package vault import ( "context" "encoding/json" "fmt" "net/http" "time" "dario.cat/mergo" "github.com/hashicorp/vault/api" "go.unistack.org/micro/v4/config" "go.unistack.org/micro/v4/options" rutil "go.unistack.org/micro/v4/util/reflect" ) var DefaultStructTag = "vault" type vaultConfig struct { path string cli *api.Client opts config.Options } func (c *vaultConfig) Options() config.Options { return c.opts } func (c *vaultConfig) Init(opts ...options.Option) error { for _, o := range opts { o(&c.opts) } if err := config.DefaultBeforeInit(c.opts.Context, c); err != nil && !c.opts.AllowFail { return err } if c.opts.Codec == nil { return config.ErrCodecMissing } cfg := api.DefaultConfig() cfg.Timeout = 500 * time.Millisecond cfg.MaxRetries = 2 path := "" token := "" roleID := "" secretID := "" if c.opts.Context != nil { if v, ok := c.opts.Context.Value(configKey{}).(*api.Config); ok { cfg = v } if v, ok := c.opts.Context.Value(httpClientKey{}).(*http.Client); ok { cfg.HttpClient = v } if v, ok := c.opts.Context.Value(timeoutKey{}).(time.Duration); ok { cfg.Timeout = v } if v, ok := c.opts.Context.Value(addrKey{}).(string); ok { cfg.Address = v } if v, ok := c.opts.Context.Value(tokenKey{}).(string); ok { token = v } if v, ok := c.opts.Context.Value(pathKey{}).(string); ok { path = v } if v, ok := c.opts.Context.Value(roleIDKey{}).(string); ok { roleID = v } if v, ok := c.opts.Context.Value(secretIDKey{}).(string); ok { secretID = v } } cli, err := api.NewClient(cfg) if err != nil { if !c.opts.AllowFail { return err } if err = config.DefaultAfterInit(c.opts.Context, c); err != nil && !c.opts.AllowFail { return err } return nil } c.cli = cli c.path = path if token != "" { cli.SetToken(token) if err := config.DefaultAfterInit(c.opts.Context, c); err != nil && !c.opts.AllowFail { return err } return nil } else if roleID == "" || secretID == "" { if !c.opts.AllowFail { return fmt.Errorf("missing Token or RoleID and SecretID") } if err := config.DefaultAfterInit(c.opts.Context, c); err != nil && !c.opts.AllowFail { return err } return nil } rsp, err := cli.Logical().Write("auth/approle/login", map[string]interface{}{ "role_id": roleID, "secret_id": secretID, }) if err != nil { if !c.opts.AllowFail { return err } } else if err == nil { cli.SetToken(rsp.Auth.ClientToken) } if err := config.DefaultAfterInit(c.opts.Context, c); err != nil && !c.opts.AllowFail { return err } return nil } func (c *vaultConfig) Load(ctx context.Context, opts ...options.Option) error { if err := config.DefaultBeforeLoad(ctx, c); err != nil { return err } options := config.NewLoadOptions(opts...) if c.cli == nil { c.opts.Logger.Error(c.opts.Context, fmt.Sprintf("vault load err: %v", "vault client not created")) if !c.opts.AllowFail { return fmt.Errorf("vault client not created") } return config.DefaultAfterLoad(ctx, c) } pair, err := c.cli.Logical().Read(c.path) if err != nil { err = fmt.Errorf("vault load path %s err: %w", c.path, err) if !c.opts.AllowFail { return err } return config.DefaultAfterLoad(ctx, c) } if pair == nil || pair.Data == nil { err = fmt.Errorf("vault load path %s err: %w", c.path, fmt.Errorf("not found")) if !c.opts.AllowFail { return err } return config.DefaultAfterLoad(ctx, c) } var data []byte var src interface{} data, err = json.Marshal(pair.Data["data"]) if err != nil { err = fmt.Errorf("vault load path %s err: %w", c.path, err) if !c.opts.AllowFail { return err } return config.DefaultAfterLoad(ctx, c) } dst := c.opts.Struct if options.Struct != nil { dst = options.Struct } src, err = rutil.Zero(dst) if err == nil { err = c.opts.Codec.Unmarshal(data, src) } if err != nil { c.opts.Logger.Error(c.opts.Context, fmt.Sprintf("vault load path %s err: %v", c.path, err)) if !c.opts.AllowFail { return err } return config.DefaultAfterLoad(ctx, c) } mopts := []func(*mergo.Config){mergo.WithTypeCheck} if options.Override { mopts = append(mopts, mergo.WithOverride) } if options.Append { mopts = append(mopts, mergo.WithAppendSlice) } err = mergo.Merge(dst, src, mopts...) if err != nil { err = fmt.Errorf("vault load path %s err: %w", c.path, err) if !c.opts.AllowFail { return err } } if err := config.DefaultAfterLoad(ctx, c); err != nil { return err } return nil } func (c *vaultConfig) Save(ctx context.Context, opts ...options.Option) error { if err := config.DefaultBeforeSave(ctx, c); err != nil { return err } if err := config.DefaultAfterSave(ctx, c); err != nil { return err } return nil } func (c *vaultConfig) String() string { return "vault" } func (c *vaultConfig) Name() string { return c.opts.Name } func (c *vaultConfig) Watch(ctx context.Context, opts ...options.Option) (config.Watcher, error) { w := &vaultWatcher{ cli: c.cli, path: c.path, opts: c.opts, wopts: config.NewWatchOptions(opts...), done: make(chan struct{}), vchan: make(chan map[string]interface{}), echan: make(chan error), } go w.run() return w, nil } func NewConfig(opts ...options.Option) config.Config { options := config.NewOptions(opts...) if len(options.StructTag) == 0 { options.StructTag = DefaultStructTag } return &vaultConfig{opts: options} }