Implements auth via Kubernetes serviceaccount (https://www.vaultproject.io/api-docs/auth/kubernetes)

Also: Added basic tests for all endpoints, except login. The reason being that it seems to require a dockertest server with a webserver that can simulate a TokenReviewResponse from a k8s apiserver. I think adding something like "httpmock" to you dockertest-server repository could do the trick? Perhaps, except that Vault requires TLS-connections to the APIserver, so it would require a TLS-proxy container as well, or a specialized docker image for handling all of the above.

tldr, it was too much work for me to find a fitting solution for this at the moment. I would like to request help/suggestions for implementing the login test later at some point.

Hi!

I found an issue with the builder for VaultClientSettings.

The following code panics:

fn main() {
    // VAULT_TOKEN and VAULT_ADDR are both set in the environment

    println!("Building without specifying a token...");
    let settings = VaultClientSettingsBuilder::default()
        .address("https://127.0.0.1:8200")
        .build()
        .unwrap(); // works

    println!("{settings:?}");

    println!("Building without specifying an addr...");
    let settings = VaultClientSettingsBuilder::default()
        .token("TOKEN")
        .build() // panics!
        .unwrap();

    println!("{settings:?}");
}

The panic comes from VaultClientSettingsBuilder::validate which unwrap()s self.address.as_ref().

The problem is that according to derive_builder's documentation

Default values are applied after validation, and will therefore not be validated!

So, validate() is called before default_addr() sets anything, making the unwrap panic.

I have created an issue with derive_builder, because I think validation should happen after applying defaults. However, I think the panic here is still avoidable.

See this PR: #30

Implements AWS auth (https://www.vaultproject.io/api-docs/auth/aws).

I'm still working on the tests and I'm going to use localstack for this. Vault AWS API has some deprecated endpoints. Do you have any suggestions on how to support them (and whether to support them at all)?

Thought I'd take a shot at this one. Closes #8.

I've added spans to every operation I can find, but I haven't added any additional log messages yet.

Looks like it would be good to implement this in the rustify crate as well. In Client::execute for example.

Resolves #5

This implements most of the transit secrets engine API, minus importing external keys or batch_input parameters (but would be easy enough to add on top).

Unfortunately, the reqwest default is "no timeout", which causes apps to hang indefinitely for us.

I figured setting the generic timeout is sufficient for now (not implementing a separate connection-timeout settings mapping on purpose), since reqwest "timeout" covers the entire connection lifecycle.

cc @jmgilman

I am writing a program to unseal Vault(s) over the API. For this purpose, I need Unseal support for the API so I made it.

As per my own testing with my own code, unseal works with these changes.

The Vault Unseal API doc can be found here: https://www.vaultproject.io/api-docs/system/unseal

Thanks & sorry :-)

Added support for key value v1. I inspired code structure from existing kv2 implementation and tried to follow contributing guide.

I'm quite new to Rust, sorry if some things are messy. Feel free to point them out I'll happily improve them :)

I need to use the compare-and-swap feature of vault and see that it is not currently supported.

I think it would be fairly simple to add here via something like:

#[derive(Builder, Debug, Endpoint)]
#[endpoint(
    path = "{self.mount}/data/{self.path}",
    response = "SecretVersionMetadata",
    method = "POST",
    builder = "true"
)]
#[builder(setter(into))]
pub struct SetSecretRequest {
    #[endpoint(skip)]
    pub mount: String,
    #[endpoint(skip)]
    pub path: String,
    pub data: Value,
    pub options: Option<SetSecretRequestOptions>,
}

#[derive(Builder, Clone, Debug, serde::Serialize)]
#[builder(setter(into))]
pub struct SetSecretRequestOptions {
    pub cas: u32,
}

is this a feature that would be accepted if I open a PR?

Hi,

This is an attempt to fix the issue #31.

The difference here (when compared to strconv.ParseBool) is that in the original Vault implementation any other value returns an error, and here I'm keeping the default as true (at least for now) to avoid modifying the function's signature.

I added serial_test to dev-dependencies to make the tests related to this feature run sequentially, and avoid one test to overwrite the VAULT_SKIP_VERIFY value previously set by the other.

Please let me know if there is anything I need to fix.

Hi,

this is the PR attempting to solve #29

Let me know, if you'd like me to make any changes. The test file I've added is kept fairly simple...

Cheers, R

Hi, our infrastructure configures the vault server to require mTLS connections, which requires configuring client certificates for the http connection.

Also, our client certificates are encrypted with a passphrase, so they need to be decrypted before configuring them in the reqwest builder.

We started a contribution to this project (now closed), but soon we realised that it was not enough and the implementation was a bit trickier than expected, so we decided to use a custom Client in our side until this feature is fully supported here.

We are still aiming at helping with that, but it definitively requires some guidance from the maintainers:

• How can we decrypt the certificates when the rustls feature is enabled?
• In case that we leave the decryption out of this lib, is it ok to change String to be a Vec<u8> for the settings involving the client cert, key and passphrase? That would allow the client decrypt them and pass the raw bytes to the lib.
• What about changing the ca_cert into a Vec<u8> in case we leave the reading of the CA stack to the user too?

Thanks!

It may also fail during other times as well, but it definitely doesn't work in that configuration.

A line of documentation somewhere prominent that versioning is required would be nice.

Adds new auth engine: LDAP.

Also attempt at adding a test for said engine but while manual test seems to work just fine (example added in a comment) but automated test fails to bind as a user (probably missing some knowledge on how docker_servertest localstack works)

ansi_term is Unmaintained

| Details | | | ------------------- | ---------------------------------------------- | | Status | unmaintained | | Package | ansi_term | | Version | 0.12.1 | | URL | https://github.com/ogham/rust-ansi-term/issues/72 | | Date | 2021-08-18 |

The maintainer has adviced that this crate is deprecated and will not receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

• anstyle
• console
• nu-ansi-term
• owo-colors
• yansi

Dependency Specific Migration(s)

• structopt, clap2

See advisory page for additional details.