Initial sketch for client TLS auth

2025-11-02 03:27:54 +00:00 · 2015-06-29 15:33:16 -04:00
parent 01592c0744
commit 75861c7c3b
2 changed files with 35 additions and 5 deletions
--- a/command/meta.go
+++ b/command/meta.go
@@ -25,6 +25,8 @@ import (
 const EnvVaultAddress = "VAULT_ADDR"
 const EnvVaultCACert = "VAULT_CACERT"
 const EnvVaultCAPath = "VAULT_CAPATH"
+const EnvVaultClientCert = "VAULT_CLIENT_CERT"
+const EnvVaultClientKey = "VAULT_CLIENT_KEY"
 const EnvVaultInsecure = "VAULT_SKIP_VERIFY"

 // FlagSetFlags is an enum to define what flags are present in the
@@ -48,10 +50,12 @@ type Meta struct {
 	ForceConfig  *Config // Force a config, don't load from disk

 	// These are set by the command line flags.
-	flagAddress  string
-	flagCACert   string
-	flagCAPath   string
-	flagInsecure bool
+	flagAddress    string
+	flagCACert     string
+	flagCAPath     string
+	flagClientCert string
+	flagClientKey  string
+	flagInsecure   bool

 	// These are internal and shouldn't be modified or access by anyone
 	// except Meta.
@@ -77,6 +81,12 @@ func (m *Meta) Client() (*api.Client, error) {
 	if v := os.Getenv(EnvVaultCAPath); v != "" {
 		m.flagCAPath = v
 	}
+	if v := os.Getenv(EnvVaultClientCert); v != "" {
+		m.flagClientCert = v
+	}
+	if v := os.Getenv(EnvVaultClientKey); v != "" {
+		m.flagClientKey = v
+	}
 	if v := os.Getenv(EnvVaultInsecure); v != "" {
 		var err error
 		m.flagInsecure, err = strconv.ParseBool(v)
@@ -103,6 +113,14 @@ func (m *Meta) Client() (*api.Client, error) {
 			RootCAs:            certPool,
 		}

+		if m.flagClientCert != "" {
+			tlsCert, err := tls.LoadX509KeyPair(m.flagClientCert, m.flagClientKey)
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.Certificates = []tls.Certificate{tlsCert}
+		}
+
 		client := *http.DefaultClient
 		client.Transport = &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
@@ -184,6 +202,8 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 		f.StringVar(&m.flagAddress, "address", "", "")
 		f.StringVar(&m.flagCACert, "ca-cert", "", "")
 		f.StringVar(&m.flagCAPath, "ca-path", "", "")
+		f.StringVar(&m.flagClientCert, "client-cert", "", "")
+		f.StringVar(&m.flagClientKey, "client-key", "", "")
 		f.BoolVar(&m.flagInsecure, "insecure", false, "")
 		f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")
 	}