Adding headers to Vault for metadata logging (#15)

Author: pclata

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## v0.1.2 (2021-06-14)
+### Changed
+* Adding HTTP headers to Vault client for logging (e.g. transaction ID)
+
 ## v0.1.1 (2021-06-09)
 ### Fixed
 * Add additional valid status codes for Vault health check

service/handlers.go

@@ -14,6 +14,7 @@ import (
 	"github.com/argoproj-labs/argo-cloudops/internal/env"
 	"github.com/argoproj-labs/argo-cloudops/service/internal/credentials"
 	"github.com/argoproj-labs/argo-cloudops/service/internal/workflow"
+	vault "github.com/hashicorp/vault/api"
 
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/distribution/distribution/reference"
@@ -72,12 +73,14 @@ var isStringAlphaNumericUnderscore = regexp.MustCompile(`^([a-zA-Z])[a-zA-Z0-9_]
 // HTTP handler
 type handler struct {
 	logger                 log.Logger
-	newCredentialsProvider func(a credentials.Authorization) (credentials.Provider, error)
+	newCredentialsProvider func(a credentials.Authorization, svc *vault.Client) (credentials.Provider, error)
 	argo                   workflow.Workflow
 	argoCtx                context.Context
 	config                 *Config
 	gitClient              gitClient
 	env                    env.EnvVars
+	newCredsProviderSvc    func(c credentials.VaultConfig, h http.Header) (*vault.Client, error)
+	vaultConfig            credentials.VaultConfig
 }
 
 // Validates workflow parameters
@@ -210,7 +213,7 @@ func (h handler) createWorkflowFromGit(w http.ResponseWriter, r *http.Request) {
 
 	level.Debug(l).Log("message", "creating workflow")
 	cwr.Type = cgwr.Type
-	h.createWorkflowFromRequest(ctx, w, a, cwr, l)
+	h.createWorkflowFromRequest(ctx, w, r, a, cwr, l)
 }
 
 // Creates a workflow
@@ -245,11 +248,11 @@ func (h handler) createWorkflow(w http.ResponseWriter, r *http.Request) {
 	}
 
 	level.Debug(l).Log("message", "creating workflow")
-	h.createWorkflowFromRequest(ctx, w, a, cwr, l)
+	h.createWorkflowFromRequest(ctx, w, r, a, cwr, l)
 }
 
 // Creates a workflow
-func (h handler) createWorkflowFromRequest(ctx context.Context, w http.ResponseWriter, a *credentials.Authorization, cwr createWorkflowRequest, l log.Logger) {
+func (h handler) createWorkflowFromRequest(ctx context.Context, w http.ResponseWriter, r *http.Request, a *credentials.Authorization, cwr createWorkflowRequest, l log.Logger) {
 	level.Debug(l).Log("message", "validating workflow parameters")
 	if err := h.validateWorkflowParameters(cwr.Parameters); err != nil {
 		level.Error(l).Log("message", "error in parameters", "error", err)
@@ -329,8 +332,15 @@ func (h handler) createWorkflowFromRequest(ctx context.Context, w http.ResponseW
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating new credentials provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "bad or unknown credentials provider", "error", err)
 		h.errorResponse(w, "bad or unknown credentials provider", http.StatusInternalServerError, err)
@@ -445,8 +455,15 @@ func (h handler) getTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating credential provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "error creating credentials provider", "error", err)
 		h.errorResponse(w, "error creating credentials provider", http.StatusBadRequest, err)
@@ -564,8 +581,15 @@ func (h handler) createProject(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating credential provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "error creating credentials provider", "error", err)
 		h.errorResponse(w, "error creating credentials provider", http.StatusBadRequest, err)
@@ -633,8 +657,15 @@ func (h handler) getProject(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating credential provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "error creating credentials provider", "error", err)
 		h.errorResponse(w, "error creating credentials provider", http.StatusBadRequest, err)
@@ -674,8 +705,15 @@ func (h handler) deleteProject(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating credential provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "error creating credentials provider", "error", err)
 		h.errorResponse(w, "error creating credentials provider", http.StatusBadRequest, err)
@@ -760,8 +798,15 @@ func (h handler) createTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating credential provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "error creating credentials provider", "error", err)
 		h.errorResponse(w, "error creating credentials provider", http.StatusInternalServerError, err)
@@ -845,8 +890,15 @@ func (h handler) deleteTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating credential provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "error creating credentials provider", "error", err)
 		h.errorResponse(w, "error creating credentials provider", http.StatusBadRequest, err)
@@ -886,8 +938,15 @@ func (h handler) listTargets(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	cpSvc, err := h.newCredsProviderSvc(h.vaultConfig, r.Header)
+	if err != nil {
+		level.Error(l).Log("message", "error creating credentials provider service", "error", err)
+		h.errorResponse(w, "error creating credentials provider service", http.StatusBadRequest, err)
+		return
+	}
+
 	level.Debug(l).Log("message", "creating credential provider")
-	cp, err := h.newCredentialsProvider(*a)
+	cp, err := h.newCredentialsProvider(*a, cpSvc)
 	if err != nil {
 		level.Error(l).Log("message", "error creating credentials provider", "error", err)
 		h.errorResponse(w, "error creating credentials provider", http.StatusInternalServerError, err)

service/handlers_test.go

@@ -12,8 +12,8 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/argoproj-labs/argo-cloudops/service/internal/credentials"
 	"github.com/argoproj-labs/argo-cloudops/internal/env"
+	"github.com/argoproj-labs/argo-cloudops/service/internal/credentials"
 	"github.com/argoproj-labs/argo-cloudops/service/internal/workflow"
 
 	"github.com/go-kit/kit/log"
@@ -62,15 +62,12 @@ func (m mockWorkflowSvc) Submit(ctx context.Context, from string, parameters map
 	return "success", nil
 }
 
-func newMockProvider(svc *vault.Client) func(a credentials.Authorization) (credentials.Provider, error) {
-	return func(a credentials.Authorization) (credentials.Provider, error) {
-		return &mockCredentialsProvider{}, nil
-	}
+func newMockProvider(a credentials.Authorization, svc *vault.Client) (credentials.Provider, error) {
+	return &mockCredentialsProvider{}, nil
 }
 
 type mockCredentialsProvider struct{}
 
-
 func (m mockCredentialsProvider) GetToken() (string, error) {
 	return testPassword, nil
 }
@@ -133,6 +130,10 @@ func (m mockCredentialsProvider) TargetExists(name string) (bool, error) {
 	return false, nil
 }
 
+func mockCredsProvSvc(c credentials.VaultConfig, h http.Header) (*vault.Client, error) {
+	return &vault.Client{}, nil
+}
+
 type test struct {
 	name    string
 	req     interface{}
@@ -580,13 +581,15 @@ func executeRequest(method string, url string, body *bytes.Buffer, asAdmin bool)
 
 	h := handler{
 		logger:                 log.NewNopLogger(),
-		newCredentialsProvider: newMockProvider(nil),
+		newCredentialsProvider: newMockProvider,
 		argo:                   mockWorkflowSvc{},
 		config:                 config,
 		gitClient:              newMockGitClient(),
+		newCredsProviderSvc:    mockCredsProvSvc,
 		env: env.EnvVars{
 			AdminSecret: testPassword},
 	}
+
 	var router = setupRouter(h)
 	req, _ := http.NewRequest(method, url, body)
 	authorizationHeader := "vault:user:" + testPassword

service/internal/credentials/vault.go

@@ -3,6 +3,7 @@ package credentials
 import (
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 
 	vault "github.com/hashicorp/vault/api"
@@ -51,15 +52,51 @@ type VaultProvider struct {
 }
 
 // Returns a new vaultCredentialsProvider
-func NewVaultProvider(svc *vault.Client) func(a Authorization) (Provider, error) {
-	return func(a Authorization) (Provider, error) {
-		return &VaultProvider{
-			vaultLogicalSvc: vaultLogical(svc.Logical()),
-			vaultSysSvc:     vaultSys(svc.Sys()),
-			roleID:          a.Key,
-			secretID:        a.Secret,
-		}, nil
+func NewVaultProvider(a Authorization, svc *vault.Client) (Provider, error) {
+	return &VaultProvider{
+		vaultLogicalSvc: vaultLogical(svc.Logical()),
+		vaultSysSvc:     vaultSys(svc.Sys()),
+		roleID:          a.Key,
+		secretID:        a.Secret,
+	}, nil
+}
+
+type VaultConfig struct {
+	config *vault.Config
+	role   string
+	secret string
+}
+
+// NewVaultConfig returns a new VaultConfig.
+func NewVaultConfig(config *vault.Config, role, secret string) *VaultConfig {
+	return &VaultConfig{
+		config: config,
+		role:   role,
+		secret: secret,
+	}
+}
+
+// TODO before open sourcing we should provide the token instead of generating it
+func NewVaultSvc(c VaultConfig, h http.Header) (*vault.Client, error) {
+	vaultSvc, err := vault.NewClient(c.config)
+	if err != nil {
+		return nil, err
 	}
+
+	vaultSvc.SetHeaders(h)
+
+	options := map[string]interface{}{
+		"role_id":   c.role,
+		"secret_id": c.secret,
+	}
+
+	sec, err := vaultSvc.Logical().Write("auth/approle/login", options)
+	if err != nil {
+		return nil, err
+	}
+
+	vaultSvc.SetToken(sec.Auth.ClientToken)
+	return vaultSvc, nil
 }
 
 // Authorization represents a user's authorization token.

service/main.go

@@ -36,12 +36,6 @@ func main() {
 	}
 	level.Info(logger).Log("message", fmt.Sprintf("loading config '%s' completed", env.ConfigFilePath))
 
-	vaultSvc, err := newVaultSvc(env.VaultAddress, env.VaultRole, env.VaultSecret)
-	if err != nil {
-		level.Error(logger).Log("message", "error creating vault service client", "error", err)
-		panic("error creating vault service client")
-	}
-
 	gitClient, err := newBasicGitClient(env.SSHPEMFile)
 	if err != nil {
 		level.Error(logger).Log("message", "error creating git client", "error", err)
@@ -56,12 +50,18 @@ func main() {
 	// setupRouter and applying it to the request will wipe out Mux vars (or any other data Mux sets in its context).
 	h := handler{
 		logger:                 logger,
-		newCredentialsProvider: credentials.NewVaultProvider(vaultSvc),
+		newCredentialsProvider: credentials.NewVaultProvider,
 		argo:                   workflow.NewArgoWorkflow(argoClient.NewWorkflowServiceClient(), env.ArgoNamespace),
 		argoCtx:                argoCtx,
 		config:                 config,
 		gitClient:              gitClient,
 		env:                    env,
+		// Function that the handler will use to create a Vault svc using the vaultConfig below.
+		// Vault svc needs to be created within the handler methods because Vault uses headers
+		// to add metadata (e.g. transaction ID) to its logs.
+		newCredsProviderSvc: credentials.NewVaultSvc,
+		// A Vault config is needed to be able to create a Vault service from within the handlers.
+		vaultConfig: *credentials.NewVaultConfig(&vault.Config{Address: env.VaultAddress}, env.VaultRole, env.VaultSecret),
 	}
 
 	level.Info(logger).Log("message", "starting web service", "vault addr", env.VaultAddress, "argoAddr", env.ArgoAddress)
@@ -82,29 +82,3 @@ func setLogLevel(logger *log.Logger, logLevel string) {
 		*logger = level.NewFilter(*logger, level.AllowInfo())
 	}
 }
-
-// TODO before open sourcing we should provide the token instead of generating it
-func newVaultSvc(vaultAddr, role, secret string) (*vault.Client, error) {
-	config := &vault.Config{
-		Address: vaultAddr,
-	}
-
-	vaultSvc, err := vault.NewClient(config)
-	if err != nil {
-		return nil, err
-
-	}
-
-	options := map[string]interface{}{
-		"role_id":   role,
-		"secret_id": secret,
-	}
-
-	sec, err := vaultSvc.Logical().Write("auth/approle/login", options)
-	if err != nil {
-		return nil, err
-	}
-
-	vaultSvc.SetToken(sec.Auth.ClientToken)
-	return vaultSvc, nil
-}