v1.14.6/api/auth.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package api

 import (
 	"context"
 	"fmt"
 )

 // Auth is used to perform credential backend related operations.
 type Auth struct {
 	c *Client
 }

 type AuthMethod interface {
 	Login(ctx context.Context, client *Client) (*Secret, error)
 }

 // Auth is used to return the client for credential-backend API calls.
 func (c *Client) Auth() *Auth {
 	return &Auth{c: c}
 }

 // Login sets up the required request body for login requests to the given auth
 // method's /login API endpoint, and then performs a write to it. After a
 // successful login, this method will automatically set the client's token to
 // the login response's ClientToken as well.
 //
 // The Secret returned is the authentication secret, which if desired can be
 // passed as input to the NewLifetimeWatcher method in order to start
 // automatically renewing the token.
 func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Secret, error) {
 	if authMethod == nil {
 		return nil, fmt.Errorf("no auth method provided for login")
 	}
 	return a.login(ctx, authMethod)
 }

 // MFALogin is a wrapper that helps satisfy Vault's MFA implementation.
 // If optional credentials are provided a single-phase login will be attempted
 // and the resulting Secret will contain a ClientToken if the authentication is successful.
 // The client's token will also be set accordingly.
 //
 // If no credentials are provided a two-phase MFA login will be assumed and the resulting
 // Secret will have a MFARequirement containing the MFARequestID to be used in a follow-up
 // call to `sys/mfa/validate` or by passing it to the method (*Auth).MFAValidate.
 func (a *Auth) MFALogin(ctx context.Context, authMethod AuthMethod, creds ...string) (*Secret, error) {
 	if len(creds) > 0 {
 		a.c.SetMFACreds(creds)
 		return a.login(ctx, authMethod)
 	}

 	return a.twoPhaseMFALogin(ctx, authMethod)
 }

 // MFAValidate validates an MFA request using the appropriate payload and a secret containing
 // Auth.MFARequirement, like the one returned by MFALogin when credentials are not provided.
 // Upon successful validation the client token will be set accordingly.
 //
 // The Secret returned is the authentication secret, which if desired can be
 // passed as input to the NewLifetimeWatcher method in order to start
 // automatically renewing the token.
 func (a *Auth) MFAValidate(ctx context.Context, mfaSecret *Secret, payload map[string]interface{}) (*Secret, error) {
 	if mfaSecret == nil || mfaSecret.Auth == nil || mfaSecret.Auth.MFARequirement == nil {
 		return nil, fmt.Errorf("secret does not contain MFARequirements")
 	}

 	s, err := a.c.Sys().MFAValidateWithContext(ctx, mfaSecret.Auth.MFARequirement.MFARequestID, payload)
 	if err != nil {
 		return nil, err
 	}

 	return a.checkAndSetToken(s)
 }

 // login performs the (*AuthMethod).Login() with the configured client and checks that a ClientToken is returned
 func (a *Auth) login(ctx context.Context, authMethod AuthMethod) (*Secret, error) {
 	s, err := authMethod.Login(ctx, a.c)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in to auth method: %w", err)
 	}

 	return a.checkAndSetToken(s)
 }

 // twoPhaseMFALogin performs the (*AuthMethod).Login() with the configured client
 // and checks that an MFARequirement is returned
 func (a *Auth) twoPhaseMFALogin(ctx context.Context, authMethod AuthMethod) (*Secret, error) {
 	s, err := authMethod.Login(ctx, a.c)
 	if err != nil {
 		return nil, fmt.Errorf("unable to log in: %w", err)
 	}
 	if s == nil || s.Auth == nil || s.Auth.MFARequirement == nil {
 		if s != nil {
 			s.Warnings = append(s.Warnings, "expected secret to contain MFARequirements")
 		}
 		return s, fmt.Errorf("assumed two-phase MFA login, returned secret is missing MFARequirements")
 	}

 	return s, nil
 }

 func (a *Auth) checkAndSetToken(s *Secret) (*Secret, error) {
 	if s == nil || s.Auth == nil || s.Auth.ClientToken == "" {
 		if s != nil {
 			s.Warnings = append(s.Warnings, "expected secret to contain ClientToken")
 		}
 		return s, fmt.Errorf("response did not return ClientToken, client token not set")
 	}

 	a.c.SetToken(s.Auth.ClientToken)

 	return s, nil
 }
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package api

	import (
	"context"
	"fmt"
	)

	// Auth is used to perform credential backend related operations.
	type Auth struct {
	c *Client
	}

	type AuthMethod interface {
	Login(ctx context.Context, client Client) (Secret, error)
	}

	// Auth is used to return the client for credential-backend API calls.
	func (c Client) Auth() Auth {
	return &Auth{c: c}
	}

	// Login sets up the required request body for login requests to the given auth
	// method's /login API endpoint, and then performs a write to it. After a
	// successful login, this method will automatically set the client's token to
	// the login response's ClientToken as well.
	//
	// The Secret returned is the authentication secret, which if desired can be
	// passed as input to the NewLifetimeWatcher method in order to start
	// automatically renewing the token.
	func (a Auth) Login(ctx context.Context, authMethod AuthMethod) (Secret, error) {
	if authMethod == nil {
	return nil, fmt.Errorf("no auth method provided for login")
	}
	return a.login(ctx, authMethod)
	}

	// MFALogin is a wrapper that helps satisfy Vault's MFA implementation.
	// If optional credentials are provided a single-phase login will be attempted
	// and the resulting Secret will contain a ClientToken if the authentication is successful.
	// The client's token will also be set accordingly.
	//
	// If no credentials are provided a two-phase MFA login will be assumed and the resulting
	// Secret will have a MFARequirement containing the MFARequestID to be used in a follow-up
	// call to `sys/mfa/validate` or by passing it to the method (*Auth).MFAValidate.
	func (a Auth) MFALogin(ctx context.Context, authMethod AuthMethod, creds ...string) (Secret, error) {
	if len(creds) > 0 {
	a.c.SetMFACreds(creds)
	return a.login(ctx, authMethod)
	}

	return a.twoPhaseMFALogin(ctx, authMethod)
	}

	// MFAValidate validates an MFA request using the appropriate payload and a secret containing
	// Auth.MFARequirement, like the one returned by MFALogin when credentials are not provided.
	// Upon successful validation the client token will be set accordingly.
	//
	// The Secret returned is the authentication secret, which if desired can be
	// passed as input to the NewLifetimeWatcher method in order to start
	// automatically renewing the token.
	func (a Auth) MFAValidate(ctx context.Context, mfaSecret Secret, payload map[string]interface{}) (*Secret, error) {
	if mfaSecret == nil \|\| mfaSecret.Auth == nil \|\| mfaSecret.Auth.MFARequirement == nil {
	return nil, fmt.Errorf("secret does not contain MFARequirements")
	}

	s, err := a.c.Sys().MFAValidateWithContext(ctx, mfaSecret.Auth.MFARequirement.MFARequestID, payload)
	if err != nil {
	return nil, err
	}

	return a.checkAndSetToken(s)
	}

	// login performs the (*AuthMethod).Login() with the configured client and checks that a ClientToken is returned
	func (a Auth) login(ctx context.Context, authMethod AuthMethod) (Secret, error) {
	s, err := authMethod.Login(ctx, a.c)
	if err != nil {
	return nil, fmt.Errorf("unable to log in to auth method: %w", err)
	}

	return a.checkAndSetToken(s)
	}

	// twoPhaseMFALogin performs the (*AuthMethod).Login() with the configured client
	// and checks that an MFARequirement is returned
	func (a Auth) twoPhaseMFALogin(ctx context.Context, authMethod AuthMethod) (Secret, error) {
	s, err := authMethod.Login(ctx, a.c)
	if err != nil {
	return nil, fmt.Errorf("unable to log in: %w", err)
	}
	if s == nil \|\| s.Auth == nil \|\| s.Auth.MFARequirement == nil {
	if s != nil {
	s.Warnings = append(s.Warnings, "expected secret to contain MFARequirements")
	}
	return s, fmt.Errorf("assumed two-phase MFA login, returned secret is missing MFARequirements")
	}

	return s, nil
	}

	func (a Auth) checkAndSetToken(s Secret) (*Secret, error) {
	if s == nil \|\| s.Auth == nil \|\| s.Auth.ClientToken == "" {
	if s != nil {
	s.Warnings = append(s.Warnings, "expected secret to contain ClientToken")
	}
	return s, fmt.Errorf("response did not return ClientToken, client token not set")
	}

	a.c.SetToken(s.Auth.ClientToken)

	return s, nil
	}