Skip to main content

vault_client_rs/api/auth/
mod.rs

1pub mod approle;
2pub mod aws;
3pub mod azure;
4pub mod cert;
5pub mod gcp;
6pub mod github;
7pub mod kerberos;
8pub mod kubernetes;
9pub mod ldap;
10pub mod oidc;
11pub mod radius;
12pub mod token;
13pub mod userpass;
14
15use std::future::Future;
16use std::pin::Pin;
17
18use crate::VaultClient;
19use crate::api::traits::{
20    AppRoleAuthOperations, AwsAuthOperations, AzureAuthOperations, GcpAuthOperations,
21    GithubAuthOperations, K8sAuthOperations, LdapAuthOperations, OidcAuthOperations,
22    UserpassAuthOperations,
23};
24use crate::client::encode_path;
25use crate::types::aws::AwsAuthLoginRequest;
26use crate::types::error::VaultError;
27use crate::types::response::AuthInfo;
28use crate::types::secret::SecretString;
29
30#[derive(Debug)]
31pub struct AuthHandler<'a> {
32    pub(crate) client: &'a VaultClient,
33}
34
35impl<'a> AuthHandler<'a> {
36    #[must_use]
37    pub fn token(&self) -> token::TokenAuthHandler<'a> {
38        token::TokenAuthHandler {
39            client: self.client,
40        }
41    }
42
43    #[must_use]
44    pub fn approle(&self) -> approle::AppRoleAuthHandler<'a> {
45        self.approle_at("approle")
46    }
47
48    #[must_use]
49    pub fn approle_at(&self, mount: &str) -> approle::AppRoleAuthHandler<'a> {
50        approle::AppRoleAuthHandler {
51            client: self.client,
52            mount: encode_path(mount),
53        }
54    }
55
56    #[must_use]
57    pub fn kubernetes(&self) -> kubernetes::K8sAuthHandler<'a> {
58        self.kubernetes_at("kubernetes")
59    }
60
61    #[must_use]
62    pub fn kubernetes_at(&self, mount: &str) -> kubernetes::K8sAuthHandler<'a> {
63        kubernetes::K8sAuthHandler {
64            client: self.client,
65            mount: encode_path(mount),
66        }
67    }
68
69    #[must_use]
70    pub fn userpass(&self) -> userpass::UserpassAuthHandler<'a> {
71        self.userpass_at("userpass")
72    }
73
74    #[must_use]
75    pub fn userpass_at(&self, mount: &str) -> userpass::UserpassAuthHandler<'a> {
76        userpass::UserpassAuthHandler {
77            client: self.client,
78            mount: encode_path(mount),
79        }
80    }
81
82    #[must_use]
83    pub fn ldap(&self) -> ldap::LdapAuthHandler<'a> {
84        self.ldap_at("ldap")
85    }
86
87    #[must_use]
88    pub fn ldap_at(&self, mount: &str) -> ldap::LdapAuthHandler<'a> {
89        ldap::LdapAuthHandler {
90            client: self.client,
91            mount: encode_path(mount),
92        }
93    }
94
95    #[must_use]
96    pub fn cert(&self) -> cert::CertAuthHandler<'a> {
97        self.cert_at("cert")
98    }
99
100    #[must_use]
101    pub fn cert_at(&self, mount: &str) -> cert::CertAuthHandler<'a> {
102        cert::CertAuthHandler {
103            client: self.client,
104            mount: encode_path(mount),
105        }
106    }
107
108    #[must_use]
109    pub fn github(&self) -> github::GithubAuthHandler<'a> {
110        self.github_at("github")
111    }
112
113    #[must_use]
114    pub fn github_at(&self, mount: &str) -> github::GithubAuthHandler<'a> {
115        github::GithubAuthHandler {
116            client: self.client,
117            mount: encode_path(mount),
118        }
119    }
120
121    #[must_use]
122    pub fn oidc(&self) -> oidc::OidcAuthHandler<'a> {
123        self.oidc_at("oidc")
124    }
125
126    #[must_use]
127    pub fn oidc_at(&self, mount: &str) -> oidc::OidcAuthHandler<'a> {
128        oidc::OidcAuthHandler {
129            client: self.client,
130            mount: encode_path(mount),
131        }
132    }
133
134    #[must_use]
135    pub fn jwt(&self) -> oidc::OidcAuthHandler<'a> {
136        self.oidc_at("jwt")
137    }
138
139    #[must_use]
140    pub fn jwt_at(&self, mount: &str) -> oidc::OidcAuthHandler<'a> {
141        self.oidc_at(mount)
142    }
143
144    #[must_use]
145    pub fn aws(&self) -> aws::AwsAuthHandler<'a> {
146        self.aws_at("aws")
147    }
148
149    #[must_use]
150    pub fn aws_at(&self, mount: &str) -> aws::AwsAuthHandler<'a> {
151        aws::AwsAuthHandler {
152            client: self.client,
153            mount: encode_path(mount),
154        }
155    }
156
157    #[must_use]
158    pub fn azure(&self) -> azure::AzureAuthHandler<'a> {
159        self.azure_at("azure")
160    }
161
162    #[must_use]
163    pub fn azure_at(&self, mount: &str) -> azure::AzureAuthHandler<'a> {
164        azure::AzureAuthHandler {
165            client: self.client,
166            mount: encode_path(mount),
167        }
168    }
169
170    #[must_use]
171    pub fn gcp(&self) -> gcp::GcpAuthHandler<'a> {
172        self.gcp_at("gcp")
173    }
174
175    #[must_use]
176    pub fn gcp_at(&self, mount: &str) -> gcp::GcpAuthHandler<'a> {
177        gcp::GcpAuthHandler {
178            client: self.client,
179            mount: encode_path(mount),
180        }
181    }
182
183    #[must_use]
184    pub fn radius(&self) -> radius::RadiusAuthHandler<'a> {
185        self.radius_at("radius")
186    }
187
188    #[must_use]
189    pub fn radius_at(&self, mount: &str) -> radius::RadiusAuthHandler<'a> {
190        radius::RadiusAuthHandler {
191            client: self.client,
192            mount: encode_path(mount),
193        }
194    }
195
196    #[must_use]
197    pub fn kerberos(&self) -> kerberos::KerberosAuthHandler<'a> {
198        self.kerberos_at("kerberos")
199    }
200
201    #[must_use]
202    pub fn kerberos_at(&self, mount: &str) -> kerberos::KerberosAuthHandler<'a> {
203        kerberos::KerberosAuthHandler {
204            client: self.client,
205            mount: encode_path(mount),
206        }
207    }
208}
209
210// ---------------------------------------------------------------------------
211// AuthMethod trait
212// ---------------------------------------------------------------------------
213
214/// Pluggable authentication method
215///
216/// Implementors store their own credentials and produce an `AuthInfo` on login
217pub trait AuthMethod: Send + Sync {
218    fn login<'a>(
219        &'a self,
220        client: &'a VaultClient,
221    ) -> impl Future<Output = Result<AuthInfo, VaultError>> + Send + 'a;
222}
223
224/// Object-safe version of `AuthMethod` for dynamic dispatch inside the client
225pub(crate) trait AuthMethodDyn: Send + Sync {
226    fn login_dyn<'a>(
227        &'a self,
228        client: &'a VaultClient,
229    ) -> Pin<Box<dyn Future<Output = Result<AuthInfo, VaultError>> + Send + 'a>>;
230}
231
232impl<T: AuthMethod> AuthMethodDyn for T {
233    fn login_dyn<'a>(
234        &'a self,
235        client: &'a VaultClient,
236    ) -> Pin<Box<dyn Future<Output = Result<AuthInfo, VaultError>> + Send + 'a>> {
237        Box::pin(self.login(client))
238    }
239}
240
241/// Self-contained AppRole login credentials
242pub struct AppRoleLogin {
243    pub role_id: String,
244    pub secret_id: SecretString,
245    pub mount: String,
246}
247
248impl AuthMethod for AppRoleLogin {
249    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
250        client
251            .auth()
252            .approle_at(&self.mount)
253            .login(&self.role_id, &self.secret_id)
254            .await
255    }
256}
257
258/// Self-contained Kubernetes login credentials
259pub struct K8sLogin {
260    pub role: String,
261    pub jwt: SecretString,
262    pub mount: String,
263}
264
265impl AuthMethod for K8sLogin {
266    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
267        client
268            .auth()
269            .kubernetes_at(&self.mount)
270            .login(&self.role, &self.jwt)
271            .await
272    }
273}
274
275/// Self-contained userpass login credentials
276pub struct UserpassLogin {
277    pub username: String,
278    pub password: SecretString,
279    pub mount: String,
280}
281
282impl AuthMethod for UserpassLogin {
283    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
284        client
285            .auth()
286            .userpass_at(&self.mount)
287            .login(&self.username, &self.password)
288            .await
289    }
290}
291
292/// Self-contained LDAP login credentials
293pub struct LdapLogin {
294    pub username: String,
295    pub password: SecretString,
296    pub mount: String,
297}
298
299impl AuthMethod for LdapLogin {
300    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
301        client
302            .auth()
303            .ldap_at(&self.mount)
304            .login(&self.username, &self.password)
305            .await
306    }
307}
308
309/// Self-contained GitHub login credentials
310pub struct GithubLogin {
311    pub token: SecretString,
312    pub mount: String,
313}
314
315impl AuthMethod for GithubLogin {
316    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
317        client
318            .auth()
319            .github_at(&self.mount)
320            .login(&self.token)
321            .await
322    }
323}
324
325/// Self-contained JWT login credentials (for the jwt/oidc backend)
326pub struct JwtLogin {
327    pub role: String,
328    pub jwt: SecretString,
329    pub mount: String,
330}
331
332impl AuthMethod for JwtLogin {
333    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
334        client
335            .auth()
336            .oidc_at(&self.mount)
337            .login_jwt(&self.role, &self.jwt)
338            .await
339    }
340}
341
342/// Self-contained AWS login credentials
343pub struct AwsLogin {
344    pub params: AwsAuthLoginRequest,
345    pub mount: String,
346}
347
348impl AuthMethod for AwsLogin {
349    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
350        client.auth().aws_at(&self.mount).login(&self.params).await
351    }
352}
353
354/// Self-contained Azure login credentials
355pub struct AzureLogin {
356    pub role: String,
357    pub jwt: SecretString,
358    pub subscription_id: Option<String>,
359    pub resource_group_name: Option<String>,
360    pub vm_name: Option<String>,
361    pub vmss_name: Option<String>,
362    pub mount: String,
363}
364
365impl AuthMethod for AzureLogin {
366    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
367        client
368            .auth()
369            .azure_at(&self.mount)
370            .login(
371                &self.role,
372                &self.jwt,
373                self.subscription_id.as_deref(),
374                self.resource_group_name.as_deref(),
375                self.vm_name.as_deref(),
376                self.vmss_name.as_deref(),
377            )
378            .await
379    }
380}
381
382/// Self-contained GCP login credentials
383pub struct GcpLogin {
384    pub role: String,
385    pub jwt: SecretString,
386    pub mount: String,
387}
388
389impl AuthMethod for GcpLogin {
390    async fn login(&self, client: &VaultClient) -> Result<AuthInfo, VaultError> {
391        client
392            .auth()
393            .gcp_at(&self.mount)
394            .login(&self.role, &self.jwt)
395            .await
396    }
397}