package cert
import (
"encoding/json"
"errors"
"log"
"strings"
"sync"
"time"
"github.com/hashicorp/vault/api"
)
// vaultClient wraps an *api.Client and takes care of token renewal
// automatically.
//
// The zero value is usable: Get builds the underlying client lazily on the
// first call from api.DefaultConfig plus the environment, applying addr and
// token as optional overrides. mu serialises Get; client is assigned exactly
// once (when still nil) before the renewal goroutine is started, and the
// goroutine reads it without taking mu.
type vaultClient struct {
	addr   string // overrides the default config
	token  string // overrides the VAULT_TOKEN environment variable; credential material, keep it out of logs
	client *api.Client
	mu     sync.Mutex
}
// DefaultVaultClient is the package-wide client instance. Its zero value is
// ready to use; the underlying *api.Client is created on the first Get call.
var DefaultVaultClient = new(vaultClient)
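// Get returns the shared *api.Client, creating it on first use.
//
// The first call builds a client from api.DefaultConfig plus the
// environment, applies the addr and token overrides, exchanges a wrapping
// token for the real client token, and starts keepTokenAlive in the
// background. Later calls return the cached client. Errors from the Vault
// API are returned as-is. The renewal goroutine has no stop signal; it
// lives until the token can no longer be renewed or the process exits.
func (c *vaultClient) Get() (*api.Client, error) {
	c.mu.Lock()
	defer c.mu.Unlock()

	if c.client != nil {
		return c.client, nil
	}

	conf := api.DefaultConfig()
	if err := conf.ReadEnvironment(); err != nil {
		return nil, err
	}
	if c.addr != "" {
		conf.Address = c.addr
	}

	client, err := api.NewClient(conf)
	if err != nil {
		return nil, err
	}
	if c.token != "" {
		client.SetToken(c.token)
	}

	token := client.Token()
	if token == "" {
		return nil, errors.New("vault: no token")
	}

	// A wrapping token has to be exchanged for the real client token before
	// the client is usable. Older client versions signal "not a wrapping
	// token" with an error whose text starts with "no value found at";
	// newer ones appear to return a nil secret or one without an auth
	// block and no error, so both shapes are accepted as "plain token".
	resp, err := client.Logical().Unwrap(token)
	switch {
	case err == nil && resp != nil && resp.Auth == nil && len(resp.Data) > 0:
		// Something was unwrapped, but it is not a login response (no auth
		// block), so there is no client token to switch to. The original
		// dereferenced resp.Auth here and would have panicked.
		return nil, errors.New("vault: unwrapped response contains no client token")
	case err == nil && (resp == nil || resp.Auth == nil):
		// not a wrapped token; keep using it as-is
	case err == nil:
		if resp.Auth.ClientToken == "" {
			return nil, errors.New("vault: unwrapped response contains no client token")
		}
		// The token value itself is deliberately not logged: even a
		// single-use wrapping token is credential material.
		log.Printf("[INFO] vault: Unwrapped token")
		client.SetToken(resp.Auth.ClientToken)
	case strings.HasPrefix(err.Error(), "no value found at"):
		// not a wrapped token; matching on the error text is brittle but is
		// what the API offers here
	default:
		return nil, err
	}

	// c.client is published before the go statement, so keepTokenAlive can
	// read it without the lock.
	c.client = client
	go c.keepTokenAlive()
	return client, nil
}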
// dropNotRenewableWarning suppresses the 'Token is not renewable' warning
// that keepTokenAlive logs. Tests that expect a non-renewable token set it;
// in production it stays false.
var dropNotRenewableWarning = false
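// keepTokenAlive renews the client token in the background until it can no
// longer be renewed. Get starts it once c.client is set; it must not be
// called before that.
//
// The lookup-self response is decoded through a JSON round-trip into a
// small struct so the function does not depend on the map-typed Data.
// Tokens that are not renewable are never renewed: a warning with the
// expiry is logged unless dropNotRenewableWarning is set or the token has
// no expiry at all. Renewal is attempted at half the remaining lease;
// failed attempts are retried with a capped backoff instead of every
// second, because the renewal runs in its own goroutine and a tight retry
// loop against an unavailable Vault only adds load and log noise.
func (c *vaultClient) keepTokenAlive() {
	resp, err := c.client.Auth().Token().LookupSelf()
	if err != nil {
		log.Printf("[WARN] vault: lookup-self failed, token renewal is disabled: %s", err)
		return
	}
	if resp == nil {
		// Guard against a nil secret; the original would have panicked on
		// resp.Data and taken the whole process down with the goroutine.
		log.Printf("[WARN] vault: lookup-self returned no data, token renewal is disabled")
		return
	}

	var data struct {
		TTL         int       `json:"ttl"`
		CreationTTL int       `json:"creation_ttl"`
		Renewable   bool      `json:"renewable"`
		ExpireTime  time.Time `json:"expire_time"`
	}
	// The Marshal error was previously discarded; a failure here is reported
	// the same way as a decode failure.
	b, err := json.Marshal(resp.Data)
	if err == nil {
		err = json.Unmarshal(b, &data)
	}
	if err != nil {
		log.Printf("[WARN] vault: lookup-self failed, token renewal is disabled: %s", err)
		return
	}

	switch {
	case data.Renewable:
		// renewable: continue to the renewal loop below
	case data.ExpireTime.IsZero():
		// token doesn't expire, nothing to renew
		return
	case dropNotRenewableWarning:
		return
	default:
		ttl := time.Until(data.ExpireTime).Truncate(time.Second)
		log.Printf("[WARN] vault: Token is not renewable and will expire %s from now at %s",
			ttl, data.ExpireTime.Format(time.RFC3339))
		return
	}

	ttl := time.Duration(data.TTL) * time.Second
	retry := minRenewRetry
	timer := time.NewTimer(ttl / 2)
	defer timer.Stop()
	// timer.C is never closed, so the loop only ends through a return.
	for range timer.C {
		resp, err := c.client.Auth().Token().RenewSelf(data.CreationTTL)
		if err != nil {
			log.Printf("[WARN] vault: Failed to renew token: %s", err)
			// The timer has fired (we just received from timer.C), so Reset
			// is safe without a drain.
			timer.Reset(retry)
			retry = nextRenewRetry(retry, ttl)
			continue
		}
		retry = minRenewRetry
		if resp == nil || resp.Auth == nil || !resp.Auth.Renewable || resp.Auth.LeaseDuration == 0 {
			// token isn't renewable anymore (or the response carries no
			// auth block to read a lease from), we're done.
			return
		}
		ttl = time.Duration(resp.Auth.LeaseDuration) * time.Second
		timer.Reset(ttl / 2)
	}
}

// minRenewRetry is the delay before the first retry after a failed renewal;
// maxRenewRetry bounds the backoff so renewal resumes promptly once Vault
// is reachable again.
const (
	minRenewRetry = time.Second
	maxRenewRetry = time.Minute
)

// nextRenewRetry doubles the retry delay, capped at maxRenewRetry and at
// half of the last known lease so a failing renewal is still retried before
// the token would expire. The cap by lease is only applied when it leaves
// at least minRenewRetry between attempts.
func nextRenewRetry(cur, lease time.Duration) time.Duration {
	next := cur * 2
	if next > maxRenewRetry {
		next = maxRenewRetry
	}
	if half := lease / 2; half >= minRenewRetry && next > half {
		next = half
	}
	return next
}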