chore: add vault cert handler

0xPolygonID · Jul 24, 2024 · 49ae30f · 49ae30f
1 parent 4229724
commit 49ae30f
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 12 deletions.
diff --git a/.env-issuer.sample b/.env-issuer.sample
@@ -36,7 +36,8 @@ ISSUER_KEY_STORE_PLUGIN_IDEN3_MOUNT_PATH=iden3
 # if one of the plugins is vault, you can specify the authentication method
 ISSUER_VAULT_USERPASS_AUTH_ENABLED=false
 ISSUER_VAULT_USERPASS_AUTH_PASSWORD=issuernodepwd
-
+ISSUER_VAULT_TLS_ENABLED=false
+ISSUER_VAULT_TLS_CERT_PATH=<path to cert>
 # -------------------------------------------------------------------------------
 
 ISSUER_PROVER_SERVER_URL=http://localhost:8002

diff --git a/cmd/platform/main.go b/cmd/platform/main.go
@@ -84,6 +84,8 @@ func main() {
 		Pass:                cfg.KeyStore.VaultUserPassAuthPassword,
 		Address:             cfg.KeyStore.Address,
 		Token:               cfg.KeyStore.Token,
+		TLSEnabled:          cfg.KeyStore.TLSEnabled,
+		CertPath:            cfg.KeyStore.CertPath,
 	}
 
 	keyStore, err := keyStoreConfig(cfg, ctx, vaultCfg)

diff --git a/go.mod b/go.mod
@@ -17,6 +17,7 @@ require (
 	github.com/golangci/golangci-lint v1.56.2
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-retryablehttp v0.7.5
+	github.com/hashicorp/vault-client-go v0.4.3
 	github.com/hashicorp/vault/api v1.10.0
 	github.com/hashicorp/vault/api/auth/userpass v0.5.0
 	github.com/iden3/contracts-abi/onchain-credential-status-resolver/go/abi v0.0.0-20231116131043-966af42c9b58

diff --git a/go.sum b/go.sum
@@ -534,6 +534,8 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/vault-client-go v0.4.3 h1:zG7STGVgn/VK6rnZc0k8PGbfv2x/sJExRKHSUg3ljWc=
+github.com/hashicorp/vault-client-go v0.4.3/go.mod h1:4tDw7Uhq5XOxS1fO+oMtotHL7j4sB9cp0T7U6m4FzDY=
 github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ=
 github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
 github.com/hashicorp/vault/api/auth/userpass v0.5.0 h1:u//BC15YJviWSpeTlxsmt96FPULsCF7dYhPHg5oOAzo=

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -164,6 +164,8 @@ type KeyStore struct {
 	AWSRegion                  string `tip:"AWS Region"`
 	VaultUserPassAuthEnabled   bool   `tip:"VaultUserPassAuthEnabled"`
 	VaultUserPassAuthPassword  string `tip:"VaultUserPassAuthPassword"`
+	TLSEnabled                 bool   `tip:"TLSEnabled"`
+	CertPath                   string `tip:"CertPath"`
 }
 
 // Log holds runtime configurations
@@ -444,6 +446,8 @@ func bindEnv() {
 	_ = viper.BindEnv("KeyStore.PluginIden3MountPath", "ISSUER_KEY_STORE_PLUGIN_IDEN3_MOUNT_PATH")
 	_ = viper.BindEnv("KeyStore.VaultUserPassAuthEnabled", "ISSUER_VAULT_USERPASS_AUTH_ENABLED")
 	_ = viper.BindEnv("KeyStore.VaultUserPassAuthPassword", "ISSUER_VAULT_USERPASS_AUTH_PASSWORD")
+	_ = viper.BindEnv("KeyStore.TLSEnabled", "ISSUER_VAULT_TLS_ENABLED")
+	_ = viper.BindEnv("KeyStore.CertPath", "ISSUER_VAULT_TLS_CERT_PATH")
 
 	_ = viper.BindEnv("Ethereum.URL", "ISSUER_ETHEREUM_URL")
 	_ = viper.BindEnv("Ethereum.ContractAddress", "ISSUER_ETHEREUM_CONTRACT_ADDRESS")

diff --git a/internal/providers/vault.go b/internal/providers/vault.go
@@ -37,6 +37,8 @@ type Config struct {
 	UserPassAuthEnabled bool
 	Token               string
 	Pass                string
+	TLSEnabled          bool
+	CertPath            string
 }
 
 // VaultClient checks vault configuration and creates new vault client
@@ -49,7 +51,7 @@ func VaultClient(ctx context.Context, cfg Config) (*vault.Client, error) {
 			log.Error(ctx, "Vault userpass auth enabled but password not provided")
 			return nil, errors.New("Vault userpass auth enabled but password not provided")
 		}
-		vaultCli, _, err = newVaultClientWithUserPassAuth(ctx, cfg.Address, cfg.Pass)
+		vaultCli, _, err = newVaultClientWithUserPassAuth(ctx, cfg)
 		if err != nil {
 			log.Error(ctx, "cannot init vault client with userpass auth: ", "err", err)
 			return nil, err
@@ -60,7 +62,7 @@ func VaultClient(ctx context.Context, cfg Config) (*vault.Client, error) {
 			log.Error(ctx, "Vault userpass auth not enabled but token not provided")
 			return nil, errors.New("Vault userpass auth not enabled but token not provided")
 		}
-		vaultCli, err = newVaultClientWithToken(cfg.Address, cfg.Token)
+		vaultCli, err = newVaultClientWithToken(cfg)
 		if err != nil {
 			log.Error(ctx, "cannot init vault client: ", "err", err)
 			return nil, err
@@ -71,40 +73,56 @@ func VaultClient(ctx context.Context, cfg Config) (*vault.Client, error) {
 }
 
 // newVaultClientWithToken checks vault configuration and creates new vault client
-func newVaultClientWithToken(address, token string) (*vault.Client, error) {
-	if address == "" {
+func newVaultClientWithToken(cfg Config) (*vault.Client, error) {
+	if cfg.Address == "" {
 		return nil, errors.New("vault address is not specified")
 	}
-	if token == "" {
+	if cfg.Address == "" {
 		return nil, errors.New("vault access token is not specified")
 	}
 
 	config := vault.DefaultConfig()
-	config.Address = address
+	if cfg.TLSEnabled {
+		err := config.ConfigureTLS(&vault.TLSConfig{
+			CACert: cfg.CertPath,
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
+	config.Address = cfg.Address
 	config.HttpClient.Timeout = HTTPClientTimeout
-
 	client, err := vault.NewClient(config)
 	if err != nil {
 		return nil, err
 	}
 
-	client.SetToken(token)
+	client.SetToken(cfg.Token)
 	return client, nil
 }
 
 // newVaultClientWithUserPassAuth checks vault configuration and creates new vault client with userpass auth
-func newVaultClientWithUserPassAuth(ctx context.Context, address string, pass string) (*vault.Client, *vault.Secret, error) {
+func newVaultClientWithUserPassAuth(ctx context.Context, cfg Config) (*vault.Client, *vault.Secret, error) {
 	config := vault.DefaultConfig()
-	config.Address = address
+	config.Address = cfg.Address
 	config.HttpClient.Timeout = HTTPClientTimeout
 
+	if cfg.TLSEnabled {
+		err := config.ConfigureTLS(&vault.TLSConfig{
+			CACert: cfg.CertPath,
+		})
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
 	client, err := vault.NewClient(config)
 	if err != nil {
 		log.Error(ctx, "error creating vault client with userpass auth", "error", err)
 		return nil, nil, err
 	}
 
-	secret, err := login(ctx, client, user, pass)
+	secret, err := login(ctx, client, user, cfg.Pass)
 	if err != nil {
 		log.Error(ctx, "error logging in to vault with userpass auth", "error", err)
 		return nil, nil, err