fix: look for vault cached token before login #544

Merged
merged 2 commits into from
Nov 8, 2023
Merged
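--- a/pkg/auth/vault/approle.go
+++ b/pkg/auth/vault/approle.go
@@ -33,6 +33,13 @@ func NewAppRoleAuth(roleID, secretID, mountPath string) *AppRoleAuth {
 
 // Authenticate authenticates with Vault using App Role and returns a token
 func (a *AppRoleAuth) Authenticate(vaultClient *api.Client) error {
+err := utils.LoginWithCachedToken(vaultClient)
+if err != nil {
+utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
+} else {
+return nil
+}
+
 payload := map[string]interface{}{
 "role_id": a.RoleID,
 "secret_id": a.SecretID,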
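Review bot: The cached token is now preferred over the configured role_id/secret_id with nothing tying it to this Vault address, auth mount or role, so a changed AppRole configuration or a rotated secret_id is silently ignored for as long as the cached token stays valid; whether `LoginWithCachedToken` actually validates the token against Vault (a lookup-self) or only loads it from disk is not visible in this hunk. Consider keying the cache on the Vault address plus auth method and identity, or at least documenting on Authenticate that a stale cache must be cleared by hand, e.g. `// A cached token in ~/.avp/config.json short-circuits the AppRole login regardless of RoleID/SecretID; delete the file to force a fresh login.` Authenticate's body continues past the end of the hunk.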
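--- a/pkg/auth/vault/approle_test.go
+++ b/pkg/auth/vault/approle_test.go
@@ -1,9 +1,11 @@
 package vault_test
 
 import (
+"bytes"
 "testing"
 
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/auth/vault"
+"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/helpers"
 )
 
@@ -17,4 +19,23 @@ func TestAppRoleLogin(t *testing.T) {
 if err != nil {
 t.Fatalf("expected no errors but got: %s", err)
 }
+
+cachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+err = appRole.Authenticate(cluster.Cores[0].Client)
+if err != nil {
+t.Fatalf("expected no errors but got: %s", err)
+}
+
+newCachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+if bytes.Compare(cachedToken, newCachedToken) != 0 {
+t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken)
+}
 }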
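Review bot: The new assertions only show that the config file on disk did not change between the two Authenticate calls; they never check that the client is actually using the cached token, which is the behaviour the PR title claims. Capture `before := cluster.Cores[0].Client.Token()` before the second Authenticate and assert it equals `cluster.Cores[0].Client.Token()` afterwards (cachedToken holds the raw file bytes, so it is not directly comparable to the token string). The byte comparison is also more idiomatic as `if !bytes.Equal(cachedToken, newCachedToken) {`.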
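--- a/pkg/auth/vault/github.go
+++ b/pkg/auth/vault/github.go
@@ -32,6 +32,13 @@ func NewGithubAuth(token, mountPath string) *GithubAuth {
 
 // Authenticate authenticates with Vault and returns a token
 func (g *GithubAuth) Authenticate(vaultClient *api.Client) error {
+err := utils.LoginWithCachedToken(vaultClient)
+if err != nil {
+utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
+} else {
+return nil
+}
+
 payload := map[string]interface{}{
 "token": g.AccessToken,
 }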
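Review bot: The `if err != nil { … } else { return nil }` shape puts the success path in an else after a non-terminating branch, which is the opposite of the usual Go guard style. Invert it so the happy path returns early and the log sits on the fall-through: `if err == nil { return nil }` followed by the existing `utils.VerboseToStdErr(...)` call, which also makes it obvious that the GitHub login below runs only when the cache was unusable. Authenticate's body continues past the end of the hunk.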
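--- a/pkg/auth/vault/github_test.go
+++ b/pkg/auth/vault/github_test.go
@@ -1,9 +1,11 @@
 package vault_test
 
 import (
+"bytes"
 "testing"
 
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/auth/vault"
+"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/helpers"
 )
 
@@ -18,4 +20,23 @@ func TestGithubLogin(t *testing.T) {
 if err != nil {
 t.Fatalf("expected no errors but got: %s", err)
 }
+
+cachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+err = github.Authenticate(cluster.Cores[0].Client)
+if err != nil {
+t.Fatalf("expected no errors but got: %s", err)
+}
+
+newCachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+if bytes.Compare(cachedToken, newCachedToken) != 0 {
+t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken)
+}
 }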
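Review bot: `utils.ReadExistingToken` resolves the cache through `os.UserHomeDir()`, so unless `helpers.CreateTestVault` redirects HOME (not visible here) this test reads and overwrites the developer's real `~/.avp/config.json`: a test Vault token is left behind on the machine, and a real cached token from an earlier run can be picked up by the new cached-token path. Isolate the cache per test with `t.Setenv("HOME", t.TempDir())` at the top of the function (Go 1.17+; check go.mod), which also stops the four auth tests from sharing one cache file in run order. The point applies to the other three test files in this PR as well.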
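--- a/pkg/auth/vault/kubernetes.go
+++ b/pkg/auth/vault/kubernetes.go
@@ -39,6 +39,13 @@ func NewK8sAuth(role, mountPath, tokenPath string) *K8sAuth {
 
 // Authenticate authenticates with Vault via K8s and returns a token
 func (k *K8sAuth) Authenticate(vaultClient *api.Client) error {
+err := utils.LoginWithCachedToken(vaultClient)
+if err != nil {
+utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
+} else {
+return nil
+}
+
 token, err := k.getJWT()
 if err != nil {
 return err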
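Review bot: The fallback to `k.getJWT()` is taken only when `LoginWithCachedToken` returns an error, and the hunk does not show whether a cache entry that exists but is expired or revoked is reported as an error or silently installed on the client; in the latter case a pod with a stale `~/.avp/config.json` skips the Kubernetes login and fails later at the first secret read with a much less obvious message. Please document the contract on Authenticate so callers know which case they get: `// A usable cached token (see utils.LoginWithCachedToken) short-circuits the Kubernetes login; the service-account JWT at tokenPath is read only when no cached token can be loaded.` Authenticate's body continues past the end of the hunk.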
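--- a/pkg/auth/vault/kubernetes_test.go
+++ b/pkg/auth/vault/kubernetes_test.go
@@ -1,12 +1,14 @@
 package vault_test
 
 import (
+"bytes"
 "fmt"
 "os"
 "path/filepath"
 "testing"
 
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/auth/vault"
+"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/helpers"
 )
 
@@ -51,6 +53,25 @@ func TestKubernetesAuth(t *testing.T) {
 t.Fatalf("expected no errors but got: %s", err)
 }
 
+cachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+err = k8s.Authenticate(cluster.Cores[0].Client)
+if err != nil {
+t.Fatalf("expected no errors but got: %s", err)
+}
+
+newCachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+if bytes.Compare(cachedToken, newCachedToken) != 0 {
+t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken)
+}
+
 err = removeK8sToken()
 if err != nil {
 fmt.Println(err)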
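Review bot: The four new `t.Fatalf` exits sit ahead of the `removeK8sToken()` call at the bottom of the hunk, so any failure in the cached-token checks now also leaves the fake service-account token file on disk; register the removal with `t.Cleanup(func() { _ = removeK8sToken() })` where the file is created (outside this hunk) instead of relying on reaching the end of the test. The "Generating a new one" branch that this PR adds is also untested: a second case that overwrites the cache with a token the test cluster does not know, calls Authenticate, and asserts that the cache now holds a different token would pin the fallback. TestKubernetesAuth starts before the hunk.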
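--- a/pkg/auth/vault/userpass.go
+++ b/pkg/auth/vault/userpass.go
@@ -33,6 +33,13 @@ func NewUserPassAuth(username, password, mountPath string) *UserPassAuth {
 
 // Authenticate authenticates with Vault using userpass and returns a token
 func (a *UserPassAuth) Authenticate(vaultClient *api.Client) error {
+err := utils.LoginWithCachedToken(vaultClient)
+if err != nil {
+utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
+} else {
+return nil
+}
+
 payload := map[string]interface{}{
 "password": a.Password,
 }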
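Review bot: This is the fourth verbatim copy of the same six-line preamble (approle, github, kubernetes, userpass), including the log wording, so any later change to the caching policy — validating the token, keying it on the Vault address, changing the message — has to be made in four places. Hoist it into one helper next to `LoginWithCachedToken`, e.g. `func TryCachedToken(vaultClient *api.Client) bool` that logs and returns false on failure, and reduce each Authenticate to `if utils.TryCachedToken(vaultClient) { return nil }`. Authenticate's body continues past the end of the hunk.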
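--- a/pkg/auth/vault/userpass_test.go
+++ b/pkg/auth/vault/userpass_test.go
@@ -1,9 +1,12 @@
 package vault_test
 
 import (
+"bytes"
+"testing"
+
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/auth/vault"
+"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
 "github.com/argoproj-labs/argocd-vault-plugin/pkg/helpers"
-"testing"
 )
 
 func TestUserPassLogin(t *testing.T) {
@@ -15,4 +18,23 @@ func TestUserPassLogin(t *testing.T) {
 if err := userpass.Authenticate(cluster.Cores[0].Client); err != nil {
 t.Fatalf("expected no errors but got: %s", err)
 }
+
+cachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+err = userpass.Authenticate(cluster.Cores[0].Client)
+if err != nil {
+t.Fatalf("expected no errors but got: %s", err)
+}
+
+newCachedToken, err := utils.ReadExistingToken()
+if err != nil {
+t.Fatalf("expected cached vault token but got: %s", err)
+}
+
+if bytes.Compare(cachedToken, newCachedToken) != 0 {
+t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken)
+}
 }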
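Review bot: The import block is only half tidied: `"testing"` is moved up into the standard-library group, but the new `".../pkg/utils"` line is placed before `".../pkg/helpers"`, which goimports will swap back on the next formatting pass and produce churn in an unrelated change. Order the project group alphabetically, helpers then utils, in this file and in the other three test files that add the same import. The four added assertion blocks are identical across the files and could live in one helper, e.g. `assertCachedTokenReused(t, auth, client)`, so a later fix to the check is made once.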
21 changes: 15 additions & 6 deletions pkg/utils/util.go
Expand Up @@ -15,28 +15,37 @@ import (
"github.com/spf13/viper"
)

// CheckExistingToken takes a VaultType interface and logs in, while writting the config file
// And setting the token in the client
func CheckExistingToken(vaultClient *api.Client) error {
func ReadExistingToken() ([]byte, error) {
home, err := os.UserHomeDir()
if err != nil {
return err
return nil, err
}

avpConfigPath := filepath.Join(home, ".avp", "config.json")
if _, err := os.Stat(avpConfigPath); err != nil {
return err
return nil, err
}

// Open our jsonFile
jsonFile, err := os.Open(avpConfigPath)
if err != nil {
return err
return nil, err
}
// defer the closing of our jsonFile so that we can parse it later on
defer jsonFile.Close()

byteValue, err := io.ReadAll(jsonFile)
if err != nil {
return nil, err
}

return byteValue, nil
}

// LoginWithCachedToken takes a VaultType interface and tries to log in with the previously cached token,
// And sets the token in the client
func LoginWithCachedToken(vaultClient *api.Client) error {
byteValue, err := ReadExistingToken()
if err != nil {
return err
}
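Review bot: `ReadExistingToken` is exported but has no doc comment (the old `CheckExistingToken` comment was dropped rather than moved), and the `LoginWithCachedToken` comment says it "takes a VaultType interface" while the parameter is `*api.Client`. Suggested wording: `// ReadExistingToken returns the raw contents of ~/.avp/config.json, the file LoginWithCachedToken loads the cached Vault token from.` and `// LoginWithCachedToken loads the cached token from ReadExistingToken and sets it on vaultClient.` The Stat/Open/ReadAll sequence can be a single `os.ReadFile(avpConfigPath)`, which removes the check-then-open window and the redundant stat while returning the same errors. Since this file holds a Vault token, consider rejecting a cache whose mode is group- or world-readable unless the writer already enforces 0600 — that side is not visible here. LoginWithCachedToken's body continues past the end of the hunk.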
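--- a/pkg/utils/utils_test.go
+++ b/pkg/utils/utils_test.go
@@ -62,7 +62,7 @@ func TestCheckExistingToken(t *testing.T) {
 t.Fatal(err)
 }
 
-err = utils.CheckExistingToken(client)
+err = utils.LoginWithCachedToken(client)
 if err != nil {
 t.Fatal(err)
 }
@@ -78,11 +78,11 @@ func TestCheckExistingToken(t *testing.T) {
 }
 })
 
-t.Run("will throw an error if no toekn", func(t *testing.T) {
+t.Run("will throw an error if no token", func(t *testing.T) {
 ln, client, _ := helpers.CreateTestVault(t)
 defer ln.Close()
 
-err := utils.CheckExistingToken(client)
+err := utils.LoginWithCachedToken(client)
 if err == nil {
 t.Fatal(err)
 }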