Merge branch 'main' into dependabot/go_modules/github.com/Azure/azure…

…-sdk-for-go/sdk/azidentity-1.6.0
argoproj-labs · Sep 30, 2024 · 0240304 · 0240304
2 parents 1e23e72 + 73bf267
commit 0240304
Show file tree

Hide file tree

Showing 15 changed files with 198 additions and 78 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,7 +34,7 @@ jobs:
             ${{ steps.tag.outputs.tag }}
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: latest

diff --git a/cmd/generate.go b/cmd/generate.go
@@ -21,6 +21,7 @@ func NewGenerateCommand() *cobra.Command {
 	const StdIn = "-"
 	var configPath, secretName string
 	var verboseOutput bool
+	var disableCache bool
 
 	var command = &cobra.Command{
 		Use:   "generate <path>",
@@ -63,6 +64,7 @@ func NewGenerateCommand() *cobra.Command {
 
 			v := viper.New()
 			viper.Set("verboseOutput", verboseOutput)
+			viper.Set("disableCache", disableCache)
 			cmdConfig, err := config.New(v, &config.Options{
 				SecretName: secretName,
 				ConfigPath: configPath,
@@ -116,5 +118,6 @@ func NewGenerateCommand() *cobra.Command {
 	command.Flags().StringVarP(&configPath, "config-path", "c", "", "path to a file containing Vault configuration (YAML, JSON, envfile) to use")
 	command.Flags().StringVarP(&secretName, "secret-name", "s", "", "name of a Kubernetes Secret in the argocd namespace containing Vault configuration data in the argocd namespace of your ArgoCD host (Only available when used in ArgoCD). The namespace can be overridden by using the format <namespace>:<name>")
 	command.Flags().BoolVar(&verboseOutput, "verbose-sensitive-output", false, "enable verbose mode for detailed info to help with debugging. Includes sensitive data (credentials), logged to stderr")
+	command.Flags().BoolVar(&disableCache, "disable-token-cache", false, "disable the automatic token cache feature that store tokens locally")
 	return command
 }
diff --git a/cmd/generate_test.go b/cmd/generate_test.go
@@ -2,12 +2,14 @@ package cmd
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 	"os"
 	"strings"
 	"testing"
 
 	"github.com/argoproj-labs/argocd-vault-plugin/pkg/helpers"
+	"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/vault"
 )
@@ -250,6 +252,54 @@ func TestMain(t *testing.T) {
 		}
 	})
 
+	t.Run("will not create cache if disabled", func(t *testing.T) {
+
+		// Purging token cache before launching this test
+		err := utils.PurgeTokenCache()
+		if err != nil {
+			t.Fatalf("fail to purge tocken cache: %s", err.Error())
+		}
+
+		// Starting the generate command with the --disable-token-cache flag
+		args := []string{
+			"../fixtures/input/nonempty",
+			"--disable-token-cache",
+		}
+		cmd := NewGenerateCommand()
+
+		b := bytes.NewBufferString("")
+		e := bytes.NewBufferString("")
+		cmd.SetArgs(args)
+		cmd.SetOut(b)
+		cmd.SetErr(e)
+		cmd.Execute()
+		out, err := io.ReadAll(b) // Read buffer to bytes
+		if err != nil {
+			t.Fatal(err)
+		}
+		stderr, err := io.ReadAll(e) // Read buffer to bytes
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		buf, err := os.ReadFile("../fixtures/output/all.yaml")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// We first check that the command was successful to make sure it reached the token caching part
+		expected := string(buf)
+		if string(out) != expected {
+			t.Fatalf("expected %s\n\nbut got\n\n%s\nerr: %s", expected, string(out), string(stderr))
+		}
+
+		// No cache is expected
+		_, err = utils.ReadExistingToken(fmt.Sprintf("approle_%s", roleid))
+		if err == nil {
+			t.Fatalf("expected no cache but found one")
+		}
+	})
+
 	os.Unsetenv("AVP_TYPE")
 	os.Unsetenv("VAULT_ADDR")
 	os.Unsetenv("AVP_AUTH_TYPE")

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/argoproj-labs/argocd-vault-plugin
 
-go 1.21
+go 1.21.13
 
 require (
 	cloud.google.com/go/secretmanager v1.11.4
@@ -15,7 +15,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.27.17
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.29.2
 	github.com/googleapis/gax-go/v2 v2.12.0
-	github.com/hashicorp/go-hclog v1.6.2
+	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/vault v1.16.1
 	github.com/hashicorp/vault-plugin-secrets-kv v0.17.0
 	github.com/hashicorp/vault/api v1.12.0
@@ -107,7 +107,7 @@ require (
 	github.com/digitalocean/godo v1.7.5 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/distribution/reference v0.5.0 // indirect
-	github.com/docker/docker v25.0.5+incompatible // indirect
+	github.com/docker/docker v25.0.6+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74 // indirect
@@ -178,7 +178,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.6.0 // indirect
 	github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 // indirect

diff --git a/go.sum b/go.sum
@@ -364,8 +364,8 @@ github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbTO1lpcGSkU=
 github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v25.0.5+incompatible h1:UmQydMduGkrD5nQde1mecF/YnSbTOaPeFIeP5C4W+DE=
-github.com/docker/docker v25.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v25.0.6+incompatible h1:5cPwbwriIcsua2REJe8HqQV+6WlWc1byg2QSXzBxBGg=
+github.com/docker/docker v25.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -690,8 +690,8 @@ github.com/hashicorp/go-hclog v0.9.1/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-hclog v1.6.2 h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I=
-github.com/hashicorp/go-hclog v1.6.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
@@ -729,8 +729,8 @@ github.com/hashicorp/go-plugin v1.6.0/go.mod h1:lBS5MtSSBZk0SHc66KACcjjlU6WzEVP/
 github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a h1:FmnBDwGwlTgugDGbVxwV8UavqSMACbGrUpfc98yFLR4=
 github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a/go.mod h1:xbXnmKqX9/+RhPkJ4zrEx4738HacP72aaUPlT2RZ4sU=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
-github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 h1:I8bynUKMh9I7JdwtW9voJ0xmHvBpxQtLjrMFDYmhOxY=

diff --git a/pkg/auth/vault/approle.go b/pkg/auth/vault/approle.go
@@ -33,7 +33,7 @@ func NewAppRoleAuth(roleID, secretID, mountPath string) *AppRoleAuth {
 
 // Authenticate authenticates with Vault using App Role and returns a token
 func (a *AppRoleAuth) Authenticate(vaultClient *api.Client) error {
-	err := utils.LoginWithCachedToken(vaultClient)
+	err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("approle_%s", a.RoleID))
 	if err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
 	} else {
@@ -54,7 +54,7 @@ func (a *AppRoleAuth) Authenticate(vaultClient *api.Client) error {
 	utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data)
 
 	// If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping.
-	err = utils.SetToken(vaultClient, data.Auth.ClientToken)
+	err = utils.SetToken(vaultClient, fmt.Sprintf("approle_%s", a.RoleID), data.Auth.ClientToken)
 	if err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err)
 	}

diff --git a/pkg/auth/vault/approle_test.go b/pkg/auth/vault/approle_test.go
@@ -2,6 +2,7 @@ package vault_test
 
 import (
 	"bytes"
+	"fmt"
 	"testing"
 
 	"github.com/argoproj-labs/argocd-vault-plugin/pkg/auth/vault"
@@ -20,7 +21,7 @@ func TestAppRoleLogin(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	cachedToken, err := utils.ReadExistingToken()
+	cachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_%s", roleID))
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}
@@ -30,12 +31,33 @@ func TestAppRoleLogin(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	newCachedToken, err := utils.ReadExistingToken()
+	newCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_%s", roleID))
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}
 
 	if bytes.Compare(cachedToken, newCachedToken) != 0 {
 		t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken)
 	}
+
+	// We create a new connection with a different approle and create a different cache
+	secondCluster, secondRoleID, secondSecretID := helpers.CreateTestAppRoleVault(t)
+	defer secondCluster.Cleanup()
+
+	secondAppRole := vault.NewAppRoleAuth(secondRoleID, secondSecretID, "")
+
+	err = secondAppRole.Authenticate(secondCluster.Cores[0].Client)
+	if err != nil {
+		t.Fatalf("expected no errors but got: %s", err)
+	}
+
+	secondCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_%s", secondRoleID))
+	if err != nil {
+		t.Fatalf("expected cached vault token but got: %s", err)
+	}
+
+	// Both cache should be different
+	if bytes.Compare(cachedToken, secondCachedToken) == 0 {
+		t.Fatalf("expected different tokens but got %s", secondCachedToken)
+	}
 }
diff --git a/pkg/auth/vault/github.go b/pkg/auth/vault/github.go
@@ -32,7 +32,7 @@ func NewGithubAuth(token, mountPath string) *GithubAuth {
 
 // Authenticate authenticates with Vault and returns a token
 func (g *GithubAuth) Authenticate(vaultClient *api.Client) error {
-	err := utils.LoginWithCachedToken(vaultClient)
+	err := utils.LoginWithCachedToken(vaultClient, "github")
 	if err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
 	} else {
@@ -52,7 +52,7 @@ func (g *GithubAuth) Authenticate(vaultClient *api.Client) error {
 	utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data)
 
 	// If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping.
-	err = utils.SetToken(vaultClient, data.Auth.ClientToken)
+	err = utils.SetToken(vaultClient, "github", data.Auth.ClientToken)
 	if err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err)
 	}

diff --git a/pkg/auth/vault/github_test.go b/pkg/auth/vault/github_test.go
@@ -21,7 +21,7 @@ func TestGithubLogin(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	cachedToken, err := utils.ReadExistingToken()
+	cachedToken, err := utils.ReadExistingToken("github")
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}
@@ -31,7 +31,7 @@ func TestGithubLogin(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	newCachedToken, err := utils.ReadExistingToken()
+	newCachedToken, err := utils.ReadExistingToken("github")
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}

diff --git a/pkg/auth/vault/kubernetes.go b/pkg/auth/vault/kubernetes.go
@@ -39,7 +39,7 @@ func NewK8sAuth(role, mountPath, tokenPath string) *K8sAuth {
 
 // Authenticate authenticates with Vault via K8s and returns a token
 func (k *K8sAuth) Authenticate(vaultClient *api.Client) error {
-	err := utils.LoginWithCachedToken(vaultClient)
+	err := utils.LoginWithCachedToken(vaultClient, "kubernetes")
 	if err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
 	} else {
@@ -70,7 +70,7 @@ func (k *K8sAuth) Authenticate(vaultClient *api.Client) error {
 	utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data)
 
 	// If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping.
-	err = utils.SetToken(vaultClient, data.Auth.ClientToken)
+	err = utils.SetToken(vaultClient, "kubernetes", data.Auth.ClientToken)
 	if err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err)
 	}

diff --git a/pkg/auth/vault/kubernetes_test.go b/pkg/auth/vault/kubernetes_test.go
@@ -53,7 +53,7 @@ func TestKubernetesAuth(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	cachedToken, err := utils.ReadExistingToken()
+	cachedToken, err := utils.ReadExistingToken("kubernetes")
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}
@@ -63,7 +63,7 @@ func TestKubernetesAuth(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	newCachedToken, err := utils.ReadExistingToken()
+	newCachedToken, err := utils.ReadExistingToken("kubernetes")
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}

diff --git a/pkg/auth/vault/userpass.go b/pkg/auth/vault/userpass.go
@@ -33,7 +33,7 @@ func NewUserPassAuth(username, password, mountPath string) *UserPassAuth {
 
 // Authenticate authenticates with Vault using userpass and returns a token
 func (a *UserPassAuth) Authenticate(vaultClient *api.Client) error {
-	err := utils.LoginWithCachedToken(vaultClient)
+	err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("userpass_%s", a.Username))
 	if err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err)
 	} else {
@@ -53,7 +53,7 @@ func (a *UserPassAuth) Authenticate(vaultClient *api.Client) error {
 	utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data)
 
 	// If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping.
-	if err = utils.SetToken(vaultClient, data.Auth.ClientToken); err != nil {
+	if err = utils.SetToken(vaultClient, fmt.Sprintf("userpass_%s", a.Username), data.Auth.ClientToken); err != nil {
 		utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err)
 	}
 

diff --git a/pkg/auth/vault/userpass_test.go b/pkg/auth/vault/userpass_test.go
@@ -2,6 +2,7 @@ package vault_test
 
 import (
 	"bytes"
+	"fmt"
 	"testing"
 
 	"github.com/argoproj-labs/argocd-vault-plugin/pkg/auth/vault"
@@ -19,7 +20,7 @@ func TestUserPassLogin(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	cachedToken, err := utils.ReadExistingToken()
+	cachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_%s", username))
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}
@@ -29,12 +30,33 @@ func TestUserPassLogin(t *testing.T) {
 		t.Fatalf("expected no errors but got: %s", err)
 	}
 
-	newCachedToken, err := utils.ReadExistingToken()
+	newCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_%s", username))
 	if err != nil {
 		t.Fatalf("expected cached vault token but got: %s", err)
 	}
 
 	if bytes.Compare(cachedToken, newCachedToken) != 0 {
 		t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken)
 	}
+
+	// We create a new connection with a different approle and create a different cache
+	secondCluster, secondUsername, secondPassword := helpers.CreateTestUserPassVault(t)
+	defer secondCluster.Cleanup()
+
+	secondUserpass := vault.NewUserPassAuth(secondUsername, secondPassword, "")
+
+	err = secondUserpass.Authenticate(secondCluster.Cores[0].Client)
+	if err != nil {
+		t.Fatalf("expected no errors but got: %s", err)
+	}
+
+	secondCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_%s", secondUsername))
+	if err != nil {
+		t.Fatalf("expected cached vault token but got: %s", err)
+	}
+
+	// Both cache should be different
+	if bytes.Compare(cachedToken, secondCachedToken) == 0 {
+		t.Fatalf("expected different tokens but got %s", secondCachedToken)
+	}
 }