format cleanup

John Adams 2018-05-14 11:46:15 -07:00
parent 33dd3593c9
commit 5197566d20
1 changed files with 94 additions and 94 deletions


@ -16,11 +16,11 @@ package vault
* export VAULT_CACERT= ... pem file containing ca cert ... * export VAULT_CACERT= ... pem file containing ca cert ...
* and/or * and/or
* export VAULT_SSL_VERIFY=no * export VAULT_SSL_VERIFY=no
*/ */
import ( import (
"os"
"fmt" "fmt"
"os"
"time" "time"
"github.com/xordataexchange/crypt/backend" "github.com/xordataexchange/crypt/backend"
@ -29,65 +29,65 @@ import (
) )
type Client struct { type Client struct {
client *vaultapi.Client client *vaultapi.Client
secret string // used only with role authentication, nil if using env-VAULT_TOKEN secret string // used only with role authentication, nil if using env-VAULT_TOKEN
secret_ttl time.Duration // if non-zero, it expires at this time secret_ttl time.Duration // if non-zero, it expires at this time
secret_acq_at float64 // when we got the secret secret_acq_at float64 // when we got the secret
secret_expires bool secret_expires bool
} }
func (c *Client) acquireToken(role string, secret string) (string, error) { func (c *Client) acquireToken(role string, secret string) (string, error) {
secretData := map[string]interface{}{ secretData := map[string]interface{}{
"role_id" : role, "role_id": role,
"secret_id" : secret, "secret_id": secret,
} }
data, err := c.client.Logical().Write("auth/approle/login", secretData) data, err := c.client.Logical().Write("auth/approle/login", secretData)
if data == nil { if data == nil {
return "", err return "", err
} }
/* data is now of type *api.Secret and we can use it to set the client up */ /* data is now of type *api.Secret and we can use it to set the client up */
token,err := data.TokenID() token, err := data.TokenID()
if err == nil { if err == nil {
c.client.SetToken(token) c.client.SetToken(token)
} }
/* handle expiry */ /* handle expiry */
ttl, err := data.TokenTTL() ttl, err := data.TokenTTL()
if err == nil { if err == nil {
c.secret_ttl = ttl c.secret_ttl = ttl
if ttl != 0 { if ttl != 0 {
c.secret_expires = true c.secret_expires = true
} }
} }
c.secret_acq_at = float64(time.Now().Unix()) c.secret_acq_at = float64(time.Now().Unix())
fmt.Println("Got token %s with expiry %d and acquired at %v", token, c.secret_ttl, c.secret_acq_at) fmt.Println("Got token %s with expiry %d and acquired at %v", token, c.secret_ttl, c.secret_acq_at)
return token, err return token, err
} }
// this can be called before operations to ensure token is currentfg // this can be called before operations to ensure token is currentfg
func (c *Client) renewToken() (string, error) { func (c *Client) renewToken() (string, error) {
if c.secret_expires { if c.secret_expires {
if ((c.secret_ttl.Seconds() + c.secret_acq_at > float64(time.Now().Unix())) && c.secret_ttl != 0) { if (c.secret_ttl.Seconds()+c.secret_acq_at > float64(time.Now().Unix())) && c.secret_ttl != 0 {
return c.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) return c.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID"))
} else { } else {
return "", nil return "", nil
} }
} else { } else {
return "", nil return "", nil
} }
} }
func New(machines []string) (*Client, error) { func New(machines []string) (*Client, error) {
/* default config reads from the environment and sets defaults */ /* default config reads from the environment and sets defaults */
/* a call to vaultapi.ReadEnvironment is not necessary here. */ /* a call to vaultapi.ReadEnvironment is not necessary here. */
/* /*
* vault environment variables are required to proceed. * vault environment variables are required to proceed.
* either VAULT_TOKEN or VAULT_ROLE_ID and VAULT_SECRET_ID must be set * either VAULT_TOKEN or VAULT_ROLE_ID and VAULT_SECRET_ID must be set
* see: https://github.com/hashicorp/vault/blob/master/api/client.go * see: https://github.com/hashicorp/vault/blob/master/api/client.go
*/ */
conf := vaultapi.DefaultConfig() conf := vaultapi.DefaultConfig()
@ -95,82 +95,82 @@ func New(machines []string) (*Client, error) {
conf.Address = machines[0] conf.Address = machines[0]
} }
// from the vault docs - // from the vault docs -
// https://godoc.org/github.com/hashicorp/vault/api#Secret // https://godoc.org/github.com/hashicorp/vault/api#Secret
// If the environment variable `VAULT_TOKEN` is present, the token // If the environment variable `VAULT_TOKEN` is present, the token
// will be automatically added to the client. Otherwise, you must // will be automatically added to the client. Otherwise, you must
// manually call `SetToken()`. // manually call `SetToken()`.
var returnval *Client var returnval *Client
client, err := vaultapi.NewClient(conf) client, err := vaultapi.NewClient(conf)
if err != nil { if err != nil {
return nil, err return nil, err
} }
/* what token are we using? */ /* what token are we using? */
if v := os.Getenv(vaultapi.EnvVaultToken); v == "" { if v := os.Getenv(vaultapi.EnvVaultToken); v == "" {
/* not using VAULT_TOKEN! */ /* not using VAULT_TOKEN! */
if v := os.Getenv("VAULT_ROLE_ID"); v == "" { if v := os.Getenv("VAULT_ROLE_ID"); v == "" {
fmt.Fprintf(os.Stderr, "neither VAULT_TOKEN or a VAULT_ROLE_ID/VAULT_SECRET_ID are set. Can't auth to vault.\n") fmt.Fprintf(os.Stderr, "neither VAULT_TOKEN or a VAULT_ROLE_ID/VAULT_SECRET_ID are set. Can't auth to vault.\n")
return nil, fmt.Errorf("Can't Auth to Vault") return nil, fmt.Errorf("Can't Auth to Vault")
} }
if v := os.Getenv("VAULT_SECRET_ID"); v == "" { if v := os.Getenv("VAULT_SECRET_ID"); v == "" {
fmt.Fprintf(os.Stderr, "VAULT_ROLE_ID set but VAULT_SECRET_ID is empty. Can't auth to vault.\n") fmt.Fprintf(os.Stderr, "VAULT_ROLE_ID set but VAULT_SECRET_ID is empty. Can't auth to vault.\n")
return nil, fmt.Errorf("Can't Auth to Vault") return nil, fmt.Errorf("Can't Auth to Vault")
} }
returnval = &Client{client, "", 0, float64(time.Now().Unix()), false} returnval = &Client{client, "", 0, float64(time.Now().Unix()), false}
/* using the approle secrets, try to acquire a token */ /* using the approle secrets, try to acquire a token */
_, err := returnval.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) _, err := returnval.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID"))
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "Vault ROLE/SECRET authentication failed - %v\n", err) fmt.Fprintf(os.Stderr, "Vault ROLE/SECRET authentication failed - %v\n", err)
return nil, fmt.Errorf("Can't Auth to Vault") return nil, fmt.Errorf("Can't Auth to Vault")
} }
} else { } else {
/* we'll just go ahead with VAULT_TOKEN for auth */ /* we'll just go ahead with VAULT_TOKEN for auth */
returnval = &Client{client, os.Getenv(vaultapi.EnvVaultToken), 0, float64(time.Now().Unix()), false} returnval = &Client{client, os.Getenv(vaultapi.EnvVaultToken), 0, float64(time.Now().Unix()), false}
} }
return returnval, nil return returnval, nil
} }
func (c *Client) Get(key string) ([]byte, error) { func (c *Client) Get(key string) ([]byte, error) {
/* note that the vault client only connects when Get is issued if /* note that the vault client only connects when Get is issued if
* you are using VAULT_TOKEN authentication (set in the environment) * you are using VAULT_TOKEN authentication (set in the environment)
* *
* If using role authentication, we'll try to acquire a token at init. * If using role authentication, we'll try to acquire a token at init.
* *
* This interface returns only one value from a secret. It expects that the * This interface returns only one value from a secret. It expects that the
* referenced secret will have the data in the "value" key. * referenced secret will have the data in the "value" key.
*/ */
data, err := c.client.Logical().Read(key) data, err := c.client.Logical().Read(key)
if err != nil { if err != nil {
fmt.Println("Error during Vault Get -", err) fmt.Println("Error during Vault Get -", err)
return []byte{}, err return []byte{}, err
} }
if data.Data == nil { if data.Data == nil {
return []byte{}, fmt.Errorf("Key ( %s ) was not found.", key) return []byte{}, fmt.Errorf("Key ( %s ) was not found.", key)
} }
v := data.Data["value"].(string) v := data.Data["value"].(string)
return []byte(v) , nil return []byte(v), nil
} }
func (c *Client) List(key string) (backend.KVPairs, error) { func (c *Client) List(key string) (backend.KVPairs, error) {
// TODO: NOT IMPLEMENTED // TODO: NOT IMPLEMENTED
//pairs, err := c.client.Logical().List(key) //pairs, err := c.client.Logical().List(key)
return nil, nil return nil, nil
} }
func (c *Client) Set(key string, value []byte) error { func (c *Client) Set(key string, value []byte) error {
secretData := map[string]interface{}{ secretData := map[string]interface{}{
"value": value, "value": value,
} }
_, err := c.client.Logical().Write(key, secretData) _, err := c.client.Logical().Write(key, secretData)
return err return err
} }
func (c *Client) Watch(key string, stop chan bool) <-chan *backend.Response { func (c *Client) Watch(key string, stop chan bool) <-chan *backend.Response {