From f2e4867555e9308b0e6d86aa7994487278dc2b8d Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Wed, 12 Aug 2015 12:52:21 -0700
Subject: [PATCH] Vault SSH: Moved SSH agent config to Vault's source
---
 api/ssh_agent.go | 60 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
diff --git a/api/ssh_agent.go b/api/ssh_agent.go
index b657bb05a3..8fd31caa89 100644
--- a/api/ssh_agent.go
+++ b/api/ssh_agent.go
@@ -1,8 +1,16 @@
 package api
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+	"time"
 
+	"github.com/hashicorp/hcl"
 	"github.com/mitchellh/mapstructure"
 )
 
@@ -25,6 +33,58 @@ type SSHVerifyResponse struct {
 	IP string `mapstructure:"ip"`
 }
 
+// Structure which represents the entries from the agent's configuration file.
+type SSHAgentConfig struct {
+	VaultAddr string `hcl:"vault_addr"`
+	SSHMountPoint string `hcl:"ssh_mount_point"`
+	CACert string `hcl:"ca_cert"`
+	CAPath string `hcl:"ca_path"`
+	TLSSkipVerify bool `hcl:"tls_skip_verify"`
+	AllowedCidrList string `hcl:"allowed_cidr_list"`
+}
+
+// Returns a HTTP client that uses TLS verification (TLS 1.2) with the given
+// certificate pool.
+func (c *SSHAgentConfig) TLSClient(certPool *x509.CertPool) *http.Client {
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: c.TLSSkipVerify,
+		MinVersion: tls.VersionTLS12,
+		RootCAs: certPool,
+	}
+
+	client := *http.DefaultClient
+	client.Transport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		Dial: (&net.Dialer{
+			Timeout: 30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
+		TLSClientConfig: tlsConfig,
+		TLSHandshakeTimeout: 10 * time.Second,
+	}
+	return &client
+}
+
+// Loads agent's configuration from the file and populates the corresponding
+// in memory structure.
+func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
+	var config SSHAgentConfig
+	contents, err := ioutil.ReadFile(path)
+	if !os.IsNotExist(err) {
+		obj, err := hcl.Parse(string(contents))
+		if err != nil {
+			return nil, err
+		}
+
+		if err := hcl.DecodeObject(&config, obj); err != nil {
+			return nil, err
+		}
+	} else {
+		return nil, err
+	}
+	return &config, nil
+}
+
 // Creates an SSHAgent object which can talk to Vault server with SSH backend
 // mounted at default path ("ssh").
 func (c *Client) SSHAgent() *SSHAgent {
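Review bot: LoadSSHAgentConfig treats every ReadFile failure other than a missing file as success — on a permission error or a directory path the guard `if !os.IsNotExist(err)` is true, `contents` is nil, the empty string is handed to `hcl.Parse`, and (assuming the parser accepts empty input) the caller receives a zero-valued SSHAgentConfig with an empty `vault_addr`, `tls_skip_verify=false` and an empty `allowed_cidr_list` instead of an error. The rewrite below returns any ReadFile error up front and drops the else branch; that also removes the only use of `os`, so the `"os"` import added in the first hunk should go with it. Separately, TLSClient copies http.DefaultClient without an overall `Timeout`, so only the dial and TLS handshake are bounded and a stalled Vault response blocks the agent indefinitely; `client.Timeout = 30 * time.Second` (or a configurable value) next to the Transport assignment would close that. Because `tls_skip_verify` disables certificate verification outright, the field comment should state that `ca_cert`/`ca_path` are then ignored and the connection to Vault can be intercepted.
```go
func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
	contents, err := ioutil.ReadFile(path)
	if err != nil {
		// Any read error (missing, unreadable, not a regular file) is fatal;
		// never fall through to parsing an empty document as a valid config.
		return nil, err
	}
	obj, err := hcl.Parse(string(contents))
	if err != nil {
		return nil, err
	}
	var config SSHAgentConfig
	if err := hcl.DecodeObject(&config, obj); err != nil {
		return nil, err
	}
	return &config, nil
}
```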