* Native Login method, userpass and approle interfaces to implement it
* Add AWS auth interface for Login, unexported struct fields for now
* Add Kubernetes client login
* Add changelog
* Add a test for approle client login
* Return errors from LoginOptions, use limited reader for secret ID
* Fix auth comment length
* Return actual type not interface, check for client token in tests
* Require specification of secret ID location using SecretID struct as AppRole arg
* Allow password from env, file, or plaintext
* Add flexibility in how to fetch k8s service token, but still with default
* Avoid passing strings that need to be validated by just having different login options
* Try a couple real tests with approle and userpass login
* Fix method name in comment
* Add context to Login methods, remove comments about certain sources being inherently insecure
* Perform read of secret ID at login time
* Read password from file at login time
* Pass context in integ tests
* Read env var values in at login time, add extra tests
* Update api version
* Revert "Update api version"
This reverts commit 1ef3949497.
* Update api version in all go.mod files
package api
import (
"context"
"fmt"
)
// Auth is used to perform credential backend related operations.
// Obtain one through Client.Auth; it carries the client that issues the
// auth-method requests and that receives the token after a successful Login.
type Auth struct {
	// c is the client passed to each AuthMethod.Login call and whose
	// token Auth.Login replaces with the ClientToken from the login response.
	c *Client
}
// AuthMethod is the client-side contract implemented by each auth method
// helper (for example the approle and userpass helpers). Login performs the
// method's login request using the supplied client and returns the resulting
// authentication Secret; Auth.Login expects Secret.Auth.ClientToken to be
// populated and installs that token on the client. Implementations should
// honor ctx for cancellation and deadlines, and must not set the client's
// token themselves — that is Auth.Login's job.
type AuthMethod interface {
	Login(ctx context.Context, client *Client) (*Secret, error)
}
// Auth returns an Auth handle bound to this client. The handle is used for
// credential-backend API calls (see Auth.Login); a successful login through
// it sets this client's token. Each call returns a fresh handle, all of
// which share the same underlying client.
func (c *Client) Auth() *Auth {
	handle := new(Auth)
	handle.c = c
	return handle
}
// Login authenticates against Vault with the supplied AuthMethod and, on
// success, installs the ClientToken from the login response on the client via
// SetToken — replacing whatever token the client held before. The login
// request itself is built and sent by authMethod.Login, which receives ctx
// and this client; ctx is passed straight through, so use it to bound the
// login call.
//
// Login returns an error, and leaves the client's token untouched, when
// authMethod is nil, when authMethod.Login fails (the underlying error is
// wrapped and remains reachable via errors.Is/errors.As), or when the response
// has no Auth section or an empty ClientToken.
//
// The returned Secret is the authentication secret and carries the token;
// treat it as a credential (do not log it). It can be handed to
// NewLifetimeWatcher to keep the token renewed. Because every successful call
// replaces the client's token, coordinate Login calls on a client that is
// shared across goroutines.
func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error) {
	if authMethod == nil {
		return nil, fmt.Errorf("no auth method provided for login")
	}

	secret, loginErr := authMethod.Login(ctx, a.c)
	if loginErr != nil {
		return nil, fmt.Errorf("unable to log in to auth method: %w", loginErr)
	}

	// Pull the token out defensively: the method may return a nil secret or a
	// secret without an Auth section, and neither is a usable login.
	token := ""
	if secret != nil && secret.Auth != nil {
		token = secret.Auth.ClientToken
	}
	if token == "" {
		return nil, fmt.Errorf("login response from auth method did not return client token")
	}

	// Only a validated, non-empty token is ever installed on the client.
	a.c.SetToken(token)
	return secret, nil
}