helm-external-secrets/pkg/provider/vault/util/vault.go

/*
Copyright © 2025 ESO Maintainer Team

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package vaultutil provides utility types and functions for interacting with HashiCorp Vault.
package vaultutil

import (
	"context"

	"github.com/aws/aws-sdk-go/aws/credentials"
	vault "github.com/hashicorp/vault/api"
)

// JwtProviderFactory is a function type that creates a JWT credentials provider.
type JwtProviderFactory func(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error)

// Auth defines the interface for Vault authentication.
type Auth interface {
	Login(ctx context.Context, authMethod vault.AuthMethod) (*vault.Secret, error)
}

// Token defines the interface for Vault token operations.
type Token interface {
	RevokeSelfWithContext(ctx context.Context, token string) error
	LookupSelfWithContext(ctx context.Context) (*vault.Secret, error)
}

// Logical defines the interface for Vault's logical operations.
type Logical interface {
	ReadWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*vault.Secret, error)
	ListWithContext(ctx context.Context, path string) (*vault.Secret, error)
	WriteWithContext(ctx context.Context, path string, data map[string]any) (*vault.Secret, error)
	DeleteWithContext(ctx context.Context, path string) (*vault.Secret, error)
}

// Client defines the interface for a Vault client with methods for token management,
// authentication, and secret operations.
type Client interface {
	SetToken(v string)
	Token() string
	ClearToken()
	Auth() Auth
	Logical() Logical
	AuthToken() Token
	Namespace() string
	SetNamespace(namespace string)
	AddHeader(key, value string)
}

// VaultClient is a wrapper around the HashiCorp Vault API client that provides
// methods for authentication, token management, and secret operations.
type VaultClient struct {
	SetTokenFunc     func(v string)
	TokenFunc        func() string
	ClearTokenFunc   func()
	AuthField        Auth
	LogicalField     Logical
	AuthTokenField   Token
	NamespaceFunc    func() string
	SetNamespaceFunc func(namespace string)
	AddHeaderFunc    func(key, value string)
}

// AddHeader adds a header to all requests using the provided key, value pair.
func (v VaultClient) AddHeader(key, value string) {
	v.AddHeaderFunc(key, value)
}

// Namespace returns the current Vault namespace.
func (v VaultClient) Namespace() string {
	return v.NamespaceFunc()
}

// SetNamespace sets the Vault namespace to use for requests.
func (v VaultClient) SetNamespace(namespace string) {
	v.SetNamespaceFunc(namespace)
}

// ClearToken clears the Vault token.
func (v VaultClient) ClearToken() {
	v.ClearTokenFunc()
}

// Token returns the current Vault token.
func (v VaultClient) Token() string {
	return v.TokenFunc()
}

// SetToken sets the Vault token to use for requests.
func (v VaultClient) SetToken(token string) {
	v.SetTokenFunc(token)
}

// Auth returns the Auth interface for authentication operations.
func (v VaultClient) Auth() Auth {
	return v.AuthField
}

// AuthToken returns the Token interface for token operations.
func (v VaultClient) AuthToken() Token {
	return v.AuthTokenField
}

// Logical returns the Logical interface for secret operations.
func (v VaultClient) Logical() Logical {
	return v.LogicalField
}