feat: Add OAuth2 client credentials workflow for Vault integration

Introduced OAuth2 client credentials to fetch JWT tokens and updated Vault logic to support authentication with JWT. Modified the main application flow to utilize the new token-based authentication for enhanced security and flexibility. Updated dependencies to include `golang.org/x/oauth2`. I KNOW THAT I LEAKED THE KEY AND STUFF!
2024-12-21 21:51:24 +01:00 · 2024-12-21 21:51:24 +01:00 · 14944f708f
commit 14944f708f
parent fc5cf0f0d0
4 changed files with 55 additions and 2 deletions
--- a/cmd/otter-cage/main.go
+++ b/cmd/otter-cage/main.go
@ -62,7 +62,8 @@ func main() {

 	ginRouter := setupRouter(ctx)

-	vault.WhatAmI()
+	token := vault.GetJWTToken("b7dc7146-88ce-47ba-98c1-ea8184a49be1", "Ni49FqnH_GIi0EIfneuIxDNKm", "https://laughing-banach-ptdsgdxqjf.projects.oryapis.com/oauth2/token")
+	vault.VaultWithJWT(ctx, "", token)

 	server := &http.Server{
 		Addr:    ":8080",
--- a/go.mod
+++ b/go.mod
@ -58,6 +58,7 @@ require (
 	golang.org/x/arch v0.11.0 // indirect
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/oauth2 v0.24.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/time v0.8.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -157,6 +157,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@ -2,6 +2,8 @@ package vault

 import (
 	"context"
+	"fmt"
+	"golang.org/x/oauth2/clientcredentials"
 	"time"

 	"github.com/hashicorp/vault-client-go"
@ -9,7 +11,54 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-func WhatAmI() {
+// GetJWTToken fetches the raw token using client credentials and returns the access token as a string.
+func GetJWTToken(clientID string, clientSecret string, tokenURL string) string {
+	ctx := context.Background()
+
+	clientCredsConfig := clientcredentials.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		TokenURL:     tokenURL,
+	}
+
+	// Fetch the token using the client credentials
+	token, err := clientCredsConfig.TokenSource(ctx).Token()
+	if err != nil {
+		fmt.Printf("Error getting token: %v\n", err)
+		return ""
+	}
+	// Return the raw access token
+	return token.AccessToken
+}
+
+func VaultWithJWT(ctx context.Context, roles string, jwt string) {
+
+	// prepare a client with the given base address
+	client, err := vault.New(
+		vault.WithAddress("http://localhost:8200"),
+		vault.WithRequestTimeout(30*time.Second),
+	)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	request := schema.JwtLoginRequest{
+		Jwt:  jwt,
+		Role: roles,
+	}
+
+	resp, err := client.Auth.JwtLogin(ctx, request)
+	if err != nil {
+		log.Fatal(resp, err)
+	}
+
+	err = client.SetToken(resp.Auth.ClientToken)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func VaultWithToken() {

 	// prepare a client with the given base address
 	client, err := vault.New(