2 * Copyright 2018 Intel Corporation, Inc
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 uuid "github.com/hashicorp/go-uuid"
21 vaultapi "github.com/hashicorp/vault/api"
31 // Vault is the main Struct used in Backend to initialize the struct
38 vaultClient *vaultapi.Client
43 vaultTempTokenTTL time.Time
48 // Init will initialize the vault connection
49 // It will also create the initial policy if it does not exist
50 // TODO: Check to see if we need to wait for vault to be running
51 func (v *Vault) Init() error {
52 vaultCFG := vaultapi.DefaultConfig()
53 vaultCFG.Address = v.vaultAddress
54 client, err := vaultapi.NewClient(vaultCFG)
60 v.policyName = "smsvaultpolicy"
62 v.vaultClient = client
64 // Check if vault is ready and unsealed
65 seal, err := v.GetStatus()
70 return fmt.Errorf("Vault is still sealed. Unseal before use")
75 log.Fatalln("Unable to initRole in Vault. Exiting...")
82 // GetStatus returns the current seal status of vault
83 func (v *Vault) GetStatus() (bool, error) {
84 sys := v.vaultClient.Sys()
85 sealStatus, err := sys.SealStatus()
90 return sealStatus.Sealed, nil
93 // GetSecretDomain returns any information related to the secretDomain
94 // More information can be added in the future with updates to the struct
95 func (v *Vault) GetSecretDomain(name string) (SecretDomain, error) {
96 return SecretDomain{}, nil
99 // GetSecret returns a secret mounted on a particular domain name
100 // The secret itself is referenced via its name which translates to
101 // a mount path in vault
102 func (v *Vault) GetSecret(dom string, name string) (Secret, error) {
103 err := v.checkToken()
105 return Secret{}, errors.New("Token check returned error: " + err.Error())
108 dom = v.vaultMount + "/" + dom
110 sec, err := v.vaultClient.Logical().Read(dom + "/" + name)
112 return Secret{}, errors.New("Unable to read Secret at provided path")
115 // sec and err are nil in the case where a path does not exist
117 return Secret{}, errors.New("Secret not found at the provided path")
120 return Secret{Name: name, Values: sec.Data}, nil
123 // ListSecret returns a list of secret names on a particular domain
124 // The values of the secret are not returned
125 func (v *Vault) ListSecret(dom string) ([]string, error) {
126 err := v.checkToken()
128 return nil, errors.New("Token check returned error: " + err.Error())
131 dom = v.vaultMount + "/" + dom
133 sec, err := v.vaultClient.Logical().List(dom)
135 return nil, errors.New("Unable to read Secret at provided path")
138 // sec and err are nil in the case where a path does not exist
140 return nil, errors.New("Secret not found at the provided path")
143 val, ok := sec.Data["keys"].([]interface{})
145 return nil, errors.New("Secret not found at the provided path")
148 retval := make([]string, len(val))
149 for i, v := range val {
150 retval[i] = fmt.Sprint(v)
156 // CreateSecretDomain mounts the kv backend on a path with the given name
157 func (v *Vault) CreateSecretDomain(name string) (SecretDomain, error) {
158 // Check if token is still valid
159 err := v.checkToken()
161 return SecretDomain{}, err
164 name = strings.TrimSpace(name)
165 mountPath := v.vaultMount + "/" + name
166 mountInput := &vaultapi.MountInput{
168 Description: "Mount point for domain: " + name,
171 Config: vaultapi.MountConfigInput{},
174 err = v.vaultClient.Sys().Mount(mountPath, mountInput)
176 return SecretDomain{}, err
179 uuid, _ := uuid.GenerateUUID()
180 return SecretDomain{uuid, name}, nil
183 // CreateSecret creates a secret mounted on a particular domain name
184 // The secret itself is mounted on a path specified by name
185 func (v *Vault) CreateSecret(dom string, sec Secret) error {
186 err := v.checkToken()
188 return errors.New("Token checking returned an error" + err.Error())
191 dom = v.vaultMount + "/" + dom
193 // Vault return is empty on successful write
194 _, err = v.vaultClient.Logical().Write(dom+"/"+sec.Name, sec.Values)
196 return errors.New("Unable to create Secret at provided path")
202 // DeleteSecretDomain deletes a secret domain which translates to
203 // an unmount operation on the given path in Vault
204 func (v *Vault) DeleteSecretDomain(name string) error {
205 err := v.checkToken()
210 name = strings.TrimSpace(name)
211 mountPath := v.vaultMount + "/" + name
213 err = v.vaultClient.Sys().Unmount(mountPath)
215 return errors.New("Unable to delete domain specified")
221 // DeleteSecret deletes a secret mounted on the path provided
222 func (v *Vault) DeleteSecret(dom string, name string) error {
223 err := v.checkToken()
225 return errors.New("Token checking returned an error" + err.Error())
228 dom = v.vaultMount + "/" + dom
230 // Vault return is empty on successful delete
231 _, err = v.vaultClient.Logical().Delete(dom + "/" + name)
233 return errors.New("Unable to delete Secret at provided path")
239 // initRole is called only once during the service bring up
240 func (v *Vault) initRole() error {
241 // Use the root token once here
242 v.vaultClient.SetToken(v.vaultToken)
243 defer v.vaultClient.ClearToken()
245 rules := `path "sms/*" { capabilities = ["create", "read", "update", "delete", "list"] }
246 path "sys/mounts/sms*" { capabilities = ["update","delete","create"] }`
247 err := v.vaultClient.Sys().PutPolicy(v.policyName, rules)
249 return errors.New("Unable to create policy for approle creation")
252 rName := v.vaultMount + "-role"
253 data := map[string]interface{}{
255 "policies": [2]string{"default", v.policyName},
258 // Delete role if it already exists
259 _, err = v.vaultClient.Logical().Delete("auth/approle/role/" + rName)
261 return errors.New("Unable to delete existing role")
264 //Check if approle is mounted
265 authMounts, err := v.vaultClient.Sys().ListAuth()
267 return errors.New("Unable to get mounted auth backends")
270 approleMounted := false
271 for k, v := range authMounts {
272 if v.Type == "approle" && k == "approle/" {
273 approleMounted = true
278 // Mount approle in case its not already mounted
280 v.vaultClient.Sys().EnableAuth("approle", "approle", "")
284 v.vaultClient.Logical().Write("auth/approle/role/"+rName, data)
285 sec, err := v.vaultClient.Logical().Read("auth/approle/role/" + rName + "/role-id")
287 return errors.New("Unable to create role ID for approle")
289 v.roleID = sec.Data["role_id"].(string)
291 // Create a secret-id to go with it
292 sec, err = v.vaultClient.Logical().Write("auth/approle/role/"+rName+"/secret-id",
293 map[string]interface{}{})
295 return errors.New("Unable to create secret ID for role")
298 v.secretID = sec.Data["secret_id"].(string)
303 // Function checkToken() gets called multiple times to create
305 func (v *Vault) checkToken() error {
307 defer v.tokenLock.Unlock()
309 // Return immediately if token still has life
310 if v.vaultClient.Token() != "" &&
311 time.Since(v.vaultTempTokenTTL) < time.Minute*50 {
315 // Create a temporary token using our roleID and secretID
316 out, err := v.vaultClient.Logical().Write("auth/approle/login",
317 map[string]interface{}{"role_id": v.roleID, "secret_id": v.secretID})
322 tok, err := out.TokenID()
324 v.vaultTempToken = tok
325 v.vaultTempTokenTTL = time.Now()
326 v.vaultClient.SetToken(v.vaultTempToken)