package hcvault
import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"

	vault "github.com/hashicorp/vault/api"
)
// HCVaultSecretStore holds a HashiCorp Vault API client that has already been
// given a token (see NewHCVaultSecretStore). The rest of the package presumably
// issues Vault reads through Client; this file only shows its construction.
type HCVaultSecretStore struct {
	// Client is the authenticated Vault client; its token is set once by
	// NewHCVaultSecretStore and is not renewed here.
	Client *vault.Client
}
// HCVaultLoginToken describes how NewHCVaultSecretStore obtains a Vault token.
// Exactly one source is used, in this order of precedence: VaultToken,
// FileWithVaultToken, GitHubToken, FileWithGitHubToken. The GitHub variants are
// exchanged for a Vault token through the auth/github/login endpoint.
type HCVaultLoginToken struct {
	// VaultToken is a Vault token supplied directly (highest precedence).
	VaultToken string
	// FileWithVaultToken is a path to a file whose contents are a Vault token.
	FileWithVaultToken string
	// GitHubToken is a GitHub token to exchange for a Vault token.
	GitHubToken string
	// FileWithGitHubToken is a path to a file whose contents are a GitHub token
	// (lowest precedence; used only when the other three fields are empty).
	FileWithGitHubToken string
}
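// NewHCVaultSecretStore creates a Vault client for vaultURL and authenticates
// it using the first credential source set in loginToken (see
// HCVaultLoginToken for the precedence order).
//
// Returns the store holding the authenticated client, or an error when the
// client cannot be created, a token file cannot be read, the GitHub login
// fails, or loginToken carries no credential at all. Previously an empty
// loginToken fell through to opening the file "" and surfaced an unhelpful
// open error; it is now rejected explicitly.
func NewHCVaultSecretStore(
	vaultURL string,
	loginToken HCVaultLoginToken,
) (*HCVaultSecretStore, error) {
	// Only the address is set here; every other client setting comes from
	// vault.DefaultConfig().
	config := vault.DefaultConfig()
	config.Address = vaultURL
	client, err := vault.NewClient(config)
	if err != nil {
		return nil, fmt.Errorf("failed to create HashiCorp Vault client: %w", err)
	}

	token, err := resolveVaultToken(client, loginToken)
	if err != nil {
		return nil, err
	}
	client.SetToken(token)
	return &HCVaultSecretStore{
		Client: client,
	}, nil
}

// resolveVaultToken picks the credential source from loginToken by precedence
// and turns it into a Vault token, logging in through Vault's GitHub auth
// method when only a GitHub token is available. Errors from the helpers are
// returned unwrapped; they already name the file or endpoint involved and
// never contain the token value itself.
func resolveVaultToken(client *vault.Client, loginToken HCVaultLoginToken) (string, error) {
	switch {
	case loginToken.VaultToken != "":
		return loginToken.VaultToken, nil
	case loginToken.FileWithVaultToken != "":
		return readTokenFromFile(loginToken.FileWithVaultToken)
	}

	var gitHubToken string
	switch {
	case loginToken.GitHubToken != "":
		gitHubToken = loginToken.GitHubToken
	case loginToken.FileWithGitHubToken != "":
		fileToken, err := readTokenFromFile(loginToken.FileWithGitHubToken)
		if err != nil {
			return "", err
		}
		gitHubToken = fileToken
	default:
		// Without this guard an all-empty loginToken tried to open "" as a
		// token file, hiding the real configuration mistake.
		return "", errors.New("no Vault credential configured: set a Vault token, a GitHub token, or a file containing one")
	}
	return loginWithGitHubToken(client, gitHubToken)
}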
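// maxTokenFileBytes bounds how much of a token file is read. The previous
// limit of 100 bytes silently truncated any longer token, producing a
// credential that only failed later at authentication time; a file over this
// size is now rejected with a clear error instead.
const maxTokenFileBytes = 4096

// readTokenFromFile returns the token stored in the file at fileWithToken.
// Surrounding whitespace is stripped, so files ending in "\n" or "\r\n" both
// yield the bare token.
//
// Returns an error when the file cannot be opened or read, when it is larger
// than maxTokenFileBytes, or when it contains only whitespace (an empty token
// would otherwise be accepted and leave the client effectively
// unauthenticated). Error messages include the path but never the contents.
func readTokenFromFile(fileWithToken string) (string, error) {
	secretFile, err := os.Open(fileWithToken)
	if err != nil {
		return "", fmt.Errorf("unable to open file %s containing token: %w", fileWithToken, err)
	}
	defer secretFile.Close()

	// Read one byte past the limit so an oversize file is detectable rather
	// than quietly cut short.
	tokenBytes, err := io.ReadAll(io.LimitReader(secretFile, maxTokenFileBytes+1))
	if err != nil {
		return "", fmt.Errorf("unable to read token from file %s: %w", fileWithToken, err)
	}
	if len(tokenBytes) > maxTokenFileBytes {
		return "", fmt.Errorf("token file %s exceeds %d bytes", fileWithToken, maxTokenFileBytes)
	}

	token := strings.TrimSpace(string(tokenBytes))
	if token == "" {
		return "", fmt.Errorf("token file %s is empty", fileWithToken)
	}
	return token, nil
}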
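// loginWithGitHubToken exchanges gitHubToken for a Vault client token by
// writing it to Vault's auth/github/login endpoint.
//
// Returns the client token from the response's Auth block. Errors when
// gitHubToken is empty, when the login request fails, or when Vault answers
// without auth data (previously that case dereferenced a nil pointer and
// panicked). The GitHub token is never included in an error message.
func loginWithGitHubToken(client *vault.Client, gitHubToken string) (string, error) {
	if gitHubToken == "" {
		return "", errors.New("GitHub token for Vault login is empty")
	}
	loginData := map[string]interface{}{
		"token": gitHubToken,
	}
	resp, err := client.Logical().Write("auth/github/login", loginData)
	if err != nil {
		return "", fmt.Errorf("failed to login using GitHub token: %w", err)
	}
	// A nil response or missing Auth block means no token was issued;
	// surface that as an error instead of panicking on resp.Auth.
	if resp == nil || resp.Auth == nil || resp.Auth.ClientToken == "" {
		return "", errors.New("GitHub login to Vault returned no client token")
	}
	return resp.Auth.ClientToken, nil
}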