rebase: update github.com/libopenstorage/secrets to latest

With this update, we no longer import github.com/hashicorp/vault which now is under BSL license. https://github.com/hashicorp/vault/blob/main/LICENSE resolves: #4196 Signed-off-by: Rakshith R <rar@redhat.com>
2025-06-14 18:53:35 +00:00 · 2023-10-17 10:29:04 +05:30
parent 5ff0607360
commit e46a007961
131 changed files with 3931 additions and 16000 deletions
--- a/vendor/github.com/libopenstorage/secrets/vault/utils/utils.go
+++ b/vendor/github.com/libopenstorage/secrets/vault/utils/utils.go
@ -3,24 +3,23 @@ package utils
 import (
 	"context"
 	"errors"
-	"fmt"
 	"net/http"
 	"os"
-	"path"
 	"strconv"
 	"strings"

-	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/command/agent/auth"
-	"github.com/hashicorp/vault/command/agent/auth/kubernetes"
+	"github.com/hashicorp/vault/api/auth/approle"
+	"github.com/hashicorp/vault/api/auth/kubernetes"
 )

 const (
-	vaultAddressPrefix  = "http"
+	vaultAddressPrefix = "http"

 	// AuthMethodKubernetes is a named auth method.
 	AuthMethodKubernetes = "kubernetes"
+	// AuthMethodApprole
+	AuthMethodAppRole = "approle"
 	// AuthMethod is a vault authentication method used.
 	// https://www.vaultproject.io/docs/auth#auth-methods
 	AuthMethod = "VAULT_AUTH_METHOD"
@ -33,6 +32,10 @@ const (
 	AuthKubernetesTokenPath = "VAULT_AUTH_KUBERNETES_TOKEN_PATH"
 	// AuthKubernetesMountPath
 	AuthKubernetesMountPath = "kubernetes"
+	// AuthAppRoleRoleID
+	AuthAppRoleRoleID = "VAULT_APPROLE_ROLE_ID"
+	// AuthAppRoleSecretID
+	AuthAppRoleSecretID = "VAULT_APPROLE_SECRET_ID"
 )

 var (
@ -40,6 +43,7 @@ var (
 	ErrVaultAddressNotSet    = errors.New("VAULT_ADDR not set")
 	ErrInvalidVaultToken     = errors.New("VAULT_TOKEN is invalid")
 	ErrInvalidSkipVerify     = errors.New("VAULT_SKIP_VERIFY is invalid")
+	ErrAppRoleIDNotSet       = errors.New("VAULT_APPROLE_ROLE_ID or VAULT_APPROLE_SECRET_ID not set")
 	ErrInvalidVaultAddress   = errors.New("VAULT_ADDRESS is invalid. " +
 		"Should be of the form http(s)://<ip>:<port>")

@ -117,23 +121,29 @@ func Authenticate(client *api.Client, config map[string]interface{}) (token stri
 		return token, false, nil
 	}

-	// or try to use the kubernetes auth method
+	// or use other authentication method: kubernetes, approle
 	if GetVaultParam(config, AuthMethod) != "" {
 		token, err = GetAuthToken(client, config)
 		return token, true, err
 	}

 	return "", false, ErrVaultAuthParamsNotSet
-} 
+}

 // GetAuthToken tries to get the vault token for the provided authentication method.
 func GetAuthToken(client *api.Client, config map[string]interface{}) (string, error) {
-	path, _, data, err := authenticate(client, config)
-	if err != nil {
-		return "", err
+	method := GetVaultParam(config, AuthMethod)
+	var secret *api.Secret
+	var err error
+	switch method {
+	case AuthMethodKubernetes:
+		secret, err = authKubernetes(client, config)
+	case AuthMethodAppRole:
+		secret, err = authAppRole(client, config)
+	default:
+		return "", ErrAuthMethodUnknown
 	}

-	secret, err := client.Logical().Write(path, data)
 	if err != nil {
 		return "", err
 	}
@ -144,49 +154,52 @@ func GetAuthToken(client *api.Client, config map[string]interface{}) (string, er
 		return "", errors.New("authentication returned empty client token")
 	}

-	return secret.Auth.ClientToken, err
+	return secret.Auth.ClientToken, nil
 }

-func authenticate(client *api.Client, config map[string]interface{}) (string, http.Header, map[string]interface{}, error) {
-	method := GetVaultParam(config, AuthMethod)
-	switch method {
-	case AuthMethodKubernetes:
-		return authKubernetes(client, config)
-	}
-	return "", nil, nil, fmt.Errorf("%s method: %s", method, ErrAuthMethodUnknown)
-}
-
-func authKubernetes(client *api.Client, config map[string]interface{}) (string, http.Header, map[string]interface{}, error) {
-	authConfig, err := buildAuthConfig(config)
-	if err != nil {
-		return "", nil, nil, err
-	}
-	method, err := kubernetes.NewKubernetesAuthMethod(authConfig)
-	if err != nil {
-		return "", nil, nil, err
-	}
-
-	return method.Authenticate(context.TODO(), client)
-}
-
-func buildAuthConfig(config map[string]interface{}) (*auth.AuthConfig, error) {
+func authKubernetes(client *api.Client, config map[string]interface{}) (*api.Secret, error) {
 	role := GetVaultParam(config, AuthKubernetesRole)
 	if role == "" {
 		return nil, ErrKubernetesRole
 	}
+
+	loginOpts := []kubernetes.LoginOption{}
+
 	mountPath := GetVaultParam(config, AuthMountPath)
 	if mountPath == "" {
 		mountPath = AuthKubernetesMountPath
 	}
-	tokenPath := GetVaultParam(config, AuthKubernetesTokenPath)
+	loginOpts = append(loginOpts, kubernetes.WithMountPath(mountPath))

-	authMountPath := path.Join("auth", mountPath)
-	return &auth.AuthConfig{
-		Logger:    hclog.NewNullLogger(),
-		MountPath: authMountPath,
-		Config: map[string]interface{}{
-			"role":       role,
-			"token_path": tokenPath,
-		},
-	}, nil
+	tokenPath := GetVaultParam(config, AuthKubernetesTokenPath)
+	if tokenPath != "" {
+		loginOpts = append(loginOpts, kubernetes.WithServiceAccountTokenPath(tokenPath))
+	}
+
+	kAuth, err := kubernetes.NewKubernetesAuth(role, loginOpts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return kAuth.Login(context.TODO(), client)
+}
+
+func authAppRole(client *api.Client, config map[string]interface{}) (*api.Secret, error) {
+	roleID := GetVaultParam(config, AuthAppRoleRoleID)
+	secretIDRaw := GetVaultParam(config, AuthAppRoleSecretID)
+
+	if roleID == "" || secretIDRaw == "" {
+		return nil, ErrAppRoleIDNotSet
+	}
+	secretID := &approle.SecretID{FromString: secretIDRaw}
+
+	appRoleAuth, err := approle.NewAppRoleAuth(
+		roleID,
+		secretID,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return client.Auth().Login(context.TODO(), appRoleAuth)
 }