package main
import (
"errors"
"fmt"
"log"
infisicalSdk "github.com/infisical/go-sdk"
)
// AuthStrategyType names an authentication strategy; its values are the
// string identifiers collected in AuthStrategy.
type AuthStrategyType string

// AuthStrategy enumerates the known strategies as a namespaced set of
// constants-by-convention (it is a struct value, so the fields are
// technically mutable at runtime).
//
// Only the five machine-identity strategies are wired into AuthHandler.login
// in this file; SERVICE_TOKEN, SERVICE_ACCOUNT and KUBERNETES_MACHINE_IDENTITY
// are declared but have no handler here.
//
// NOTE(review): KUBERNETES_MACHINE_IDENTITY's value is
// "KUBERNETES_AUTH_MACHINE_IDENTITY", unlike every other field, whose value
// equals its name. Anything comparing against the raw string must use this
// spelling; confirm whether the difference is intentional.
var AuthStrategy = struct {
	SERVICE_TOKEN                 AuthStrategyType
	SERVICE_ACCOUNT               AuthStrategyType
	UNIVERSAL_MACHINE_IDENTITY    AuthStrategyType
	KUBERNETES_MACHINE_IDENTITY   AuthStrategyType
	AWS_IAM_MACHINE_IDENTITY      AuthStrategyType
	AZURE_MACHINE_IDENTITY        AuthStrategyType
	GCP_ID_TOKEN_MACHINE_IDENTITY AuthStrategyType
	GCP_IAM_MACHINE_IDENTITY      AuthStrategyType
}{
	SERVICE_TOKEN:                 "SERVICE_TOKEN",
	SERVICE_ACCOUNT:               "SERVICE_ACCOUNT",
	UNIVERSAL_MACHINE_IDENTITY:    "UNIVERSAL_MACHINE_IDENTITY",
	KUBERNETES_MACHINE_IDENTITY:   "KUBERNETES_AUTH_MACHINE_IDENTITY",
	AWS_IAM_MACHINE_IDENTITY:      "AWS_IAM_MACHINE_IDENTITY",
	AZURE_MACHINE_IDENTITY:        "AZURE_MACHINE_IDENTITY",
	GCP_ID_TOKEN_MACHINE_IDENTITY: "GCP_ID_TOKEN_MACHINE_IDENTITY",
	GCP_IAM_MACHINE_IDENTITY:      "GCP_IAM_MACHINE_IDENTITY",
}
// AuthenticationDetails describes the outcome of a successful login.
type AuthenticationDetails struct {
	// authStrategy is the strategy that produced the session; login logs it.
	authStrategy AuthStrategyType
}
// AuthHandler holds the Infisical client plus the credential material each
// login strategy reads. Which fields are set decides which strategies are
// applicable (see the handle* methods and login).
//
// How these fields are populated is not visible in this file; presumably
// from configuration or the environment - confirm against the constructor.
type AuthHandler struct {
	// infisicalClient is a pointer to the SDK client interface; every handler
	// dereferences it before calling Auth(), so a nil pointer here panics on
	// the first login attempt.
	infisicalClient *infisicalSdk.InfisicalClientInterface
	// clientId and clientSecret drive the Universal Auth strategy.
	clientId     string
	clientSecret string
	// identityId is the machine identity used by the AWS IAM, Azure,
	// GCP ID token and GCP IAM strategies.
	identityId string
	// resource is the Azure resource passed to AzureAuthLogin; per the note on
	// handleAzureAuth the SDK applies a default when it is empty.
	resource string
	// serviceAccountKeyfilePath is the GCP service-account key file used by the
	// GCP IAM strategy.
	serviceAccountKeyfilePath string
}
// ErrAuthNotApplicable is returned by a handle* method when the AuthHandler
// fields that strategy needs are unset. login skips such strategies rather
// than failing; any other handler error aborts login.
var ErrAuthNotApplicable = errors.New("authentication not applicable")
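// handleUniversalAuth logs in with the Universal Auth (client ID / client
// secret) machine-identity flow.
//
// It returns ErrAuthNotApplicable when neither clientId nor clientSecret is
// set, so login can move on to the next strategy. A pair with only one value
// set is NOT treated as "not applicable": the SDK call is made and its error
// is returned, so a half-configured credential surfaces as a login failure
// instead of being silently skipped.
//
// The SDK's login response is discarded; only success or failure matters
// here. The SDK error is wrapped with %w so callers can inspect it with
// errors.Is / errors.As.
func (r *AuthHandler) handleUniversalAuth() (AuthenticationDetails, error) {
	if r.clientId == "" && r.clientSecret == "" {
		return AuthenticationDetails{}, ErrAuthNotApplicable
	}
	if _, err := (*r.infisicalClient).Auth().UniversalAuthLogin(r.clientId, r.clientSecret); err != nil {
		return AuthenticationDetails{}, fmt.Errorf("unable to login with machine identity credentials [err=%w]", err)
	}
	return AuthenticationDetails{authStrategy: AuthStrategy.UNIVERSAL_MACHINE_IDENTITY}, nil
}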
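// handleAwsIamAuth logs in with the AWS IAM machine-identity flow.
//
// It returns ErrAuthNotApplicable when identityId is unset. Note that
// identityId alone gates this strategy (as it does for the Azure and GCP
// strategies), so any handler with identityId set is considered applicable.
//
// The SDK's login response is discarded; only success or failure matters
// here. The SDK error is wrapped with %w so callers can inspect it with
// errors.Is / errors.As.
func (r *AuthHandler) handleAwsIamAuth() (AuthenticationDetails, error) {
	if r.identityId == "" {
		return AuthenticationDetails{}, ErrAuthNotApplicable
	}
	if _, err := (*r.infisicalClient).Auth().AwsIamAuthLogin(r.identityId); err != nil {
		return AuthenticationDetails{}, fmt.Errorf("unable to login with AWS IAM auth [err=%w]", err)
	}
	return AuthenticationDetails{authStrategy: AuthStrategy.AWS_IAM_MACHINE_IDENTITY}, nil
}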
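// handleAzureAuth logs in with the Azure machine-identity flow.
//
// It returns ErrAuthNotApplicable when identityId is unset; resource is not
// part of the applicability check because the SDK supplies a default for it.
//
// The SDK's login response is discarded; only success or failure matters
// here. The SDK error is wrapped with %w so callers can inspect it with
// errors.Is / errors.As.
func (r *AuthHandler) handleAzureAuth() (AuthenticationDetails, error) {
	if r.identityId == "" {
		return AuthenticationDetails{}, ErrAuthNotApplicable
	}
	// If resource is empty (""), it defaults to "https://management.azure.com/" in the SDK.
	if _, err := (*r.infisicalClient).Auth().AzureAuthLogin(r.identityId, r.resource); err != nil {
		return AuthenticationDetails{}, fmt.Errorf("unable to login with Azure auth [err=%w]", err)
	}
	return AuthenticationDetails{authStrategy: AuthStrategy.AZURE_MACHINE_IDENTITY}, nil
}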
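// handleGcpIdTokenAuth logs in with the GCP ID-token machine-identity flow.
//
// It returns ErrAuthNotApplicable when identityId is unset; identityId alone
// gates this strategy.
//
// The SDK's login response is discarded; only success or failure matters
// here. The SDK error is wrapped with %w so callers can inspect it with
// errors.Is / errors.As.
func (r *AuthHandler) handleGcpIdTokenAuth() (AuthenticationDetails, error) {
	if r.identityId == "" {
		return AuthenticationDetails{}, ErrAuthNotApplicable
	}
	if _, err := (*r.infisicalClient).Auth().GcpIdTokenAuthLogin(r.identityId); err != nil {
		return AuthenticationDetails{}, fmt.Errorf("unable to login with GCP Id Token auth [err=%w]", err)
	}
	return AuthenticationDetails{authStrategy: AuthStrategy.GCP_ID_TOKEN_MACHINE_IDENTITY}, nil
}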
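// handleGcpIamAuth logs in with the GCP IAM (service-account key file)
// machine-identity flow.
//
// It returns ErrAuthNotApplicable only when both identityId and
// serviceAccountKeyfilePath are unset. If just one is set the SDK call is
// still made and its error returned, so a half-configured strategy surfaces
// as a login failure instead of being silently skipped.
//
// The SDK's login response is discarded; only success or failure matters
// here. The SDK error is wrapped with %w so callers can inspect it with
// errors.Is / errors.As.
func (r *AuthHandler) handleGcpIamAuth() (AuthenticationDetails, error) {
	if r.identityId == "" && r.serviceAccountKeyfilePath == "" {
		return AuthenticationDetails{}, ErrAuthNotApplicable
	}
	if _, err := (*r.infisicalClient).Auth().GcpIamAuthLogin(r.identityId, r.serviceAccountKeyfilePath); err != nil {
		return AuthenticationDetails{}, fmt.Errorf("unable to login with GCP IAM auth [err=%w]", err)
	}
	return AuthenticationDetails{authStrategy: AuthStrategy.GCP_IAM_MACHINE_IDENTITY}, nil
}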
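// login tries each machine-identity strategy in a fixed order and stops at
// the first one that succeeds.
//
// Each handler reports ErrAuthNotApplicable when the AuthHandler fields it
// needs are unset; that strategy is skipped. Any other error (for example the
// SDK rejecting a configured credential) aborts login immediately and is
// returned wrapped, so a real credential problem is never masked by a later
// strategy succeeding.
//
// The strategies are held in a slice rather than a map: Go randomizes map
// iteration order, so with a map the strategy attempted first - and therefore
// the outcome and the error reported - could differ from run to run whenever
// more than one strategy is applicable. The order below is the order the
// strategies were listed in.
//
// NOTE(review): the AWS IAM, Azure, GCP ID token and GCP IAM handlers are all
// gated on identityId alone, so when identityId is set the first of them in
// this list runs and a hard failure there aborts login before the others are
// tried. Confirm this precedence is the intended behaviour.
//
// Returns nil on success, the wrapped handler error on a hard failure, or an
// error stating that no strategy was applicable.
func (r *AuthHandler) login() error {
	type strategy struct {
		name    AuthStrategyType
		handler func() (AuthenticationDetails, error)
	}
	strategies := []strategy{
		{AuthStrategy.UNIVERSAL_MACHINE_IDENTITY, r.handleUniversalAuth},
		{AuthStrategy.AWS_IAM_MACHINE_IDENTITY, r.handleAwsIamAuth},
		{AuthStrategy.AZURE_MACHINE_IDENTITY, r.handleAzureAuth},
		{AuthStrategy.GCP_ID_TOKEN_MACHINE_IDENTITY, r.handleGcpIdTokenAuth},
		{AuthStrategy.GCP_IAM_MACHINE_IDENTITY, r.handleGcpIamAuth},
	}
	for _, s := range strategies {
		authDetails, err := s.handler()
		if err == nil {
			log.Printf("Using auth method: %s\n", authDetails.authStrategy)
			return nil
		}
		// Only "not applicable" lets the loop continue; anything else is a
		// genuine failure of a configured strategy and must be surfaced.
		if !errors.Is(err, ErrAuthNotApplicable) {
			return fmt.Errorf("authentication failed for strategy [%s] [err=%w]", s.name, err)
		}
	}
	return errors.New("no valid authentication provided")
}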