bloomberg · pawalt · Jan 2, 2020 · Jan 2, 2020 · Jan 3, 2020 · Jan 3, 2020
diff --git a/Makefile b/Makefile
@@ -3,5 +3,11 @@ all: build
 build: clean cmd/plugin/vault-auth-spire.go
 	GOOS=linux GOARCH=amd64 go build -o vault-auth-spire cmd/plugin/vault-auth-spire.go
 
+test:
+	go test ./...
+
+lint:
+	golint ./...
+
 clean:
 	@rm -f vault-auth-spire
diff --git a/cmd/plugin/vault-auth-spire.go b/cmd/plugin/vault-auth-spire.go
@@ -20,10 +20,12 @@ import (
 	"context"
 	"errors"
 	"flag"
+	"fmt"
+
+	"github.com/bloomberg/vault-auth-spire/internal/common"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/sirupsen/logrus"
-	"vault-auth-spire/internal/common"
 
 	"log"
 	"os"
@@ -69,7 +71,7 @@ func standardVaultPluginInit() {
 func BackendFactory(ctx context.Context, backendConfig *logical.BackendConfig) (logical.Backend, error) {
 
 	settings, err := parseSettings()
-	if nil != err {
+	if err != nil {
 		return nil, err
 	}
 
@@ -105,14 +107,23 @@ func BackendFactory(ctx context.Context, backendConfig *logical.BackendConfig) (
 
 	spirePlugin.verifier = common.NewSvidVerifier()
 
-	if nil != settings.SourceOfTrust.File {
+	// must add these in reverse order of priority (spire settings will overwrite file settings)
+	if settings.SourceOfTrust.File != nil {
 		trustSource, err := common.NewFileTrustSource(settings.SourceOfTrust.File.Domains)
 		if err != nil {
 			return nil, errors.New("vault-auth-spire: Failed to initialize file TrustSource - " + err.Error())
 		}
-		spirePlugin.verifier.AddTrustSource(&trustSource)
-	} else {
-		return nil, errors.New("vault-auth-spire: No verifier found in settings")
+		spirePlugin.verifier.AddTrustSource(trustSource)
+	}
+	if settings.SourceOfTrust.Spire != nil {
+		trustSource, err := common.NewSpireTrustSource(settings.SourceOfTrust.Spire.SpireEndpointURLs, settings.SourceOfTrust.Spire.LocalBackupPath)
+		if err != nil {
+			return nil, errors.New("vault-auth-spire: Failed to initialize spire TrustSource - " + err.Error())
+		}
+		spirePlugin.verifier.AddTrustSource(trustSource)
+	}
+	if settings.SourceOfTrust.File == nil && settings.SourceOfTrust.Spire == nil {
+		return nil, errors.New("vault-auth-spire: No sources of trust in settings")
 	}
 
 	// Calls standard Vault plugin setup - magic happens here I bet :shrugs: but if it fails then we're gonna
@@ -133,11 +144,12 @@ func parseSettings() (*common.Settings, error) {
 	settingsFlags.StringVar(&settingsFilePath, "settings-file", "", "Path to plugin settings")
 	settingsFlags.Parse(os.Args[1:])
 
-	if settings, err := common.ReadSettings(settingsFilePath); err != nil {
-		return nil, errors.New("vault-auth-spire: Failed to read settings from '" + settingsFilePath + "' - " + err.Error())
-	} else {
-		return settings, nil
+	settings, err := common.ReadSettings(settingsFilePath)
+	if err != nil {
+		return nil, fmt.Errorf("vault-auth-spire: Failed to read settings from %s: %v", settingsFilePath, err)
 	}
+
+	return settings, nil
 }
 
 // spirePlugin is-a framework.Backend as per the embedded unnamed anon field
@@ -157,7 +169,7 @@ func (spirePlugin *spirePlugin) pathAuthLogin(_ context.Context, req *logical.Re
 		return nil, logical.ErrInvalidRequest
 	}
 
-	spiffeId, err := spirePlugin.verifier.VerifyAndExtractSpiffeId(svid)
+	spiffeID, err := spirePlugin.verifier.VerifyAndExtractSpiffeID(svid)
 	if err != nil {
 		logrus.Debug("Provided svid could not be verified - " + err.Error())
 		return nil, logical.ErrPermissionDenied
@@ -173,10 +185,10 @@ func (spirePlugin *spirePlugin) pathAuthLogin(_ context.Context, req *logical.Re
 			},
 			Policies: []string{
 				//"Trust Bundles: " + strconv.Itoa(len(b.svidWatcher.TrustBundle)),
-				"Result: We've been verified and I found SPIFFE ID: " + spiffeId,
+				"Result: We've been verified and I found SPIFFE ID: " + spiffeID,
 			},
 			Metadata: map[string]string{
-				"spiffeId": spiffeId,
+				"spiffeId": spiffeID,
 			},
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: false,

diff --git a/go.mod b/go.mod
@@ -1,41 +1,26 @@
-module vault-auth-spire
+module github.com/bloomberg/vault-auth-spire
 
 go 1.12
 
 require (
-	cloud.google.com/go v0.47.0 // indirect
-	cloud.google.com/go/bigquery v1.2.0 // indirect
-	cloud.google.com/go/storage v1.1.2 // indirect
-	github.com/creack/pty v1.1.9 // indirect
 	github.com/go-test/deep v1.0.3 // indirect
 	github.com/gogo/protobuf v1.3.1 // indirect
-	github.com/golang/groupcache v0.0.0-20191027212112-611e8accdfc9 // indirect
-	github.com/google/go-cmp v0.3.1 // indirect
-	github.com/google/pprof v0.0.0-20191028172815-5e965273ee43 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/hashicorp/vault/api v1.0.4
 	github.com/hashicorp/vault/sdk v0.1.13
-	github.com/jstemmer/go-junit-report v0.9.1 // indirect
-	github.com/kr/pty v1.1.8 // indirect
 	github.com/natefinch/lumberjack v2.0.0+incompatible
-	github.com/rogpeppe/go-internal v1.5.0 // indirect
+	github.com/prometheus/common v0.4.0
 	github.com/sirupsen/logrus v1.2.0
+	github.com/spf13/afero v1.1.2
 	github.com/spf13/viper v1.4.0
 	github.com/spiffe/go-spiffe v0.0.0-20190922191205-018e7197ed1c
-	github.com/stretchr/objx v0.2.0 // indirect
-	github.com/stretchr/testify v1.4.0 // indirect
-	go.opencensus.io v0.22.1 // indirect
+	github.com/stretchr/testify v1.4.0
 	golang.org/x/crypto v0.0.0-20191029031824-8986dd9e96cf // indirect
-	golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136 // indirect
-	golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8 // indirect
-	golang.org/x/mobile v0.0.0-20191025110607-73ccc5ba0426 // indirect
 	golang.org/x/net v0.0.0-20191028085509-fe3aa8a45271 // indirect
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect
 	golang.org/x/sys v0.0.0-20191029155521-f43be2a4598c // indirect
+	golang.org/x/text v0.3.2 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
-	golang.org/x/tools v0.0.0-20191030062658-86caa796c7ab // indirect
-	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect
-	google.golang.org/appengine v1.6.5 // indirect
+	google.golang.org/genproto v0.0.0-20191028173616-919d9bdd9fe6 // indirect
 	google.golang.org/grpc v1.24.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect