forked from TrueCloudLab/certificates
67 lines
1.9 KiB
Go
67 lines
1.9 KiB
Go
package approle
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/hashicorp/vault/api/auth/approle"
|
|
)
|
|
|
|
// AuthOptions defines the configuration options added using the
|
|
// VaultOptions.AuthOptions field when AuthType is approle
|
|
type AuthOptions struct {
|
|
RoleID string `json:"roleID,omitempty"`
|
|
SecretID string `json:"secretID,omitempty"`
|
|
SecretIDFile string `json:"secretIDFile,omitempty"`
|
|
SecretIDEnv string `json:"secretIDEnv,omitempty"`
|
|
IsWrappingToken bool `json:"isWrappingToken,omitempty"`
|
|
}
|
|
|
|
func NewApproleAuthMethod(mountPath string, options json.RawMessage) (*approle.AppRoleAuth, error) {
|
|
var opts *AuthOptions
|
|
|
|
err := json.Unmarshal(options, &opts)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error decoding AppRole auth options: %w", err)
|
|
}
|
|
|
|
var approleAuth *approle.AppRoleAuth
|
|
|
|
var loginOptions []approle.LoginOption
|
|
if mountPath != "" {
|
|
loginOptions = append(loginOptions, approle.WithMountPath(mountPath))
|
|
}
|
|
if opts.IsWrappingToken {
|
|
loginOptions = append(loginOptions, approle.WithWrappingToken())
|
|
}
|
|
|
|
if opts.RoleID == "" {
|
|
return nil, errors.New("you must set roleID")
|
|
}
|
|
|
|
var sid approle.SecretID
|
|
switch {
|
|
case opts.SecretID != "" && opts.SecretIDFile == "" && opts.SecretIDEnv == "":
|
|
sid = approle.SecretID{
|
|
FromString: opts.SecretID,
|
|
}
|
|
case opts.SecretIDFile != "" && opts.SecretID == "" && opts.SecretIDEnv == "":
|
|
sid = approle.SecretID{
|
|
FromFile: opts.SecretIDFile,
|
|
}
|
|
case opts.SecretIDEnv != "" && opts.SecretIDFile == "" && opts.SecretID == "":
|
|
sid = approle.SecretID{
|
|
FromEnv: opts.SecretIDEnv,
|
|
}
|
|
default:
|
|
return nil, errors.New("you must set one of secretID, secretIDFile or secretIDEnv")
|
|
}
|
|
|
|
approleAuth, err = approle.NewAppRoleAuth(opts.RoleID, &sid, loginOptions...)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
|
|
}
|
|
|
|
return approleAuth, nil
|
|
}
|