Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

move authenticate dispatch to multimethod for external dispatch #28

Merged
merged 3 commits into from
Jun 14, 2019
Merged

move authenticate dispatch to multimethod for external dispatch #28

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e3ec098
move authenticate dispatch to multimethod for external dispatch
pyncc Jun 13, 2019
3fed662
make common client functions non-private for calls from extensions
pyncc Jun 14, 2019
599233d
PR update: rename internalish fn, mark internalish fns with :no-doc
pyncc Jun 14, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
70 changes: 30 additions & 40 deletions src/vault/client/http.clj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@
ex)))


(defn- do-api-request
(defn ^:no-doc do-api-request
"Performs a request against the API, following redirects at most twice. The
`request-url` should be the full API endpoint."
[method request-url req]
Expand Down Expand Up @@ -124,7 +124,9 @@

;; ## Authentication Methods

(defn- api-auth!
(defn ^:no-doc api-auth!
"Validate the response from a vault auth call, update auth-ref with additional
tracking state like lease metadata."
[claim auth-ref response]
(let [auth-info (lease/auth-lease (:auth (clean-body response)))]
(when-not (:client-token auth-info)
Expand All @@ -136,27 +138,34 @@
(reset! auth-ref auth-info)))


(defn- authenticate-token!
"Updates the token ref by storing the given auth token."
[client token]
(defmulti authenticate*
"Authenticate the client with vault using the given auth-type and credentials."
(fn [client auth-type credentials] auth-type))


(defmethod authenticate* :default
[client auth-type _]
(throw (ex-info (str "Unsupported auth-type " (pr-str auth-type))
{:auth-type auth-type})))


(defmethod authenticate* :token
[client _ token]
(when-not (string? token)
(throw (IllegalArgumentException. "Token credential must be a string")))
(reset! (:auth client) {:client-token (str/trim token)}))


(defn- authenticate-wrap-token!
"Updates the token ref by making an unwrap request that returns the auth token."
[client credentials]
(defmethod authenticate* :wrap-token
[client _ credentials]
(api-auth!
"wrapped token"
(:auth client)
(unwrap-secret client credentials)))


(defn- authenticate-userpass!
"Updates the token ref by making a request to authenticate with a username
and password."
[client credentials]
(defmethod authenticate* :userpass
[client _ credentials]
(let [{:keys [username password]} credentials]
(api-auth!
(str "user " username)
Expand All @@ -171,10 +180,8 @@
:as :json})))))


(defn- authenticate-app!
"Updates the token ref by making a request to authenticate with an app-id and
secret user-id."
[client credentials]
(defmethod authenticate* :app-id
[client _ credentials]
(let [{:keys [app user]} credentials]
(api-auth!
(str "app-id " app)
Expand All @@ -189,10 +196,8 @@
:as :json})))))


(defn- authenticate-app-role!
"Updates the token ref by making a request to authenticate with an role-id and
secret-id."
[client credentials]
(defmethod authenticate* :app-role
[client _ credentials]
(let [{:keys [role-id secret-id]} credentials]
(api-auth!
(str "role-id sha256:" (digest/sha-256 role-id))
Expand All @@ -207,10 +212,8 @@
:as :json})))))


(defn- authenticate-ldap!
"Updates the token ref by making a request to authenticate with a username
and password, to be authenticated against an LDAP backend."
[client credentials]
(defmethod authenticate* :ldap
[client _ credentials]
(let [{:keys [username password]} credentials]
(api-auth!
(str "LDAP user " username)
Expand All @@ -225,10 +228,8 @@
:as :json})))))


(defn- authenticate-k8s!
"Updates the token ref by authenticating via the kubernetes authentication
backend using a JWT."
[client credentials]
(defmethod authenticate* :k8s
[client _ credentials]
(let [{:keys [api-path jwt role]} credentials
api-path (or api-path "/v1/auth/kubernetes/login")]
(when-not jwt
Expand Down Expand Up @@ -298,7 +299,6 @@
(lease/sweep! (:leases client)))



;; ## HTTP Client Type

;; - `api-url`
Expand Down Expand Up @@ -357,17 +357,7 @@

(authenticate!
[this auth-type credentials]
(case auth-type
:token (authenticate-token! this credentials)
:wrap-token (authenticate-wrap-token! this credentials)
:app-id (authenticate-app! this credentials)
:app-role (authenticate-app-role! this credentials)
:userpass (authenticate-userpass! this credentials)
:ldap (authenticate-ldap! this credentials)
:k8s (authenticate-k8s! this credentials)
; Unknown type
(throw (ex-info (str "Unsupported auth-type " (pr-str auth-type))
{:auth-type auth-type})))
(authenticate* this auth-type credentials)
this)


Expand Down