initial commit: certmanager
migrate from python to golang
This commit is contained in:
@@ -0,0 +1,186 @@
|
||||
package vault
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
"git.unkin.net/unkin/certmanager/internal/config"
|
||||
)
|
||||
|
||||
const defaultKubernetesTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
||||
|
||||
// Client is an authenticated Vault HTTP client.
|
||||
type Client struct {
|
||||
addr string
|
||||
token string
|
||||
http *http.Client
|
||||
}
|
||||
|
||||
// New authenticates to Vault using the method specified in cfg and returns a
|
||||
// ready Client.
|
||||
func New(cfg config.VaultConfig) (*Client, error) {
|
||||
// TLS verification is intentionally skipped to match the existing Python
|
||||
// scripts; the TODO comment in those scripts notes this should be removed
|
||||
// once certs are generated everywhere.
|
||||
transport := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec
|
||||
}
|
||||
httpClient := &http.Client{Transport: transport}
|
||||
|
||||
c := &Client{addr: cfg.Addr, http: httpClient}
|
||||
|
||||
var err error
|
||||
switch cfg.AuthMethod {
|
||||
case config.AuthMethodAppRole, "":
|
||||
err = c.loginAppRole(cfg)
|
||||
case config.AuthMethodLDAP:
|
||||
err = c.loginLDAP(cfg)
|
||||
case config.AuthMethodKubernetes:
|
||||
err = c.loginKubernetes(cfg)
|
||||
case config.AuthMethodToken:
|
||||
err = c.loginToken(cfg)
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown auth_method %q (valid: approle, ldap, kubernetes, token)", cfg.AuthMethod)
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return c, nil
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// auth method implementations
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func (c *Client) loginAppRole(cfg config.VaultConfig) error {
|
||||
path := cfg.ApprolePath
|
||||
if path == "" {
|
||||
path = "approle"
|
||||
}
|
||||
payload := map[string]string{"role_id": cfg.RoleID}
|
||||
if cfg.SecretID != "" {
|
||||
payload["secret_id"] = cfg.SecretID
|
||||
}
|
||||
token, err := c.fetchToken(fmt.Sprintf("auth/%s/login", path), payload)
|
||||
if err != nil {
|
||||
return fmt.Errorf("approle login: %w", err)
|
||||
}
|
||||
c.token = token
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Client) loginLDAP(cfg config.VaultConfig) error {
|
||||
path := cfg.LDAPPath
|
||||
if path == "" {
|
||||
path = "ldap"
|
||||
}
|
||||
payload := map[string]string{"password": cfg.LDAPPassword}
|
||||
token, err := c.fetchToken(fmt.Sprintf("auth/%s/login/%s", path, cfg.LDAPUsername), payload)
|
||||
if err != nil {
|
||||
return fmt.Errorf("ldap login: %w", err)
|
||||
}
|
||||
c.token = token
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Client) loginKubernetes(cfg config.VaultConfig) error {
|
||||
path := cfg.KubernetesPath
|
||||
if path == "" {
|
||||
path = "kubernetes"
|
||||
}
|
||||
tokenFile := cfg.KubernetesTokenFile
|
||||
if tokenFile == "" {
|
||||
tokenFile = defaultKubernetesTokenFile
|
||||
}
|
||||
jwt, err := os.ReadFile(tokenFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("kubernetes login: read service account token %q: %w", tokenFile, err)
|
||||
}
|
||||
payload := map[string]string{
|
||||
"role": cfg.KubernetesRole,
|
||||
"jwt": string(jwt),
|
||||
}
|
||||
token, err := c.fetchToken(fmt.Sprintf("auth/%s/login", path), payload)
|
||||
if err != nil {
|
||||
return fmt.Errorf("kubernetes login: %w", err)
|
||||
}
|
||||
c.token = token
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Client) loginToken(cfg config.VaultConfig) error {
|
||||
if cfg.Token == "" {
|
||||
return fmt.Errorf("token auth: vault.token must not be empty")
|
||||
}
|
||||
c.token = cfg.Token
|
||||
return nil
|
||||
}
|
||||
|
||||
// fetchToken posts to a Vault auth endpoint and extracts the client token.
|
||||
func (c *Client) fetchToken(authPath string, payload any) (string, error) {
|
||||
body, err := json.Marshal(payload)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
url := fmt.Sprintf("%s/v1/%s", c.addr, authPath)
|
||||
resp, err := c.http.Post(url, "application/json", bytes.NewReader(body))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
var result struct {
|
||||
Auth struct {
|
||||
ClientToken string `json:"client_token"`
|
||||
} `json:"auth"`
|
||||
}
|
||||
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
|
||||
return "", fmt.Errorf("decode response: %w", err)
|
||||
}
|
||||
if result.Auth.ClientToken == "" {
|
||||
return "", fmt.Errorf("empty client token in response")
|
||||
}
|
||||
return result.Auth.ClientToken, nil
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// request helpers
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// Post sends an authenticated POST to a Vault path and decodes the response.
|
||||
func (c *Client) Post(path string, payload, out any) error {
|
||||
body, err := json.Marshal(payload)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
url := fmt.Sprintf("%s/v1/%s", c.addr, path)
|
||||
req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req.Header.Set("X-Vault-Token", c.token)
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
|
||||
resp, err := c.http.Do(req)
|
||||
if err != nil {
|
||||
return fmt.Errorf("vault POST %s: %w", path, err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return fmt.Errorf("vault POST %s: unexpected status %d", path, resp.StatusCode)
|
||||
}
|
||||
|
||||
return json.NewDecoder(resp.Body).Decode(out)
|
||||
}
|
||||
@@ -0,0 +1,283 @@
|
||||
package vault_test
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.unkin.net/unkin/certmanager/internal/config"
|
||||
"git.unkin.net/unkin/certmanager/internal/vault"
|
||||
)
|
||||
|
||||
// tokenHandler returns a handler that serves a fixed Vault token on POST.
|
||||
func tokenHandler(token string) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
json.NewEncoder(w).Encode(map[string]any{
|
||||
"auth": map[string]any{"client_token": token},
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func newTLSServer(t *testing.T, mux *http.ServeMux) *httptest.Server {
|
||||
t.Helper()
|
||||
srv := httptest.NewTLSServer(mux)
|
||||
t.Cleanup(srv.Close)
|
||||
return srv
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// AppRole
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestNew_AppRole(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/auth/approle/login", tokenHandler("tok-approle"))
|
||||
srv := newTLSServer(t, mux)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodAppRole,
|
||||
ApprolePath: "approle",
|
||||
RoleID: "role-id",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("AppRole auth failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestNew_AppRole_WithSecretID(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
|
||||
var body map[string]string
|
||||
json.NewDecoder(r.Body).Decode(&body)
|
||||
if body["secret_id"] != "my-secret" {
|
||||
http.Error(w, "missing secret_id", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
tokenHandler("tok-approle-secret")(w, r)
|
||||
})
|
||||
srv := newTLSServer(t, mux)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodAppRole,
|
||||
ApprolePath: "approle",
|
||||
RoleID: "role-id",
|
||||
SecretID: "my-secret",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("AppRole+SecretID auth failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestNew_AppRole_DefaultPath(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/auth/approle/login", tokenHandler("tok"))
|
||||
srv := newTLSServer(t, mux)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodAppRole,
|
||||
RoleID: "role-id",
|
||||
// ApprolePath intentionally omitted — should default to "approle"
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("AppRole default path failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// LDAP
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestNew_LDAP(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/auth/ldap/login/testuser", func(w http.ResponseWriter, r *http.Request) {
|
||||
var body map[string]string
|
||||
json.NewDecoder(r.Body).Decode(&body)
|
||||
if body["password"] != "secret" {
|
||||
http.Error(w, "bad password", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
tokenHandler("tok-ldap")(w, r)
|
||||
})
|
||||
srv := newTLSServer(t, mux)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodLDAP,
|
||||
LDAPPath: "ldap",
|
||||
LDAPUsername: "testuser",
|
||||
LDAPPassword: "secret",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("LDAP auth failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestNew_LDAP_DefaultPath(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/auth/ldap/login/u", tokenHandler("tok"))
|
||||
srv := newTLSServer(t, mux)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodLDAP,
|
||||
LDAPUsername: "u",
|
||||
LDAPPassword: "p",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("LDAP default path failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Kubernetes
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestNew_Kubernetes(t *testing.T) {
|
||||
tmp := t.TempDir()
|
||||
tokenFile := filepath.Join(tmp, "token")
|
||||
os.WriteFile(tokenFile, []byte("k8s-jwt"), 0o600)
|
||||
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
|
||||
var body map[string]string
|
||||
json.NewDecoder(r.Body).Decode(&body)
|
||||
if body["jwt"] != "k8s-jwt" || body["role"] != "puppet" {
|
||||
http.Error(w, "bad jwt/role", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
tokenHandler("tok-k8s")(w, r)
|
||||
})
|
||||
srv := newTLSServer(t, mux)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodKubernetes,
|
||||
KubernetesPath: "kubernetes",
|
||||
KubernetesRole: "puppet",
|
||||
KubernetesTokenFile: tokenFile,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("Kubernetes auth failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestNew_Kubernetes_MissingTokenFile(t *testing.T) {
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: "https://vault.example.com",
|
||||
AuthMethod: config.AuthMethodKubernetes,
|
||||
KubernetesRole: "puppet",
|
||||
KubernetesTokenFile: "/nonexistent/token",
|
||||
})
|
||||
if err == nil || !strings.Contains(err.Error(), "read service account token") {
|
||||
t.Errorf("expected token file error, got %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Token
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestNew_Token(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/pki_int/issue/role", func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Header.Get("X-Vault-Token") != "static-token" {
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
json.NewEncoder(w).Encode(map[string]any{
|
||||
"data": map[string]any{
|
||||
"certificate": "C", "private_key": "K", "issuing_ca": "CA",
|
||||
},
|
||||
})
|
||||
})
|
||||
srv := newTLSServer(t, mux)
|
||||
|
||||
client, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodToken,
|
||||
Token: "static-token",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("Token auth failed: %v", err)
|
||||
}
|
||||
|
||||
var out map[string]any
|
||||
if err := client.Post("pki_int/issue/role", map[string]string{"common_name": "x"}, &out); err != nil {
|
||||
t.Fatalf("Post with token auth failed: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestNew_Token_Empty(t *testing.T) {
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: "https://vault.example.com",
|
||||
AuthMethod: config.AuthMethodToken,
|
||||
Token: "",
|
||||
})
|
||||
if err == nil {
|
||||
t.Error("expected error for empty token")
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Unknown auth method
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestNew_UnknownMethod(t *testing.T) {
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: "https://vault.example.com",
|
||||
AuthMethod: "magic",
|
||||
})
|
||||
if err == nil || !strings.Contains(err.Error(), "unknown auth_method") {
|
||||
t.Errorf("expected unknown method error, got %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Auth failure
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestNew_AuthFailure(t *testing.T) {
|
||||
srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, "permission denied", http.StatusForbidden)
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodAppRole,
|
||||
ApprolePath: "approle",
|
||||
RoleID: "role-id",
|
||||
})
|
||||
if err == nil {
|
||||
t.Error("expected auth error, got nil")
|
||||
}
|
||||
}
|
||||
|
||||
func TestNew_EmptyToken(t *testing.T) {
|
||||
srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
json.NewEncoder(w).Encode(map[string]any{
|
||||
"auth": map[string]any{"client_token": ""},
|
||||
})
|
||||
}))
|
||||
t.Cleanup(srv.Close)
|
||||
|
||||
_, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodAppRole,
|
||||
ApprolePath: "approle",
|
||||
RoleID: "role-id",
|
||||
})
|
||||
if err == nil || !strings.Contains(err.Error(), "empty client token") {
|
||||
t.Errorf("expected empty token error, got %v", err)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user