From 17cd70cea546e287713a3d4c086528a85abefa2e Mon Sep 17 00:00:00 2001
From: Niall Sheridan
Date: Tue, 4 Oct 2016 14:37:01 -0700
Subject: Add support for Hashicorp Vault

Vault is supported for the following: As a well-known filesystem for TLS cert, TLS key and SSH signing key. For configuration secrets for cookie_secret, csrf_secret, oauth_client_id and oauth_client_secret options.
---
 server/helpers/vault/vault.go | 55 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 server/helpers/vault/vault.go
(limited to 'server/helpers/vault')

diff --git a/server/helpers/vault/vault.go b/server/helpers/vault/vault.go
new file mode 100644
index 0000000..bec18b9
--- /dev/null
+++ b/server/helpers/vault/vault.go
@@ -0,0 +1,55 @@
+package vault
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/vault/api"
+)
+
+// NewClient returns a new vault client.
+func NewClient(address, token string) (*Client, error) {
+	config := &api.Config{
+		Address: address,
+	}
+	client, err := api.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetToken(token)
+	return &Client{
+		vault: client,
+	}, nil
+}
+
+func parseName(name string) (path, key string) {
+	name = strings.TrimPrefix(name, "/vault/")
+	i := strings.LastIndex(name, "/")
+	if i < 0 {
+		return name, ""
+	}
+	return name[:i], name[i+1:]
+}
+
+// Client is a simple client for vault.
+type Client struct {
+	vault *api.Client
+}
+
+// Read returns a secret for a given path and key of the form `/vault/secret/path/key`.
+// If the requested key cannot be read the original string is returned along with an error.
+func (c *Client) Read(value string) (string, error) {
+	p, k := parseName(value)
+	data, err := c.vault.Logical().Read(p)
+	if err != nil {
+		return value, err
+	}
+	if data == nil {
+		return value, fmt.Errorf("no such key %s", k)
+	}
+	secret, ok := data.Data[k]
+	if !ok {
+		return value, fmt.Errorf("no such key %s", k)
+	}
+	return secret.(string), nil
+}
-- cgit v1.2.3
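Review bot: The unchecked type assertion `return secret.(string), nil` at the end of Read will panic the process if the value stored under the key in Vault is anything other than a string (a number, bool, or nested object written by a different tool), which turns a misconfigured secret into a crash of the server that holds the TLS and SSH signing keys; it should be a checked assertion that returns an error like the other failure paths. Related, the `data == nil` branch reports "no such key" even though what is missing is the path, so the operator is pointed at the wrong thing — `fmt.Errorf("no such secret at %s", p)` would be more accurate. Note also that on every error Read returns the original `/vault/...` string, as the doc comment says; any caller that ignores the error would then use that literal path as its cookie_secret or csrf_secret, so callers (not visible in this hunk) must treat a non-nil error as fatal. As far as I can tell from the hunk, NewClient builds an api.Config with only Address set and does not call ReadEnvironment, so VAULT_CACERT/VAULT_SKIP_VERIFY style TLS settings would not apply — worth confirming against the api package version in use.
```go
	secret, ok := data.Data[k]
	if !ok {
		return value, fmt.Errorf("no such key %s", k)
	}
	s, ok := secret.(string)
	if !ok {
		return value, fmt.Errorf("secret %s/%s is not a string (got %T)", p, k, secret)
	}
	return s, nil
}
```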