fix: prevent vault commands from stomping on ~/.vault-token (#61)

* fix: prevent vault commands from stomping on ~/.vault-token instead of exec'ing raw vault commands, instead just get the token or login and get the token, but don't overwrite ~/.vault-token * go mod tidy * removed codecov, no longer supported * latest stencil * go mod tidy
getoutreach · Feb 16, 2023 · 91da0c9 · 91da0c9
1 parent f5827e9
commit 91da0c9
Show file tree

Hide file tree

Showing 6 changed files with 102 additions and 23 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,7 +2,8 @@
 # syntax, such as anchors, will be fixed automatically.
 version: 2.1
 orbs:
-  shared: getoutreach/shared@dev:2.9.0-rc.4
+  shared: getoutreach/shared@dev:2.9.0-rc.12
+  queue: eddiewebb/[email protected]
 
 parameters:
   rebuild_cache:
@@ -110,6 +111,5 @@ workflows:
           context: *contexts
           filters:
             branches:
-              ignore: /.*/
-            tags:
-              only: /v[0-9]+(\.[0-9]+)*(-.*)*/
+              only:
+                - main
diff --git a/cli/login.go b/cli/login.go
@@ -3,37 +3,66 @@
 // Description: Stores functions to ensure that the user is logged into vault
 package cli //nolint:revive // Why: We're using - in the name
 import (
+	"bytes"
 	"context"
-	"os"
+	"encoding/json"
 	"os/exec"
 
-	"github.com/getoutreach/gobox/pkg/box"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"k8s.io/client-go/util/jsonpath"
+
+	"github.com/getoutreach/gobox/pkg/box"
 )
 
 // EnsureLoggedIn ensures that we are authenticated with Vault and have a valid token
-func EnsureLoggedIn(ctx context.Context, log logrus.FieldLogger, b *box.Config) error {
+func EnsureLoggedIn(ctx context.Context, log logrus.FieldLogger, b *box.Config) ([]byte, error) {
 	// Check if we need to issue a new token
 	//nolint:gosec // Why: Passing in the vault address
-	err := exec.CommandContext(ctx, "vault", "token", "lookup", "-address", b.DeveloperEnvironmentConfig.VaultConfig.Address).Run()
+	output, err := exec.CommandContext(ctx,
+		"vault",
+		"token",
+		"lookup",
+		"-format",
+		"json",
+		"-address",
+		b.DeveloperEnvironmentConfig.VaultConfig.Address).
+		CombinedOutput()
 	if err != nil {
 		// We did, so issue a new token using our authentication method
 		//nolint:gosec // Why: passing in the auth method and vault address
-		cmd := exec.CommandContext(ctx, "vault", "login", "-no-print",
+		cmd := exec.CommandContext(ctx, "vault",
+			"login",
+			"-token-only",
+			"-format",
+			"json",
 			"-method",
 			b.DeveloperEnvironmentConfig.VaultConfig.AuthMethod,
 			"-address", b.DeveloperEnvironmentConfig.VaultConfig.Address,
 		)
-		cmd.Stdin = os.Stdin
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-
-		err = cmd.Run()
+		output, err = cmd.CombinedOutput()
 		if err != nil {
-			return errors.Wrap(err, "failed to run vault login")
+			return nil, errors.Wrap(err, "failed to run vault login")
 		}
+		token, err := cmdOutputToToken(output)
+		return token, errors.Wrap(err, "vault output token jsonpath failed")
 	}
+	token, err := cmdOutputToToken(output)
+	return token, errors.Wrap(err, "vault output token jsonpath failed")
+}
 
-	return nil
+// cmdOutputToToken converts vault token lookup and vault token login output to
+// just the token id
+func cmdOutputToToken(in []byte) ([]byte, error) {
+	jp := jsonpath.New("vault-token")
+	if err := jp.Parse("{$.data.id}"); err != nil {
+		return nil, err
+	}
+	var data interface{}
+	if err := json.Unmarshal(in, &data); err != nil {
+		return nil, err
+	}
+	buf := new(bytes.Buffer)
+	err := jp.Execute(buf, data)
+	return buf.Bytes(), errors.Wrap(err, "jsonpath failed")
 }
diff --git a/cli/login_test.go b/cli/login_test.go
@@ -0,0 +1,52 @@
+// Copyright 2023 Outreach Corporation. All Rights Reserved.
+
+// Description: test login token parsing
+package cli
+
+import (
+	"fmt"
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestVaultLoginTokenJSONPath(t *testing.T) {
+	expectedTokenID := "s.gNhNGm524pfZDJzIOVk4NGaX"
+	input := []byte(fmt.Sprintf(`{
+  "request_id": "676169b4-d7f9-d94d-ac94-a16891024d73",
+  "lease_id": "",
+  "lease_duration": 0,
+  "renewable": false,
+  "data": {
+    "accessor": "X4dXerFDLHFCvfP6nR1Qiz9K",
+    "creation_time": 1676411158,
+    "creation_ttl": 43200,
+    "display_name": "[email protected]",
+    "entity_id": "697e1d36-03ea-86a3-927d-258b15e30ada",
+    "expire_time": "2023-02-15T09:45:58.590848523Z",
+    "explicit_max_ttl": 0,
+    "external_namespace_policies": {},
+    "id": "%s",
+    "identity_policies": [
+      "root-policy"
+    ],
+    "issue_time": "2023-02-14T21:45:58.59084807Z",
+    "meta": {
+      "role": "outreach"
+    },
+    "num_uses": 0,
+    "orphan": true,
+    "path": "auth/oidc/oidc/callback",
+    "policies": [
+      "default"
+    ],
+    "renewable": true,
+    "ttl": 40988,
+    "type": "service"
+  },
+  "warnings": null
+}`, expectedTokenID))
+	actual, err := cmdOutputToToken(input)
+	assert.NilError(t, err)
+	assert.Equal(t, expectedTokenID, string(actual))
+}
diff --git a/go.mod b/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.8.1
+	gotest.tools/v3 v3.4.0
 )
 
 require (
@@ -19,7 +20,7 @@ require (
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/onsi/gomega v1.18.1 // indirect
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
-	k8s.io/client-go v0.23.1 // indirect
+	k8s.io/client-go v0.23.1
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
@@ -259,7 +260,6 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools/v3 v3.4.0 // indirect
 	k8s.io/api v0.23.1 // indirect
 	k8s.io/apimachinery v0.24.0-alpha.3 // indirect
 	k8s.io/klog/v2 v2.60.1 // indirect

diff --git a/service.yaml b/service.yaml
@@ -1,7 +1,5 @@
 name: vault-client
 arguments:
-  coverage:
-    provider: codecov
   circleAPIKey: ""
   commands: []
   commitGuard: false

diff --git a/stencil.lock b/stencil.lock
@@ -2,16 +2,16 @@ version: v1.29.0
 modules:
     - name: github.com/getoutreach/devbase
       url: https://github.com/getoutreach/devbase
-      version: v2.9.0-rc.4
+      version: v2.9.0-rc.12
     - name: github.com/getoutreach/stencil-actions
       url: https://github.com/getoutreach/stencil-actions
       version: v0.2.0
     - name: github.com/getoutreach/stencil-base
       url: https://github.com/getoutreach/stencil-base
-      version: v0.8.0-rc.2
+      version: v0.8.0-rc.3
     - name: github.com/getoutreach/stencil-circleci
       url: https://github.com/getoutreach/stencil-circleci
-      version: v1.7.0-rc.2
+      version: v1.7.0-rc.3
     - name: github.com/getoutreach/stencil-discovery
       url: https://github.com/getoutreach/stencil-discovery
       version: v1.3.3