From 5197566d20505978c52fb904f29318046fd772eb Mon Sep 17 00:00:00 2001 From: John Adams Date: Mon, 14 May 2018 11:46:15 -0700 Subject: [PATCH] format cleanup --- vault/vault.go | 188 ++++++++++++++++++++++++------------------------- 1 file changed, 94 insertions(+), 94 deletions(-) diff --git a/vault/vault.go b/vault/vault.go index 2bdad21..5d41df2 100644 --- a/vault/vault.go +++ b/vault/vault.go @@ -16,11 +16,11 @@ package vault * export VAULT_CACERT= ... pem file containing ca cert ... * and/or * export VAULT_SSL_VERIFY=no -*/ + */ import ( - "os" "fmt" + "os" "time" "github.com/xordataexchange/crypt/backend" @@ -29,65 +29,65 @@ import ( ) type Client struct { - client *vaultapi.Client - secret string // used only with role authentication, nil if using env-VAULT_TOKEN - secret_ttl time.Duration // if non-zero, it expires at this time - secret_acq_at float64 // when we got the secret - secret_expires bool + client *vaultapi.Client + secret string // used only with role authentication, nil if using env-VAULT_TOKEN + secret_ttl time.Duration // if non-zero, it expires at this time + secret_acq_at float64 // when we got the secret + secret_expires bool } func (c *Client) acquireToken(role string, secret string) (string, error) { - secretData := map[string]interface{}{ - "role_id" : role, - "secret_id" : secret, - } + secretData := map[string]interface{}{ + "role_id": role, + "secret_id": secret, + } - data, err := c.client.Logical().Write("auth/approle/login", secretData) - if data == nil { - return "", err - } - /* data is now of type *api.Secret and we can use it to set the client up */ - token,err := data.TokenID() - if err == nil { - c.client.SetToken(token) - } + data, err := c.client.Logical().Write("auth/approle/login", secretData) + if data == nil { + return "", err + } + /* data is now of type *api.Secret and we can use it to set the client up */ + token, err := data.TokenID() + if err == nil { + c.client.SetToken(token) + } - /* handle expiry */ - ttl, err := data.TokenTTL() - if err == nil { - c.secret_ttl = ttl - if ttl != 0 { - c.secret_expires = true - } - } + /* handle expiry */ + ttl, err := data.TokenTTL() + if err == nil { + c.secret_ttl = ttl + if ttl != 0 { + c.secret_expires = true + } + } - c.secret_acq_at = float64(time.Now().Unix()) + c.secret_acq_at = float64(time.Now().Unix()) - fmt.Println("Got token %s with expiry %d and acquired at %v", token, c.secret_ttl, c.secret_acq_at) - return token, err + fmt.Println("Got token %s with expiry %d and acquired at %v", token, c.secret_ttl, c.secret_acq_at) + return token, err } // this can be called before operations to ensure token is currentfg func (c *Client) renewToken() (string, error) { - if c.secret_expires { - if ((c.secret_ttl.Seconds() + c.secret_acq_at > float64(time.Now().Unix())) && c.secret_ttl != 0) { - return c.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) - } else { - return "", nil - } - } else { - return "", nil - } + if c.secret_expires { + if (c.secret_ttl.Seconds()+c.secret_acq_at > float64(time.Now().Unix())) && c.secret_ttl != 0 { + return c.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) + } else { + return "", nil + } + } else { + return "", nil + } } func New(machines []string) (*Client, error) { - /* default config reads from the environment and sets defaults */ - /* a call to vaultapi.ReadEnvironment is not necessary here. */ - /* - * vault environment variables are required to proceed. - * either VAULT_TOKEN or VAULT_ROLE_ID and VAULT_SECRET_ID must be set - * see: https://github.com/hashicorp/vault/blob/master/api/client.go - */ + /* default config reads from the environment and sets defaults */ + /* a call to vaultapi.ReadEnvironment is not necessary here. */ + /* + * vault environment variables are required to proceed. + * either VAULT_TOKEN or VAULT_ROLE_ID and VAULT_SECRET_ID must be set + * see: https://github.com/hashicorp/vault/blob/master/api/client.go + */ conf := vaultapi.DefaultConfig() @@ -95,82 +95,82 @@ func New(machines []string) (*Client, error) { conf.Address = machines[0] } - // from the vault docs - - // https://godoc.org/github.com/hashicorp/vault/api#Secret - // If the environment variable `VAULT_TOKEN` is present, the token - // will be automatically added to the client. Otherwise, you must - // manually call `SetToken()`. - var returnval *Client + // from the vault docs - + // https://godoc.org/github.com/hashicorp/vault/api#Secret + // If the environment variable `VAULT_TOKEN` is present, the token + // will be automatically added to the client. Otherwise, you must + // manually call `SetToken()`. + var returnval *Client - client, err := vaultapi.NewClient(conf) + client, err := vaultapi.NewClient(conf) if err != nil { return nil, err } - /* what token are we using? */ - if v := os.Getenv(vaultapi.EnvVaultToken); v == "" { - /* not using VAULT_TOKEN! */ - if v := os.Getenv("VAULT_ROLE_ID"); v == "" { - fmt.Fprintf(os.Stderr, "neither VAULT_TOKEN or a VAULT_ROLE_ID/VAULT_SECRET_ID are set. Can't auth to vault.\n") - return nil, fmt.Errorf("Can't Auth to Vault") - } - if v := os.Getenv("VAULT_SECRET_ID"); v == "" { - fmt.Fprintf(os.Stderr, "VAULT_ROLE_ID set but VAULT_SECRET_ID is empty. Can't auth to vault.\n") - return nil, fmt.Errorf("Can't Auth to Vault") - } + /* what token are we using? */ + if v := os.Getenv(vaultapi.EnvVaultToken); v == "" { + /* not using VAULT_TOKEN! */ + if v := os.Getenv("VAULT_ROLE_ID"); v == "" { + fmt.Fprintf(os.Stderr, "neither VAULT_TOKEN or a VAULT_ROLE_ID/VAULT_SECRET_ID are set. Can't auth to vault.\n") + return nil, fmt.Errorf("Can't Auth to Vault") + } + if v := os.Getenv("VAULT_SECRET_ID"); v == "" { + fmt.Fprintf(os.Stderr, "VAULT_ROLE_ID set but VAULT_SECRET_ID is empty. Can't auth to vault.\n") + return nil, fmt.Errorf("Can't Auth to Vault") + } - returnval = &Client{client, "", 0, float64(time.Now().Unix()), false} + returnval = &Client{client, "", 0, float64(time.Now().Unix()), false} - /* using the approle secrets, try to acquire a token */ - _, err := returnval.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) - if err != nil { - fmt.Fprintf(os.Stderr, "Vault ROLE/SECRET authentication failed - %v\n", err) - return nil, fmt.Errorf("Can't Auth to Vault") - } - } else { - /* we'll just go ahead with VAULT_TOKEN for auth */ - returnval = &Client{client, os.Getenv(vaultapi.EnvVaultToken), 0, float64(time.Now().Unix()), false} - } + /* using the approle secrets, try to acquire a token */ + _, err := returnval.acquireToken(os.Getenv("VAULT_ROLE_ID"), os.Getenv("VAULT_SECRET_ID")) + if err != nil { + fmt.Fprintf(os.Stderr, "Vault ROLE/SECRET authentication failed - %v\n", err) + return nil, fmt.Errorf("Can't Auth to Vault") + } + } else { + /* we'll just go ahead with VAULT_TOKEN for auth */ + returnval = &Client{client, os.Getenv(vaultapi.EnvVaultToken), 0, float64(time.Now().Unix()), false} + } return returnval, nil } func (c *Client) Get(key string) ([]byte, error) { - /* note that the vault client only connects when Get is issued if - * you are using VAULT_TOKEN authentication (set in the environment) - * - * If using role authentication, we'll try to acquire a token at init. - * - * This interface returns only one value from a secret. It expects that the - * referenced secret will have the data in the "value" key. - */ + /* note that the vault client only connects when Get is issued if + * you are using VAULT_TOKEN authentication (set in the environment) + * + * If using role authentication, we'll try to acquire a token at init. + * + * This interface returns only one value from a secret. It expects that the + * referenced secret will have the data in the "value" key. + */ data, err := c.client.Logical().Read(key) if err != nil { - fmt.Println("Error during Vault Get -", err) + fmt.Println("Error during Vault Get -", err) return []byte{}, err } if data.Data == nil { return []byte{}, fmt.Errorf("Key ( %s ) was not found.", key) } - v := data.Data["value"].(string) - return []byte(v) , nil + v := data.Data["value"].(string) + return []byte(v), nil } func (c *Client) List(key string) (backend.KVPairs, error) { - // TODO: NOT IMPLEMENTED - //pairs, err := c.client.Logical().List(key) + // TODO: NOT IMPLEMENTED + //pairs, err := c.client.Logical().List(key) return nil, nil } func (c *Client) Set(key string, value []byte) error { - secretData := map[string]interface{}{ - "value": value, - } - _, err := c.client.Logical().Write(key, secretData) + secretData := map[string]interface{}{ + "value": value, + } + _, err := c.client.Logical().Write(key, secretData) - return err + return err } func (c *Client) Watch(key string, stop chan bool) <-chan *backend.Response {