Vault: adds posibility for AppRole Login

azak-azkaran · Nov 4, 2020 · 915e422 · 915e422
1 parent 42988cd
commit 915e422
Show file tree

Hide file tree

Showing 7 changed files with 116 additions and 34 deletions.
diff --git a/config.go b/config.go
@@ -28,6 +28,9 @@ type Configuration struct {
 	MountAllow       bool
 	MountDuration    string
 	VaultKeyFile     string
+	RoleID           string
+	SecretID         string
+	useLogin         bool
 }
 
 type AgentConfig struct {
@@ -330,6 +333,14 @@ func ParseConfiguration(confi *Configuration) {
 		confi.VaultConfig.Address = viper.GetString(MAIN_VAULT_ADDRESS)
 	}
 
+	if viper.IsSet(MAIN_VAULT_ROLE_ID) {
+		confi.RoleID = viper.GetString(MAIN_VAULT_ROLE_ID)
+	}
+
+	if viper.IsSet(MAIN_VAULT_SECRET_ID) {
+		confi.SecretID = viper.GetString(MAIN_VAULT_SECRET_ID)
+	}
+
 	log.Println("Agent initalzing on: ", confi.Hostname)
 	log.Println("Agent Configuration:",
 		"\nAddress: ", confi.Address,
@@ -340,4 +351,15 @@ func ParseConfiguration(confi *Configuration) {
 		"\nMount Duration: ", confi.MountDuration,
 		"\nMount AllowOther: ", confi.MountAllow,
 	)
+
+	if (confi.RoleID == "" && confi.SecretID == "") || (confi.RoleID == "" && confi.SecretID != "") || (confi.RoleID != "" && confi.SecretID == "") {
+		confi.RoleID = ""
+		confi.SecretID = ""
+		log.Println("Secret ID and Role ID reset")
+		confi.useLogin = false
+	} else {
+		log.Println("RoleID: ", confi.RoleID)
+		log.Println("SecretID: ", confi.SecretID)
+		confi.useLogin = true
+	}
 }
diff --git a/main.go b/main.go
@@ -68,6 +68,8 @@ func Init(vaultConfig *vault.Config, args []string) error {
 	addressCommend.String(MAIN_MOUNT_ALLOW, "true", "If the gocrypt mount should be allowed by other users")
 	addressCommend.String(MAIN_VAULT_KEY_FILE, "", "File in which the vault keys are stored for easy save into Badger database")
 	addressCommend.String(MAIN_VAULT_ADDRESS, "https://localhost:8200", "The address to the vault server")
+	addressCommend.String(MAIN_VAULT_ROLE_ID, "", "Role ID for AppRole login into Vault")
+	addressCommend.String(MAIN_VAULT_SECRET_ID, "", "Secret ID for AppRole login into Vault")
 
 	err := bindEnviorment()
 	if err != nil {
@@ -133,12 +135,21 @@ func CheckKeyFile(path string) error {
 	//return errors.New("Not implemented yet")
 }
 
-func checkRequirementsForBackup() (string, bool) {
+func checkRequirements() (string, bool) {
 	if AgentConfiguration.DB == nil {
 		log.Println(ERROR_DATABASE_NOT_FOUND)
 		return "", false
 	}
 
+	if AgentConfiguration.useLogin {
+		token, err := Login(AgentConfiguration.VaultConfig, AgentConfiguration.RoleID, AgentConfiguration.SecretID)
+		if err != nil {
+			log.Println("Login failed: ", err)
+			return "", false
+		}
+		return token, true
+	}
+
 	ok := CheckToken(AgentConfiguration.DB)
 	if !ok {
 		log.Println("Token is not set")
@@ -154,7 +165,7 @@ func checkRequirementsForBackup() (string, bool) {
 }
 
 func CheckBackupRepository() {
-	token, ok := checkRequirementsForBackup()
+	token, ok := checkRequirements()
 	if !ok {
 		return
 	}
@@ -201,7 +212,7 @@ func CheckBackupRepository() {
 }
 
 func mountFolders() {
-	token, ok := checkRequirementsForBackup()
+	token, ok := checkRequirements()
 	if !ok {
 		return
 	}
@@ -227,7 +238,7 @@ func mountFolders() {
 }
 
 func backup() {
-	token, ok := checkRequirementsForBackup()
+	token, ok := checkRequirements()
 	if !ok {
 		return
 	}
@@ -310,7 +321,7 @@ func BackupRepositoryExists(token string) {
 }
 
 func GitCheckout() {
-	token, ok := checkRequirementsForBackup()
+	token, ok := checkRequirements()
 	if !ok {
 		return
 	}

diff --git a/main_test.go b/main_test.go
@@ -59,14 +59,19 @@ func TestMainInit(t *testing.T) {
 	args = append(args, "--duration="+MAIN_TEST_DURATION)
 	args = append(args, "--mount_duration="+MAIN_TEST_MOUNT_DURATION)
 	args = append(args, "--mount_allow="+MAIN_TEST_MOUNT_ALLOW)
+	args = append(args, "--vault_role_id="+VAULT_TEST_ROLE_ID)
+	args = append(args, "--vault_secret_id="+VAULT_TEST_SECRET_ID)
 
 	err = Init(testconfig.config, args)
 	require.NoError(t, err)
-	assert.Equal(t, AgentConfiguration.Hostname, hostname)
-	assert.Equal(t, AgentConfiguration.Address, MAIN_TEST_ADDRESS)
-	assert.Equal(t, AgentConfiguration.PathDB, MAIN_TEST_PATHDB)
-	assert.Equal(t, AgentConfiguration.MountAllow, false)
-	assert.Equal(t, AgentConfiguration.MountDuration, MAIN_TEST_MOUNT_DURATION)
+	assert.Equal(t, hostname, AgentConfiguration.Hostname)
+	assert.Equal(t, MAIN_TEST_ADDRESS, AgentConfiguration.Address)
+	assert.Equal(t, MAIN_TEST_PATHDB, AgentConfiguration.PathDB)
+	assert.Equal(t, false, AgentConfiguration.MountAllow)
+	assert.Equal(t, MAIN_TEST_MOUNT_DURATION, AgentConfiguration.MountDuration)
+	assert.Equal(t, VAULT_TEST_SECRET_ID, AgentConfiguration.SecretID)
+	assert.Equal(t, VAULT_TEST_ROLE_ID, AgentConfiguration.RoleID)
+	assert.True(t, AgentConfiguration.useLogin)
 
 	dur, err := time.ParseDuration("1h30m")
 	assert.NoError(t, err)
@@ -80,17 +85,18 @@ func TestMainInit(t *testing.T) {
 	os.Setenv("AGENT_ADDRESS", MAIN_TEST_ADDRESS)
 	os.Setenv("AGENT_PATHDB", MAIN_TEST_PATHDB)
 	os.Setenv("AGENT_DURATION", MAIN_TEST_DURATION)
-	os.Setenv("AGNET_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
-	os.Setenv("AGNET_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
+	os.Setenv("AGENT_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
+	os.Setenv("AGENT_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
 
-	err = Init(testconfig.config, args)
+	err = Init(testconfig.config, nil)
 	require.NoError(t, err)
-	assert.Equal(t, AgentConfiguration.Hostname, hostname)
-	assert.Equal(t, AgentConfiguration.Address, MAIN_TEST_ADDRESS)
-	assert.Equal(t, AgentConfiguration.PathDB, MAIN_TEST_PATHDB)
-	assert.Equal(t, AgentConfiguration.TimeBetweenStart, dur)
-	assert.Equal(t, AgentConfiguration.MountAllow, false)
-	assert.Equal(t, AgentConfiguration.MountDuration, MAIN_TEST_MOUNT_DURATION)
+	assert.Equal(t, hostname, AgentConfiguration.Hostname)
+	assert.Equal(t, MAIN_TEST_ADDRESS, AgentConfiguration.Address)
+	assert.Equal(t, MAIN_TEST_PATHDB, AgentConfiguration.PathDB)
+	assert.Equal(t, dur, AgentConfiguration.TimeBetweenStart)
+	assert.Equal(t, false, AgentConfiguration.MountAllow)
+	assert.Equal(t, MAIN_TEST_MOUNT_DURATION, AgentConfiguration.MountDuration)
+	assert.False(t, AgentConfiguration.useLogin)
 }
 
 func TestMainStart(t *testing.T) {
@@ -103,8 +109,8 @@ func TestMainStart(t *testing.T) {
 	os.Setenv("AGENT_ADDRESS", MAIN_TEST_ADDRESS)
 	os.Setenv("AGENT_DURATION", testconfig.Duration)
 	os.Setenv("AGENT_PATHDB", "./test/DB")
-	os.Setenv("AGNET_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
-	os.Setenv("AGNET_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
+	os.Setenv("AGENT", MAIN_TEST_MOUNT_DURATION)
+	os.Setenv("AGENT", MAIN_TEST_MOUNT_ALLOW)
 	err := Init(testconfig.config, os.Args)
 	require.NoError(t, err)
 
@@ -300,8 +306,8 @@ func TestMainBackupRepositoryExists(t *testing.T) {
 	os.Setenv("AGENT_ADDRESS", MAIN_TEST_ADDRESS)
 	os.Setenv("AGENT_DURATION", testconfig.Duration)
 	os.Setenv("AGENT_PATHDB", "./test/DB")
-	os.Setenv("AGNET_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
-	os.Setenv("AGNET_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
+	os.Setenv("AGENT_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
+	os.Setenv("AGENT_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
 	err := Init(testconfig.config, os.Args)
 	require.NoError(t, err)
 
@@ -355,8 +361,8 @@ func TestMainCheckBackupRepository(t *testing.T) {
 	os.Setenv("AGENT_ADDRESS", MAIN_TEST_ADDRESS)
 	os.Setenv("AGENT_DURATION", testconfig.Duration)
 	os.Setenv("AGENT_PATHDB", "./test/DB")
-	os.Setenv("AGNET_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
-	os.Setenv("AGNET_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
+	os.Setenv("AGENT_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
+	os.Setenv("AGENT_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
 	err := Init(testconfig.config, os.Args)
 	require.NoError(t, err)
 
@@ -404,8 +410,8 @@ func TestMainGitCheckout(t *testing.T) {
 	os.Setenv("AGENT_ADDRESS", MAIN_TEST_ADDRESS)
 	os.Setenv("AGENT_DURATION", testconfig.Duration)
 	os.Setenv("AGENT_PATHDB", "./test/DB")
-	os.Setenv("AGNET_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
-	os.Setenv("AGNET_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
+	os.Setenv("AGENT_MOUNT_DURATION", MAIN_TEST_MOUNT_DURATION)
+	os.Setenv("AGENT_MOUNT_ALLOW", MAIN_TEST_MOUNT_ALLOW)
 	err := Init(testconfig.config, os.Args)
 	require.NoError(t, err)
 

diff --git a/statics.go b/statics.go
@@ -18,13 +18,15 @@ const (
 
 	STORE_ERROR_NOT_DROPED = "Error keys were not dropped."
 
-	MAIN_PATHDB         = "pathdb"
-	MAIN_ADDRESS        = "address"
-	MAIN_TIME_DURATION  = "duration"
-	MAIN_MOUNT_DURATION = "mount_duration"
-	MAIN_MOUNT_ALLOW    = "mount_allow"
-	MAIN_VAULT_KEY_FILE = "vault_key_file"
-	MAIN_VAULT_ADDRESS  = "vault_address"
+	MAIN_PATHDB          = "pathdb"
+	MAIN_ADDRESS         = "address"
+	MAIN_TIME_DURATION   = "duration"
+	MAIN_MOUNT_DURATION  = "mount_duration"
+	MAIN_MOUNT_ALLOW     = "mount_allow"
+	MAIN_VAULT_KEY_FILE  = "vault_key_file"
+	MAIN_VAULT_ADDRESS   = "vault_address"
+	MAIN_VAULT_SECRET_ID = "vault_secret_id"
+	MAIN_VAULT_ROLE_ID   = "vault_role_id"
 
 	MAIN_MESSAGE_NOT_ENOUGH_KEYS  = "Not enough vault keys in storage"
 	MAIN_MESSAGE_START_UNSEAL     = "Starting to unseal Vault"
@@ -100,6 +102,8 @@ const (
 	VAULT_TEST_BACKUP_EXCLUDE_FILE = "~/test/exclude"
 	VAULT_TEST_BACKUP_SECRET_KEY   = "secret.key"
 	VAULT_TEST_BACKUP_ACCESS_KEY   = "access.key"
+	VAULT_TEST_ROLE_ID             = "approleid"
+	VAULT_TEST_SECRET_ID           = "appsecretid"
 
 	MAIN_TEST_ADDRESS        = "localhost:8031"
 	MAIN_TEST_PATHDB         = "./test/DB"

diff --git a/vault.go b/vault.go
@@ -96,3 +96,25 @@ func getDataFromSecret(config *vault.Config, token string, path string) (map[str
 		return secret.Data, nil
 	}
 }
+
+func Login(config *vault.Config, role_id string, secret_id string) (string, error) {
+	client, err := vault.NewClient(config)
+	if err != nil {
+		return "", err
+	}
+
+	// to pass the password
+	options := map[string]interface{}{
+		"secret_id": secret_id,
+		"role_id":   role_id,
+	}
+
+	// PUT call to get a token
+	secret, err := client.Logical().Write("auth/approle/login", options)
+	if err != nil {
+		return "", err
+	}
+
+	token := secret.Auth.ClientToken
+	return token, nil
+}
diff --git a/vault_gin_test.go b/vault_gin_test.go
@@ -81,6 +81,7 @@ func createHandler() http.Handler {
 	r.GET("/v1/gocrypt/data/gocryptpath", test_gocrypt)
 	r.GET("/v1/git/data/gitpath", test_git)
 	r.GET("/v1/git/data/vimrc", test_vimrc)
+	r.PUT("/v1/auth/approle/login", test_login)
 	return r
 }
 
@@ -211,3 +212,9 @@ func test_restic(c *gin.Context) {
 	msg.Data = data
 	c.JSON(http.StatusOK, msg)
 }
+
+func test_login(c *gin.Context) {
+	log.Println("MOCK-Server: called login")
+	msg := "{\"request_id\":\"requestid\",\"lease_id\":\"\",\"renewable\":false,\"lease_duration\":0,\"data\":null,\"wrap_info\":null,\"warnings\":null,\"auth\":{\"client_token\":\"" + VAULT_TEST_TOKEN + "\",\"accessor\":\"accessorid\",\"policies\":[\"default\",\"secret access\"],\"token_policies\":[\"default\",\"secret access\"],\"metadata\":{\"role_name\":\"agent\"},\"lease_duration\":3600,\"renewable\":true,\"entity_id\":\"entity_id\",\"token_type\":\"service\",\"orphan\":true}}"
+	c.String(http.StatusOK, msg)
+}
diff --git a/vault_test.go b/vault_test.go
@@ -49,6 +49,7 @@ func TestVaultUnseal(t *testing.T) {
 
 func TestVaultSealStatus(t *testing.T) {
 	fmt.Println("running: TestVaultSealStatus")
+	t.Cleanup(clear)
 	testconfig := readConfig(t)
 	multipleKey = true
 	err := Seal(testconfig.config, VAULT_TEST_TOKEN)
@@ -88,3 +89,12 @@ func TestVaultSealStatus(t *testing.T) {
 
 	multipleKey = false
 }
+
+func TestVaultLogin(t *testing.T) {
+	fmt.Println("Testing: TestVaultLogin")
+	t.Cleanup(clear)
+	testconfig := readConfig(t)
+	token, err := Login(testconfig.config, VAULT_TEST_ROLE_ID, VAULT_TEST_SECRET_ID)
+	assert.NoError(t, err)
+	assert.Equal(t, VAULT_TEST_TOKEN, token)
+}