Initial sketch for client TLS auth

command/meta.go

@@ -25,6 +25,8 @@ import (
 const EnvVaultAddress = "VAULT_ADDR"
 const EnvVaultCACert = "VAULT_CACERT"
 const EnvVaultCAPath = "VAULT_CAPATH"
+const EnvVaultClientCert = "VAULT_CLIENT_CERT"
+const EnvVaultClientKey = "VAULT_CLIENT_KEY"
 const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
 
 // FlagSetFlags is an enum to define what flags are present in the
@@ -51,6 +53,8 @@ type Meta struct {
 	flagAddress    string
 	flagCACert     string
 	flagCAPath     string
+	flagClientCert string
+	flagClientKey  string
 	flagInsecure   bool
 
 	// These are internal and shouldn't be modified or access by anyone
@@ -77,6 +81,12 @@ func (m *Meta) Client() (*api.Client, error) {
 	if v := os.Getenv(EnvVaultCAPath); v != "" {
 		m.flagCAPath = v
 	}
+	if v := os.Getenv(EnvVaultClientCert); v != "" {
+		m.flagClientCert = v
+	}
+	if v := os.Getenv(EnvVaultClientKey); v != "" {
+		m.flagClientKey = v
+	}
 	if v := os.Getenv(EnvVaultInsecure); v != "" {
 		var err error
 		m.flagInsecure, err = strconv.ParseBool(v)
@@ -103,6 +113,14 @@ func (m *Meta) Client() (*api.Client, error) {
 			RootCAs:            certPool,
 		}
 
+		if m.flagClientCert != "" {
+			tlsCert, err := tls.LoadX509KeyPair(m.flagClientCert, m.flagClientKey)
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.Certificates = []tls.Certificate{tlsCert}
+		}
+
 		client := *http.DefaultClient
 		client.Transport = &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
@@ -184,6 +202,8 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 		f.StringVar(&m.flagAddress, "address", "", "")
 		f.StringVar(&m.flagCACert, "ca-cert", "", "")
 		f.StringVar(&m.flagCAPath, "ca-path", "", "")
+		f.StringVar(&m.flagClientCert, "client-cert", "", "")
+		f.StringVar(&m.flagClientKey, "client-key", "", "")
 		f.BoolVar(&m.flagInsecure, "insecure", false, "")
 		f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")
 	}

command/meta_test.go

@@ -19,7 +19,7 @@ func TestFlagSet(t *testing.T) {
 		},
 		{
 			FlagSetServer,
-			[]string{"address", "ca-cert", "ca-path", "insecure", "tls-skip-verify"},
+			[]string{"address", "ca-cert", "ca-path", "client-cert", "client-key", "insecure", "tls-skip-verify"},
 		},
 	}
 
@@ -44,9 +44,13 @@ func TestFlagSet(t *testing.T) {
 func TestEnvSettings(t *testing.T) {
 	os.Setenv("VAULT_CACERT", "/path/to/fake/cert.crt")
 	os.Setenv("VAULT_CAPATH", "/path/to/fake/certs")
+	os.Setenv("VAULT_CLIENT_CERT", "/path/to/fake/client.crt")
+	os.Setenv("VAULT_CLIENT_KEY", "/path/to/fake/client.key")
 	os.Setenv("VAULT_SKIP_VERIFY", "true")
 	defer os.Setenv("VAULT_CACERT", "")
 	defer os.Setenv("VAULT_CAPATH", "")
+	defer os.Setenv("VAULT_CLIENT_CERT", "")
+	defer os.Setenv("VAULT_CLIENT_KEY", "")
 	defer os.Setenv("VAULT_SKIP_VERIFY", "")
 	var m Meta
 
@@ -60,6 +64,12 @@ func TestEnvSettings(t *testing.T) {
 	if m.flagCAPath != "/path/to/fake/certs" {
 		t.Fatalf("bad: %s", m.flagAddress)
 	}
+	if m.flagClientCert != "/path/to/fake/client.crt" {
+		t.Fatalf("bad: %s", m.flagAddress)
+	}
+	if m.flagClientKey != "/path/to/fake/client.key" {
+		t.Fatalf("bad: %s", m.flagAddress)
+	}
 	if m.flagInsecure != true {
 		t.Fatalf("bad: %s", m.flagAddress)
 	}