@@ -37,11 +37,12 @@ type AuthCommand struct {
|
|||||||
|
|
||||||
func (c *AuthCommand) Run(args []string) int {
|
func (c *AuthCommand) Run(args []string) int {
|
||||||
var method, authPath string
|
var method, authPath string
|
||||||
var methods, methodHelp, noVerify bool
|
var methods, methodHelp, noVerify, noStore bool
|
||||||
flags := c.Meta.FlagSet("auth", meta.FlagSetDefault)
|
flags := c.Meta.FlagSet("auth", meta.FlagSetDefault)
|
||||||
flags.BoolVar(&methods, "methods", false, "")
|
flags.BoolVar(&methods, "methods", false, "")
|
||||||
flags.BoolVar(&methodHelp, "method-help", false, "")
|
flags.BoolVar(&methodHelp, "method-help", false, "")
|
||||||
flags.BoolVar(&noVerify, "no-verify", false, "")
|
flags.BoolVar(&noVerify, "no-verify", false, "")
|
||||||
|
flags.BoolVar(&noStore, "no-store", false, "")
|
||||||
flags.StringVar(&method, "method", "", "method")
|
flags.StringVar(&method, "method", "", "method")
|
||||||
flags.StringVar(&authPath, "path", "", "")
|
flags.StringVar(&authPath, "path", "", "")
|
||||||
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
||||||
@@ -178,13 +179,15 @@ func (c *AuthCommand) Run(args []string) int {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Store the token!
|
// Store the token!
|
||||||
if err := tokenHelper.Store(token); err != nil {
|
if !noStore {
|
||||||
c.Ui.Error(fmt.Sprintf(
|
if err := tokenHelper.Store(token); err != nil {
|
||||||
"Error storing token: %s\n\n"+
|
c.Ui.Error(fmt.Sprintf(
|
||||||
"Authentication was not successful and did not persist.\n"+
|
"Error storing token: %s\n\n"+
|
||||||
"Please reauthenticate, or fix the issue above if possible.",
|
"Authentication was not successful and did not persist.\n"+
|
||||||
err))
|
"Please reauthenticate, or fix the issue above if possible.",
|
||||||
return 1
|
err))
|
||||||
|
return 1
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if noVerify {
|
if noVerify {
|
||||||
@@ -192,6 +195,16 @@ func (c *AuthCommand) Run(args []string) int {
|
|||||||
"Authenticated - no token verification has been performed.",
|
"Authenticated - no token verification has been performed.",
|
||||||
))
|
))
|
||||||
|
|
||||||
|
if noStore {
|
||||||
|
if err := tokenHelper.Erase(); err != nil {
|
||||||
|
c.Ui.Error(fmt.Sprintf(
|
||||||
|
"Error removing prior token: %s\n\n"+
|
||||||
|
"Authentication was successful, but unable to remove the\n"+
|
||||||
|
"previous token.",
|
||||||
|
err))
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
}
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -200,15 +213,23 @@ func (c *AuthCommand) Run(args []string) int {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
c.Ui.Error(fmt.Sprintf(
|
c.Ui.Error(fmt.Sprintf(
|
||||||
"Error initializing client to verify the token: %s", err))
|
"Error initializing client to verify the token: %s", err))
|
||||||
if err := tokenHelper.Store(previousToken); err != nil {
|
if !noStore {
|
||||||
c.Ui.Error(fmt.Sprintf(
|
if err := tokenHelper.Store(previousToken); err != nil {
|
||||||
"Error restoring the previous token: %s\n\n"+
|
c.Ui.Error(fmt.Sprintf(
|
||||||
"Please reauthenticate with a valid token.",
|
"Error restoring the previous token: %s\n\n"+
|
||||||
err))
|
"Please reauthenticate with a valid token.",
|
||||||
|
err))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If in no-store mode it won't have read the token from a token-helper (or
|
||||||
|
// will read an old one) so set it explicitly
|
||||||
|
if noStore {
|
||||||
|
client.SetToken(token)
|
||||||
|
}
|
||||||
|
|
||||||
// Verify the token
|
// Verify the token
|
||||||
secret, err := client.Auth().Token().LookupSelf()
|
secret, err := client.Auth().Token().LookupSelf()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -222,7 +243,7 @@ func (c *AuthCommand) Run(args []string) int {
|
|||||||
}
|
}
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
if secret == nil {
|
if secret == nil && !noStore {
|
||||||
c.Ui.Error(fmt.Sprintf("Error: Invalid token"))
|
c.Ui.Error(fmt.Sprintf("Error: Invalid token"))
|
||||||
if err := tokenHelper.Store(previousToken); err != nil {
|
if err := tokenHelper.Store(previousToken); err != nil {
|
||||||
c.Ui.Error(fmt.Sprintf(
|
c.Ui.Error(fmt.Sprintf(
|
||||||
@@ -233,6 +254,17 @@ func (c *AuthCommand) Run(args []string) int {
|
|||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if noStore {
|
||||||
|
if err := tokenHelper.Erase(); err != nil {
|
||||||
|
c.Ui.Error(fmt.Sprintf(
|
||||||
|
"Error removing prior token: %s\n\n"+
|
||||||
|
"Authentication was successful, but unable to remove the\n"+
|
||||||
|
"previous token.",
|
||||||
|
err))
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Get the policies we have
|
// Get the policies we have
|
||||||
policiesRaw, ok := secret.Data["policies"]
|
policiesRaw, ok := secret.Data["policies"]
|
||||||
if !ok {
|
if !ok {
|
||||||
@@ -244,6 +276,9 @@ func (c *AuthCommand) Run(args []string) int {
|
|||||||
}
|
}
|
||||||
|
|
||||||
output := "Successfully authenticated! You are now logged in."
|
output := "Successfully authenticated! You are now logged in."
|
||||||
|
if noStore {
|
||||||
|
output += "\nThe token has not been stored to the configured token helper."
|
||||||
|
}
|
||||||
if method != "" {
|
if method != "" {
|
||||||
output += "\nThe token below is already saved in the session. You do not"
|
output += "\nThe token below is already saved in the session. You do not"
|
||||||
output += "\nneed to \"vault auth\" again with the token."
|
output += "\nneed to \"vault auth\" again with the token."
|
||||||
@@ -355,6 +390,9 @@ Auth Options:
|
|||||||
-no-verify Do not verify the token after creation; avoids a use count
|
-no-verify Do not verify the token after creation; avoids a use count
|
||||||
decrement.
|
decrement.
|
||||||
|
|
||||||
|
-no-store Do not store the token after creation; it will only be
|
||||||
|
displayed in the command output.
|
||||||
|
|
||||||
-path The path at which the auth backend is enabled. If an auth
|
-path The path at which the auth backend is enabled. If an auth
|
||||||
backend is mounted at multiple paths, this option can be
|
backend is mounted at multiple paths, this option can be
|
||||||
used to authenticate against specific paths.
|
used to authenticate against specific paths.
|
||||||
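Review bot: In the `@@ -222,7 +243,7 @@` hunk the guard becomes `if secret == nil && !noStore {`, so in no-store mode a nil lookup result skips the "Error: Invalid token" message and the `return 1`, and execution continues to `policiesRaw, ok := secret.Data["policies"]`, which dereferences the nil secret. The flag should only decide whether the previous token is restored, not whether an invalid token is reported: keep `if secret == nil {` and wrap just the `tokenHelper.Store(previousToken)` call in `if !noStore { … }`, as the client-initialization hunk already does. The help text added in the last hunk says the token "will only be displayed in the command output" but does not mention that no-store also calls `tokenHelper.Erase()` in both the no-verify and verify paths, removing any token the helper already held; a clause such as "any previously stored token is removed" would make that visible to users. Run's body starts and ends outside these hunks.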
|
|||||||
@@ -84,6 +84,45 @@ func TestAuth_token(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestAuth_token_nostore(t *testing.T) {
|
||||||
|
core, _, token := vault.TestCoreUnsealed(t)
|
||||||
|
ln, addr := http.TestServer(t, core)
|
||||||
|
defer ln.Close()
|
||||||
|
|
||||||
|
testAuthInit(t)
|
||||||
|
|
||||||
|
ui := new(cli.MockUi)
|
||||||
|
c := &AuthCommand{
|
||||||
|
Meta: meta.Meta{
|
||||||
|
Ui: ui,
|
||||||
|
TokenHelper: DefaultTokenHelper,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
args := []string{
|
||||||
|
"-address", addr,
|
||||||
|
"-no-store",
|
||||||
|
token,
|
||||||
|
}
|
||||||
|
if code := c.Run(args); code != 0 {
|
||||||
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
helper, err := c.TokenHelper()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("err: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
actual, err := helper.Get()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("err: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if actual != "" {
|
||||||
|
t.Fatalf("bad: %s", actual)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestAuth_stdin(t *testing.T) {
|
func TestAuth_stdin(t *testing.T) {
|
||||||
core, _, token := vault.TestCoreUnsealed(t)
|
core, _, token := vault.TestCoreUnsealed(t)
|
||||||
ln, addr := http.TestServer(t, core)
|
ln, addr := http.TestServer(t, core)
|
||||||
|
|||||||
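Review bot: TestAuth_token_nostore only asserts that `helper.Get()` returns "" after the run, which does not distinguish "the command erased a previously stored token" from "nothing was ever stored"; if testAuthInit starts from an empty helper (its body is outside this diff), the assertion passes even when the Erase path is never reached. Storing a known value through `helper.Store(...)` before `c.Run(args)` and then asserting `actual == ""` would exercise the new removal behaviour. The test also uses only a valid token, so the `secret == nil` handling under -no-store is not covered here.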