package vault /* Vault implements Hashicorp-vault based storage for configurations * which is substaintally more secure than storing configs in * consul or flat files. * * If using approle authentication. set your environment variables * as follows to use this backend * * export VAULT_SECRET_ID= ... secret ... * export VAULT_ROLE_ID= ... role id ... * -- or -- * export VAULT_TOKEN = .... * * If you are using SSL with vault, you can set * export VAULT_CACERT= ... pem file containing ca cert ... * and/or * export VAULT_SSL_VERIFY=no */ import ( "os" "fmt" "time" "github.com/xordataexchange/crypt/backend" vaultapi "github.com/hashicorp/vault/api" ) type Client struct { client *vaultapi.Client secret string // used only with role authentication, nil if using env-VAULT_TOKEN secret_ttl time.Duration // if non-zero, it expires at this time secret_acq_at float64 // when we got the secret secret_expires bool } func (c *Client) acquireToken(role string, secret string) (string, error) { secretData := map[string]interface{}{ "role_id" : role, "secret_id" : secret, } data, err := c.client.Logical().Write("auth/approle/login", secretData) if data == nil { return "", err } /* data is now of type *api.Secret and we can use it to set the client up */ token,err := data.TokenID() if err == nil { c.client.SetToken(token) } /* handle expiry */ ttl, err := data.TokenTTL() if err == nil { c.secret_ttl = ttl if ttl != 0 { c.secret_expires = true } } c.secret_acq_at = float64(time.Now().Unix()) fmt.Println("Got token %s with expiry %d and acquired at %v", token, c.secret_ttl, c.secret_acq_at) return token, err } // this can be called before operations to ensure token is currentfg func (c *Client) renewToken() (string, error) { if c.secret_expires { if ((c.secret_ttl.Seconds() + c.secret_acq_at > float64(time.Now().Unix())) && c.secret_ttl != 0) { return c.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) } else { return "", nil } } else { return "", nil } } func New(machines []string) (*Client, error) { /* default config reads from the environment and sets defaults */ /* a call to vaultapi.ReadEnvironment is not necessary here. */ /* * vault environment variables are required to proceed. * either VAULT_TOKEN or VAULT_ROLE_ID and VAULT_SECRET_ID must be set * see: https://github.com/hashicorp/vault/blob/master/api/client.go */ conf := vaultapi.DefaultConfig() if len(machines) > 0 { conf.Address = machines[0] } // from the vault docs - // https://godoc.org/github.com/hashicorp/vault/api#Secret // If the environment variable `VAULT_TOKEN` is present, the token // will be automatically added to the client. Otherwise, you must // manually call `SetToken()`. var returnval *Client client, err := vaultapi.NewClient(conf) if err != nil { return nil, err } /* what token are we using? */ if v := os.Getenv(vaultapi.EnvVaultToken); v == "" { /* not using VAULT_TOKEN! */ if v := os.Getenv("VAULT_ROLE_ID"); v == "" { fmt.Fprintf(os.Stderr, "neither VAULT_TOKEN or a VAULT_ROLE_ID/VAULT_SECRET_ID are set. Can't auth to vault.\n") return nil, fmt.Errorf("Can't Auth to Vault") } if v := os.Getenv("VAULT_SECRET_ID"); v == "" { fmt.Fprintf(os.Stderr, "VAULT_ROLE_ID set but VAULT_SECRET_ID is empty. Can't auth to vault.\n") return nil, fmt.Errorf("Can't Auth to Vault") } returnval = &Client{client, "", 0, float64(time.Now().Unix()), false} /* using the approle secrets, try to acquire a token */ _, err := returnval.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) if err != nil { fmt.Fprintf(os.Stderr, "Vault ROLE/SECRET authentication failed - %v\n", err) return nil, fmt.Errorf("Can't Auth to Vault") } } else { /* we'll just go ahead with VAULT_TOKEN for auth */ returnval = &Client{client, os.Getenv(vaultapi.EnvVaultToken), 0, float64(time.Now().Unix()), false} } return returnval, nil } func (c *Client) Get(key string) ([]byte, error) { /* note that the vault client only connects when Get is issued if * you are using VAULT_TOKEN authentication (set in the environment) * * If using role authentication, we'll try to acquire a token at init. * * This interface returns only one value from a secret. It expects that the * referenced secret will have the data in the "value" key. */ data, err := c.client.Logical().Read(key) if err != nil { fmt.Println("Error during Vault Get -", err) return []byte{}, err } if data.Data == nil { return []byte{}, fmt.Errorf("Key ( %s ) was not found.", key) } v := data.Data["value"].(string) return []byte(v) , nil } func (c *Client) List(key string) (backend.KVPairs, error) { // TODO: NOT IMPLEMENTED //pairs, err := c.client.Logical().List(key) return nil, nil } func (c *Client) Set(key string, value []byte) error { secretData := map[string]interface{}{ "value": value, } _, err := c.client.Logical().Write(key, secretData) return err } func (c *Client) Watch(key string, stop chan bool) <-chan *backend.Response { respChan := make(chan *backend.Response, 0) go func() { for { data, err := c.client.Logical().Read(key) if data == nil && err == nil { err = fmt.Errorf("Key ( %s ) was not found.", key) } if err != nil { respChan <- &backend.Response{nil, err} time.Sleep(time.Second * 5) continue } respChan <- &backend.Response{data.Data["value"].([]byte), nil} } }() return respChan }