
Commit fc65a9a

committed
Refactored login backend function #146
1 parent 197a3eb commit fc65a9a


1 file changed

+40
-100
lines changed


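--- a/vault/login.go
+++ b/vault/login.go
@@ -2,6 +2,8 @@ package vault
 
 import (
 "errors"
+"strings"
+
 "github.com/hashicorp/vault/api"
 )
 
@@ -20,121 +22,50 @@ func (auth *AuthInfo) Login() (map[string]interface{}, error) {
 if err != nil {
 return nil, err
 }
+client.SetToken("")
 
-switch auth.Type {
-case "token":
-client.SetToken(auth.ID)
-resp, err := client.Auth().Token().LookupSelf()
-if err != nil {
-return nil, err
-}
-return resp.Data, nil
-
-case "userpass":
-client.SetToken("")
-// fetch client access token by performing a login
-resp, err := client.Logical().Write("auth/userpass/login/"+auth.ID,
-map[string]interface{}{
-"password": auth.Pass,
-})
-if err != nil {
-return nil, err
-}
-if resp.Auth == nil || resp.Auth.ClientToken == "" {
-return nil, errors.New("Unable to parse vault response")
-}
-
-client.SetToken(resp.Auth.ClientToken)
-lookupResp, err := client.Auth().Token().LookupSelf()
-if err != nil {
-return nil, err
-}
-
-// let future requests re-use the client token
-auth.Type = "token"
-auth.ID = resp.Auth.ClientToken
-auth.Pass = ""
-return lookupResp.Data, nil
-
-case "github":
-client.SetToken("")
-// fetch client access token by performing a login
-resp, err := client.Logical().Write("auth/github/login",
-map[string]interface{}{
-"token": auth.ID,
-})
-if err != nil {
-return nil, err
-}
-if resp.Auth == nil || resp.Auth.ClientToken == "" {
-return nil, errors.New("Unable to parse vault response")
-}
-
-client.SetToken(resp.Auth.ClientToken)
-lookupResp, err := client.Auth().Token().LookupSelf()
-if err != nil {
-return nil, err
-}
+// supported means there's a mapping to how the login should be performed
+t := strings.ToLower(auth.Type)
+key, exists := LoginMap[t]
+if !exists {
+return nil, errors.New("Unsupported authentication type: " + t)
+}
 
-// let future requests re-use the client token
-auth.Type = "token"
-auth.ID = resp.Auth.ClientToken
-return lookupResp.Data, nil
+// token logins don't require any writes to vault
+if t == "token" {
+client.SetToken(auth.ID)
+}
 
-case "ldap":
-client.SetToken("")
-resp, err := client.Logical().Write("auth/ldap/login/"+auth.ID,
+// if logging in for the first time with these auth backends
+if t == "userpass" || t == "ldap" || t == "github" || t == "okta" {
+// fetch a client token by logging. Auth backend is hardcoded for now
+resp, err := client.Logical().Write("auth/" + t + "/login/" + auth.ID,
 map[string]interface{}{
-"password": auth.Pass,
+key: auth.Pass,
 })
 if err != nil {
 return nil, err
 }
+// sanity check to make sure client token exists
 if resp.Auth == nil || resp.Auth.ClientToken == "" {
 return nil, errors.New("Unable to parse vault response")
 }
-
+// set the returned client token as the client's auth
 client.SetToken(resp.Auth.ClientToken)
-lookupResp, err := client.Auth().Token().LookupSelf()
-if err != nil {
-return nil, err
-}
-
-// let future requests re-use the client token
-auth.Type = "token"
-auth.ID = resp.Auth.ClientToken
-auth.Pass = ""
-return lookupResp.Data, nil
-
-case "okta":
-client.SetToken("")
-// fetch client access token by performing a login
-resp, err := client.Logical().Write("auth/okta/login/"+auth.ID,
-map[string]interface{}{
-"password": auth.Pass,
-})
-if err != nil {
-return nil, err
-}
-if resp.Auth == nil || resp.Auth.ClientToken == "" {
-return nil, errors.New("Unable to parse vault response")
-}
+}
 
-client.SetToken(resp.Auth.ClientToken)
-lookupResp, err := client.Auth().Token().LookupSelf()
-if err != nil {
-return nil, err
-}
+// user must be able to lookup-self. This is in the default policy
+lookupResp, err := client.Auth().Token().LookupSelf()
+if err != nil {
+return nil, err
+}
 
-// let future requests re-use the client token
-auth.Type = "token"
-auth.ID = resp.Auth.ClientToken
-auth.Pass = ""
-return lookupResp.Data, nil
+// set auth type to token, so future requests don't need a login again
+auth.Type = "token"
+auth.ID = client.Token()
+auth.Pass = ""
 
-default:
-return nil, errors.New("Unsupported authentication type")
-}
+return lookupResp.Data, nil
 }
 
 func (auth AuthInfo) RenewSelf() (*api.Secret, error) {
@@ -152,3 +83,12 @@ func (auth AuthInfo) LookupSelf() (*api.Secret, error) {
 }
 return client.Auth().Token().LookupSelf()
 }
+
+// Logging in with different methods requires different secondary keys
+var LoginMap = map[string]string{
+"token": "",
+"userpass": "password",
+"github": "token",
+"ldap": "password",
+"okta": "password",
+}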
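Review bot: The generalized `Write("auth/" + t + "/login/" + auth.ID, …)` at new line 42 regresses the github backend: the removed case posted to `auth/github/login` with no trailing segment and sent the GitHub token as the body's `token` field from auth.ID, whereas the new path appends auth.ID for every backend and the body now reads auth.Pass, so unless every caller was also changed to pass the GitHub token in Pass with an empty ID, the token is written into the request path (which Vault audit logs and intermediate proxies typically record in plaintext, unlike body fields) and the request is likely rejected as an unknown path. auth.ID is also concatenated into the path unescaped for all backends, so a username containing `/` or `..` rewrites the path of this unauthenticated request; `url.PathEscape` from net/url (a new import) keeps it a single segment. Building the path per backend as below keeps the table-driven shape, and is the natural place to note next to each LoginMap entry whether that backend takes a username segment at all.
```go
// github's login endpoint takes no username segment; the other backends
// here take one, and it must stay a single escaped path segment
loginPath := "auth/" + t + "/login"
if t != "github" {
    loginPath += "/" + url.PathEscape(auth.ID)
}
resp, err := client.Logical().Write(loginPath,
    map[string]interface{}{
        key: auth.Pass,
    })
// … unchanged: error handling, ClientToken sanity check, client.SetToken …
```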
