, options)
if err != nil {
return "", err
}
if secret == nil {
return "", fmt.Errorf("empty response from credential provider")
}
return secret.Auth.ClientToken, nil
}
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
var data struct {
Mount string `mapstructure:"mount"`
}
if err := mapstructure.WeakDecode(m, &data); err != nil {
return "", err
}
if data.Mount == "" {
data.Mount = "cert"
}
path := fmt.Sprintf("auth/%s/login", data.Mount)
secret, err := c.Logical().Write(path, nil)
if err != nil {
return "", err
}
if secret == nil {
return "", fmt.Errorf("empty response from credential provider")
}
return secret.Auth.ClientToken, nil
}
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
mount, ok := m["mount"]
if !ok {
mount = "github"
}
token, ok := m["token"]
if !ok {
return "", fmt.Errorf("'token' var must be set")
}
path := fmt.Sprintf("auth/%s/login", mount)
secret, err := c.Logical().Write(path, map[string]interface{}{
"token": token,
})
if err != nil {
return "", err
}
if secret == nil {
return "", fmt.Errorf("empty response from credential provider")
}
return secret.Auth.ClientToken, nil
}
// authenticate with the remote client
func authenticate(c *vaultapi.Client, authType string, params map[string]string) (err error) {
var secret *vaultapi.Secret
// handle panics gracefully by creating an error
// this would happen when we get a parameter that is missing
defer panicToError(&err)
switch authType {
case "app-id":
secret, err = c.Logical().Write("/auth/app-id/login", map[string]interface{}{
"app_id": getParameter("app-id", params),
"user_id": getParameter("user-id", params),
})
case "github":
secret, err = c.Logical().Write("/auth/github/login", map[string]interface{}{
"token": getParameter("token", params),
})
case "token":
c.SetToken(getParameter("token", params))
secret, err = c.Logical().Read("/auth/token/lookup-self")
case "userpass":
username, password := getParameter("username", params), getParameter("password", params)
secret, err = c.Logical().Write(fmt.Sprintf("/auth/userpass/login/%s", username), map[string]interface{}{
"password": password,
})
}
if err != nil {
return err
}
// if the token has already been set
if c.Token() != "" {
return nil
}
log.Debug("client authenticated with auth backend: %s", authType)
// the default place for a token is in the auth section
// otherwise, the backend will set the token itself
c.SetToken(secret.Auth.ClientToken)
return nil
}
// deriveToken takes in an allocation and a set of tasks and derives vault
// tokens for each of the tasks, unwraps all of them using the supplied vault
// client and returns a map of unwrapped tokens, indexed by the task name.
func (c *Client) deriveToken(alloc *structs.Allocation, taskNames []string, vclient *vaultapi.Client) (map[string]string, error) {
if alloc == nil {
return nil, fmt.Errorf("nil allocation")
}
if taskNames == nil || len(taskNames) == 0 {
return nil, fmt.Errorf("missing task names")
}
group := alloc.Job.LookupTaskGroup(alloc.TaskGroup)
if group == nil {
return nil, fmt.Errorf("group name in allocation is not present in job")
}
verifiedTasks := []string{}
found := false
// Check if the given task names actually exist in the allocation
for _, taskName := range taskNames {
found = false
for _, task := range group.Tasks {
if task.Name == taskName {
found = true
}
}
if !found {
c.logger.Printf("[ERR] task %q not found in the allocation", taskName)
return nil, fmt.Errorf("task %q not found in the allocaition", taskName)
}
verifiedTasks = append(verifiedTasks, taskName)
}
// DeriveVaultToken of nomad server can take in a set of tasks and
// creates tokens for all the tasks.
req := &structs.DeriveVaultTokenRequest{
NodeID: c.Node().ID,
SecretID: c.Node().SecretID,
AllocID: alloc.ID,
Tasks: verifiedTasks,
QueryOptions: structs.QueryOptions{
Region: c.Region(),
AllowStale: true,
},
}
// Derive the tokens
var resp structs.DeriveVaultTokenResponse
if err := c.RPC("Node.DeriveVaultToken", &req, &resp); err != nil {
c.logger.Printf("[ERR] client.vault: failed to derive vault tokens: %v", err)
return nil, fmt.Errorf("failed to derive vault tokens: %v", err)
}
if resp.Tasks == nil {
c.logger.Printf("[ERR] client.vault: failed to derive vault token: invalid response")
return nil, fmt.Errorf("failed to derive vault tokens: invalid response")
}
unwrappedTokens := make(map[string]string)
// Retrieve the wrapped tokens from the response and unwrap it
for _, taskName := range verifiedTasks {
// Get the wrapped token
wrappedToken, ok := resp.Tasks[taskName]
if !ok {
c.logger.Printf("[ERR] client.vault: wrapped token missing for task %q", taskName)
return nil, fmt.Errorf("wrapped token missing for task %q", taskName)
}
// Unwrap the vault token
unwrapResp, err := vclient.Logical().Unwrap(wrappedToken)
if err != nil {
return nil, fmt.Errorf("failed to unwrap the token for task %q: %v", taskName, err)
}
if unwrapResp == nil || unwrapResp.Auth == nil || unwrapResp.Auth.ClientToken == "" {
return nil, fmt.Errorf("failed to unwrap the token for task %q", taskName)
}
// Append the unwrapped token to the return value
unwrappedTokens[taskName] = unwrapResp.Auth.ClientToken
}
return unwrappedTokens, nil
}
