
     1  // Licensed to Elasticsearch B.V. under one or more contributor
     2  // license agreements. See the NOTICE file distributed with
     3  // this work for additional information regarding copyright
     4  // ownership. Elasticsearch B.V. licenses this file to you under
     5  // the Apache License, Version 2.0 (the "License"); you may
     6  // not use this file except in compliance with the License.
     7  // You may obtain a copy of the License at
     8  //
     9  //     http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  // Unless required by applicable law or agreed to in writing,
    12  // software distributed under the License is distributed on an
    13  // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    14  // KIND, either express or implied.  See the License for the
    15  // specific language governing permissions and limitations
    16  // under the License.
    17  
    18  package share
    19  
    20  import (
    21  	"context"
    22  	"encoding/json"
    23  	"fmt"
    24  	"time"
    25  
    26  	"github.com/hashicorp/vault/api"
    27  
    28  	"github.com/zntrio/harp/v2/pkg/tasks"
    29  	"github.com/zntrio/harp/v2/pkg/vault"
    30  )
    31  
    32  // PutTask implements secret sharing via Vault Cubbyhole.
type PutTask struct {
	InputReader    tasks.ReaderProvider // yields the reader for the secret to share
	OutputWriter   tasks.WriterProvider // yields the writer that receives the share token
	BackendPrefix  string               // passed to the factory's Cubbyhole(); presumably the mount/prefix — confirm in pkg/vault
	TTL            time.Duration        // Vault response-wrapping TTL for the share; also reported as expires_in
	VaultNamespace string               // when non-empty, set on the Vault client before any call
	JSONOutput     bool                 // true: emit {"token","expires_in"} JSON; false: one-line text
}
    41  
    42  // Run the task.
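// Run executes the task: it reads the secret from InputReader, stores it
// through the Vault cubbyhole service built from BackendPrefix (with every
// request response-wrapped using TTL), and writes the resulting share token
// to OutputWriter, either as JSON ({"token","expires_in"}) or as a one-line
// text message.
//
// It returns a wrapped error when TTL is not positive, when an input/output
// provider fails, when the Vault client cannot be created or its
// authentication cannot be verified, when the service factory or the
// cubbyhole service cannot be built, when the put fails, or when the token
// cannot be written to the output.
func (t *PutTask) Run(ctx context.Context) error {
	// A share must expire: a non-positive TTL would ask Vault for no (or a
	// negative) wrapping TTL and the output would report "Expires in 0 seconds".
	if t.TTL <= 0 {
		return fmt.Errorf("share ttl must be positive, got %s", t.TTL)
	}

	// Create input reader
	reader, err := t.InputReader(ctx)
	if err != nil {
		return fmt.Errorf("unable to read input reader: %w", err)
	}

	// Initialize vault connection (api.DefaultConfig reads the VAULT_* environment)
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		return fmt.Errorf("unable to initialize Vault connection: %w", err)
	}

	// If a namespace is specified
	if t.VaultNamespace != "" {
		client.SetNamespace(t.VaultNamespace)
	}

	// Ask Vault to response-wrap every request issued by this client with the
	// task TTL; the wrapping token is what gets shared, so the TTL bounds how
	// long the secret stays retrievable.
	client.SetWrappingLookupFunc(func(operation, path string) string {
		return t.TTL.String()
	})

	// Verify vault connection
	if _, errAuth := vault.CheckAuthentication(ctx, client); errAuth != nil {
		return fmt.Errorf("vault connection verification failed: %w", errAuth)
	}

	// Create cubbyhole service. The factory error must be checked on its own
	// variable; the earlier `err` is nil at this point.
	sf, errFactory := vault.FromVaultClient(client)
	if errFactory != nil {
		return fmt.Errorf("unable to initialize service factory: %w", errFactory)
	}
	s, errService := sf.Cubbyhole(t.BackendPrefix)
	if errService != nil {
		return fmt.Errorf("unable to initialize cubbyhole service: %w", errService)
	}

	// Get output writer
	outputWriter, err := t.OutputWriter(ctx)
	if err != nil {
		return fmt.Errorf("unable to retrieve output writer: %w", err)
	}

	// Store the secret and obtain the share token
	token, err := s.Put(ctx, reader)
	if err != nil {
		return fmt.Errorf("unable to put secret: %w", err)
	}

	// Display as json
	if t.JSONOutput {
		if err := json.NewEncoder(outputWriter).Encode(map[string]interface{}{
			"token":      token,
			"expires_in": t.TTL.Seconds(),
		}); err != nil {
			return fmt.Errorf("unable to display as json: %w", err)
		}
		return nil
	}

	// Display the token as text. A failed write must not be reported as
	// success: the token is the only handle the recipient has on the secret.
	if _, err := fmt.Fprintf(outputWriter, "Token : %s (Expires in %d seconds)\n", token, int64(t.TTL.Seconds())); err != nil {
		return fmt.Errorf("unable to display token: %w", err)
	}

	// No error
	return nil
}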