package vault
import (
	"errors"
	"strings"

	"github.com/hashicorp/vault/api"
)
// Client builds a Vault API client for the server's configured address and
// installs auth.ID as its access token.
//
// If NewVaultClient fails, its error is returned together with whatever
// client value it produced, and no token is set.
func (auth AuthInfo) Client() (client *api.Client, err error) {
	client, err = NewVaultClient()
	if err != nil {
		return client, err
	}
	client.SetToken(auth.ID)
	return client, nil
}
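// Login verifies that the credentials held in auth are valid and, on success,
// returns the metadata reported by Vault's token lookup-self endpoint.
//
// For the "userpass", "github" and "ldap" methods the supplied credential is
// exchanged for a Vault client token and auth is rewritten in place so that
// later calls reuse it: Type becomes "token", ID holds the client token and
// Pass is cleared. For "token" the ID is used as the token directly and auth
// is left untouched. Any other Type is rejected without contacting Vault.
//
// Errors from the Vault client are returned unchanged; a login response that
// carries no client token, and an auth ID that cannot be embedded as a single
// path segment, are reported as errors of their own.
func (auth *AuthInfo) Login() (map[string]interface{}, error) {
	client, err := NewVaultClient()
	if err != nil {
		return nil, err
	}

	switch auth.Type {
	case "token":
		client.SetToken(auth.ID)
		return lookupSelfData(client)

	case "userpass":
		// auth.ID is caller-supplied and becomes a segment of the request
		// path; reject values that could alter which endpoint is reached.
		if err := checkPathSegment(auth.ID); err != nil {
			return nil, err
		}
		return auth.exchangeForToken(client, "auth/userpass/login/"+auth.ID,
			map[string]interface{}{
				"password": auth.Pass,
			})

	case "github":
		// the GitHub token travels in the request body, not the path
		return auth.exchangeForToken(client, "auth/github/login",
			map[string]interface{}{
				"token": auth.ID,
			})

	case "ldap":
		if err := checkPathSegment(auth.ID); err != nil {
			return nil, err
		}
		return auth.exchangeForToken(client, "auth/ldap/login/"+auth.ID,
			map[string]interface{}{
				"password": auth.Pass,
			})

	default:
		return nil, errors.New("Unsupported authentication type")
	}
}

// checkPathSegment rejects an identifier that cannot safely be embedded as a
// single segment of a Vault API path: an empty value, or one containing a
// path or URL delimiter ('/', '?' or '#').
func checkPathSegment(id string) error {
	if id == "" {
		return errors.New("Authentication ID must not be empty")
	}
	if strings.ContainsAny(id, "/?#") {
		return errors.New("Authentication ID contains characters not allowed in a vault path")
	}
	return nil
}

// exchangeForToken performs the login write at path with data, installs the
// returned client token on client, rewrites auth so that future requests
// reuse that token, and returns the token's lookup-self metadata.
//
// auth.Pass is cleared for every method that goes through here (including
// "github", which previously kept it), so the original credential is not
// retained once a token has been obtained.
func (auth *AuthInfo) exchangeForToken(client *api.Client, path string, data map[string]interface{}) (map[string]interface{}, error) {
	// login endpoints are unauthenticated; make sure no stale token is sent
	client.SetToken("")

	resp, err := client.Logical().Write(path, data)
	if err != nil {
		return nil, err
	}
	if resp == nil || resp.Auth == nil || resp.Auth.ClientToken == "" {
		return nil, errors.New("Unable to parse vault response")
	}

	client.SetToken(resp.Auth.ClientToken)
	meta, err := lookupSelfData(client)
	if err != nil {
		return nil, err
	}

	// let future requests re-use the client token
	auth.Type = "token"
	auth.ID = resp.Auth.ClientToken
	auth.Pass = ""
	return meta, nil
}

// lookupSelfData runs a token lookup-self with the token currently installed
// on client and returns the response's Data map.
func lookupSelfData(client *api.Client) (map[string]interface{}, error) {
	resp, err := client.Auth().Token().LookupSelf()
	if err != nil {
		return nil, err
	}
	// guard against a nil secret so callers never dereference it
	if resp == nil {
		return nil, errors.New("Unable to parse vault response")
	}
	return resp.Data, nil
}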
// RenewSelf asks Vault to renew the token held in auth.ID, passing an
// increment of 0, and returns the resulting secret.
//
// A failure to build the client is returned before any request is made.
func (auth AuthInfo) RenewSelf() (*api.Secret, error) {
	c, err := auth.Client()
	if err != nil {
		return nil, err
	}
	tokenAPI := c.Auth().Token()
	return tokenAPI.RenewSelf(0)
}
// LookupSelf queries Vault for the token held in auth.ID and returns the
// lookup-self secret describing it.
//
// A failure to build the client is returned before any request is made.
func (auth AuthInfo) LookupSelf() (*api.Secret, error) {
	c, err := auth.Client()
	if err != nil {
		return nil, err
	}
	tokenAPI := c.Auth().Token()
	return tokenAPI.LookupSelf()
}