certificates/cas/vaultcas/auth/approle/approle.go
2022-05-21 21:06:15 +02:00

67 lines
1.9 KiB
Go

package approle
import (
"encoding/json"
"errors"
"fmt"
"github.com/hashicorp/vault/api/auth/approle"
)
// AuthOptions defines the configuration options added using the
// VaultOptions.AuthOptions field when AuthType is approle
type AuthOptions struct {
RoleID string `json:"roleID,omitempty"`
SecretID string `json:"secretID,omitempty"`
SecretIDFile string `json:"secretIDFile,omitempty"`
SecretIDEnv string `json:"secretIDEnv,omitempty"`
IsWrappingToken bool `json:"isWrappingToken,omitempty"`
}
func NewApproleAuthMethod(mountPath string, options json.RawMessage) (*approle.AppRoleAuth, error) {
var opts *AuthOptions
err := json.Unmarshal(options, &opts)
if err != nil {
return nil, fmt.Errorf("error decoding AppRole auth options: %w", err)
}
var approleAuth *approle.AppRoleAuth
var loginOptions []approle.LoginOption
if mountPath != "" {
loginOptions = append(loginOptions, approle.WithMountPath(mountPath))
}
if opts.IsWrappingToken {
loginOptions = append(loginOptions, approle.WithWrappingToken())
}
if opts.RoleID == "" {
return nil, errors.New("you must set roleID")
}
var sid approle.SecretID
switch {
case opts.SecretID != "" && opts.SecretIDFile == "" && opts.SecretIDEnv == "":
sid = approle.SecretID{
FromString: opts.SecretID,
}
case opts.SecretIDFile != "" && opts.SecretID == "" && opts.SecretIDEnv == "":
sid = approle.SecretID{
FromFile: opts.SecretIDFile,
}
case opts.SecretIDEnv != "" && opts.SecretIDFile == "" && opts.SecretID == "":
sid = approle.SecretID{
FromEnv: opts.SecretIDEnv,
}
default:
return nil, errors.New("you must set one of secretID, secretIDFile or secretIDEnv")
}
approleAuth, err = approle.NewAppRoleAuth(opts.RoleID, &sid, loginOptions...)
if err != nil {
return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
}
return approleAuth, nil
}