New: Initial commit

Author: ceecko

.github/workflows/release.yml

@@ -0,0 +1,40 @@
+name: CI/CD
+
+on: 
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Run tests
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.15.0'
+      - run: go version
+      - run: make test
+
+  release:
+    needs: test
+    if: ${{ github.event_name == 'workflow_dispatch' }}
+    runs-on: ubuntu-latest
+    name: Release a new version
+    env:
+      CLI_DIST_BRANCH: ${GITHUB_REF#refs/heads/}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.15.0'
+      - uses: actions/setup-node@v1
+        with:
+          node-version: '15'
+      - run: npm install
+      - run: npx semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,3 @@
+/artifacts/
+/bin/
+/node_modules/

.releaserc.yml

@@ -0,0 +1,29 @@
+plugins:
+  -
+    - '@semantic-release/commit-analyzer'
+    - preset: eslint
+  -
+    - '@semantic-release/release-notes-generator'
+    - preset: eslint
+  -
+    - '@semantic-release/changelog'
+    - changelogFile: CHANGELOG.md
+  -
+    - '@semantic-release/exec'
+    - prepareCmd: >
+        make CLI_DIST_VERSION=${nextRelease.gitTag} dist
+  -
+    - '@semantic-release/git'
+    - assets:
+      - CHANGELOG.md
+      message: >
+        Chore: Release ${nextRelease.version}
+
+        ${nextRelease.notes}
+  -
+    - '@semantic-release/github'
+    - assets:
+      - 'artifacts/*'
+      successComment: false
+      failComment: false
+      releasedLabels: false

LICENSE

@@ -0,0 +1,18 @@
+Copyright (c) 2020 EvenNode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Makefile

@@ -0,0 +1,68 @@
+#
+# Commands
+#
+
+export GIT ?= git
+export GO ?= go
+export MKDIR_P ?= mkdir -p
+export RM ?= rm -f
+export SHA256SUM ?= shasum -a 256
+export TAR ?= tar
+export ZIP_M ?= zip -m
+
+#
+# Variables
+#
+
+GOFLAGS ?=
+
+CLI_DIST_TARGETS ?= $(addprefix dist-bin-,darwin-amd64 windows-amd64 windows-386 linux-amd64 linux-386 linux-arm64 linux-arm freebsd-amd64 freebsd-386 freebsd-arm netbsd-amd64 netbsd-386 openbsd-amd64 openbsd-386 solaris-amd64)
+
+#
+#
+#
+
+export CLI_DIST_NAME := vault-plugin-secrets-oauth-client-credentials
+export CLI_DIST_VERSION ?= $(shell $(GIT) describe --tags --always --dirty)
+
+export ARTIFACTS_DIR := artifacts
+export BIN_DIR := bin
+
+#
+# Targets
+#
+
+.PHONY: all
+all: build
+
+$(ARTIFACTS_DIR) $(BIN_DIR):
+	$(MKDIR_P) $@
+
+.PHONY: generate
+generate:
+	$(GO) generate ./...
+
+.PHONY: build
+build: generate $(BIN_DIR)
+	$(GO) build $(GOFLAGS) -o $(BIN_DIR)/$(CLI_DIST_NAME) ./cmd/oauth
+
+.PHONY: test
+test: generate
+	$(GO) test $(GOFLAGS) ./...
+
+.PHONY: dist
+dist: $(CLI_DIST_TARGETS)
+
+.PHONY: clean
+clean:
+	$(RM) -r $(ARTIFACTS_DIR)/
+	$(RM) -r $(BIN_DIR)/
+
+.PHONY: $(CLI_DIST_TARGETS)
+$(CLI_DIST_TARGETS): export CGO_ENABLED = 0
+$(CLI_DIST_TARGETS): export GOFLAGS += -a
+$(CLI_DIST_TARGETS): export GOOS = $(word 1,$(subst -, ,$*))
+$(CLI_DIST_TARGETS): export GOARCH = $(subst $(CLI_EXT_$(GOOS)),,$(word 2,$(subst -, ,$*)))
+$(CLI_DIST_TARGETS): export LDFLAGS += -extldflags "-static"
+$(CLI_DIST_TARGETS): dist-bin-%: $(ARTIFACTS_DIR)
+	@scripts/dist

README.md

@@ -0,0 +1,93 @@
+# vault-plugin-secrets-oauth-client-credentials
+
+This is a standalone secrets engine plugin for use with [Hashicorp
+Vault](https://www.github.com/hashicorp/vault).
+
+This plugin provides a secure wrapper around OAuth 2 authorization client credentials grant, also know as 2-legged OAuth which does not require authorization.  
+Client credentials grant is used by clients to obtain an access token outside of the context of a user.  This is typically used by clients to access resources about themselves rather than to access a user's resources.
+
+## Usage
+
+Download plugin's binary and [register the plugin with Vault](https://www.vaultproject.io/docs/internals/plugins.html#plugin-registration). We will assume it is registered under the name
+`oauthapp`.
+
+Mount the plugin at the path of your choosing:
+
+```console
+$ vault secrets enable -path=oauth2/my-provider oauthapp
+Success! Enabled the oauthapp secrets engine at: oauth2/my-provider/
+```
+
+Configure it with the necessary information to exchange tokens. Token URL shall point to an endpoint for obtaining tokens from your provider (it usually ends with `/token`).
+
+```console
+$ vault write oauth2/my-provider/config \
+    client_id=hOEvqqbHVlSNpuvY \
+    client_secret=6q2xrjZOJ1R9MfUvUxJzFAk \
+    token_url=https://example.com/token \
+    scopes=read.user,read.org
+Success! Data written to: oauth2/my-provider/config
+```
+
+Once the client secret has been written, it will never be exposed again.
+
+To retrieve a token, read from the `/creds/:name` endpoint. The `name` identifier can be any arbitrary string.
+
+```console
+$ vault read oauth2/my-provider/creds/my-user
+Key             Value
+---             -----
+access_token    RRcJk5r2BBUKsIquXaoVJfnSUX6uTkVReSaEthrgJmd8p9xlWPD0d0ADFgW5p6Glki5UNGEBGr6hWCEu
+expires         2020-10-25T13:43:56.6282713+01:00
+```
+
+You can override default scopes by specifying `scopes` parameter. This returns a new token with a new scope.
+```console
+$ vault read oauth2/my-provider/creds/my-user scopes=write.user,write.org
+Key             Value
+---             -----
+access_token    vy7f9quvazKypM4FJ4WQMLCHkUEcDb2Z3ZifSWMi94Ur40Z3xf13dOj6Cydkp7vdoNRLQD2eOMFy0r2L
+expires         2020-10-25T13:44:07.1123581+01:00
+```
+
+The client secret is never exposed to Vault clients.
+
+
+## Endpoints
+
+### `config`
+
+#### `GET` (`read`)
+
+Retrieve the current configuration settings (except the client secret).
+
+#### `PUT` (`write`)
+
+Write new configuration settings. This endpoint completely replaces the existing
+configuration.
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|----------|
+| `client_id` | The OAuth 2.0 client ID. | String | None | Yes |
+| `client_secret` | The OAuth 2.0 client secret. | String | None | Yes |
+| `token_url` | URL to obtain access tokens. | String | None | Yes |
+| `scopes` | Comma separated list of default explicit scopes. | List of String | None | No |
+
+#### `DELETE` (`delete`)
+
+Remove the current configuration. This does not invalidate any existing access
+tokens.
+
+### `creds/:name`
+
+#### `GET` (`read`)
+
+Retrieve a current access token for the given credential.
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|----------|
+| `scopes` | A comma separated list of explicit scopes to override default scopes from config. If not specified, default `scopes` from config are used. | List of String | None | No |
+
+#### `DELETE` (`delete`)
+
+Remove the credential information from storage. This removes all scopes identified by the credential's `name`.

cmd/oauth/main.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"os"
+
+	"github.com/evennode/vault-plugin-secrets-oauth-client-credentials/pkg/backend"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/plugin"
+)
+
+func main() {
+	meta := &api.PluginAPIClientMeta{}
+
+	flags := meta.FlagSet()
+	flags.Parse(os.Args[1:])
+
+	err := plugin.Serve(&plugin.ServeOpts{
+		BackendFactoryFunc: backend.Factory,
+		TLSProviderFunc:    api.VaultPluginTLSProvider(meta.GetTLSConfig()),
+	})
+	if err != nil {
+		logger := hclog.New(&hclog.LoggerOptions{})
+
+		logger.Error("plugin shutting down", "error", err)
+		os.Exit(1)
+	}
+}

go.mod

@@ -0,0 +1,11 @@
+module github.com/evennode/vault-plugin-secrets-oauth-client-credentials
+
+go 1.15
+
+require (
+	github.com/hashicorp/go-hclog v0.14.1
+	github.com/hashicorp/vault/api v1.0.4
+	github.com/hashicorp/vault/sdk v0.1.14-0.20190909201848-e0fbf9b652e2
+	github.com/stretchr/testify v1.6.1
+	golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43
+)