From dda65362a716fc31daf0944c3cbc1542e4b0b8a1 Mon Sep 17 00:00:00 2001
From: Jack Newton
Date: Wed, 27 Dec 2017 16:18:49 -0800
Subject: [PATCH 1/6] Add app-id authentication.
---
 avvoenv.1.ronn | 4 ++++
 src/avvoenv/commands/helpers.rs | 14 ++++++++++++++
 src/avvoenv/source/vault.rs | 13 +++++++++++++
 3 files changed, 31 insertions(+)
diff --git a/avvoenv.1.ronn b/avvoenv.1.ronn
index 73ea41d..1ba8777 100644
--- a/avvoenv.1.ronn
+++ b/avvoenv.1.ronn
@@ -53,6 +53,10 @@ current service, or canonicalise the name given with the `--service` option.
 Set the Consul URL, overriding the `CONSUL_HTTP_ADDR` environment variable,
 and the default of .
+ * `--app-id` [] `--app-user` []:
+ Authenticate with Vault via app-id as /. If the
+ argument is provided it will override the `USER` environment variable.
+
 * `--dev` []:
 Authenticate with Vault via LDAP as instead of with the
 . Will prompt for a password on standard input. If the
diff --git a/src/avvoenv/commands/helpers.rs b/src/avvoenv/commands/helpers.rs
index d171a63..7832d75 100644
--- a/src/avvoenv/commands/helpers.rs
+++ b/src/avvoenv/commands/helpers.rs
@@ -29,6 +29,8 @@ pub fn add_fetch_opts(mut opts: getopts::Options) -> getopts::Options {
 opts.optmulti("i", "include", "filter fetched variables", "PATTERN");
 opts.optmulti("e", "exclude", "filter fetched variables", "PATTERN");
 opts.optopt("t", "vault-token", "set the vault token", "TOKEN");
+ opts.optopt("s", "app-user", "authenticate with vault app-user", "APP_USER");
+ opts.optopt("p", "app-id", "authenticate with vault app-id", "APP_ID");
 opts
 }
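Review bot: The value taken by `--app-user` (and `--app-id`) on the two new `opts.optopt` lines is a Vault credential, and anything passed as a command-line argument is readable by other local users through process listings and is retained in shell history. The description `"authenticate with vault app-user"` gives no hint of that; consider something like `"set the user-id for vault app-id authentication (prefer the environment variable; command-line values are visible to other processes)"`, or an equivalent sentence in the man page, so the environment-variable path is the documented default. The same applies to the later rewrites of these two lines in patches 2 and 3.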
@@ -62,6 +64,18 @@ pub fn env_from_opts(matches: &getopts::Matches) -> Result val,
+ None => return Err(ErrorWithMessage(String::from("Could not determine app-id"))),
+ };
+ let app_user = match opt_env(matches, "app-user", "APP_USER") {
+ Some(val) => val,
+ None => return Err(ErrorWithMessage(String::from("Could not determine app-user"))),
+ };
+ if vault_client.app_id_auth(app_id, app_user).is_err() {
+ return Err(ErrorWithMessage(String::from("Authentication failed")));
+ };
 } else {
 let mut path = std::env::home_dir().unwrap_or(std::path::PathBuf::from("/"));
 path.push(".vault-token");
diff --git a/src/avvoenv/source/vault.rs b/src/avvoenv/source/vault.rs
index 37c7487..9cda7b4 100644
--- a/src/avvoenv/source/vault.rs
+++ b/src/avvoenv/source/vault.rs
@@ -21,6 +21,11 @@ pub struct AuthRequest {
 pub password: String,
 }
+#[derive(Serialize)]
+pub struct AuthAppIdRequest {
+ pub user_id: String,
+}
+
 #[derive(Deserialize)]
 pub struct AuthResponse {
 pub client_token: String,
@@ -75,6 +80,14 @@ impl Client {
 Ok(())
 }
+ pub fn app_id_auth(&mut self, app_id: String, user_id: String) -> Result<(), errors::Error> {
+ self.resolve_leader()?;
+ let request = AuthAppIdRequest { user_id: user_id };
+ let response: AuthResponseWrapper = self.post_json(&format!("auth/app-id/login/{}", app_id), &request)?;
+ self.token = Some(response.auth.client_token);
+ Ok(())
+ }
+
 pub fn renew_token(&mut self) -> Result<(), errors::Error> {
 let _:AuthResponseWrapper = self.post_json("/auth/token/renew-self", &TokenRenewRequest {})?;
 Ok(())
From 69f7c20e6aa44476d15819fdcc9e61abfb63c912 Mon Sep 17 00:00:00 2001
From: Jack Newton
Date: Thu, 28 Dec 2017 11:21:17 -0800
Subject: [PATCH 2/6] Add VAULT_APP_ID and VAULT_APP_USER environment variables.
---
 avvoenv.1.ronn | 8 +++++---
 src/avvoenv/commands/helpers.rs | 12 ++++--------
 2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/avvoenv.1.ronn b/avvoenv.1.ronn
index 1ba8777..a09e510 100644
--- a/avvoenv.1.ronn
+++ b/avvoenv.1.ronn
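Review bot: The new `if vault_client.app_id_auth(app_id, app_user).is_err()` block throws away the error returned by `app_id_auth` and replaces it with the fixed text `Authentication failed`, so a transport failure, a malformed response and a rejected credential all look identical to the operator, which makes failed logins hard to triage. `vault_client.app_id_auth(app_id, app_user).map_err(|e| ErrorWithMessage(format!("Authentication failed: {}", e)))?;` keeps the same control flow while preserving the cause, assuming `errors::Error` implements `Display` (not visible here); `{:?}` would do otherwise. The stray `;` after the closing brace of that `if` is harmless but reads as a typo. The signature of `env_from_opts` and the start of its `if`/`else` chain lie outside this hunk, and part of the hunk's opening lines appears to have been lost in rendering.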
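Review bot: In the new `app_id_auth`, `app_id` is spliced into the request path by `format!("auth/app-id/login/{}", app_id)` with no validation or escaping, so a value containing `/`, `?`, `#` or whitespace (from a typo or from an untrusted `VAULT_APP_ID` in the environment) changes which endpoint the client talks to rather than failing cleanly. Rejecting such values before the request is built, or percent-encoding the segment, keeps the call tied to the `auth/app-id/login` endpoint; the exact error constructor depends on `errors::Error`, which is not visible here. The path also lacks the leading `/` that `renew_token` uses in `"/auth/token/renew-self"` a few lines below — fine if `post_json` normalises both forms, otherwise one of the two is wrong. The method is `pub` but undocumented; a doc comment such as `/// Logs in via Vault's app-id backend and stores the returned client token on this client; app-id has been deprecated upstream in favour of AppRole.` would also record why this backend was chosen. The same `format!` line survives unchanged in the patch 3 rewrite of this method.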
@@ -53,9 +53,11 @@ current service, or canonicalise the name given with the `--service` option.
 Set the Consul URL, overriding the `CONSUL_HTTP_ADDR` environment variable,
 and the default of .
- * `--app-id` [] `--app-user` []:
- Authenticate with Vault via app-id as /. If the
- argument is provided it will override the `USER` environment variable.
+ * `--app-id` [] `--app-user` []:
+ Authenticate with Vault via app-id as /. If the
+ argument is provided it will override the `VAULT_APP_ID` environment variable,
+ and if the argument is provided it will override the `VAULT_APP_USER`
+ environment variable.
 * `--dev` []:
 Authenticate with Vault via LDAP as instead of with the
diff --git a/src/avvoenv/commands/helpers.rs b/src/avvoenv/commands/helpers.rs
index 7832d75..d292baf 100644
--- a/src/avvoenv/commands/helpers.rs
+++ b/src/avvoenv/commands/helpers.rs
@@ -29,8 +29,8 @@ pub fn add_fetch_opts(mut opts: getopts::Options) -> getopts::Options {
 opts.optmulti("i", "include", "filter fetched variables", "PATTERN");
 opts.optmulti("e", "exclude", "filter fetched variables", "PATTERN");
 opts.optopt("t", "vault-token", "set the vault token", "TOKEN");
- opts.optopt("s", "app-user", "authenticate with vault app-user", "APP_USER");
- opts.optopt("p", "app-id", "authenticate with vault app-id", "APP_ID");
+ opts.optopt("s", "app-user", "authenticate with vault app-user", "VAULT_APP_USER");
+ opts.optopt("p", "app-id", "authenticate with vault app-id", "VAULT_APP_ID");
 opts
 }
@@ -64,12 +64,8 @@ pub fn env_from_opts(matches: &getopts::Matches) -> Result val,
- None => return Err(ErrorWithMessage(String::from("Could not determine app-id"))),
- };
- let app_user = match opt_env(matches, "app-user", "APP_USER") {
+ } else if let Some(app_id) = opt_env(matches, "app-id", "VAULT_APP_ID") {
+ let app_user = match opt_env(matches, "app-user", "VAULT_APP_USER") {
 Some(val) => val,
 None => return Err(ErrorWithMessage(String::from("Could not determine app-user"))),
 };
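Review bot: With the new `} else if let Some(app_id) = opt_env(matches, "app-id", "VAULT_APP_ID") {`, a run that supplies `--app-user`/`VAULT_APP_USER` but no app-id no longer errors: the branch is skipped and control falls through to the following `else`, which (per patch 1) reads `~/.vault-token`, so a half-configured app-id login silently authenticates with a different credential than the operator intended. Since app-user is only meaningful together with app-id, reject the combination explicitly ahead of the chain, e.g. `if opt_env(matches, "app-user", "VAULT_APP_USER").is_some() && opt_env(matches, "app-id", "VAULT_APP_ID").is_none() { return Err(ErrorWithMessage(String::from("--app-user requires --app-id"))); }`, so the misconfiguration is reported instead of a token file being used. The rest of `env_from_opts`, including the `else` branch and the `app_id_auth` call, lies outside this hunk.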
From d5388861bf6f3124851a5f79132140f2a5e51966 Mon Sep 17 00:00:00 2001
From: Jack Newton
Date: Thu, 28 Dec 2017 13:54:56 -0800
Subject: [PATCH 3/6] Respond to feedback: use shortcut syntax, add to documentation, remove unnecessary call to resolve_leader.
---
 avvoenv.1.ronn | 24 ++++++++++++++++++------
 src/avvoenv/commands/helpers.rs | 2 +-
 src/avvoenv/source/vault.rs | 3 +--
 3 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/avvoenv.1.ronn b/avvoenv.1.ronn
index a09e510..bbab5a6 100644
--- a/avvoenv.1.ronn
+++ b/avvoenv.1.ronn
@@ -12,6 +12,8 @@ avvoenv(1) -- fetch service environment variables
 [`-F`|`--force`]
 [`-I`|`--isolate`]
 [`-i`|`--include` ]
+ [`-p`|`--app-id` ]
+ [`-r`|`--app-user` ]
 [`-s`|`--service` ]
 [`-t`|`--vault-token` ]
 [`-u`|`--vault` ]
@@ -23,6 +25,8 @@ avvoenv(1) -- fetch service environment variables
 [`-e`|`--exclude` ]
 [`-f`|`--format` ]
 [`-i`|`--include` ]
+ [`-p`|`--app-id` ]
+ [`-r`|`--app-user` ]
 [`-s`|`--service` ]
 [`-t`|`--vault-token` ]
 [`-u`|`--vault` ]
@@ -49,16 +53,18 @@ current service, or canonicalise the name given with the `--service` option.
 and/or with a list of multiple space-separated key value pairs. In the second case the argument must be quoted.
+ * `--app-id` []:
+ Authenticate with Vault via app-id. If the argument is provided
+ it will override the `VAULT_APP_ID` environment variable.
+
+ * `--app-user` []:
+ Set the user-id for use with Vault app-id authentication. If the
+ argument is provided it will override the `VAULT_APP_USER` environment variable.
+
 * `-c`, `--consul` :
 Set the Consul URL, overriding the `CONSUL_HTTP_ADDR` environment variable,
 and the default of .
- * `--app-id` [] `--app-user` []:
- Authenticate with Vault via app-id as /. If the
- argument is provided it will override the `VAULT_APP_ID` environment variable,
- and if the argument is provided it will override the `VAULT_APP_USER`
- environment variable.
-
 * `--dev` []:
 Authenticate with Vault via LDAP as instead of with the
 . Will prompt for a password on standard input. If the
@@ -167,6 +173,12 @@ outputs to standard output):
 * `VAULT_ADDR`:
 The Vault URL, overriding the default of .
+ * `VAULT_APP_ID`:
+ The application ID used with Vault app-id authentication.
+
+ * `VAULT_APP_USER`:
+ The application user ID used with Vault app-id authentication.
+
 * `VAULT_TOKEN`:
 The token used to authenticate with Vault, overriding the `~/.vault-token` file.
diff --git a/src/avvoenv/commands/helpers.rs b/src/avvoenv/commands/helpers.rs
index d292baf..dcf888c 100644
--- a/src/avvoenv/commands/helpers.rs
+++ b/src/avvoenv/commands/helpers.rs
@@ -29,7 +29,7 @@ pub fn add_fetch_opts(mut opts: getopts::Options) -> getopts::Options {
 opts.optmulti("i", "include", "filter fetched variables", "PATTERN");
 opts.optmulti("e", "exclude", "filter fetched variables", "PATTERN");
 opts.optopt("t", "vault-token", "set the vault token", "TOKEN");
- opts.optopt("s", "app-user", "authenticate with vault app-user", "VAULT_APP_USER");
+ opts.optopt("r", "app-user", "authenticate with vault app-user", "VAULT_APP_USER");
 opts.optopt("p", "app-id", "authenticate with vault app-id", "VAULT_APP_ID");
 opts
 }
diff --git a/src/avvoenv/source/vault.rs b/src/avvoenv/source/vault.rs
index 9cda7b4..34866a0 100644
--- a/src/avvoenv/source/vault.rs
+++ b/src/avvoenv/source/vault.rs
@@ -81,8 +81,7 @@ impl Client {
 }
 pub fn app_id_auth(&mut self, app_id: String, user_id: String) -> Result<(), errors::Error> {
- self.resolve_leader()?;
- let request = AuthAppIdRequest { user_id: user_id };
+ let request = AuthAppIdRequest { user_id };
 let response: AuthResponseWrapper = self.post_json(&format!("auth/app-id/login/{}", app_id), &request)?;
 self.token = Some(response.auth.client_token);
 Ok(())
From 0ad0c0b722a660973c21bf6693265dbff4976608 Mon Sep 17 00:00:00 2001
From: Jack Newton
Date: Thu, 28 Dec 2017 15:18:51 -0800
Subject: [PATCH 4/6] Add short-option and order by short option.
---
 avvoenv.1.ronn | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/avvoenv.1.ronn b/avvoenv.1.ronn
index bbab5a6..36dd41d 100644
--- a/avvoenv.1.ronn
+++ b/avvoenv.1.ronn
@@ -53,14 +53,6 @@ current service, or canonicalise the name given with the `--service` option.
 and/or with a list of multiple space-separated key value pairs. In the second case the argument must be quoted.
- * `--app-id` []:
- Authenticate with Vault via app-id. If the argument is provided
- it will override the `VAULT_APP_ID` environment variable.
-
- * `--app-user` []:
- Set the user-id for use with Vault app-id authentication. If the
- argument is provided it will override the `VAULT_APP_USER` environment variable.
-
 * `-c`, `--consul` :
 Set the Consul URL, overriding the `CONSUL_HTTP_ADDR` environment variable,
 and the default of .
@@ -104,6 +96,14 @@ current service, or canonicalise the name given with the `--service` option.
 range eg `[0-9]` or `[a-z]`
 `[!...]` is the inverse of `[...]`
+ * `-p`, `--app-id` []:
+ Authenticate with Vault via app-id. If the argument is provided
+ it will override the `VAULT_APP_ID` environment variable.
+
+ * `-r`, `--app-user` []:
+ Set the user-id for use with Vault app-id authentication. If the
+ argument is provided it will override the `VAULT_APP_USER` environment variable.
+
 * `-s`, `--service` :
 Set the service name, overriding the `SERVICE` environment variable. If neither `--service` or `SERVICE` are provided the `./requirements.yml`
From 762e99eb4b98fe62815ae4ce7616b2c0606298d0 Mon Sep 17 00:00:00 2001
From: Jack Newton
Date: Tue, 2 Jan 2018 12:47:48 -0800
Subject: [PATCH 5/6] Bump version.
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index a362ece..84f151c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,6 +1,6 @@
 [root]
 name = "avvoenv"
-version = "0.2.1"
+version = "0.3.0"
 dependencies = [
 "getopts 0.2.14 (registry+https://github.com/rust-lang/crates.io-index)",
 "glob 0.2.11 (registry+https://github.com/rust-lang/crates.io-index)",
diff --git a/Cargo.toml b/Cargo.toml
index 8233610..77d8fba 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "avvoenv"
-version = "0.2.1"
+version = "0.3.0"
 authors = ["Avvo Infrastructure Team "]
 license = "MIT"
From 70df6f8f7283cef227cb7b1f5ba2dbaaa8c08196 Mon Sep 17 00:00:00 2001
From: Jack Newton
Date: Tue, 2 Jan 2018 14:01:04 -0800
Subject: [PATCH 6/6] Remove brackets (which indicate param is required).
---
 avvoenv.1.ronn | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/avvoenv.1.ronn b/avvoenv.1.ronn
index 36dd41d..dbc8329 100644
--- a/avvoenv.1.ronn
+++ b/avvoenv.1.ronn
@@ -96,11 +96,11 @@ current service, or canonicalise the name given with the `--service` option.
 range eg `[0-9]` or `[a-z]`
 `[!...]` is the inverse of `[...]`
- * `-p`, `--app-id` []:
+ * `-p`, `--app-id` :
 Authenticate with Vault via app-id. If the argument is provided
 it will override the `VAULT_APP_ID` environment variable.
- * `-r`, `--app-user` []:
+ * `-r`, `--app-user` :
 Set the user-id for use with Vault app-id authentication. If the
 argument is provided it will override the `VAULT_APP_USER` environment variable.