

Merge pull request #72 from intelops/approle-token-multipath
approle token creation for multiple paths
vramk23 authored Jan 21, 2024
2 parents c83e08b + b8cdfab commit 1b64d99
Showing 6 changed files with 1,770 additions and 462 deletions.
63 changes: 6 additions & 57 deletions internal/api/api.go
Expand Up @@ -41,7 +41,7 @@ func PrepareCredentialSecretPath(credentialType, credEntityName, credIdentifier
return fmt.Sprintf("%s/%s/%s", credentialType, credEntityName, credIdentifier)
}

func (v *VaultCredServ) GetCred(ctx context.Context, request *vaultcredpb.GetCredRequest) (*vaultcredpb.GetCredResponse, error) {
func (v *VaultCredServ) GetCredential(ctx context.Context, request *vaultcredpb.GetCredentialRequest) (*vaultcredpb.GetCredentialResponse, error) {
vc, err := client.NewVaultClientForServiceAccount(ctx, v.log, v.conf)
if err != nil {
return nil, errors.WithMessage(err, "failed to initiize vault client")
Expand All @@ -54,10 +54,10 @@ func (v *VaultCredServ) GetCred(ctx context.Context, request *vaultcredpb.GetCre
}

v.log.Infof("get credential request processed for %s", secretPath)
return &vaultcredpb.GetCredResponse{Credential: credentail}, nil
return &vaultcredpb.GetCredentialResponse{Credential: credentail}, nil
}

func (v *VaultCredServ) PutCred(ctx context.Context, request *vaultcredpb.PutCredRequest) (*vaultcredpb.PutCredResponse, error) {
func (v *VaultCredServ) PutCredential(ctx context.Context, request *vaultcredpb.PutCredentialRequest) (*vaultcredpb.PutCredentialResponse, error) {
vc, err := client.NewVaultClientForServiceAccount(ctx, v.log, v.conf)
if err != nil {
return nil, errors.WithMessage(err, "failed to initiize vault client")
Expand All @@ -70,10 +70,10 @@ func (v *VaultCredServ) PutCred(ctx context.Context, request *vaultcredpb.PutCre
}

v.log.Infof("write credential request processed for %s", secretPath)
return &vaultcredpb.PutCredResponse{}, nil
return &vaultcredpb.PutCredentialResponse{}, nil
}

func (v *VaultCredServ) DeleteCred(ctx context.Context, request *vaultcredpb.DeleteCredRequest) (*vaultcredpb.DeleteCredResponse, error) {
func (v *VaultCredServ) DeleteCredential(ctx context.Context, request *vaultcredpb.DeleteCredentialRequest) (*vaultcredpb.DeleteCredentialResponse, error) {
vc, err := client.NewVaultClientForServiceAccount(ctx, v.log, v.conf)
if err != nil {
return nil, err
Expand All @@ -86,56 +86,5 @@ func (v *VaultCredServ) DeleteCred(ctx context.Context, request *vaultcredpb.Del
}

v.log.Infof("delete credential request processed for %s", secretPath)
return &vaultcredpb.DeleteCredResponse{}, nil
}

func (v *VaultCredServ) GetAppRoleToken(ctx context.Context, request *vaultcredpb.GetAppRoleTokenRequest) (*vaultcredpb.GetAppRoleTokenResponse, error) {
v.log.Infof("app role token request for vault path %s with role %s", request.CredentialPath, request.AppRoleName)
vc, err := client.NewVaultClientForTokenFromEnv(v.log, v.conf)
if err != nil {
return nil, err
}

err = vc.EnableAppRoleAuth()
if err != nil {
return nil, err
}

policyData := fmt.Sprintf(vaultPolicyReadPath, request.CredentialPath)
v.log.Infof("creating policy %s", policyData)
policyName := request.AppRoleName + "-policy"
err = vc.CreateOrUpdatePolicy(policyName, policyData)
if err != nil {
v.log.Errorf("error while creating Vault policy for app role %s", request.AppRoleName, err)
return nil, err
}

err = vc.CreateOrUpdateAppRole(request.AppRoleName, []string{policyName})
if err != nil {
v.log.Errorf("error while creating Vault policy for app role %s", request.AppRoleName, err)
return nil, err
}

token, err := vc.AuthenticateWithAppRole(request.AppRoleName)
if err != nil {
return nil, err
}

v.log.Infof("app role token generated for path %s with role %s", request.CredentialPath, request.AppRoleName)
return &vaultcredpb.GetAppRoleTokenResponse{Token: token}, nil
}

func (v *VaultCredServ) GetCredentialWithAppRoleToken(ctx context.Context, request *vaultcredpb.GetCredentialWithAppRoleTokenRequest) (*vaultcredpb.GetCredentialWithAppRoleTokenResponse, error) {
vc, err := client.NewVaultClientForToken(v.log, v.conf, request.Token)
if err != nil {
return nil, err
}

credential, err := vc.GetCredential(ctx, CredentialMountPath(), request.CredentialPath)
if err != nil {
v.log.Error("app role get credential request failed for %s, %v", request.CredentialPath, err)
return nil, err
}
v.log.Infof("app role get credential request processed for %s", request.CredentialPath)
return &vaultcredpb.GetCredentialWithAppRoleTokenResponse{Credential: credential}, nil
return &vaultcredpb.DeleteCredentialResponse{}, nil
}
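--- a/internal/api/vault_app_role_api.go
+++ b/internal/api/vault_app_role_api.go
@@ -0,0 +1,68 @@
+package api
+
+import (
+"context"
+"fmt"
+
+"github.com/intelops/vault-cred/internal/client"
+"github.com/intelops/vault-cred/proto/pb/vaultcredpb"
+)
+
+func (v *VaultCredServ) CreateAppRoleToken(ctx context.Context, request *vaultcredpb.CreateAppRoleTokenRequest) (*vaultcredpb.CreateAppRoleTokenResponse, error) {
+v.log.Infof("app role token request for vault path %v with role %s", request.SecretPaths, request.AppRoleName)
+vc, err := client.NewVaultClientForTokenFromEnv(v.log, v.conf)
+if err != nil {
+return nil, err
+}
+
+err = vc.EnableAppRoleAuth()
+if err != nil {
+return nil, err
+}
+
+var policyData string
+for _, credPath := range request.SecretPaths {
+credPathPolicy := fmt.Sprintf(vaultPolicyReadPath, credPath)
+policyData = policyData + "\n" + credPathPolicy
+}
+
+policyName := request.AppRoleName + "-policy"
+err = vc.CreateOrUpdatePolicy(policyName, policyData)
+if err != nil {
+v.log.Errorf("error while creating Vault policy for app role %s", request.AppRoleName, err)
+return nil, err
+}
+
+err = vc.CreateOrUpdateAppRole(request.AppRoleName, []string{policyName})
+if err != nil {
+v.log.Errorf("error while creating Vault policy for app role %s", request.AppRoleName, err)
+return nil, err
+}
+
+token, err := vc.AuthenticateWithAppRole(request.AppRoleName)
+if err != nil {
+return nil, err
+}
+
+v.log.Infof("app role token generated for path %v with role %s", request.SecretPaths, request.AppRoleName)
+return &vaultcredpb.CreateAppRoleTokenResponse{Token: token}, nil
+}
+
+func (v *VaultCredServ) DeleteAppRole(ctx context.Context, request *vaultcredpb.DeleteAppRoleRequest) (*vaultcredpb.DeleteAppRoleResponse, error) {
+return nil, nil
+}
+
+func (v *VaultCredServ) GetCredentialWithAppRoleToken(ctx context.Context, request *vaultcredpb.GetCredentialWithAppRoleTokenRequest) (*vaultcredpb.GetCredentialWithAppRoleTokenResponse, error) {
+vc, err := client.NewVaultClientForToken(v.log, v.conf, request.Token)
+if err != nil {
+return nil, err
+}
+
+credential, err := vc.GetCredential(ctx, CredentialMountPath(), request.SecretPath)
+if err != nil {
+v.log.Error("app role get credential request failed for %s, %v", request.SecretPath, err)
+return nil, err
+}
+v.log.Infof("app role get credential request processed for %s", request.SecretPath)
+return &vaultcredpb.GetCredentialWithAppRoleTokenResponse{Credential: credential}, nil
+}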
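Review bot: The two `v.log.Errorf` calls in CreateAppRoleToken pass `err` without a matching verb, so the underlying cause ends up as a `%!(EXTRA ...)` suffix instead of in the message, and the second one says "policy" where it is the app role that is being created; `v.log.Error` in GetCredentialWithAppRoleToken has the same problem, taking format verbs in a non-formatting call. The policy body is also assembled by formatting each caller-supplied path straight into the HCL template with no check that `request.SecretPaths` is non-empty or that a path is free of quotes, newlines or Vault path wildcards (`*`, `+`), so an empty list installs an empty policy under `<AppRoleName>-policy` and a malformed path can alter the scope of the policy that CreateOrUpdatePolicy overwrites for that role; validating before formatting (below, which needs `strings` imported) keeps the policy limited to the literal paths requested, assuming wildcard grants are not intended here. DeleteAppRole returning `nil, nil` hands the gRPC layer a nil response with no error; `return nil, fmt.Errorf("not supported")` matches the stubs in vault_k8s_role_api.go until it is implemented.
```go
func (v *VaultCredServ) CreateAppRoleToken(ctx context.Context, request *vaultcredpb.CreateAppRoleTokenRequest) (*vaultcredpb.CreateAppRoleTokenResponse, error) {
	if len(request.SecretPaths) == 0 {
		return nil, fmt.Errorf("at least one secret path is required for app role %q", request.AppRoleName)
	}
	// … unchanged: client creation and EnableAppRoleAuth …

	var policy strings.Builder
	for _, credPath := range request.SecretPaths {
		// Reject values that cannot be embedded verbatim into the HCL policy body.
		if credPath == "" || strings.ContainsAny(credPath, "\"\n*+") {
			return nil, fmt.Errorf("invalid secret path %q for app role %q", credPath, request.AppRoleName)
		}
		fmt.Fprintf(&policy, vaultPolicyReadPath, credPath)
		policy.WriteString("\n")
	}
	policyData := policy.String()

	policyName := request.AppRoleName + "-policy"
	if err = vc.CreateOrUpdatePolicy(policyName, policyData); err != nil {
		v.log.Errorf("error while creating Vault policy for app role %s: %v", request.AppRoleName, err)
		return nil, err
	}

	if err = vc.CreateOrUpdateAppRole(request.AppRoleName, []string{policyName}); err != nil {
		v.log.Errorf("error while creating Vault app role %s: %v", request.AppRoleName, err)
		return nil, err
	}
	// … unchanged: AuthenticateWithAppRole and response …
```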
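--- a/internal/api/vault_k8s_role_api.go
+++ b/internal/api/vault_k8s_role_api.go
@@ -0,0 +1,24 @@
+package api
+
+import (
+"context"
+"fmt"
+
+"github.com/intelops/vault-cred/proto/pb/vaultcredpb"
+)
+
+func (v *VaultCredServ) ConfigureClusterK8SAuth(ctx context.Context, request *vaultcredpb.ConfigureClusterK8SAuthRequest) (*vaultcredpb.ConfigureClusterK8SAuthResponse, error) {
+return nil, fmt.Errorf("not supported")
+}
+
+func (v *VaultCredServ) CreateK8SAuthRole(ctx context.Context, request *vaultcredpb.CreateK8SAuthRoleRequest) (*vaultcredpb.CreateK8SAuthRoleResponse, error) {
+return nil, nil
+}
+
+func (v *VaultCredServ) UpdateK8SAuthRole(ctx context.Context, request *vaultcredpb.UpdateK8SAuthRoleRequest) (*vaultcredpb.UpdateK8SAuthRoleResponse, error) {
+return nil, fmt.Errorf("not supported")
+}
+
+func (v *VaultCredServ) DeleteK8SAuthRole(ctx context.Context, request *vaultcredpb.DeleteK8SAuthRoleRequest) (*vaultcredpb.DeleteK8SAuthRoleResponse, error) {
+return nil, fmt.Errorf("not supported")
+}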
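Review bot: CreateK8SAuthRole returns `nil, nil`, which hands the gRPC layer a nil response message with no error, while the three sibling stubs in this file report `fmt.Errorf("not supported")`; a client cannot tell "succeeded with nothing" from "unimplemented". Use the same `return nil, fmt.Errorf("not supported")` until role creation is implemented. All four handlers ignore `ctx` and `request`, which is expected for placeholders, but a file-level `// TODO: K8S auth role management is not implemented yet; every handler below is a stub.` would keep them from being read as finished handlers.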

