From 14944f708fc9764e390f45f1233eba0128cc3a19 Mon Sep 17 00:00:00 2001
From: SoXX
Date: Sat, 21 Dec 2024 21:51:24 +0100
Subject: [PATCH] feat: Add OAuth2 client credentials workflow for Vault integration

Introduced OAuth2 client credentials to fetch JWT tokens and updated Vault logic to support authentication with JWT. Modified the main application flow to utilize the new token-based authentication for enhanced security and flexibility. Updated dependencies to include `golang.org/x/oauth2`. I KNOW THAT I LEAKED THE KEY AND STUFF!

---
 cmd/otter-cage/main.go | 3 ++-
 go.mod | 1 +
 go.sum | 2 ++
 internal/vault/vault.go | 51 ++++++++++++++++++++++++++++++++++++++++-
 4 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/cmd/otter-cage/main.go b/cmd/otter-cage/main.go
index fce2c8f..e291355 100644
--- a/cmd/otter-cage/main.go
+++ b/cmd/otter-cage/main.go
@@ -62,7 +62,8 @@ func main() {
 ginRouter := setupRouter(ctx)
- vault.WhatAmI()
+ token := vault.GetJWTToken("b7dc7146-88ce-47ba-98c1-ea8184a49be1", "Ni49FqnH_GIi0EIfneuIxDNKm", "https://laughing-banach-ptdsgdxqjf.projects.oryapis.com/oauth2/token")
+ vault.VaultWithJWT(ctx, "", token)
 server := &http.Server{
 Addr: ":8080",
diff --git a/go.mod b/go.mod
index 481a3ca..896d699 100644
--- a/go.mod
+++ b/go.mod
@@ -58,6 +58,7 @@ require (
 golang.org/x/arch v0.11.0 // indirect
 golang.org/x/crypto v0.28.0 // indirect
 golang.org/x/net v0.30.0 // indirect
+ golang.org/x/oauth2 v0.24.0 // indirect
 golang.org/x/sys v0.28.0 // indirect
 golang.org/x/text v0.19.0 // indirect
 golang.org/x/time v0.8.0 // indirect
diff --git a/go.sum b/go.sum
index ad34216..32ec364 100644
--- a/go.sum
+++ b/go.sum
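Review bot: The OAuth2 client ID, client secret and token URL are string literals in the new `vault.GetJWTToken` call, so the secret is now part of the repository history and, as the commit message itself acknowledges, has to be treated as compromised and rotated at the identity provider no matter how this code is later cleaned up. Load all three from the process environment or the existing configuration instead, e.g. `token := vault.GetJWTToken(os.Getenv("OAUTH2_CLIENT_ID"), os.Getenv("OAUTH2_CLIENT_SECRET"), os.Getenv("OAUTH2_TOKEN_URL"))` (the variable names are placeholders to be aligned with the project's configuration, and `os` must be imported in main.go if it is not already). `GetJWTToken` returns `""` when the token request fails, as the vault.go hunk shows, and that empty string goes straight into `vault.VaultWithJWT` together with an empty role, so a failed token fetch surfaces only as a Vault JWT-login failure inside that function; check the result here, `if token == "" { /* abort startup */ }`, before the login call. The body of main continues outside the hunk.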
@@ -157,6 +157,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
diff --git a/internal/vault/vault.go b/internal/vault/vault.go
index 3286524..bba96eb 100644
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@@ -2,6 +2,8 @@ package vault
 import (
 "context"
+ "fmt"
+ "golang.org/x/oauth2/clientcredentials"
 "time"
 "github.com/hashicorp/vault-client-go"
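Review bot: `golang.org/x/oauth2/clientcredentials` is inserted into the standard-library import group between `"fmt"` and `"time"`; gofmt/goimports convention puts it in the third-party group with `github.com/hashicorp/vault-client-go`, separated from the stdlib imports by a blank line. `"fmt"` itself is brought in only so that `GetJWTToken` in the next hunk can `fmt.Printf` the token-fetch error to stdout while the rest of this file logs through logrus; reporting that error through the existing `log` logger would keep error output in one place and make the new `fmt` import unnecessary. The import block starts before the hunk and continues after it.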
@@ -9,7 +11,54 @@ import (
 log "github.com/sirupsen/logrus"
 )
-func WhatAmI() {
+// GetJWTToken fetches the raw token using client credentials and returns the access token as a string.
+func GetJWTToken(clientID string, clientSecret string, tokenURL string) string {
+ ctx := context.Background()
+
+ clientCredsConfig := clientcredentials.Config{
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ TokenURL: tokenURL,
+ }
+
+ // Fetch the token using the client credentials
+ token, err := clientCredsConfig.TokenSource(ctx).Token()
+ if err != nil {
+ fmt.Printf("Error getting token: %v\n", err)
+ return ""
+ }
+ // Return the raw access token
+ return token.AccessToken
+}
+
+func VaultWithJWT(ctx context.Context, roles string, jwt string) {
+
+ // prepare a client with the given base address
+ client, err := vault.New(
+ vault.WithAddress("http://localhost:8200"),
+ vault.WithRequestTimeout(30*time.Second),
+ )
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ request := schema.JwtLoginRequest{
+ Jwt: jwt,
+ Role: roles,
+ }
+
+ resp, err := client.Auth.JwtLogin(ctx, request)
+ if err != nil {
+ log.Fatal(resp, err)
+ }
+
+ err = client.SetToken(resp.Auth.ClientToken)
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
+func VaultWithToken() {
 // prepare a client with the given base address
 client, err := vault.New(