support passing login fields directly as auth conf

The auth method's Parameters (Params) allows you do hardcode your credentials into the config and we need to maintain support for this (for now, probably should be deprecated).
hashicorp · Feb 28, 2023 · 84e26a5 · 84e26a5
1 parent f7a451d
commit 84e26a5
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 6 deletions.
diff --git a/agent/connect/ca/provider_vault_auth_approle.go b/agent/connect/ca/provider_vault_auth_approle.go
@@ -16,19 +16,28 @@ import (
 //                                    (which we don't need to do)
 
 func NewAppRoleAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
-	// role_id_file_path is required
+	params := authMethod.Params
+	client := NewVaultAPIAuthClient(authMethod, "")
+	// handle legacy case where role_id and secret_id are passed in directly.
+	_, role_id_ok := params["role_id"].(string)
+	_, secret_id_ok := params["secret_id"].(string)
+	if role_id_ok && secret_id_ok {
+		return client, nil
+	}
+
+	// vault-agent auth config, role_id_file_path is required
 	key := "role_id_file_path"
 	if val, ok := authMethod.Params[key].(string); !ok {
 		return nil, fmt.Errorf("missing '%s' value", key)
 	} else if strings.TrimSpace(val) == "" {
 		return nil, fmt.Errorf("'%s' value is empty", key)
 	}
-
-	client := NewVaultAPIAuthClient(authMethod, "")
 	client.LoginDataGen = ArLoginDataGen
+
 	return client, nil
 }
 
+// don't need to check for legacy params as this func isn't used in that case
 func ArLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
 	params := authMethod.Params
 	// role_id is required

diff --git a/agent/connect/ca/provider_vault_auth_test.go b/agent/connect/ca/provider_vault_auth_test.go
@@ -363,6 +363,19 @@ func TestVaultCAProvider_AppRoleAuthClient(t *testing.T) {
 			},
 			expErr: fmt.Errorf("missing '%s' value", "role_id_file_path"),
 		},
+		"legacy-direct-values": {
+			authMethod: &structs.VaultAuthMethod{
+				Type: "approle",
+				Params: map[string]any{
+					"role_id":   "test-role",
+					"secret_id": "test-secret",
+				},
+			},
+			expData: map[string]any{
+				"role_id":   "test-role",
+				"secret_id": "test-secret",
+			},
+		},
 	}
 
 	for k, c := range cases {
@@ -374,9 +387,11 @@ func TestVaultCAProvider_AppRoleAuthClient(t *testing.T) {
 				return
 			}
 			require.NoError(t, err)
-			data, err := auth.LoginDataGen(c.authMethod)
-			require.NoError(t, err)
-			require.Equal(t, c.expData, data)
+			if auth.LoginDataGen != nil {
+				data, err := auth.LoginDataGen(c.authMethod)
+				require.NoError(t, err)
+				require.Equal(t, c.expData, data)
+			}
 		})
 	}
 }