-
Notifications
You must be signed in to change notification settings - Fork 0
/
keyvault.go
120 lines (97 loc) · 2.72 KB
/
keyvault.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
package lohpi
import (
// log "github.com/sirupsen/logrus"
"encoding/json"
"fmt"
"io/ioutil"
"net"
"net/http"
"net/url"
"strings"
"time"
)
// Configuration required to use Azure Key Vault
type AzureKeyVaultClientConfig struct {
AzureKeyVaultClientID string
AzureKeyVaultClientSecret string
AzureKeyVaultTenantID string
}
type tokenResponse struct {
TokenType string `json:"token_type"`
AccessToken string `json:"access_token"`
}
type AzureKeyVaultSecretResponse struct {
Value string `json:"value"`
Id string `json:"id"`
}
type AzureKeyVaultClient struct {
config *AzureKeyVaultClientConfig
token string
}
func NewAzureKeyVaultClient(config *AzureKeyVaultClientConfig) (*AzureKeyVaultClient, error) {
const authenticationScope = "https://vault.azure.net/.default"
var keyVaultransport = &http.Transport{
Dial: (&net.Dialer{
Timeout: 5 * time.Second,
}).Dial,
TLSHandshakeTimeout: 5 * time.Second,
}
var keyVaultClient = &http.Client{
Timeout: time.Second * 5,
Transport: keyVaultransport,
}
authenticationURL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/token", config.AzureKeyVaultTenantID)
data := url.Values{}
data.Set("grant_type", "client_credentials")
data.Set("client_id", config.AzureKeyVaultClientID)
data.Set("client_secret", config.AzureKeyVaultClientSecret)
data.Set("scope", authenticationScope)
resp, err := keyVaultClient.Post(authenticationURL, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
if err != nil {
return nil, err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, err
}
var tr tokenResponse
errUnMarshal := json.Unmarshal(body, &tr)
if errUnMarshal != nil {
return nil, errUnMarshal
}
ss := &AzureKeyVaultClient{
token: tr.AccessToken,
config: config,
}
return ss, nil
}
// GetSecret retrieves a secret from keyvault
func (k *AzureKeyVaultClient) GetSecret(vaultBaseURL, secretName string) (*AzureKeyVaultSecretResponse, error) {
// Create a Bearer string by appending string access token
var bearer = "Bearer " + k.token
url := fmt.Sprintf("%s/secrets/%s/?api-version=7.0", vaultBaseURL, secretName)
// Create a new request using http
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return nil, err
}
// add authorization header to the req
req.Header.Add("Authorization", bearer)
// Send req using http Client
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, err
}
var sr AzureKeyVaultSecretResponse
if err := json.Unmarshal([]byte(body), &sr); err != nil {
return nil, err
}
return &sr, nil
}