-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
96 lines (82 loc) · 2.66 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
package main
import (
"encoding/json"
"fmt"
"log"
"net/http"
"time"
"github.com/hashicorp/vault/api"
"github.com/julienschmidt/httprouter"
"github.com/urfave/negroni"
)
// Setup
var cfg = ParseConfig()
var clients = SetupClients()
// HTTP Methods & Routes
// Authenticate protects the endpoints from requests with invalid signatures
func Authenticate(h httprouter.Handle) httprouter.Handle {
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
client, err := clients.Chef.GetClient(r.Header.Get("X-VAULT-CLIENT"))
if err != nil {
log.Printf("[INFO] Failed to find Chef client for %s, error: %s", r.Header.Get("X-VAULT-CLIENT"), err)
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
return
}
err = VerifySignature(r.Header.Get("X-VAULT-SIGNATURE"), client.PublicKey)
if err != nil {
log.Printf("[INFO] Failed to verify signature for Chef client %s, error: %s", r.Header.Get("X-VAULT-CLIENT"), err)
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
} else {
log.Printf("[INFO] Successfully authenticated %s", r.Header.Get("X-VAULT-CLIENT"))
// Delegate request to the given handle
h(w, r, ps)
}
}
}
// TokenRole Issues a Role Token
func TokenRole(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
tcr := &api.TokenCreateRequest{}
err := json.NewDecoder(r.Body).Decode(&tcr)
if err != nil {
http.Error(w, "Failed to decode request body", http.StatusBadRequest)
return
}
token, err := clients.Vault.IssueTokenRole(tcr, ps.ByName("role"))
if err != nil {
http.Error(w, "Failed to create token from role", http.StatusBadRequest)
log.Printf("Error: %s", err)
return
}
fmt.Fprint(w, token)
}
// Main
func main() {
srvCert, err := clients.Vault.ReadSecretPath(cfg.SecretCertPath)
if err != nil {
log.Fatalf("Failed to get certificates from Vault: %s", err)
}
cert, err := ParseX509KeyPair(srvCert.Data["cert"].(string), srvCert.Data["key"].(string))
if err != nil {
log.Fatalf("Failed to parse certifcates: %s", err)
}
if cfg.RenewToken {
go clients.Vault.RenewToken()
}
router := httprouter.New()
router.POST("/token/issue/:role", Authenticate(TokenRole))
n := negroni.New()
n.Use(negroni.NewRecovery())
n.Use(negroni.NewLogger())
n.UseHandler(router)
s := &http.Server{
Addr: cfg.ListenAddr,
TLSConfig: TLSConfig(cert),
Handler: n,
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20,
}
// Certs are specified in the tls.Config struct
log.Println("[INFO] Starting vault-chef server, listening on", cfg.ListenAddr)
log.Fatal(s.ListenAndServeTLS("", ""))
}