npm - vvauth - Versions diffs - 0.1.5 → 0.2.1 - Mend

vvauth 0.1.5 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +115 -27
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -22,57 +22,59 @@ const replaceEnv = require('nyks/string/replaceEnv');
 const debug = require('debug');
 const logger  = {
-  debug : debug('dspp:secrets:debug'),
-  info  : debug('dspp:secrets:info'),
-  error : debug('dspp:secrets:error'),
+  debug : debug('vvauth:debug'),
+  info  : debug('vvauth:info'),
+  error : debug('vvauth:error'),
 };
-const VAUTH_RC = process.env.VAUTHRC || ".vauthrc";
+const VAUTH_RC = [process.env.VAUTHRC, path.join(process.cwd(), ".vauthrc"), path.join(os.homedir(), ".vauthrc")];
 const FUNCTION_NAME = "vauth";
 const FUNCTION_DECL = "function vauth() { source <(/usr/bin/env vvauth --ir://raw --source --ir://run=$1 \"${@:2}\"); }";
 class vvauth {
   constructor(rc = null) {
     this.rc = {};
     if(rc) {
       this.rc = rc;
     } else {
-      if(fs.existsSync(VAUTH_RC)) {
-        let body = fs.readFileSync(VAUTH_RC, 'utf8');
+      let vauth_rc = VAUTH_RC.filter(path => path && fs.existsSync(path))[0];
+      if(vauth_rc) {
+        let body = fs.readFileSync(vauth_rc, 'utf8');
         this.rc = walk(parse(body), v =>  replaceEnv(v, { env : process.env}));
       }
     }
-    let {vault_addr} = this.rc;
-    if(!vault_addr)
+    this.vault_addr = this.rc.vault_addr;
+    if(!this.vault_addr)
       throw `Invalid vault remote`;
-    console.error("vauth bound to '%s'", vault_addr);
+    this.VAULT_TOKEN = process.env.VAULT_TOKEN;
+    console.error("vauth bound to '%s'", this.vault_addr);
   }
-  async _get_token() {
-    let {vault_addr, ssh_auth, jwt_auth} = this.rc;
+  async connect() {
+    let {VAULT_TOKEN, rc : {ssh_auth, jwt_auth}} = this;
-    let token = this.rc.VAULT_TOKEN;
-    if(!token && ssh_auth && process.env.SSH_AUTH_SOCK)
-      token = await this._login_vault_ssh({...ssh_auth, vault_addr});
+    if(!VAULT_TOKEN && ssh_auth && process.env.SSH_AUTH_SOCK)
+      VAULT_TOKEN = await this._login_vault_ssh({...ssh_auth});
-    if(!token && jwt_auth && jwt_auth.jwt) {
+    if(!VAULT_TOKEN && jwt_auth && jwt_auth.jwt) {
       let {path, jwt, role} = jwt_auth, payload = {jwt, role};
-      token = await this._login_vault(vault_addr, path, payload);
+      VAULT_TOKEN = await this._login_vault(path, payload);
     }
-    return token;
+    this.VAULT_TOKEN = VAULT_TOKEN;
   }
   async login(source = false) {
-    let VAULT_TOKEN = await this._get_token();
+    await this.connect();
     if(source) {
-      let env = {VAULT_TOKEN};
+      let env = {VAULT_TOKEN : this.VAULT_TOKEN};
       this._publish_env(env);
       process.exit();
     }
-    return VAULT_TOKEN;
   }
   _publish_env(env) {
@@ -84,7 +86,70 @@ class vvauth {
     process.stdout.write(cmds.join("\n") + "\n");
   }
-  async _login_vault_ssh({vault_addr, path = 'ssh', role}) {
+  async set(k, v) {
+    let {entity_id, identity : {metadata}} = await this._get_profile();
+    if(!metadata)
+      metadata = {};
+    let key_name = `env_${k.toUpperCase()}`;
+    metadata[key_name] = v;
+    await this._update_identity(this.VAULT_TOKEN, entity_id, {metadata});
+  }
+  async unset(k) {
+    await this.set(k, undefined);
+  }
+  async show() {
+    let {profile} = await this._get_profile();
+    return profile;
+  }
+  async _get_profile() {
+    await this.connect();
+    let {entity_id} = await this._lookup_token(this.VAULT_TOKEN);
+    let identity = await this._lookup_identity(this.VAULT_TOKEN, entity_id);
+    let profile = {};
+    for(let alias of identity.aliases) {
+      for(let [k, v] of Object.entries(alias.custom_metadata || {})) {
+        if(k.startsWith('env_'))
+          profile[k.substr(4)] = v;
+      }
+    }
+    for(let [k, v] of Object.entries(identity.metadata || {})) {
+      if(k.startsWith('env_'))
+        profile[k.substr(4)] = v;
+    }
+    return {entity_id, identity, profile};
+  }
+  async env(source = false) {
+    let {profile} = await this._get_profile();
+    let env = {VAULT_TOKEN : this.VAULT_TOKEN}, {env : {git, map}} = this.rc;
+    if(git) {
+      map = {...map,
+        "GIT_COMMITTER_NAME" : "VAUTH_USER_NAME",
+        "GIT_COMMITTER_EMAIL" : "VAUTH_USER_MAIL",
+        "GIT_AUTHOR_EMAIL" : "VAUTH_USER_MAIL",
+        "GIT_AUTHOR_NAME" : "VAUTH_USER_NAME",
+        "GIT_USER_LOGIN" : "VAUTH_USER_LOGIN",
+      };
+    }
+    for(let [k, v] of Object.entries(map || {})) {
+      if(profile[v])
+        env[k] = profile[v];
+    }
+    if(source) {
+      this._publish_env(env);
+      process.exit();
+    }
+  }
+  async _login_vault_ssh({path = 'ssh', role}) {
+    logger.info("Trying to auth as '%s'", role);
     let sock;
     await new Promise(resolve => (sock = net.connect(process.env.SSH_AUTH_SOCK, resolve)));
     let agent = new SSHAgent(sock);
@@ -95,7 +160,7 @@ class vvauth {
       if(token)
         return;
-      let remote_url = `${trim(vault_addr, '/')}/v1/auth/${path}/nonce`;
+      let remote_url = `${trim(this.vault_addr, '/')}/v1/auth/${path}/nonce`;
       let query = {...url.parse(remote_url), json : true};
       let res = await request(query);
       let {data : {nonce}} = JSON.parse(String(await drain(res)));
@@ -105,7 +170,7 @@ class vvauth {
       const payload = {public_key, role, nonce : Buffer.from(nonce).toString('base64'), signature};
       try {
-        token = await this._login_vault(vault_addr, path, payload);
+        token = await this._login_vault(path, payload);
       } catch(err) {
         logger.debug("ssh : invalid challenge for public key", comment);
       }
@@ -137,8 +202,32 @@ class vvauth {
     console.error(`Installation ok, please \nsource ${bashrc_path}`);
   }
-  async _login_vault(vault_addr, path, payload) {
-    let remote_url = `${trim(vault_addr, '/')}/v1/auth/${path}/login`;
+  async _lookup_token(token) {
+    let remote_url = `${trim(this.vault_addr, '/')}/v1/auth/token/lookup-self`;
+    let query = {...url.parse(remote_url), headers : {'x-vault-token' : token}, expect : 200};
+    let res = await request(query);
+    let response = JSON.parse(await drain(res)).data;
+    return response;
+  }
+  async _lookup_identity(token, id) {
+    let remote_url = `${trim(this.vault_addr, '/')}/v1/identity/entity/id/${id}`;
+    let query = {...url.parse(remote_url), headers : {'x-vault-token' : token}, expect : 200};
+    let res = await request(query);
+    return JSON.parse(String(await drain(res))).data;
+  }
+  async _update_identity(token, id, payload) {
+    let remote_url = `${trim(this.vault_addr, '/')}/v1/identity/entity/id/${id}`;
+    let query = {...url.parse(remote_url), headers : {'x-vault-token' : token}, expect : 204, json : true};
+    await request(query, payload);
+    return payload;
+  }
+  async _login_vault(path, payload) {
+    let remote_url = `${trim(this.vault_addr, '/')}/v1/auth/${path}/login`;
     let query = {...url.parse(remote_url), json : true};
     let res = await request(query, payload);
     let response = String(await drain(res));
@@ -147,7 +236,6 @@ class vvauth {
       throw `Could not login to vault : ${response}`;
     response = JSON.parse(response);
-    //console.log(response);
     let token = get(response, 'auth.client_token');
     return token;
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vvauth",
-  "version": "0.1.5",
+  "version": "0.2.1",
   "description": "Vault Auth helper",
   "main": "index.js",
   "bin": {