GitHub Repository: gitpod-io/gitpod
Path: blob/main/components/gitpod-cli/cmd/idp-login-vault.go
// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package cmd
import (
"context"
"encoding/json"
"fmt"
"os"
"os/exec"
"time"
"github.com/spf13/cobra"
)
// idpAudienceVault is the default value of the --audience flag, i.e. the
// audience requested for the ID token when the user does not override it.
const idpAudienceVault = "vault.hashicorp.com"
// idpLoginVaultOpts holds the values bound to the flags of the vault login
// subcommand.
var idpLoginVaultOpts struct {
	// Role is sent to Vault as the role= field of the auth/jwt/login request.
	Role string
	// Audience is the list of audiences requested for the ID token.
	Audience []string
}
26
27
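// idpLoginVaultCmd is the "vault" subcommand. It obtains an ID token through
// idpToken, exchanges it at Vault's auth/jwt/login endpoint for a client
// token, and passes that client token to `vault login`.
//
// Both the ID token and the Vault client token are bearer credentials. They
// are fed to the vault CLI on stdin (a value of "-") instead of being placed
// on the command line, because a process's arguments can be read by other
// processes on the same host (process listings, /proc/<pid>/cmdline) and are
// routinely captured by audit and EDR tooling.
var idpLoginVaultCmd = &cobra.Command{
	Use:   "vault",
	Short: "Login to HashiCorp's Vault",
	RunE: func(cmd *cobra.Command, args []string) error {
		cmd.SilenceUsage = true

		// The 5s deadline bounds the ID token request only; the vault
		// invocations below are not tied to ctx.
		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
		defer cancel()

		tkn, err := idpToken(ctx, idpLoginVaultOpts.Audience, idpLoginOpts.Scope)
		if err != nil {
			return err
		}

		// vaultWithSecret prepares a vault invocation whose stdin carries
		// secret, so the secret never appears in the child's argv. Vault's
		// own diagnostics go straight to our stderr, which keeps them out
		// of any stdout the caller wants to parse.
		vaultWithSecret := func(secret string, vaultArgs ...string) (*exec.Cmd, error) {
			c := exec.Command("vault", vaultArgs...)
			stdin, err := c.StdinPipe()
			if err != nil {
				return nil, err
			}
			c.Stderr = os.Stderr
			go func() {
				defer stdin.Close()
				// A failed write means vault exited or closed stdin early;
				// that surfaces as the command's own error, so it is not
				// reported a second time here.
				_, _ = stdin.Write([]byte(secret))
			}()
			return c, nil
		}

		// vault write -format=json auth/jwt/login role=$ROLE jwt=-   (JWT on stdin)
		writeCmd, err := vaultWithSecret(tkn, "write", "-format=json", "auth/jwt/login", "role="+idpLoginVaultOpts.Role, "jwt=-")
		if err != nil {
			return err
		}
		// Output captures stdout only. The previous CombinedOutput merged
		// stderr into the buffer, so any warning printed by vault would
		// corrupt the JSON document parsed below.
		out, err := writeCmd.Output()
		if err != nil {
			return fmt.Errorf("vault write auth/jwt/login: %w", err)
		}

		var result struct {
			Auth struct {
				ClientToken string `json:"client_token"`
			} `json:"auth"`
		}
		if err := json.Unmarshal(out, &result); err != nil {
			return fmt.Errorf("parsing vault login response: %w", err)
		}
		// Do not hand an empty token to `vault login`; a response without
		// auth.client_token means the exchange did not yield a credential.
		if result.Auth.ClientToken == "" {
			return fmt.Errorf("vault login response did not contain auth.client_token")
		}

		// vault login -   (client token on stdin)
		// NOTE(review): `vault login` prints the token to stdout unless
		// -no-print is passed; the original behaviour is kept here.
		loginCmd, err := vaultWithSecret(result.Auth.ClientToken, "login", "-")
		if err != nil {
			return err
		}
		loginCmd.Stdout = os.Stdout
		return loginCmd.Run()
	},
}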
// init registers the vault subcommand under idpLoginCmd and declares its
// --audience and --role flags.
func init() {
	idpLoginCmd.AddCommand(idpLoginVaultCmd)

	flags := idpLoginVaultCmd.Flags()

	// --audience defaults to the Vault audience constant.
	defaultAudience := []string{idpAudienceVault}
	flags.StringArrayVar(&idpLoginVaultOpts.Audience, "audience", defaultAudience, "audience of the ID token")

	// --role takes its default from the environment, read once at init time.
	defaultRole := os.Getenv("IDP_VAULT_ROLE")
	flags.StringVar(&idpLoginVaultOpts.Role, "role", defaultRole, "Vault role to assume (defaults to IDP_VAULT_ROLE env var)")
}