Implement spiffe authentication

README.md

@@ -10,3 +10,179 @@ Integrates [SPIFFE][spiffe] SVID authentication with [Hashicorp Vault][hashivaul
 
 [hashivault]: https://vaultproject.org "hashicorp Vault"
 [spiffe]: https://spiffe.io "SPIFFE"
+
+## Compile
+
+```bash
+make build
+```
+
+## Use
+
+### Basic
+
+```bash
+$ export VAULT_ADDR=http://localhost:8200
+$ bin/spiffe-vault auth -role my-role
+# Export following environment variable to authenticate to Hashicorp Vault
+export VAULT_TOKEN=s.IK1LBrCGXFQDAgawmhNLbcDH
+```
+
+### Advanced
+
+Depending on the shell you are using you can automatically export the variable.
+
+<details>
+  <summary>bash</summary>
+
+```bash
+$ export VAULT_ADDR=http://localhost:8200
+$ echo "$(bin/spiffe-vault auth -role my-role)" > /tmp/spiffe-vault
+$ source /tmp/spiffe-vault
+$ vault kv get secrets/my-key
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2021-08-24T08:20:54.925866504Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+============= Data =============
+Key                       Value
+---                       -----
+username                  marco
+password                  Supers3cr3t!
+$ vault token lookup
+Key                 Value
+---                 -----
+accessor            rwpXIHXzbVIMN2TL25Lfssef
+creation_time       1629970184
+creation_ttl        1m
+display_name        jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
+entity_id           8904661e-5a9f-3af5-c269-257e8a0a31d0
+expire_time         2021-08-26T09:30:44.424072877Z
+explicit_max_ttl    0s
+id                  s.eOdhqe1hVV0OPS7M0TSeEqjG
+issue_time          2021-08-26T09:29:44.424078028Z
+meta                map[role:my-role]
+num_uses            0
+orphan              true
+path                auth/jwt/login
+policies            [default my-role]
+renewable           true
+ttl                 13s
+type                service
+$ vault token renew
+Key                  Value
+---                  -----
+token                s.f1mFvr0TdEuvmfcZT0jBLCc5
+token_accessor       vxginlb81XMEIPefLpRz1P24
+token_duration       1m
+token_renewable      true
+token_policies       ["default" "my-role"]
+identity_policies    []
+policies             ["default" "my-role"]
+token_meta_role      my-role
+$ vault token lookup
+Key                  Value
+---                  -----
+accessor             vxginlb81XMEIPefLpRz1P24
+creation_time        1629970320
+creation_ttl         1m
+display_name         jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
+entity_id            8904661e-5a9f-3af5-c269-257e8a0a31d0
+expire_time          2021-08-26T09:33:53.57444787Z
+explicit_max_ttl     0s
+id                   s.f1mFvr0TdEuvmfcZT0jBLCc5
+issue_time           2021-08-26T09:32:00.135787193Z
+last_renewal         2021-08-26T09:32:53.574447972Z
+last_renewal_time    1629970373
+meta                 map[role:my-role]
+num_uses             0
+orphan               true
+path                 auth/jwt/login
+policies             [default my-role]
+renewable            true
+ttl                  56s
+type                 service
+```
+
+</details>
+
+<details>
+  <summary>zsh</summary>
+
+```zsh
+$ export VAULT_ADDR=http://localhost:8200
+$ source <(bin/spiffe-vault auth -role my-role)
+$ vault kv get secrets/my-key
+====== Metadata ======
+Key              Value
+---              -----
+created_time     2021-08-24T08:20:54.925866504Z
+deletion_time    n/a
+destroyed        false
+version          1
+
+============= Data =============
+Key                       Value
+---                       -----
+username                  marco
+password                  Supers3cr3t!
+$ vault token lookup
+Key                 Value
+---                 -----
+accessor            rwpXIHXzbVIMN2TL25Lfssef
+creation_time       1629970184
+creation_ttl        1m
+display_name        jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
+entity_id           8904661e-5a9f-3af5-c269-257e8a0a31d0
+expire_time         2021-08-26T09:30:44.424072877Z
+explicit_max_ttl    0s
+id                  s.eOdhqe1hVV0OPS7M0TSeEqjG
+issue_time          2021-08-26T09:29:44.424078028Z
+meta                map[role:my-role]
+num_uses            0
+orphan              true
+path                auth/jwt/login
+policies            [default my-role]
+renewable           true
+ttl                 13s
+type                service
+$ vault token renew
+Key                  Value
+---                  -----
+token                s.f1mFvr0TdEuvmfcZT0jBLCc5
+token_accessor       vxginlb81XMEIPefLpRz1P24
+token_duration       1m
+token_renewable      true
+token_policies       ["default" "my-role"]
+identity_policies    []
+policies             ["default" "my-role"]
+token_meta_role      my-role
+$ vault token lookup
+Key                  Value
+---                  -----
+accessor             vxginlb81XMEIPefLpRz1P24
+creation_time        1629970320
+creation_ttl         1m
+display_name         jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
+entity_id            8904661e-5a9f-3af5-c269-257e8a0a31d0
+expire_time          2021-08-26T09:33:53.57444787Z
+explicit_max_ttl     0s
+id                   s.f1mFvr0TdEuvmfcZT0jBLCc5
+issue_time           2021-08-26T09:32:00.135787193Z
+last_renewal         2021-08-26T09:32:53.574447972Z
+last_renewal_time    1629970373
+meta                 map[role:my-role]
+num_uses             0
+orphan               true
+path                 auth/jwt/login
+policies             [default my-role]
+renewable            true
+ttl                  56s
+type                 service
+```
+
+</details>

cmd/spiffe-vault/cli/auth.go

@@ -0,0 +1,54 @@
+package cli
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"time"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+
+	"github.com/philips-labs/spiffe-vault/pkg/spiffe"
+	"github.com/philips-labs/spiffe-vault/pkg/vault"
+)
+
+func Auth() *ffcli.Command {
+	var (
+		flagset  = flag.NewFlagSet("spiffe-vault version", flag.ExitOnError)
+		authPath = flagset.String("authPath", "jwt", "the authentication path in Vault (default: jwt)")
+		role     = flagset.String("role", "", "the role to authenticate with against Vault")
+	)
+	return &ffcli.Command{
+		Name:    "auth",
+		FlagSet: flagset,
+		Exec: func(ctx context.Context, args []string) error {
+			if *role == "" {
+				return fmt.Errorf("role flag required")
+			}
+
+			if *authPath == "" {
+				return fmt.Errorf("authPath flag required")
+			}
+
+			ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+			defer cancel()
+
+			jwt, err := spiffe.FetchJWT(ctx)
+			if err != nil {
+				return err
+			}
+
+			c, err := vault.NewClient(*authPath)
+			if err != nil {
+				return err
+			}
+
+			c.Authenticate(jwt, *role)
+
+			fmt.Println("# Export following environment variable to authenticate to Hashicorp Vault")
+			fmt.Printf("export VAULT_TOKEN=%s\n", c.Token())
+
+			return nil
+		},
+	}
+}

cmd/spiffe-vault/main.go

@@ -17,6 +17,7 @@ func main() {
 		Name:    "spiffe-vault [flags] <subcommand>",
 		FlagSet: rootFlagSet,
 		Subcommands: []*ffcli.Command{
+			cli.Auth(),
 			cli.Version(),
 		},
 	}

go.mod

@@ -3,6 +3,21 @@ module github.com/philips-labs/spiffe-vault
 go 1.16
 
 require (
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
+	github.com/hashicorp/vault/api v1.1.1
+	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/peterbourgon/ff/v3 v3.1.0
+	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1
+	github.com/spiffe/go-spiffe/v2 v2.0.0-beta.8
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 )