v1.14.6/builtin/credential/token/cli.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package token

 import (
 	"fmt"
 	"io"
 	"os"
 	"strconv"
 	"strings"

 	"github.com/hashicorp/go-secure-stdlib/password"
 	"github.com/hashicorp/vault/api"
 )

 type CLIHandler struct {
 	// for tests
 	testStdin  io.Reader
 	testStdout io.Writer
 }

 func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
 	// Parse "lookup" first - we want to return an early error if the user
 	// supplied an invalid value here before we prompt them for a token. It would
 	// be annoying to type your token and then be told you supplied an invalid
 	// value that we could have known in advance.
 	lookup := true
 	if x, ok := m["lookup"]; ok {
 		parsed, err := strconv.ParseBool(x)
 		if err != nil {
 			return nil, fmt.Errorf("Failed to parse \"lookup\" as boolean: %w", err)
 		}
 		lookup = parsed
 	}

 	// Parse the token.
 	token, ok := m["token"]
 	if !ok {
 		// Override the output
 		stdout := h.testStdout
 		if stdout == nil {
 			stdout = os.Stderr
 		}

 		// No arguments given, read the token from user input
 		fmt.Fprintf(stdout, "Token (will be hidden): ")
 		var err error
 		token, err = password.Read(os.Stdin)
 		fmt.Fprintf(stdout, "\n")

 		if err != nil {
 			if err == password.ErrInterrupted {
 				return nil, fmt.Errorf("user interrupted")
 			}

 			return nil, fmt.Errorf("An error occurred attempting to "+
 				"ask for a token. The raw error message is shown below, but usually "+
 				"this is because you attempted to pipe a value into the command or "+
 				"you are executing outside of a terminal (tty). If you want to pipe "+
 				"the value, pass \"-\" as the argument to read from stdin. The raw "+
 				"error was: %w", err)
 		}
 	}

 	// Remove any whitespace, etc.
 	token = strings.TrimSpace(token)

 	if token == "" {
 		return nil, fmt.Errorf(
 			"a token must be passed to auth, please view the help for more " +
 				"information")
 	}

 	// If the user declined verification, return now. Note that we will not have
 	// a lot of information about the token.
 	if !lookup {
 		return &api.Secret{
 			Auth: &api.SecretAuth{
 				ClientToken: token,
 			},
 		}, nil
 	}

 	// If we got this far, we want to lookup and lookup the token and pull it's
 	// list of policies an metadata.
 	c.SetToken(token)
 	c.SetWrappingLookupFunc(func(string, string) string { return "" })

 	secret, err := c.Auth().Token().LookupSelf()
 	if err != nil {
 		return nil, fmt.Errorf("error looking up token: %w", err)
 	}
 	if secret == nil {
 		return nil, fmt.Errorf("empty response from lookup-self")
 	}

 	// Return an auth struct that "looks" like the response from an auth method.
 	// lookup and lookup-self return their data in data, not auth. We try to
 	// mirror that data here.
 	id, err := secret.TokenID()
 	if err != nil {
 		return nil, fmt.Errorf("error accessing token ID: %w", err)
 	}
 	accessor, err := secret.TokenAccessor()
 	if err != nil {
 		return nil, fmt.Errorf("error accessing token accessor: %w", err)
 	}
 	// This populates secret.Auth
 	_, err = secret.TokenPolicies()
 	if err != nil {
 		return nil, fmt.Errorf("error accessing token policies: %w", err)
 	}
 	metadata, err := secret.TokenMetadata()
 	if err != nil {
 		return nil, fmt.Errorf("error accessing token metadata: %w", err)
 	}
 	dur, err := secret.TokenTTL()
 	if err != nil {
 		return nil, fmt.Errorf("error converting token TTL: %w", err)
 	}
 	renewable, err := secret.TokenIsRenewable()
 	if err != nil {
 		return nil, fmt.Errorf("error checking if token is renewable: %w", err)
 	}
 	return &api.Secret{
 		Auth: &api.SecretAuth{
 			ClientToken:      id,
 			Accessor:         accessor,
 			Policies:         secret.Auth.Policies,
 			TokenPolicies:    secret.Auth.TokenPolicies,
 			IdentityPolicies: secret.Auth.IdentityPolicies,
 			Metadata:         metadata,

 			LeaseDuration: int(dur.Seconds()),
 			Renewable:     renewable,
 		},
 	}, nil
 }

 func (h *CLIHandler) Help() string {
 	help := `
 Usage: vault login TOKEN [CONFIG K=V...]

   The token auth method allows logging in directly with a token. This
   can be a token from the "token-create" command or API. There are no
   configuration options for this auth method.

   Authenticate using a token:

       $ vault login 96ddf4bc-d217-f3ba-f9bd-017055595017

   Authenticate but do not lookup information about the token:

       $ vault login token=96ddf4bc-d217-f3ba-f9bd-017055595017 lookup=false

   This token usually comes from a different source such as the API or via the
   built-in "vault token create" command.

 Configuration:

   token=<string>
       The token to use for authentication. This is usually provided directly
       via the "vault login" command.

   lookup=<bool>
       Perform a lookup of the token's metadata and policies.
 `

 	return strings.TrimSpace(help)
 }
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package token

	import (
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"

	"github.com/hashicorp/go-secure-stdlib/password"
	"github.com/hashicorp/vault/api"
	)

	type CLIHandler struct {
	// for tests
	testStdin io.Reader
	testStdout io.Writer
	}

	func (h CLIHandler) Auth(c api.Client, m map[string]string) (*api.Secret, error) {
	// Parse "lookup" first - we want to return an early error if the user
	// supplied an invalid value here before we prompt them for a token. It would
	// be annoying to type your token and then be told you supplied an invalid
	// value that we could have known in advance.
	lookup := true
	if x, ok := m["lookup"]; ok {
	parsed, err := strconv.ParseBool(x)
	if err != nil {
	return nil, fmt.Errorf("Failed to parse \"lookup\" as boolean: %w", err)
	}
	lookup = parsed
	}

	// Parse the token.
	token, ok := m["token"]
	if !ok {
	// Override the output
	stdout := h.testStdout
	if stdout == nil {
	stdout = os.Stderr
	}

	// No arguments given, read the token from user input
	fmt.Fprintf(stdout, "Token (will be hidden): ")
	var err error
	token, err = password.Read(os.Stdin)
	fmt.Fprintf(stdout, "\n")

	if err != nil {
	if err == password.ErrInterrupted {
	return nil, fmt.Errorf("user interrupted")
	}

	return nil, fmt.Errorf("An error occurred attempting to "+
	"ask for a token. The raw error message is shown below, but usually "+
	"this is because you attempted to pipe a value into the command or "+
	"you are executing outside of a terminal (tty). If you want to pipe "+
	"the value, pass \"-\" as the argument to read from stdin. The raw "+
	"error was: %w", err)
	}
	}

	// Remove any whitespace, etc.
	token = strings.TrimSpace(token)

	if token == "" {
	return nil, fmt.Errorf(
	"a token must be passed to auth, please view the help for more " +
	"information")
	}

	// If the user declined verification, return now. Note that we will not have
	// a lot of information about the token.
	if !lookup {
	return &api.Secret{
	Auth: &api.SecretAuth{
	ClientToken: token,
	},
	}, nil
	}

	// If we got this far, we want to lookup and lookup the token and pull it's
	// list of policies an metadata.
	c.SetToken(token)
	c.SetWrappingLookupFunc(func(string, string) string { return "" })

	secret, err := c.Auth().Token().LookupSelf()
	if err != nil {
	return nil, fmt.Errorf("error looking up token: %w", err)
	}
	if secret == nil {
	return nil, fmt.Errorf("empty response from lookup-self")
	}

	// Return an auth struct that "looks" like the response from an auth method.
	// lookup and lookup-self return their data in data, not auth. We try to
	// mirror that data here.
	id, err := secret.TokenID()
	if err != nil {
	return nil, fmt.Errorf("error accessing token ID: %w", err)
	}
	accessor, err := secret.TokenAccessor()
	if err != nil {
	return nil, fmt.Errorf("error accessing token accessor: %w", err)
	}
	// This populates secret.Auth
	_, err = secret.TokenPolicies()
	if err != nil {
	return nil, fmt.Errorf("error accessing token policies: %w", err)
	}
	metadata, err := secret.TokenMetadata()
	if err != nil {
	return nil, fmt.Errorf("error accessing token metadata: %w", err)
	}
	dur, err := secret.TokenTTL()
	if err != nil {
	return nil, fmt.Errorf("error converting token TTL: %w", err)
	}
	renewable, err := secret.TokenIsRenewable()
	if err != nil {
	return nil, fmt.Errorf("error checking if token is renewable: %w", err)
	}
	return &api.Secret{
	Auth: &api.SecretAuth{
	ClientToken: id,
	Accessor: accessor,
	Policies: secret.Auth.Policies,
	TokenPolicies: secret.Auth.TokenPolicies,
	IdentityPolicies: secret.Auth.IdentityPolicies,
	Metadata: metadata,

	LeaseDuration: int(dur.Seconds()),
	Renewable: renewable,
	},
	}, nil
	}

	func (h *CLIHandler) Help() string {
	help := `
	Usage: vault login TOKEN [CONFIG K=V...]

	The token auth method allows logging in directly with a token. This
	can be a token from the "token-create" command or API. There are no
	configuration options for this auth method.

	Authenticate using a token:

	$ vault login 96ddf4bc-d217-f3ba-f9bd-017055595017

	Authenticate but do not lookup information about the token:

	$ vault login token=96ddf4bc-d217-f3ba-f9bd-017055595017 lookup=false

	This token usually comes from a different source such as the API or via the
	built-in "vault token create" command.

	Configuration:

	token=<string>
	The token to use for authentication. This is usually provided directly
	via the "vault login" command.

	lookup=<bool>
	Perform a lookup of the token's metadata and policies.
	`

	return strings.TrimSpace(help)
	}