consul/agent/connect/ca/provider_vault_auth_jwt.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package ca

import (
	"fmt"
	"os"
	"strings"

	"github.com/hashicorp/consul/agent/structs"
)

func NewJwtAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
	params := authMethod.Params

	role, ok := params["role"].(string)
	if !ok || strings.TrimSpace(role) == "" {
		return nil, fmt.Errorf("missing 'role' value")
	}

	authClient := NewVaultAPIAuthClient(authMethod, "")
	if legacyCheck(params, "jwt") {
		return authClient, nil
	}

	// The path is required for the auto-auth config, but this auth provider
	// seems to be used for jwt based auth by directly passing the jwt token.
	// So we only require the token file path if the token string isn't
	// present.
	tokenPath, ok := params["path"].(string)
	if !ok || strings.TrimSpace(tokenPath) == "" {
		return nil, fmt.Errorf("missing 'path' value")
	}
	authClient.LoginDataGen = JwtLoginDataGen
	return authClient, nil
}

func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
	params := authMethod.Params
	role := params["role"].(string)

	tokenPath := params["path"].(string)
	rawToken, err := os.ReadFile(tokenPath)
	if err != nil {
		return nil, err
	}

	return map[string]any{
		"role": role,
		"jwt":  strings.TrimSpace(string(rawToken)),
	}, nil
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
add provider ca support for jwt file base auth Adds support for a jwt token in a file. Simply reads the file and sends the read in jwt along to the vault login. It also supports a legacy mode with the jwt string being passed directly. In which case the path is made optional. 2023-03-02 20:33:06 +00:00			`package ca`

			`import (`
			`"fmt"`
			`"os"`
			`"strings"`

			`"github.com/hashicorp/consul/agent/structs"`
			`)`

			`func NewJwtAuthClient(authMethod structs.VaultAuthMethod) (VaultAuthClient, error) {`
			`params := authMethod.Params`

			`role, ok := params["role"].(string)`
			`if !ok \|\| strings.TrimSpace(role) == "" {`
			`return nil, fmt.Errorf("missing 'role' value")`
			`}`

			`authClient := NewVaultAPIAuthClient(authMethod, "")`
			`if legacyCheck(params, "jwt") {`
			`return authClient, nil`
			`}`

			`// The path is required for the auto-auth config, but this auth provider`
			`// seems to be used for jwt based auth by directly passing the jwt token.`
			`// So we only require the token file path if the token string isn't`
			`// present.`
			`tokenPath, ok := params["path"].(string)`
			`if !ok \|\| strings.TrimSpace(tokenPath) == "" {`
			`return nil, fmt.Errorf("missing 'path' value")`
			`}`
			`authClient.LoginDataGen = JwtLoginDataGen`
			`return authClient, nil`
			`}`

			`func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {`
			`params := authMethod.Params`
			`role := params["role"].(string)`

			`tokenPath := params["path"].(string)`
			`rawToken, err := os.ReadFile(tokenPath)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return map[string]any{`
			`"role": role,`
			`"jwt": strings.TrimSpace(string(rawToken)),`
			`}, nil`
			`}`