Merge pull request #102 from starkandwayne/add-userpass-auth

Added auth method 'userpass'
egen · Aug 4, 2017 · b127919 · b127919
2 parents 9c35ec6 + b4597e6
commit b127919
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 2 deletions.
diff --git a/auth/userpass.go b/auth/userpass.go
@@ -0,0 +1,30 @@
+package auth
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+
+	"github.com/starkandwayne/safe/prompt"
+)
+
+func UserPass(addr string) (string, error) {
+	username := prompt.Normal("Username: ")
+	password := prompt.Secure("Password: ")
+
+	body := struct {
+		Password string `json:"password"`
+	}{password}
+	b, err := json.Marshal(body)
+	if err != nil {
+		return "", err
+	}
+
+	req, err := http.NewRequest("POST", authurl(addr, "/v1/auth/userpass/login/%s", username),
+		strings.NewReader(string(b)))
+	if err != nil {
+		return "", err
+	}
+
+	return authenticate(req)
+}
diff --git a/ci/release_notes.md b/ci/release_notes.md
@@ -0,0 +1,13 @@
+## New Features
+
+- `safe auth userpass` allows users to authenticate using a username and
+  password via the Vault [Username &
+  Password](https://www.vaultproject.io/docs/auth/userpass.html) auth backend.
+
+  This backend needs to be enabled first using `safe vault enable-auth
+  userpass`, then each username/password needs to be added via:
+  ```
+  vault write auth/userpass/users/&lt;username> \
+      password=&lt;password> \
+      policies=&lt;user-policy>
+  ```
diff --git a/main.go b/main.go
@@ -41,6 +41,7 @@ func connect() *vault.Vault {
 		ansi.Fprintf(os.Stderr, "Try @C{safe auth ldap}\n")
 		ansi.Fprintf(os.Stderr, " or @C{safe auth github}\n")
 		ansi.Fprintf(os.Stderr, " or @C{safe auth token}\n")
+		ansi.Fprintf(os.Stderr, " or @C{safe auth userpass}\n")
 		os.Exit(1)
 	}
 
@@ -260,7 +261,7 @@ func main() {
 					ansi.Fprintf(os.Stderr, "You will need to target a Vault manually first.\n\n")
 					ansi.Fprintf(os.Stderr, "Try something like this:\n")
 					ansi.Fprintf(os.Stderr, "     @C{safe target ops https://address.of.your.vault}\n")
-					ansi.Fprintf(os.Stderr, "     @C{safe auth (github|token|ldap)}\n")
+					ansi.Fprintf(os.Stderr, "     @C{safe auth (github|token|ldap|userpass)}\n")
 					ansi.Fprintf(os.Stderr, "\n")
 					os.Exit(1)
 				}
@@ -460,7 +461,7 @@ func main() {
 
 	r.Dispatch("auth", &Help{
 		Summary: "Authenticate to the current target",
-		Usage:   "safe auth (token|github|ldap)",
+		Usage:   "safe auth (token|github|ldap|userpass)",
 		Type:    AdministrativeCommand,
 	}, func(command string, args ...string) error {
 		cfg := rc.Apply()
@@ -497,6 +498,13 @@ func main() {
 			}
 			break
 
+		case "userpass":
+			token, err = auth.UserPass(os.Getenv("VAULT_ADDR"))
+			if err != nil {
+				return err
+			}
+			break
+
 		default:
 			return fmt.Errorf("Unrecognized authentication method '%s'", method)
 		}