Add option to specify auth backend mount path in Vault

msolimans · May 3, 2018 · c9535ae · c9535ae
1 parent b51998d
commit c9535ae
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 7 deletions.
diff --git a/backends/client.go b/backends/client.go
@@ -75,6 +75,7 @@ func New(config Config) (StoreClient, error) {
 			"cert":      config.ClientCert,
 			"key":       config.ClientKey,
 			"caCert":    config.ClientCaKeys,
+			"path":      config.VaultPath,
 		}
 		return vault.New(backendNodes[0], config.AuthType, vaultConfig)
 	case "dynamodb":

diff --git a/backends/config.go b/backends/config.go
@@ -23,6 +23,7 @@ type Config struct {
 	RoleID       string     `toml:"role_id"`
 	SecretID     string     `toml:"secret_id"`
 	YAMLFile     util.Nodes `toml:"file"`
-  	Filter       string     `toml:"filter"`
+	Filter       string     `toml:"filter"`
+	VaultPath    string     `toml:"vault_path"`
 	Role         string
 }
diff --git a/backends/vault/client.go b/backends/vault/client.go
@@ -51,40 +51,49 @@ func authenticate(c *vaultapi.Client, authType string, params map[string]string)
 	// this would happen when we get a parameter that is missing
 	defer panicToError(&err)
 
+	path := params["path"]
+	if path == "" {
+		path = authType
+		if authType == "app-role" {
+			path = "approle"
+		}
+	}
+	url := fmt.Sprintf("/auth/%s/login", path)
+
 	switch authType {
 	case "app-role":
-		secret, err = c.Logical().Write("/auth/approle/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"role_id":   getParameter("role-id", params),
 			"secret_id": getParameter("secret-id", params),
 		})
 	case "app-id":
-		secret, err = c.Logical().Write("/auth/app-id/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"app_id":  getParameter("app-id", params),
 			"user_id": getParameter("user-id", params),
 		})
 	case "github":
-		secret, err = c.Logical().Write("/auth/github/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"token": getParameter("token", params),
 		})
 	case "token":
 		c.SetToken(getParameter("token", params))
 		secret, err = c.Logical().Read("/auth/token/lookup-self")
 	case "userpass":
 		username, password := getParameter("username", params), getParameter("password", params)
-		secret, err = c.Logical().Write(fmt.Sprintf("/auth/userpass/login/%s", username), map[string]interface{}{
+		secret, err = c.Logical().Write(fmt.Sprintf("%s/%s", url, username), map[string]interface{}{
 			"password": password,
 		})
 	case "kubernetes":
 		jwt, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
 		if err != nil {
 			return err
 		}
-		secret, err = c.Logical().Write("/auth/kubernetes/login", map[string]interface{}{
+		secret, err = c.Logical().Write(url, map[string]interface{}{
 			"jwt":  string(jwt[:]),
 			"role": getParameter("role-id", params),
 		})
 	case "cert":
-		secret, err = c.Logical().Write("/auth/cert/login", map[string]interface{}{})
+		secret, err = c.Logical().Write(url, map[string]interface{}{})
 	}
 
 	if err != nil {

diff --git a/config.go b/config.go
@@ -66,6 +66,7 @@ func init() {
 	flag.StringVar(&config.UserID, "user-id", "", "Vault user-id to use with the app-id backend (only used with -backend=value and auth-type=app-id)")
 	flag.StringVar(&config.RoleID, "role-id", "", "Vault role-id to use with the AppRole, Kubernetes backends (only used with -backend=vault and either auth-type=app-role or auth-type=kubernetes)")
 	flag.StringVar(&config.SecretID, "secret-id", "", "Vault secret-id to use with the AppRole backend (only used with -backend=vault and auth-type=app-role)")
+	flag.StringVar(&config.VaultPath, "vault-path", "", "Vault mount path of the auth method (only used with -backend=vault)")
 	flag.StringVar(&config.Table, "table", "", "the name of the DynamoDB table (only used with -backend=dynamodb)")
 	flag.StringVar(&config.Separator, "separator", "", "the separator to replace '/' with when looking up keys in the backend, prefixed '/' will also be removed (only used with -backend=redis)")
 	flag.StringVar(&config.Username, "username", "", "the username to authenticate as (only used with vault and etcd backends)")

diff --git a/integration/vault-path/test.sh b/integration/vault-path/test.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+vault mount -path database generic
+vault mount -path key generic
+vault mount -path upstream generic
+vault mount -path nested generic
+
+vault write key value=foobar
+vault write database/host value=127.0.0.1
+vault write database/port value=3306
+vault write database/username value=confd
+vault write database/password value=p@sSw0rd
+vault write upstream app1=10.0.1.10:8080 app2=10.0.1.11:8080
+vault write nested/east/app1 value=10.0.1.10:8080
+vault write nested/west/app2 value=10.0.1.11:8080
+
+vault auth enable -path=test approle
+
+echo 'path "*" {
+  capabilities = ["read"]
+}' > my-policy.hcl
+
+vault write sys/policy/my-policy [email protected]
+
+vault write auth/test/role/my-role secret_id_ttl=120m token_num_uses=1000 token_ttl=60m token_max_ttl=120m secret_id_num_uses=10000
+
+export ROLE_ID=$(vault read -field=role_id auth/test/role/my-role/role-id)
+export SECRET_ID=$(vault write -f -field=secret_id auth/test/role/my-role/secret-id)
+
+# Run confd
+confd --onetime --log-level debug \
+      --confdir ./integration/confdir \
+      --backend vault \
+      --auth-type app-role \
+      --role-id $ROLE_ID \
+      --secret-id $SECRET_ID \
+      --vault-path=test \
+      --node http://127.0.0.1:8200