-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.go
214 lines (173 loc) · 6.69 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
package main
import (
"context"
"fmt"
"io/ioutil"
"log"
"os"
"golang.org/x/oauth2/clientcredentials"
// "encoding/json"
// "bytes"
vault "github.com/hashicorp/vault/api"
auth "github.com/hashicorp/vault/api/auth/aws"
)
func main() {
var oauthConfig = &clientcredentials.Config{
ClientID: os.Getenv("OAUTH_CLIENT_ID"),
ClientSecret: os.Getenv("OAUTH_CLIENT_SECRET"),
TokenURL: "https://api.tailscale.com/api/v2/oauth/token",
}
client := oauthConfig.Client(context.Background())
// Replace example.com with your tailnet name.
// resp, err := client.Get("https://api.tailscale.com/api/v2/tailnet/vungle.com/devices")
// if err != nil {
// log.Fatalf("error getting keys: %v", err)
// }
// body, err := ioutil.ReadAll(resp.Body)
// if err != nil {
// log.Fatalf("error reading response body: %v", err)
// }
// fmt.Printf("response: %s", string(body))
// Call api to get all the keys
getKeysResp, getKeysErr := client.Get("https://api.tailscale.com/api/v2/tailnet/vungle.com/keys")
if getKeysErr != nil {
log.Fatalf("error getting keys: %v", getKeysErr)
}
getKeysBody, getKeysErr := ioutil.ReadAll(getKeysResp.Body)
if getKeysErr != nil {
log.Fatalf("error reading response body: %v", getKeysErr)
}
fmt.Printf("get_keys_body response: %s", string(getKeysBody))
// Call api to create the key /api/v2/tailnet/{tailnet}/keys
// data := map[string]interface{}{
// "capabilities": map[string]interface{} {
// "devices": map[string]interface{} {
// "create": map[string]interface{} {
// "reusable": true,
// "ephemeral": true,
// "preauthorized": false,
// "tags": []string{"tag:prod"},
// },
// },
// },
// "expirySeconds": 86400,
// "description": "short description of key purpose",
// }
// jsonData, formatErr := json.Marshal(data)
// if formatErr != nil {
// log.Fatalf("error creating body: %v", formatErr)
// }
// reqBody := bytes.NewBuffer(jsonData)
// createKeysResp, createKeysErr := client.Post("https://api.tailscale.com/api/v2/tailnet/vungle.com/keys", "application/json", reqBody)
// if getKeysErr != nil {
// log.Fatalf("error creating keys: %v", createKeysErr)
// }
// createKeysBody, createKeysErr := ioutil.ReadAll(createKeysResp.Body)
// if getKeysErr != nil {
// log.Fatalf("error reading response body: %v", createKeysErr)
// }
// fmt.Printf("create_keys_body response: %s", string(createKeysBody))
// Section to call Vault api
config := vault.DefaultConfig() // modify for more granular configuration
config.Address = "https://vault.ops.vungle.io"
vaultClient, vaultErr := vault.NewClient(config)
if vaultErr != nil {
log.Fatalf("unable to initialize Vault client: %s", vaultErr)
}
awsAuth, err := auth.NewAWSAuth(
auth.WithRole("vault-prod"), // if not provided, Vault will fall back on looking for a role with the IAM role name if you're using the iam auth type, or the EC2 instance's AMI id if using the ec2 auth type
)
if err != nil {
log.Fatalf("unable to initialize AWS auth method: %s", err)
}
authInfo, err := vaultClient.Auth().Login(context.Background(), awsAuth)
if err != nil {
log.Fatalf("unable to login to AWS auth method: %s", err)
}
if authInfo == nil {
log.Fatalf("no auth info was returned after login:")
}
// Create secret
putSecretData := map[string]interface{}{
"bingkun_password": "Hashi123",
}
// Write a secret
_, err = vaultClient.KVv2("ops").Put(context.Background(), "github", putSecretData)
if err != nil {
log.Fatalf("unable to write secret: %v", err)
}
fmt.Println("Secret written successfully.")
// get secret from the default mount path for KV v2 in dev mode, "ops"
secret, err := vaultClient.KVv2("ops").Get(context.Background(), "github")
if err != nil {
log.Fatalf("unable to read secret: %s", err)
}
// data map can contain more than one key-value pair,
// in this case we're just grabbing one of them
value, ok := secret.Data["bingkun_password"].(string)
if !ok {
log.Fatalf("value type assertion failed: %T %#v", secret.Data["bingkun_password"], secret.Data["bingkun_password"])
}
fmt.Printf("value response: %s", value)
// Use token to do
// vaultClient, err := vault.NewClient(config)
// if err != nil {
// log.Fatalf("unable to initialize Vault client: %v", err)
// }
// // Authenticate
// vaultClient.SetToken(os.Getenv("PERSONAL_VAULT_TOKEN"))
// secretData := map[string]interface{}{
// "bingkun_password": "Hashi123",
// }
// // Write a secret
// _, err = vaultClient.KVv2("secret").Put(context.Background(), "bingkun-secret-password", secretData)
// if err != nil {
// log.Fatalf("unable to write secret: %v", err)
// }
// fmt.Println("Secret written successfully.")
// // Read a secret from the default mount path for KV v2 in dev mode, "secret"
// secret, err := vaultClient.KVv2("secret").Get(context.Background(), "bingkun-secret-password")
// if err != nil {
// log.Fatalf("unable to read secret: %v", err)
// }
// value, ok := secret.Data["bingkun_password"].(string)
// if !ok {
// log.Fatalf("value type assertion failed: %T %#v", secret.Data["bingkun_password"], secret.Data["bingkun_password"])
// }
// if value != "Hashi123" {
// log.Fatalf("unexpected password value %q retrieved from vault", value)
// }
// fmt.Println("Access granted!")
}
// func getSecretWithAWSAuthIAM() (string, error) {
// config := vault.DefaultConfig() // modify for more granular configuration
// client, err := vault.NewClient(config)
// if err != nil {
// return "", fmt.Errorf("unable to initialize Vault client: %w", err)
// }
// awsAuth, err := auth.NewAWSAuth(
// auth.WithRole("vault-prod"), // if not provided, Vault will fall back on looking for a role with the IAM role name if you're using the iam auth type, or the EC2 instance's AMI id if using the ec2 auth type
// )
// if err != nil {
// return "", fmt.Errorf("unable to initialize AWS auth method: %w", err)
// }
// authInfo, err := client.Auth().Login(context.Background(), awsAuth)
// if err != nil {
// return "", fmt.Errorf("unable to login to AWS auth method: %w", err)
// }
// if authInfo == nil {
// return "", fmt.Errorf("no auth info was returned after login")
// }
// // get secret from the default mount path for KV v2 in dev mode, "secret"
// secret, err := client.KVv2("secret").Get(context.Background(), "creds")
// if err != nil {
// return "", fmt.Errorf("unable to read secret: %w", err)
// }
// // data map can contain more than one key-value pair,
// // in this case we're just grabbing one of them
// value, ok := secret.Data["test_password"].(string)
// if !ok {
// return "", fmt.Errorf("value type assertion failed: %T %#v", secret.Data["test_password"], secret.Data["test_password"])
// }
// return value, nil
// }