diff --git a/internal/api/api.go b/internal/api/api.go
index c30a5069..9efea5a2 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -11,6 +11,10 @@ import (
 "github.com/pkg/errors"
 )
 
+const (
+ vaultPolicyReadPath = `path "%s" {capabilities = ["read"]}`
+)
+
 type VaultCredServ struct {
 vaultcredpb.UnimplementedVaultCredServer
 conf config.VaultEnv
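Review bot: `vaultPolicyReadPath` is a raw HCL template whose `%s` is substituted without quoting or escaping, and nothing at the declaration says what the substituted value must look like, so a later caller has no hint that a path containing `"`, a newline, or a `*`/`+` glob segment changes what the resulting policy grants. Document the contract on the constant: `// vaultPolicyReadPath is an HCL policy template; the %s is inserted verbatim (no escaping), so the caller must reject paths containing quotes, whitespace, HCL syntax, or the glob characters * and + before formatting.` The code that formats it lives in a later hunk of this file.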
@@ -84,3 +88,54 @@ func (v *VaultCredServ) DeleteCred(ctx context.Context, request *vaultcredpb.Del
 v.log.Infof("delete credential request processed for %s", secretPath)
 return &vaultcredpb.DeleteCredResponse{}, nil
 }
+
+func (v *VaultCredServ) GetAppRoleToken(ctx context.Context, request *vaultcredpb.GetAppRoleTokenRequest) (*vaultcredpb.GetAppRoleTokenResponse, error) {
+ v.log.Infof("app role token request for vault path %s with role %s", request.CredentialPath, request.AppRoleName)
+ vc, err := client.NewVaultClientForTokenFromEnv(v.log, v.conf)
+ if err != nil {
+ return nil, err
+ }
+
+ err = vc.EnableAppRoleAuth()
+ if err != nil {
+ return nil, err
+ }
+
+ policyData := fmt.Sprintf(vaultPolicyReadPath, request.CredentialPath)
+ v.log.Infof("creating policy %s", policyData)
+ policyName := request.AppRoleName + "-policy"
+ err = vc.CreateOrUpdatePolicy(policyName, policyData)
+ if err != nil {
+ v.log.Errorf("error while creating Vault policy for app role %s", request.AppRoleName, err)
+ return nil, err
+ }
+
+ err = vc.CreateOrUpdateAppRole(request.AppRoleName, []string{policyName})
+ if err != nil {
+ v.log.Errorf("error while creating Vault policy for app role %s", request.AppRoleName, err)
+ return nil, err
+ }
+
+ token, err := vc.AuthenticateWithAppRole(request.AppRoleName)
+ if err != nil {
+ return nil, err
+ }
+
+ v.log.Infof("app role token generated for path %s with role %s", request.CredentialPath, request.AppRoleName)
+ return &vaultcredpb.GetAppRoleTokenResponse{Token: token}, nil
+}
+
+func (v *VaultCredServ) GetCredentialWithAppRoleToken(ctx context.Context, request *vaultcredpb.GetCredentialWithAppRoleTokenRequest) (*vaultcredpb.GetCredentialWithAppRoleTokenResponse, error) {
+ vc, err := client.NewVaultClientForToken(v.log, v.conf, request.Token)
+ if err != nil {
+ return nil, err
+ }
+
+ credential, err := vc.GetCredential(ctx, "", request.CredentialPath)
+ if err != nil {
+ v.log.Error("app role get credential request failed for %s, %v", 
request.CredentialPath, err)
+ return nil, err
+ }
+ v.log.Infof("app role get credential request processed for %s", request.CredentialPath)
+ return &vaultcredpb.GetCredentialWithAppRoleTokenResponse{Credential: credential}, nil
+}
diff --git a/internal/client/vault.go b/internal/client/vault.go
index 69eb609a..d0f03a6c 100644
--- a/internal/client/vault.go
+++ b/internal/client/vault.go
@@ -27,7 +27,7 @@ type VaultClient struct {
 
 func NewVaultClientForServiceAccount(ctx context.Context, log logging.Logger, conf config.VaultEnv) (*VaultClient, error) {
 if conf.VaultTokenForRequests {
- return NewVaultClientForVaultToken(log, conf)
+ return NewVaultClientForTokenFromEnv(log, conf)
 }
 
 vc, err := NewVaultClient(log, conf)
@@ -42,7 +42,7 @@ func NewVaultClientForServiceAccount(ctx context.Context, log logging.Logger, co
 return vc, nil
 }
 
-func NewVaultClientForVaultToken(log logging.Logger, conf config.VaultEnv) (*VaultClient, error) {
+func NewVaultClientForTokenFromEnv(log logging.Logger, conf config.VaultEnv) (*VaultClient, error) {
 vc, err := NewVaultClient(log, conf)
 if err != nil {
 return nil, err
@@ -70,6 +70,15 @@ func NewVaultClientForVaultToken(log logging.Logger, conf config.VaultEnv) (*Vau
 return vc, nil
 }
 
+func NewVaultClientForToken(log logging.Logger, conf config.VaultEnv, token string) (*VaultClient, error) {
+ vc, err := NewVaultClient(log, conf)
+ if err != nil {
+ return nil, err
+ }
+ vc.c.SetToken(token)
+ return vc, nil
+}
+
 func NewVaultClient(log logging.Logger, conf config.VaultEnv) (*VaultClient, error) {
 cfg, err := prepareVaultConfig(conf)
 if err != nil {
diff --git a/internal/client/vault_auth.go b/internal/client/vault_auth.go
index f63690cb..53035e87 100644
--- a/internal/client/vault_auth.go
+++ b/internal/client/vault_auth.go
@@ -1,6 +1,7 @@
 package client
 
 import (
+ "fmt"
 "strings"
 
 "github.com/hashicorp/vault/api"
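Review bot: `request.CredentialPath` is formatted straight into the HCL policy by `fmt.Sprintf(vaultPolicyReadPath, ...)` and `request.AppRoleName` selects which policy and AppRole get overwritten, and neither value is validated or tied to the calling identity, so any client that can reach this RPC can mint a read token for an arbitrary path, widen it with a path containing `"` or a `*` glob segment, or repoint an existing role's policy by reusing its name. Whether the caller may read that path has to be decided somewhere, and no interceptor is visible in this diff, so at minimum restrict both fields to a conservative character set and require the path to sit under the prefix this service manages (that prefix is not visible here — confirm). The two `v.log.Errorf` calls pass `err` with no matching verb and the second one reuses the policy message for the role step, and `v.log.Error("... %s, %v", ...)` in `GetCredentialWithAppRoleToken` hands format verbs to a non-format method, so the real error never reaches the log; that one should read `v.log.Errorf("app role get credential request failed for %s, %v", request.CredentialPath, err)`. Sketch of the validation and the corrected logging, assuming `regexp` is added to the imports:
```go
// vaultNameRe bounds what may be interpolated into a policy or used as a role name:
// no quotes, whitespace or HCL syntax, and no * or + glob segments.
var vaultNameRe = regexp.MustCompile(`^[A-Za-z0-9_./-]+$`)

func (v *VaultCredServ) GetAppRoleToken(ctx context.Context, request *vaultcredpb.GetAppRoleTokenRequest) (*vaultcredpb.GetAppRoleTokenResponse, error) {
	if !vaultNameRe.MatchString(request.AppRoleName) || !vaultNameRe.MatchString(request.CredentialPath) {
		return nil, fmt.Errorf("invalid app role name or credential path")
	}
	// TODO(review): also require request.CredentialPath to be under the prefix this
	// service manages, and check that the caller is authorized to read it.
	// … unchanged: client setup, EnableAppRoleAuth, policyData/policyName …
	err = vc.CreateOrUpdatePolicy(policyName, policyData)
	if err != nil {
		v.log.Errorf("error while creating Vault policy for app role %s: %v", request.AppRoleName, err)
		return nil, err
	}

	err = vc.CreateOrUpdateAppRole(request.AppRoleName, []string{policyName})
	if err != nil {
		v.log.Errorf("error while creating Vault app role %s: %v", request.AppRoleName, err)
		return nil, err
	}
	// … unchanged: AuthenticateWithAppRole and response …
}
```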
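Review bot: `NewVaultClientForToken` is exported without a doc comment and accepts an empty `token` without complaint, in which case the returned client carries no credential at all and the failure only surfaces later as a Vault permission error far from its cause. Document the contract, `// NewVaultClientForToken returns a client authenticated with the caller-supplied token; the token is not validated here, so requests fail only when Vault rejects it.`, and fail fast with `if token == "" { return nil, errors.New("vault token is empty") }` using whichever error package vault.go already imports (its import block is outside this hunk).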
@@ -93,7 +94,7 @@ func (v *VaultClient) EnableAppRoleAuth() error {
 return err
 }
 
-func (v *VaultClient) CreateAppRole(roleName string) (string, string, error) {
+func (v *VaultClient) createOrUpdateAppRole(roleName string) (string, string, error) {
 roleIDResponse, err := v.c.Logical().Read("auth/approle/role/" + roleName + "/role-id")
 if err != nil {
 return "", "", err
@@ -109,3 +110,26 @@ func (v *VaultClient) CreateAppRole(roleName string) (string, string, error) {
 
 return roleID, secretID, nil
 }
+
+func (v *VaultClient) AuthenticateWithAppRole(roleName string) (string, error) {
+ roleID, secretID, err := v.createOrUpdateAppRole(roleName)
+ if err != nil {
+ return "", err
+ }
+
+ data := map[string]interface{}{
+ "role_id": roleID,
+ "secret_id": secretID,
+ }
+
+ secret, err := v.c.Logical().Write("auth/approle/login", data)
+ if err != nil {
+ return "", err
+ }
+
+ if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
+ return "", fmt.Errorf("authentication failed")
+ }
+
+ return secret.Auth.ClientToken, nil
+}
diff --git a/internal/client/vault_policy.go b/internal/client/vault_policy.go
index a88d3f46..19bfbb8c 100644
--- a/internal/client/vault_policy.go
+++ b/internal/client/vault_policy.go
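Review bot: `AuthenticateWithAppRole` obtains the role ID and secret ID itself through `createOrUpdateAppRole` (body outside this hunk) using the service's own privileged client and then logs in with them, so the AppRole exchange authenticates nobody — the caller never presents a role ID or secret ID, and the issued token is only as constrained as the role's policy. That is a workable token-scoping pattern but it should be stated on the method: `// AuthenticateWithAppRole performs the AppRole login on the caller's behalf with a secret ID minted here; it scopes the returned token, it does not authenticate the caller.` Each call presumably also leaves a fresh secret ID valid until its TTL unless the role caps its uses (nothing in this diff sets `secret_id_num_uses`), so either set that to 1 on the role or destroy the secret ID after a successful login. The bare `fmt.Errorf("authentication failed")` drops the only useful context; `fmt.Errorf("approle login for %q returned no client token", roleName)` says which role failed.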
@@ -52,6 +52,25 @@ func (v *VaultClient) CreateOrUpdateRole(roleName string, serviceAccounts, names
 return nil
 }
 
+func (v *VaultClient) CreateOrUpdateAppRole(roleName string, policies []string) error {
+ roleData := make(map[string]interface{})
+
+ roleData["policies"] = policies
+ roleData["max_ttl"] = 1800000
+ roleData["secret_id_ttl"] = 1800000
+ roleData["token_ttl"] = 1800000
+ roleData["token_max_ttl"] = 1800000
+
+ path := fmt.Sprintf("/auth/approle/role/%s", roleName)
+ _, err := v.c.Logical().Write(path, roleData)
+ if err != nil {
+ return err
+ }
+
+ v.log.Infof("Updated app role %s", roleName)
+ return nil
+}
+
 func (v *VaultClient) DeleteRole(roleName string) error {
 path := fmt.Sprintf("/auth/kubernetes/role/%s", roleName)
 _, err := v.c.Logical().Delete(path)
diff --git a/internal/job/vault-cred-sync.go b/internal/job/vault-cred-sync.go
index 89bd0577..6a60a09a 100644
--- a/internal/job/vault-cred-sync.go
+++ b/internal/job/vault-cred-sync.go
@@ -92,7 +92,7 @@ func (v *VaultCredSync) Run() {
 }
 }
- vc, err := client.NewVaultClientForVaultToken(v.log, v.conf)
+ vc, err := client.NewVaultClientForTokenFromEnv(v.log, v.conf)
 if err != nil {
 v.log.Errorf("%s", err)
 return
diff --git a/internal/job/vault_policy_watcher.go b/internal/job/vault_policy_watcher.go
index bf93193a..8b83f9f9 100644
--- a/internal/job/vault_policy_watcher.go
+++ b/internal/job/vault_policy_watcher.go
@@ -35,7 +35,7 @@ func (v *VaultPolicyWatcher) CronSpec() string {
 func (v *VaultPolicyWatcher) Run() {
 v.log.Debug("started vault policy watcher")
- vc, err := client.NewVaultClientForVaultToken(v.log, v.conf)
+ vc, err := client.NewVaultClientForTokenFromEnv(v.log, v.conf)
 if err != nil {
 v.log.Errorf("%s", err)
 return
diff --git a/internal/policy/vault_policy_handler.go b/internal/policy/vault_policy_handler.go
index 4d4a9d36..a16ac5c6 100644
--- a/internal/policy/vault_policy_handler.go
+++ b/internal/policy/vault_policy_handler.go
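Review bot: The four TTL values in `CreateOrUpdateAppRole` are bare integers, which Vault reads as seconds, so `1800000` is roughly 20.8 days for a token that is minted per request; if 30 minutes was meant this should be `1800` or the duration string `"30m"` — confirm with whoever chose the number. As far as I can tell `max_ttl` is not a recognized AppRole role field (`token_max_ttl` is the one that applies, so Vault will ignore it with a warning), and `policies` is the legacy alias of `token_policies`, so the role should be written with the current field names. Nothing bounds how often a secret ID may be used (`secret_id_num_uses`) even though `AuthenticateWithAppRole` consumes each one in a single login, so every minted secret ID stays usable for its full TTL; setting it to 1 makes them single-use. Suggested role data, with the lifetime pulled into a named constant:
```go
// appRoleTTL is the lifetime of AppRole secret IDs and of the tokens they produce.
// TODO(review): confirm the intended value — a bare integer is seconds, so the
// previous 1800000 was ~20.8 days, not 30 minutes.
const appRoleTTL = "30m"

	roleData := map[string]interface{}{
		"token_policies":     policies,
		"token_ttl":          appRoleTTL,
		"token_max_ttl":      appRoleTTL,
		"secret_id_ttl":      appRoleTTL,
		"secret_id_num_uses": 1, // each secret ID is consumed by exactly one login in AuthenticateWithAppRole
	}
	// … unchanged: path, Write, logging …
```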
@@ -88,11 +88,6 @@ func (p *VaultPolicyHandler) UpdateVaultRoles(ctx context.Context, vc *client.Va
 return err
 }
 
- err = vc.EnableAppRoleAuth()
- if err != nil {
- return err
- }
-
 existingPolicies, err := vc.ListPolicies()
 if err != nil {
 return err
diff --git a/proto/pb/vaultcredpb/vault-cred.pb.go b/proto/pb/vaultcredpb/vault-cred.pb.go
index 0e524ed3..48639dcc 100644
--- a/proto/pb/vaultcredpb/vault-cred.pb.go
+++ b/proto/pb/vaultcredpb/vault-cred.pb.go
@@ -344,6 +344,210 @@ func (*DeleteCredResponse) Descriptor() ([]byte, []int) { return file_vault_cred_proto_rawDescGZIP(), []int{5} } +type GetAppRoleTokenRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + AppRoleName string `protobuf:"bytes,1,opt,name=appRoleName,proto3" json:"appRoleName,omitempty"` + CredentialPath string `protobuf:"bytes,2,opt,name=credentialPath,proto3" json:"credentialPath,omitempty"` +} + +func (x *GetAppRoleTokenRequest) Reset() { + *x = GetAppRoleTokenRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_vault_cred_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetAppRoleTokenRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetAppRoleTokenRequest) ProtoMessage() {} + +func (x *GetAppRoleTokenRequest) ProtoReflect() protoreflect.Message { + mi := &file_vault_cred_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetAppRoleTokenRequest.ProtoReflect.Descriptor instead. 
+func (*GetAppRoleTokenRequest) Descriptor() ([]byte, []int) { + return file_vault_cred_proto_rawDescGZIP(), []int{6} +} + +func (x *GetAppRoleTokenRequest) GetAppRoleName() string { + if x != nil { + return x.AppRoleName + } + return "" +} + +func (x *GetAppRoleTokenRequest) GetCredentialPath() string { + if x != nil { + return x.CredentialPath + } + return "" +} + +type GetAppRoleTokenResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` +} + +func (x *GetAppRoleTokenResponse) Reset() { + *x = GetAppRoleTokenResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_vault_cred_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetAppRoleTokenResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetAppRoleTokenResponse) ProtoMessage() {} + +func (x *GetAppRoleTokenResponse) ProtoReflect() protoreflect.Message { + mi := &file_vault_cred_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetAppRoleTokenResponse.ProtoReflect.Descriptor instead. 
+func (*GetAppRoleTokenResponse) Descriptor() ([]byte, []int) { + return file_vault_cred_proto_rawDescGZIP(), []int{7} +} + +func (x *GetAppRoleTokenResponse) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + +type GetCredentialWithAppRoleTokenRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` + CredentialPath string `protobuf:"bytes,2,opt,name=credentialPath,proto3" json:"credentialPath,omitempty"` +} + +func (x *GetCredentialWithAppRoleTokenRequest) Reset() { + *x = GetCredentialWithAppRoleTokenRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_vault_cred_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetCredentialWithAppRoleTokenRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetCredentialWithAppRoleTokenRequest) ProtoMessage() {} + +func (x *GetCredentialWithAppRoleTokenRequest) ProtoReflect() protoreflect.Message { + mi := &file_vault_cred_proto_msgTypes[8] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetCredentialWithAppRoleTokenRequest.ProtoReflect.Descriptor instead. 
+func (*GetCredentialWithAppRoleTokenRequest) Descriptor() ([]byte, []int) { + return file_vault_cred_proto_rawDescGZIP(), []int{8} +} + +func (x *GetCredentialWithAppRoleTokenRequest) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + +func (x *GetCredentialWithAppRoleTokenRequest) GetCredentialPath() string { + if x != nil { + return x.CredentialPath + } + return "" +} + +type GetCredentialWithAppRoleTokenResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Credential map[string]string `protobuf:"bytes,1,rep,name=credential,proto3" json:"credential,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` +} + +func (x *GetCredentialWithAppRoleTokenResponse) Reset() { + *x = GetCredentialWithAppRoleTokenResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_vault_cred_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetCredentialWithAppRoleTokenResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetCredentialWithAppRoleTokenResponse) ProtoMessage() {} + +func (x *GetCredentialWithAppRoleTokenResponse) ProtoReflect() protoreflect.Message { + mi := &file_vault_cred_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetCredentialWithAppRoleTokenResponse.ProtoReflect.Descriptor instead. 
+func (*GetCredentialWithAppRoleTokenResponse) Descriptor() ([]byte, []int) { + return file_vault_cred_proto_rawDescGZIP(), []int{9} +} + +func (x *GetCredentialWithAppRoleTokenResponse) GetCredential() map[string]string { + if x != nil { + return x.Credential + } + return nil +} + var File_vault_cred_proto protoreflect.FileDescriptor var file_vault_cred_proto_rawDesc = []byte{ 
@@ -396,23 +600,67 @@ var file_vault_cred_proto_rawDesc = []byte{ 0x72, 0x65, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x22, 0x14, 0x0a, 0x12, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x72, 0x65, - 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xec, 0x01, 0x0a, 0x09, 0x56, 0x61, - 0x75, 0x6c, 0x74, 0x43, 0x72, 0x65, 0x64, 0x12, 0x46, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x43, 0x72, + 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x62, 0x0a, 0x16, 0x47, 0x65, 0x74, + 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x61, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x4e, 0x61, + 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x70, 0x70, 0x52, 0x6f, 0x6c, + 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x61, 0x6c, 0x50, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, + 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x50, 0x61, 0x74, 0x68, 0x22, 0x2f, 0x0a, + 0x17, 0x47, 0x65, 0x74, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, + 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x64, + 0x0a, 0x24, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x57, + 0x69, 0x74, 0x68, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x26, 0x0a, 0x0e, + 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x50, 0x61, 
0x74, 0x68, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, + 0x50, 0x61, 0x74, 0x68, 0x22, 0xca, 0x01, 0x0a, 0x25, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x57, 0x69, 0x74, 0x68, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, + 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x62, + 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x42, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, + 0x2e, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x57, 0x69, + 0x74, 0x68, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, + 0x6c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, + 0x61, 0x6c, 0x1a, 0x3d, 0x0a, 0x0f, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, + 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, + 0x01, 0x32, 0xd7, 0x03, 0x0a, 0x09, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x43, 0x72, 0x65, 0x64, 0x12, + 0x46, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x12, 0x1b, 0x2e, 0x76, 0x61, 0x75, + 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, + 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x07, 0x50, 0x75, 0x74, 0x43, 0x72, 0x65, 0x64, 
0x12, 0x1b, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, - 0x2e, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x1c, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x47, 0x65, + 0x2e, 0x50, 0x75, 0x74, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x1c, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x50, 0x75, 0x74, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, - 0x46, 0x0a, 0x07, 0x50, 0x75, 0x74, 0x43, 0x72, 0x65, 0x64, 0x12, 0x1b, 0x2e, 0x76, 0x61, 0x75, - 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x50, 0x75, 0x74, 0x43, 0x72, 0x65, 0x64, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, - 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x50, 0x75, 0x74, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, - 0x65, 0x43, 0x72, 0x65, 0x64, 0x12, 0x1e, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, - 0x64, 0x70, 0x62, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, - 0x64, 0x70, 0x62, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x0e, 0x5a, 0x0c, 0x2f, 0x76, 0x61, 0x75, - 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x4f, 0x0a, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x72, 0x65, 0x64, 0x12, 0x1e, 0x2e, + 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, + 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 
0x70, 0x62, 0x2e, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x43, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, + 0x12, 0x5e, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, + 0x6b, 0x65, 0x6e, 0x12, 0x23, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, + 0x62, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, 0x65, + 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, + 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, + 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, + 0x12, 0x88, 0x01, 0x0a, 0x1d, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, + 0x61, 0x6c, 0x57, 0x69, 0x74, 0x68, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, + 0x65, 0x6e, 0x12, 0x31, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, + 0x2e, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x57, 0x69, + 0x74, 0x68, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x32, 0x2e, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, + 0x64, 0x70, 0x62, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, + 0x6c, 0x57, 0x69, 0x74, 0x68, 0x41, 0x70, 0x70, 0x52, 0x6f, 0x6c, 0x65, 0x54, 0x6f, 0x6b, 0x65, + 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x0e, 0x5a, 0x0c, 0x2f, + 0x76, 0x61, 0x75, 0x6c, 0x74, 0x63, 0x72, 0x65, 0x64, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( 
@@ -427,31 +675,41 @@ func file_vault_cred_proto_rawDescGZIP() []byte { return file_vault_cred_proto_rawDescData } -var file_vault_cred_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_vault_cred_proto_msgTypes = make([]protoimpl.MessageInfo, 13) var file_vault_cred_proto_goTypes = []interface{}{ - (*GetCredRequest)(nil), // 0: vaultcredpb.GetCredRequest - (*GetCredResponse)(nil), // 1: vaultcredpb.GetCredResponse - (*PutCredRequest)(nil), // 2: vaultcredpb.PutCredRequest - (*PutCredResponse)(nil), // 3: vaultcredpb.PutCredResponse - (*DeleteCredRequest)(nil), // 4: vaultcredpb.DeleteCredRequest - (*DeleteCredResponse)(nil), // 5: vaultcredpb.DeleteCredResponse - nil, // 6: vaultcredpb.GetCredResponse.CredentialEntry - nil, // 7: vaultcredpb.PutCredRequest.CredentialEntry + (*GetCredRequest)(nil), // 0: vaultcredpb.GetCredRequest + (*GetCredResponse)(nil), // 1: vaultcredpb.GetCredResponse + (*PutCredRequest)(nil), // 2: vaultcredpb.PutCredRequest + (*PutCredResponse)(nil), // 3: vaultcredpb.PutCredResponse + (*DeleteCredRequest)(nil), // 4: vaultcredpb.DeleteCredRequest + (*DeleteCredResponse)(nil), // 5: vaultcredpb.DeleteCredResponse + (*GetAppRoleTokenRequest)(nil), // 6: vaultcredpb.GetAppRoleTokenRequest + (*GetAppRoleTokenResponse)(nil), // 7: vaultcredpb.GetAppRoleTokenResponse + (*GetCredentialWithAppRoleTokenRequest)(nil), // 8: vaultcredpb.GetCredentialWithAppRoleTokenRequest + (*GetCredentialWithAppRoleTokenResponse)(nil), // 9: vaultcredpb.GetCredentialWithAppRoleTokenResponse + nil, // 10: vaultcredpb.GetCredResponse.CredentialEntry + nil, // 11: vaultcredpb.PutCredRequest.CredentialEntry + nil, // 12: vaultcredpb.GetCredentialWithAppRoleTokenResponse.CredentialEntry } var file_vault_cred_proto_depIdxs = []int32{ - 6, // 0: vaultcredpb.GetCredResponse.credential:type_name -> vaultcredpb.GetCredResponse.CredentialEntry - 7, // 1: vaultcredpb.PutCredRequest.credential:type_name -> vaultcredpb.PutCredRequest.CredentialEntry - 0, // 2: 
vaultcredpb.VaultCred.GetCred:input_type -> vaultcredpb.GetCredRequest - 2, // 3: vaultcredpb.VaultCred.PutCred:input_type -> vaultcredpb.PutCredRequest - 4, // 4: vaultcredpb.VaultCred.DeleteCred:input_type -> vaultcredpb.DeleteCredRequest - 1, // 5: vaultcredpb.VaultCred.GetCred:output_type -> vaultcredpb.GetCredResponse - 3, // 6: vaultcredpb.VaultCred.PutCred:output_type -> vaultcredpb.PutCredResponse - 5, // 7: vaultcredpb.VaultCred.DeleteCred:output_type -> vaultcredpb.DeleteCredResponse - 5, // [5:8] is the sub-list for method output_type - 2, // [2:5] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 10, // 0: vaultcredpb.GetCredResponse.credential:type_name -> vaultcredpb.GetCredResponse.CredentialEntry + 11, // 1: vaultcredpb.PutCredRequest.credential:type_name -> vaultcredpb.PutCredRequest.CredentialEntry + 12, // 2: vaultcredpb.GetCredentialWithAppRoleTokenResponse.credential:type_name -> vaultcredpb.GetCredentialWithAppRoleTokenResponse.CredentialEntry + 0, // 3: vaultcredpb.VaultCred.GetCred:input_type -> vaultcredpb.GetCredRequest + 2, // 4: vaultcredpb.VaultCred.PutCred:input_type -> vaultcredpb.PutCredRequest + 4, // 5: vaultcredpb.VaultCred.DeleteCred:input_type -> vaultcredpb.DeleteCredRequest + 6, // 6: vaultcredpb.VaultCred.GetAppRoleToken:input_type -> vaultcredpb.GetAppRoleTokenRequest + 8, // 7: vaultcredpb.VaultCred.GetCredentialWithAppRoleToken:input_type -> vaultcredpb.GetCredentialWithAppRoleTokenRequest + 1, // 8: vaultcredpb.VaultCred.GetCred:output_type -> vaultcredpb.GetCredResponse + 3, // 9: vaultcredpb.VaultCred.PutCred:output_type -> vaultcredpb.PutCredResponse + 5, // 10: vaultcredpb.VaultCred.DeleteCred:output_type -> vaultcredpb.DeleteCredResponse + 7, // 11: vaultcredpb.VaultCred.GetAppRoleToken:output_type -> vaultcredpb.GetAppRoleTokenResponse + 9, // 12: 
vaultcredpb.VaultCred.GetCredentialWithAppRoleToken:output_type -> vaultcredpb.GetCredentialWithAppRoleTokenResponse + 8, // [8:13] is the sub-list for method output_type + 3, // [3:8] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_vault_cred_proto_init() } @@ -532,6 +790,54 @@ func file_vault_cred_proto_init() { return nil } } + file_vault_cred_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetAppRoleTokenRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_vault_cred_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetAppRoleTokenResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_vault_cred_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetCredentialWithAppRoleTokenRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_vault_cred_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetCredentialWithAppRoleTokenResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -539,7 +845,7 @@ func file_vault_cred_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_vault_cred_proto_rawDesc, NumEnums: 0, - NumMessages: 8, + NumMessages: 13, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/pb/vaultcredpb/vault-cred_grpc.pb.go b/proto/pb/vaultcredpb/vault-cred_grpc.pb.go index ed104e5d..c9ffb98f 100644 
--- a/proto/pb/vaultcredpb/vault-cred_grpc.pb.go +++ b/proto/pb/vaultcredpb/vault-cred_grpc.pb.go @@ -19,9 +19,11 @@ import ( const _ = grpc.SupportPackageIsVersion7 const ( - VaultCred_GetCred_FullMethodName = "/vaultcredpb.VaultCred/GetCred" - VaultCred_PutCred_FullMethodName = "/vaultcredpb.VaultCred/PutCred" - VaultCred_DeleteCred_FullMethodName = "/vaultcredpb.VaultCred/DeleteCred" + VaultCred_GetCred_FullMethodName = "/vaultcredpb.VaultCred/GetCred" + VaultCred_PutCred_FullMethodName = "/vaultcredpb.VaultCred/PutCred" + VaultCred_DeleteCred_FullMethodName = "/vaultcredpb.VaultCred/DeleteCred" + VaultCred_GetAppRoleToken_FullMethodName = "/vaultcredpb.VaultCred/GetAppRoleToken" + VaultCred_GetCredentialWithAppRoleToken_FullMethodName = "/vaultcredpb.VaultCred/GetCredentialWithAppRoleToken" ) // VaultCredClient is the client API for VaultCred service. @@ -36,6 +38,8 @@ type VaultCredClient interface { GetCred(ctx context.Context, in *GetCredRequest, opts ...grpc.CallOption) (*GetCredResponse, error) PutCred(ctx context.Context, in *PutCredRequest, opts ...grpc.CallOption) (*PutCredResponse, error) DeleteCred(ctx context.Context, in *DeleteCredRequest, opts ...grpc.CallOption) (*DeleteCredResponse, error) + GetAppRoleToken(ctx context.Context, in *GetAppRoleTokenRequest, opts ...grpc.CallOption) (*GetAppRoleTokenResponse, error) + GetCredentialWithAppRoleToken(ctx context.Context, in *GetCredentialWithAppRoleTokenRequest, opts ...grpc.CallOption) (*GetCredentialWithAppRoleTokenResponse, error) } type vaultCredClient struct { 
@@ -73,6 +77,24 @@ func (c *vaultCredClient) DeleteCred(ctx context.Context, in *DeleteCredRequest, return out, nil } +func (c *vaultCredClient) GetAppRoleToken(ctx context.Context, in *GetAppRoleTokenRequest, opts ...grpc.CallOption) (*GetAppRoleTokenResponse, error) { + out := new(GetAppRoleTokenResponse) + err := c.cc.Invoke(ctx, VaultCred_GetAppRoleToken_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *vaultCredClient) GetCredentialWithAppRoleToken(ctx context.Context, in *GetCredentialWithAppRoleTokenRequest, opts ...grpc.CallOption) (*GetCredentialWithAppRoleTokenResponse, error) { + out := new(GetCredentialWithAppRoleTokenResponse) + err := c.cc.Invoke(ctx, VaultCred_GetCredentialWithAppRoleToken_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + // VaultCredServer is the server API for VaultCred service. // All implementations must embed UnimplementedVaultCredServer // for forward compatibility @@ -85,6 +107,8 @@ type VaultCredServer interface { GetCred(context.Context, *GetCredRequest) (*GetCredResponse, error) PutCred(context.Context, *PutCredRequest) (*PutCredResponse, error) DeleteCred(context.Context, *DeleteCredRequest) (*DeleteCredResponse, error) + GetAppRoleToken(context.Context, *GetAppRoleTokenRequest) (*GetAppRoleTokenResponse, error) + GetCredentialWithAppRoleToken(context.Context, *GetCredentialWithAppRoleTokenRequest) (*GetCredentialWithAppRoleTokenResponse, error) mustEmbedUnimplementedVaultCredServer() } 
@@ -101,6 +125,12 @@ func (UnimplementedVaultCredServer) PutCred(context.Context, *PutCredRequest) (* func (UnimplementedVaultCredServer) DeleteCred(context.Context, *DeleteCredRequest) (*DeleteCredResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method DeleteCred not implemented") } +func (UnimplementedVaultCredServer) GetAppRoleToken(context.Context, *GetAppRoleTokenRequest) (*GetAppRoleTokenResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetAppRoleToken not implemented") +} +func (UnimplementedVaultCredServer) GetCredentialWithAppRoleToken(context.Context, *GetCredentialWithAppRoleTokenRequest) (*GetCredentialWithAppRoleTokenResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetCredentialWithAppRoleToken not implemented") +} func (UnimplementedVaultCredServer) mustEmbedUnimplementedVaultCredServer() {} // UnsafeVaultCredServer may be embedded to opt out of forward compatibility for this service. 
@@ -168,6 +198,42 @@ func _VaultCred_DeleteCred_Handler(srv interface{}, ctx context.Context, dec fun return interceptor(ctx, in, info, handler) } +func _VaultCred_GetAppRoleToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetAppRoleTokenRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(VaultCredServer).GetAppRoleToken(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: VaultCred_GetAppRoleToken_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(VaultCredServer).GetAppRoleToken(ctx, req.(*GetAppRoleTokenRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _VaultCred_GetCredentialWithAppRoleToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetCredentialWithAppRoleTokenRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(VaultCredServer).GetCredentialWithAppRoleToken(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: VaultCred_GetCredentialWithAppRoleToken_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(VaultCredServer).GetCredentialWithAppRoleToken(ctx, req.(*GetCredentialWithAppRoleTokenRequest)) + } + return interceptor(ctx, in, info, handler) +} + // VaultCred_ServiceDesc is the grpc.ServiceDesc for VaultCred service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) 
@@ -187,6 +253,14 @@ var VaultCred_ServiceDesc = grpc.ServiceDesc{ MethodName: "DeleteCred", Handler: _VaultCred_DeleteCred_Handler, }, + { + MethodName: "GetAppRoleToken", + Handler: _VaultCred_GetAppRoleToken_Handler, + }, + { + MethodName: "GetCredentialWithAppRoleToken", + Handler: _VaultCred_GetCredentialWithAppRoleToken_Handler, + }, }, Streams: []grpc.StreamDesc{}, Metadata: "vault-cred.proto", diff --git a/proto/vault-cred.proto b/proto/vault-cred.proto index a1daeb79..d834e294 100644 --- a/proto/vault-cred.proto +++ b/proto/vault-cred.proto @@ -12,6 +12,8 @@ service VaultCred { rpc GetCred (GetCredRequest) returns (GetCredResponse) {}; rpc PutCred (PutCredRequest) returns (PutCredResponse) {}; rpc DeleteCred (DeleteCredRequest) returns (DeleteCredResponse) {}; + rpc GetAppRoleToken(GetAppRoleTokenRequest) returns (GetAppRoleTokenResponse) {}; + rpc GetCredentialWithAppRoleToken(GetCredentialWithAppRoleTokenRequest) returns (GetCredentialWithAppRoleTokenResponse) {}; } message GetCredRequest { @@ -46,3 +48,21 @@ message DeleteCredRequest { message DeleteCredResponse { } + +message GetAppRoleTokenRequest { + string appRoleName = 1; + string credentialPath = 2; +} + +message GetAppRoleTokenResponse { + string token = 1; +} + +message GetCredentialWithAppRoleTokenRequest { + string token = 1; + string credentialPath = 2; +} + +message GetCredentialWithAppRoleTokenResponse { + map credential = 1; +} \ No newline at end of file