func (s *VaultSource) setToken(c *api.Client) error {
s.mu.Lock()
defer func() {
c.SetToken(s.token)
s.mu.Unlock()
}()
if s.token != "" {
return nil
}
if s.vaultToken == "" {
return errors.New("vault: no token")
}
// did we get a wrapped token?
resp, err := c.Logical().Unwrap(s.vaultToken)
if err != nil {
// not a wrapped token?
if strings.HasPrefix(err.Error(), "no value found at") {
s.token = s.vaultToken
return nil
}
return err
}
log.Printf("[INFO] vault: Unwrapped token %s", s.vaultToken)
s.token = resp.Auth.ClientToken
return nil
}
func initVault() {
// set up vault client
var client *vault.Client
if viper.GetString("vault-cubbyhole-token") != "" || viper.GetString("vault-token") != "" {
config := vault.DefaultConfig()
err := config.ReadEnvironment()
if err != nil {
log.WithError(err).Fatal("Error reading environment for Vault configuration")
}
client, err = vault.NewClient(config)
if err != nil {
log.WithError(err).Fatal("Error initializing Vault client")
}
}
// unwrap real token
if wrapped := viper.GetString("vault-cubbyhole-token"); wrapped != "" {
token, err := client.Logical().Unwrap(wrapped)
if err != nil {
log.WithError(err).Fatal("Error unwrapping token")
} else if token.WrapInfo != nil {
log.Fatal("Secret appears to be doubly wrapped")
} else if token.Auth == nil {
log.Fatal("Secret contained no auth data")
}
viper.Set("vault-token", token.Auth.ClientToken)
}
// read secrets from vault
if token := viper.GetString("vault-token"); token != "" {
client.SetToken(token)
secret, err := client.Logical().Read("secret/mantl-api")
if err != nil {
log.WithError(err).Fatal("Error reading secret/mantl-api")
}
for _, secretName := range []string{
"mesos-principal", "mesos-secret",
"marathon-user", "marathon-password",
} {
secretValue, ok := secret.Data[secretName].(string)
if ok {
viper.Set(secretName, secretValue)
} else {
log.Warnf("secret/mantl-api didn't contain %s", secretName)
}
}
}
}
// authenticate with the remote client
func authenticate(c *vaultapi.Client, authType string, params map[string]string) (err error) {
var secret *vaultapi.Secret
// handle panics gracefully by creating an error
// this would happen when we get a parameter that is missing
defer panicToError(&err)
switch authType {
case "app-id":
secret, err = c.Logical().Write("/auth/app-id/login", map[string]interface{}{
"app_id": getParameter("app-id", params),
"user_id": getParameter("user-id", params),
})
case "github":
secret, err = c.Logical().Write("/auth/github/login", map[string]interface{}{
"token": getParameter("token", params),
})
case "token":
c.SetToken(getParameter("token", params))
secret, err = c.Logical().Read("/auth/token/lookup-self")
case "userpass":
username, password := getParameter("username", params), getParameter("password", params)
secret, err = c.Logical().Write(fmt.Sprintf("/auth/userpass/login/%s", username), map[string]interface{}{
"password": password,
})
}
if err != nil {
return err
}
// if the token has already been set
if c.Token() != "" {
return nil
}
log.Debug("client authenticated with auth backend: %s", authType)
// the default place for a token is in the auth section
// otherwise, the backend will set the token itself
c.SetToken(secret.Auth.ClientToken)
return nil
}
