Native Login method for Go client (#12796)

* Native Login method, userpass and approle interfaces to implement it * Add AWS auth interface for Login, unexported struct fields for now * Add Kubernetes client login * Add changelog * Add a test for approle client login * Return errors from LoginOptions, use limited reader for secret ID * Fix auth comment length * Return actual type not interface, check for client token in tests * Require specification of secret ID location using SecretID struct as AppRole arg * Allow password from env, file, or plaintext * Add flexibility in how to fetch k8s service token, but still with default * Avoid passing strings that need to be validated by just having different login options * Try a couple real tests with approle and userpass login * Fix method name in comment * Add context to Login methods, remove comments about certain sources being inherently insecure * Perform read of secret ID at login time * Read password from file at login time * Pass context in integ tests * Read env var values in at login time, add extra tests * Update api version * Revert "Update api version" This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679. * Update api version in all go.mod files
2025-10-30 02:02:43 +00:00 · 2021-10-26 16:48:48 -07:00
parent 8f1a4cc01d
commit 3ed7bca8e4
19 changed files with 2650 additions and 15 deletions
--- a/api/auth.go
+++ b/api/auth.go
@@ -1,11 +1,46 @@
 package api

+import (
+	"context"
+	"fmt"
+)
+
 // Auth is used to perform credential backend related operations.
 type Auth struct {
 	c *Client
 }

+type AuthMethod interface {
+	Login(ctx context.Context, client *Client) (*Secret, error)
+}
+
 // Auth is used to return the client for credential-backend API calls.
 func (c *Client) Auth() *Auth {
 	return &Auth{c: c}
 }
+
+// Login sets up the required request body for login requests to the given auth
+// method's /login API endpoint, and then performs a write to it. After a
+// successful login, this method will automatically set the client's token to
+// the login response's ClientToken as well.
+//
+// The Secret returned is the authentication secret, which if desired can be
+// passed as input to the NewLifetimeWatcher method in order to start
+// automatically renewing the token.
+func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error) {
+	if authMethod == nil {
+		return nil, fmt.Errorf("no auth method provided for login")
+	}
+
+	authSecret, err := authMethod.Login(ctx, a.c)
+	if err != nil {
+		return nil, fmt.Errorf("unable to log in to auth method: %w", err)
+	}
+	if authSecret == nil || authSecret.Auth == nil || authSecret.Auth.ClientToken == "" {
+		return nil, fmt.Errorf("login response from auth method did not return client token")
+	}
+
+	a.c.SetToken(authSecret.Auth.ClientToken)
+
+	return authSecret, nil
+}