forked from concourse/concourse
-
Notifications
You must be signed in to change notification settings - Fork 0
/
manager.go
209 lines (168 loc) · 6.86 KB
/
manager.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
package vault
import (
"encoding/json"
"errors"
"fmt"
"net/url"
"path"
"time"
"code.cloudfoundry.org/lager"
"github.com/pf-qiu/concourse/v6/atc/creds"
"github.com/mitchellh/mapstructure"
)
type VaultManager struct {
URL string `mapstructure:"url" long:"url" description:"Vault server address used to access secrets."`
PathPrefix string `mapstructure:"path_prefix" long:"path-prefix" default:"/concourse" description:"Path under which to namespace credential lookup."`
LookupTemplates []string `mapstructure:"lookup_templates" long:"lookup-templates" default:"/{{.Team}}/{{.Pipeline}}/{{.Secret}}" default:"/{{.Team}}/{{.Secret}}" description:"Path templates for credential lookup"`
SharedPath string `mapstructure:"shared_path" long:"shared-path" description:"Path under which to lookup shared credentials."`
Namespace string `mapstructure:"namespace" long:"namespace" description:"Vault namespace to use for authentication and secret lookup."`
TLS TLSConfig `mapstructure:",squash"`
Auth AuthConfig `mapstructure:",squash"`
Client *APIClient
ReAuther *ReAuther
SecretFactory *vaultFactory
}
type TLSConfig struct {
CACert string `mapstructure:"ca_cert"`
CACertFile string `long:"ca-cert" description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
CAPath string `long:"ca-path" description:"Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert."`
ClientCert string `mapstructure:"client_cert"`
ClientCertFile string `long:"client-cert" description:"Path to the client certificate for Vault authorization."`
ClientKey string `mapstructure:"client_key"`
ClientKeyFile string `long:"client-key" description:"Path to the client private key for Vault authorization."`
ServerName string `mapstructure:"server_name" long:"server-name" description:"If set, is used to set the SNI host when connecting via TLS."`
Insecure bool `mapstructure:"insecure_skip_verify" long:"insecure-skip-verify" description:"Enable insecure SSL verification."`
}
type AuthConfig struct {
ClientToken string `mapstructure:"client_token" long:"client-token" description:"Client token for accessing secrets within the Vault server."`
Backend string `mapstructure:"auth_backend" long:"auth-backend" description:"Auth backend to use for logging in to Vault."`
BackendMaxTTL time.Duration `mapstructure:"auth_backend_max_ttl" long:"auth-backend-max-ttl" description:"Time after which to force a re-login. If not set, the token will just be continuously renewed."`
RetryMax time.Duration `mapstructure:"auth_retry_max" long:"retry-max" default:"5m" description:"The maximum time between retries when logging in or re-authing a secret."`
RetryInitial time.Duration `mapstructure:"auth_retry_initial" long:"retry-initial" default:"1s" description:"The initial time between retries when logging in or re-authing a secret."`
Params map[string]string `mapstructure:"auth_params" long:"auth-param" description:"Paramter to pass when logging in via the backend. Can be specified multiple times." value-name:"NAME:VALUE"`
}
func (manager *VaultManager) Init(log lager.Logger) error {
var err error
manager.Client, err = NewAPIClient(log, manager.URL, manager.TLS, manager.Auth, manager.Namespace)
if err != nil {
return err
}
return nil
}
func (manager *VaultManager) MarshalJSON() ([]byte, error) {
health, err := manager.Health()
if err != nil {
return nil, err
}
return json.Marshal(&map[string]interface{}{
"url": manager.URL,
"path_prefix": manager.PathPrefix,
"lookup_templates": manager.LookupTemplates,
"shared_path": manager.SharedPath,
"namespace": manager.Namespace,
"ca_cert": manager.TLS.CACert,
"server_name": manager.TLS.ServerName,
"auth_backend": manager.Auth.Backend,
"auth_max_ttl": manager.Auth.BackendMaxTTL,
"auth_retry_max": manager.Auth.RetryMax,
"auth_retry_initial": manager.Auth.RetryInitial,
"health": health,
})
}
func (manager *VaultManager) Config(config map[string]interface{}) error {
// apply defaults
manager.PathPrefix = "/concourse"
manager.Auth.RetryMax = 5 * time.Minute
manager.Auth.RetryInitial = time.Second
decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
DecodeHook: mapstructure.StringToTimeDurationHookFunc(),
ErrorUnused: true,
Result: &manager,
})
if err != nil {
return err
}
err = decoder.Decode(config)
if err != nil {
return err
}
// Fill in default templates if not otherwise set (done here so
// that these are effective all together or not at all, rather
// than combining the defaults with a user's custom setting)
if _, setsTemplates := config["lookup_templates"]; !setsTemplates {
manager.LookupTemplates = []string{
"/{{.Team}}/{{.Pipeline}}/{{.Secret}}",
"/{{.Team}}/{{.Secret}}",
}
}
return nil
}
func (manager VaultManager) IsConfigured() bool {
return manager.URL != ""
}
func (manager VaultManager) Validate() error {
_, err := url.Parse(manager.URL)
if err != nil {
return fmt.Errorf("invalid URL: %s", err)
}
if manager.PathPrefix == "" {
return fmt.Errorf("path prefix must be a non-empty string")
}
for i, tmpl := range manager.LookupTemplates {
name := fmt.Sprintf("lookup-template-%d", i)
if _, err := creds.BuildSecretTemplate(name, manager.PathPrefix + tmpl); err != nil {
return err
}
}
if manager.Auth.ClientToken != "" {
return nil
}
if manager.Auth.Backend != "" {
return nil
}
return errors.New("must configure client token or auth backend")
}
func (manager VaultManager) Health() (*creds.HealthResponse, error) {
health := &creds.HealthResponse{
Method: "/v1/sys/health",
}
response, err := manager.Client.health()
if err != nil {
health.Error = err.Error()
return health, nil
}
health.Response = response
return health, nil
}
func (manager *VaultManager) NewSecretsFactory(logger lager.Logger) (creds.SecretsFactory, error) {
if manager.SecretFactory == nil {
templates := []*creds.SecretTemplate{}
for i, tmpl := range manager.LookupTemplates {
name := fmt.Sprintf("lookup-template-%d", i)
scopedTemplate := path.Join(manager.PathPrefix, tmpl)
if template, err := creds.BuildSecretTemplate(name, scopedTemplate); err != nil {
return nil, err
} else {
templates = append(templates, template)
}
}
manager.ReAuther = NewReAuther(
logger,
manager.Client,
manager.Auth.BackendMaxTTL,
manager.Auth.RetryInitial,
manager.Auth.RetryMax,
)
manager.SecretFactory = NewVaultFactory(
manager.Client,
manager.ReAuther.LoggedIn(),
manager.PathPrefix,
templates,
manager.SharedPath,
)
}
return manager.SecretFactory, nil
}
func (manager VaultManager) Close(logger lager.Logger) {
manager.ReAuther.Close()
}