author | Niall Sheridan <nsheridan@gmail.com> | 2016-10-04 14:37:01 -0700 |
committer | Niall Sheridan <nsheridan@gmail.com> | 2016-10-06 22:02:39 -0500 |
commit | 17cd70cea546e287713a3d4c086528a85abefa2e (patch) | |
tree | f52ffa10f2065c47445bd6c37f07a57f68074100 /server/helpers/vault/vault.go | |
parent | 294020406c257ad4eb1867a1e7fb8b694aefddd2 (diff) |
Add support for Hashicorp Vault
Vault is supported for the following:
As a well-known filesystem for TLS cert, TLS key and SSH signing key.
For configuration secrets for cookie_secret, csrf_secret, oauth_client_id and oauth_client_secret options.
Diffstat (limited to 'server/helpers/vault/vault.go')
-rw-r--r-- | server/helpers/vault/vault.go | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/server/helpers/vault/vault.go b/server/helpers/vault/vault.go
new file mode 100644
index 0000000..bec18b9
--- /dev/null
+++ b/server/helpers/vault/vault.go
@@ -0,0 +1,55 @@
+package vault
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/vault/api"
+)
+
+// NewClient returns a new vault client.
+func NewClient(address, token string) (*Client, error) {
+	config := &api.Config{
+		Address: address,
+	}
+	client, err := api.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetToken(token)
+	return &Client{
+		vault: client,
+	}, nil
+}
+
+func parseName(name string) (path, key string) {
+	name = strings.TrimPrefix(name, "/vault/")
+	i := strings.LastIndex(name, "/")
+	if i < 0 {
+		return name, ""
+	}
+	return name[:i], name[i+1:]
+}
+
+// Client is a simple client for vault.
+type Client struct {
+	vault *api.Client
+}
+
+// Read returns a secret for a given path and key of the form `/vault/secret/path/key`.
+// If the requested key cannot be read the original string is returned along with an error.
+func (c *Client) Read(value string) (string, error) {
+	p, k := parseName(value)
+	data, err := c.vault.Logical().Read(p)
+	if err != nil {
+		return value, err
+	}
+	if data == nil {
+		return value, fmt.Errorf("no such key %s", k)
+	}
+	secret, ok := data.Data[k]
+	if !ok {
+		return value, fmt.Errorf("no such key %s", k)
+	}
+	return secret.(string), nil
+} |
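Review bot: The unchecked `secret.(string)` at the end of `Read` panics the server whenever the Vault key holds a non-string value (a number, bool or nested map are all valid secret data), and since this feeds TLS keys and cookie/CSRF secrets at startup that is an availability bug triggered by a misconfigured secret rather than a clean error; use the two-value form, `s, ok := secret.(string)`, `if !ok { return value, fmt.Errorf("key %s at %s is not a string", k, p) }`, `return s, nil`. The `data == nil` branch reports "no such key" when it is actually the path `p` that returned no secret, so including `p` in that message would make misconfigurations much easier to diagnose. `NewClient` builds a bare `&api.Config{Address: address}` instead of starting from `api.DefaultConfig()`; I believe this skips the library's environment-driven TLS settings (CA certificate, server name) so it is worth confirming that connections to a TLS-terminated Vault still verify the server certificate as intended.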