vvauth 0.3.0 → 0.3.1

package/README.md

@@ -4,3 +4,48 @@ This projects helps you log yourself in a HCL vault and retrieve VAULT_TOKEN thr
 * jwt login
 * ssh (with agent) login
 
+
+# Vauth configuration
+## Vauth configuration file location
+vauth configuration file lies on a `.vauthrc` file (this name can be controlled by the VAUTHRC env var).
+vauth will try to find
+* if specified, the VAUTHRC file
+* fallback to a .vauthrc file in the current directory
+* fallback to a .vauthrc file in the current user home directory
+
+##  Vauth configuration format
+vauth configuration file is a simple yaml file with a specific macro expansion syntax for dynamic parts.
+The configuration file should abide the following schema
+
+### configuration macro expansion set
+* $${profile.XXX} expand to vault entity metadata/custom_metadata vars
+* $${env.XXX} expand to local environement vars
+* $${secrets.XXX} expand to remote scrapped secrets (see the env.paths)
+
+```
+# vauth URL
+vault_addr: https://vauth.myserver.org
+
+# for vauth-auth-plugin-ssh, configure the binding role here
+ssh_auth:
+  role: $${env.VAUTH_USER_LOGIN}
+env:
+  map:
+    TF_HTTP_USERNAME: $${profile.VAUTH_USER_LOGIN}
+    TF_HTTP_PASSWORD: $${profile.GITLAB_API_TOKEN}
+    AWS_ACCESS_KEY_ID: $${secrets.AWS_ACCESS_KEY_ID}
+    AWS_SECRET_ACCESS_KEY: $${secrets.AWS_SECRET_ACCESS_KEY}
+
+  # remote secrets mecanism
+  # set the secrets mount point - default to secrets
+  [path: secrets]
+  # list extra secrets to be reached and populated into the $${secrets.XXX} macro
+  paths:
+    - /some/pa4-backend.creds
+
+```
+
+
+# Credits
+* [Francois Leurent](https://github.com/131)
+

package/index.js

@@ -52,7 +52,7 @@ class vvauth {
       let vauth_rc = VAUTH_RC.filter(path => path && fs.existsSync(path))[0];
       if(vauth_rc) {
         let body = fs.readFileSync(vauth_rc, 'utf8');
-        this.rc = walk(parse(body), v =>  replaceEnv(v, process.env));
+        this.rc = walk(parse(body), v =>  replaceEnv(v, {env : process.env}));
       }
     }
 
@@ -136,37 +136,27 @@ class vvauth {
   async env(source = false) {
     let {profile} = await this._get_profile();
 
-    let env = {VAULT_TOKEN : this.VAULT_TOKEN},
-      {git, map = [], paths, path : mount = "secrets"} = this.rc.env || {};
-
-    if(!Array.isArray(map))
-      map = [map];
+    let env = {VAULT_TOKEN : this.VAULT_TOKEN}, secrets = {},
+      {git, map = {}, paths, path : mount = "secrets"} = this.rc.env || {};
 
     if(git) {
-      map.push({
-        "GIT_COMMITTER_NAME" : "VAUTH_USER_NAME",
-        "GIT_COMMITTER_EMAIL" : "VAUTH_USER_MAIL",
-        "GIT_AUTHOR_EMAIL" : "VAUTH_USER_MAIL",
-        "GIT_AUTHOR_NAME" : "VAUTH_USER_NAME",
-        "GIT_USER_LOGIN" : "VAUTH_USER_LOGIN",
-      });
+      map = {...map,
+        "GIT_COMMITTER_NAME" : profile.VAUTH_USER_NAME,
+        "GIT_COMMITTER_EMAIL" : profile.VAUTH_USER_MAIL,
+        "GIT_AUTHOR_EMAIL" : profile.VAUTH_USER_MAIL,
+        "GIT_AUTHOR_NAME" : profile.VAUTH_USER_NAME,
+        "GIT_USER_LOGIN" : profile.VAUTH_USER_LOGIN,
+      };
     }
     if(paths) {
       for(let secret_path of paths) {
         console.error("reaching paths", secret_path);
         let data = await this._read(mount, secret_path);
-        profile = {...profile, ...data};
-      }
-    }
-
-    for(let entry of map) {
-      if(typeof entry == "string")
-        entry = {[entry] : entry};
-      for(let [k, v] of Object.entries(entry)) {
-        if(profile[v])
-          env[k] = profile[v];
+        secrets = {...secrets, ...data};
       }
     }
+    for(let [k, v] of Object.entries(map))
+      env[k] = replaceEnv(v, {env : process.env, profile, secrets});
 
     if(source) {
       this._publish_env(env);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vvauth",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "Vault Auth helper",
   "main": "index.js",
   "bin": {