open-vault/meta/meta.go

package meta

import (
	"bufio"
	"crypto/tls"
	"flag"
	"fmt"
	"io"
	"net/http"
	"os"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/go-rootcerts"
	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/command/token"
	"github.com/mitchellh/cli"
)

// FlagSetFlags is an enum to define what flags are present in the
// default FlagSet returned by Meta.FlagSet.
type FlagSetFlags uint

type TokenHelperFunc func() (token.TokenHelper, error)

const (
	FlagSetNone    FlagSetFlags = 0
	FlagSetServer  FlagSetFlags = 1 << iota
	FlagSetDefault              = FlagSetServer
)

// Meta contains the meta-options and functionality that nearly every
// Vault command inherits.
type Meta struct {
	ClientToken string
	Ui          cli.Ui

	// The things below can be set, but aren't common
	ForceAddress string // Address to force for API clients

	// These are set by the command line flags.
	flagAddress    string
	flagCACert     string
	flagCAPath     string
	flagClientCert string
	flagClientKey  string
	flagWrapTTL    string
	flagInsecure   bool

	// Queried if no token can be found
	TokenHelper TokenHelperFunc
}

func (m *Meta) DefaultWrappingLookupFunc(operation, path string) string {
	if m.flagWrapTTL != "" {
		return m.flagWrapTTL
	}

	return os.Getenv(api.EnvVaultWrapTTL)
}

// Client returns the API client to a Vault server given the configured
// flag settings for this command.
func (m *Meta) Client() (*api.Client, error) {
	config := api.DefaultConfig()

	err := config.ReadEnvironment()
	if err != nil {
		return nil, errwrap.Wrapf("error reading environment: {{err}}", err)
	}

	if m.flagAddress != "" {
		config.Address = m.flagAddress
	}
	if m.ForceAddress != "" {
		config.Address = m.ForceAddress
	}
	// If we need custom TLS configuration, then set it
	if m.flagCACert != "" || m.flagCAPath != "" || m.flagClientCert != "" || m.flagClientKey != "" || m.flagInsecure {
		// We may have set items from the environment so start with the
		// existing TLS config
		tlsConfig := config.HttpClient.Transport.(*http.Transport).TLSClientConfig

		rootConfig := &rootcerts.Config{
			CAFile: m.flagCACert,
			CAPath: m.flagCAPath,
		}
		if err := rootcerts.ConfigureTLS(tlsConfig, rootConfig); err != nil {
			return nil, err
		}

		if m.flagInsecure {
			tlsConfig.InsecureSkipVerify = true
		}

		if m.flagClientCert != "" && m.flagClientKey != "" {
			tlsCert, err := tls.LoadX509KeyPair(m.flagClientCert, m.flagClientKey)
			if err != nil {
				return nil, err
			}
			tlsConfig.Certificates = []tls.Certificate{tlsCert}
		} else if m.flagClientCert != "" || m.flagClientKey != "" {
			return nil, fmt.Errorf("Both client cert and client key must be provided")
		}
	}

	// Build the client
	client, err := api.NewClient(config)
	if err != nil {
		return nil, err
	}

	client.SetWrappingLookupFunc(m.DefaultWrappingLookupFunc)

	// If we have a token directly, then set that
	token := m.ClientToken

	// Try to set the token to what is already stored
	if token == "" {
		token = client.Token()
	}

	// If we don't have a token, check the token helper
	if token == "" {
		if m.TokenHelper != nil {
			// If we have a token, then set that
			tokenHelper, err := m.TokenHelper()
			if err != nil {
				return nil, err
			}
			token, err = tokenHelper.Get()
			if err != nil {
				return nil, err
			}
		}
	}

	// Set the token
	if token != "" {
		client.SetToken(token)
	}

	return client, nil
}

// FlagSet returns a FlagSet with the common flags that every
// command implements. The exact behavior of FlagSet can be configured
// using the flags as the second parameter, for example to disable
// server settings on the commands that don't talk to a server.
func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
	f := flag.NewFlagSet(n, flag.ContinueOnError)

	// FlagSetServer tells us to enable the settings for selecting
	// the server information.
	if fs&FlagSetServer != 0 {
		f.StringVar(&m.flagAddress, "address", "", "")
		f.StringVar(&m.flagCACert, "ca-cert", "", "")
		f.StringVar(&m.flagCAPath, "ca-path", "", "")
		f.StringVar(&m.flagClientCert, "client-cert", "", "")
		f.StringVar(&m.flagClientKey, "client-key", "", "")
		f.StringVar(&m.flagWrapTTL, "wrap-ttl", "", "")
		f.BoolVar(&m.flagInsecure, "insecure", false, "")
		f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")
	}

	// Create an io.Writer that writes to our Ui properly for errors.
	// This is kind of a hack, but it does the job. Basically: create
	// a pipe, use a scanner to break it into lines, and output each line
	// to the UI. Do this forever.
	errR, errW := io.Pipe()
	errScanner := bufio.NewScanner(errR)
	go func() {
		for errScanner.Scan() {
			m.Ui.Error(errScanner.Text())
		}
	}()
	f.SetOutput(errW)

	return f
}

// GeneralOptionsUsage returns the usage documentation for commonly
// available options
func GeneralOptionsUsage() string {
	general := `
  -address=addr           The address of the Vault server.
                          Overrides the VAULT_ADDR environment variable if set.

  -ca-cert=path           Path to a PEM encoded CA cert file to use to
                          verify the Vault server SSL certificate.
                          Overrides the VAULT_CACERT environment variable if set.

  -ca-path=path           Path to a directory of PEM encoded CA cert files
                          to verify the Vault server SSL certificate. If both
                          -ca-cert and -ca-path are specified, -ca-cert is used.
                          Overrides the VAULT_CAPATH environment variable if set.

  -client-cert=path       Path to a PEM encoded client certificate for TLS
                          authentication to the Vault server. Must also specify
                          -client-key. Overrides the VAULT_CLIENT_CERT
                          environment variable if set.

  -client-key=path        Path to an unencrypted PEM encoded private key
                          matching the client certificate from -client-cert.
                          Overrides the VAULT_CLIENT_KEY environment variable
                          if set.

  -tls-skip-verify        Do not verify TLS certificate. This is highly
                          not recommended. Verification will also be skipped
                          if VAULT_SKIP_VERIFY is set.
`

	general += AdditionalOptionsUsage()
	return general
}
Move meta into its own package 2016-04-01 17:16:05 +00:00			`package meta`
command/auth 2015-03-04 07:34:32 +00:00
			`import (`
			`"bufio"`
command/init 2015-03-13 17:32:39 +00:00			`"crypto/tls"`
command/auth 2015-03-04 07:34:32 +00:00			`"flag"`
command/*: lets try to remove this before 0.1.0 2015-04-28 16:20:42 +00:00			`"fmt"`
command/auth 2015-03-04 07:34:32 +00:00			`"io"`
command/init 2015-03-13 17:32:39 +00:00			`"net/http"`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`"os"`
command/auth 2015-03-04 07:34:32 +00:00
Move environment variable reading logic to API. This allows the same environment variables to be read, parsed, and used from any API client as was previously handled in the CLI. The CLI now uses the API environment variable reading capability, then overrides any values from command line flags, if necessary. Fixes #618 2015-11-03 19:21:14 +00:00			`"github.com/hashicorp/errwrap"`
Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 16:23:25 +00:00			`"github.com/hashicorp/go-rootcerts"`
command/init 2015-03-13 17:32:39 +00:00			`"github.com/hashicorp/vault/api"`
command/auth: setting tokens works 2015-03-30 17:55:41 +00:00			`"github.com/hashicorp/vault/command/token"`
command/auth 2015-03-04 07:34:32 +00:00			`"github.com/mitchellh/cli"`
			`)`

			`// FlagSetFlags is an enum to define what flags are present in the`
			`// default FlagSet returned by Meta.FlagSet.`
			`type FlagSetFlags uint`

Remove config from Meta; it's only used right now with the token helper. 2016-04-01 20:02:18 +00:00			`type TokenHelperFunc func() (token.TokenHelper, error)`
Move token helper out of meta 2016-04-01 18:23:15 +00:00
command/auth 2015-03-04 07:34:32 +00:00			`const (`
			`FlagSetNone FlagSetFlags = 0`
			`FlagSetServer FlagSetFlags = 1 << iota`
			`FlagSetDefault = FlagSetServer`
			`)`

			`// Meta contains the meta-options and functionality that nearly every`
			`// Vault command inherits.`
			`type Meta struct {`
command/meta: tests passing 2015-03-31 06:30:30 +00:00			`ClientToken string`
			`Ui cli.Ui`
command/meta: server options 2015-03-04 07:49:37 +00:00
command/meta: can force config 2015-04-13 00:51:38 +00:00			`// The things below can be set, but aren't common`
Remove config from Meta; it's only used right now with the token helper. 2016-04-01 20:02:18 +00:00			`ForceAddress string // Address to force for API clients`
command/meta: can force config 2015-04-13 00:51:38 +00:00
command/meta: server options 2015-03-04 07:49:37 +00:00			`// These are set by the command line flags.`
Initial sketch for client TLS auth 2015-06-29 19:33:16 +00:00			`flagAddress string`
			`flagCACert string`
			`flagCAPath string`
			`flagClientCert string`
			`flagClientKey string`
Add wrap support to API/CLI 2016-05-02 05:58:58 +00:00			`flagWrapTTL string`
Initial sketch for client TLS auth 2015-06-29 19:33:16 +00:00			`flagInsecure bool`
command: load configuration 2015-03-30 17:25:24 +00:00
Move token helper out of meta 2016-04-01 18:23:15 +00:00			`// Queried if no token can be found`
			`TokenHelper TokenHelperFunc`
command/auth 2015-03-04 07:34:32 +00:00			`}`

Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`func (m *Meta) DefaultWrappingLookupFunc(operation, path string) string {`
			`if m.flagWrapTTL != "" {`
			`return m.flagWrapTTL`
			`}`

			`return os.Getenv(api.EnvVaultWrapTTL)`
			`}`

command/init 2015-03-13 17:32:39 +00:00			`// Client returns the API client to a Vault server given the configured`
			`// flag settings for this command.`
			`func (m Meta) Client() (api.Client, error) {`
			`config := api.DefaultConfig()`
Move environment variable reading logic to API. This allows the same environment variables to be read, parsed, and used from any API client as was previously handled in the CLI. The CLI now uses the API environment variable reading capability, then overrides any values from command line flags, if necessary. Fixes #618 2015-11-03 19:21:14 +00:00
			`err := config.ReadEnvironment()`
			`if err != nil {`
			`return nil, errwrap.Wrapf("error reading environment: {{err}}", err)`
command/meta: VAULT_ADDR to set the addr via env var 2015-03-16 03:41:36 +00:00			`}`
Move environment variable reading logic to API. This allows the same environment variables to be read, parsed, and used from any API client as was previously handled in the CLI. The CLI now uses the API environment variable reading capability, then overrides any values from command line flags, if necessary. Fixes #618 2015-11-03 19:21:14 +00:00
command/init 2015-03-13 17:32:39 +00:00			`if m.flagAddress != "" {`
			`config.Address = m.flagAddress`
			`}`
command/meta: can force config 2015-04-13 00:51:38 +00:00			`if m.ForceAddress != "" {`
			`config.Address = m.ForceAddress`
command: can force address 2015-04-13 00:30:19 +00:00			`}`
command/init 2015-03-13 17:32:39 +00:00			`// If we need custom TLS configuration, then set it`
command: Fixing setup of client certificates 2015-08-17 19:16:32 +00:00			`if m.flagCACert != "" \|\| m.flagCAPath != "" \|\| m.flagClientCert != "" \|\| m.flagClientKey != "" \|\| m.flagInsecure {`
Move environment variable reading logic to API. This allows the same environment variables to be read, parsed, and used from any API client as was previously handled in the CLI. The CLI now uses the API environment variable reading capability, then overrides any values from command line flags, if necessary. Fixes #618 2015-11-03 19:21:14 +00:00			`// We may have set items from the environment so start with the`
			`// existing TLS config`
			`tlsConfig := config.HttpClient.Transport.(*http.Transport).TLSClientConfig`

Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 16:23:25 +00:00			`rootConfig := &rootcerts.Config{`
			`CAFile: m.flagCACert,`
			`CAPath: m.flagCAPath,`
command: support custom CAs 2015-04-28 16:36:03 +00:00			`}`
Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 16:23:25 +00:00			`if err := rootcerts.ConfigureTLS(tlsConfig, rootConfig); err != nil {`
			`return nil, err`
command: support custom CAs 2015-04-28 16:36:03 +00:00			`}`

Move environment variable reading logic to API. This allows the same environment variables to be read, parsed, and used from any API client as was previously handled in the CLI. The CLI now uses the API environment variable reading capability, then overrides any values from command line flags, if necessary. Fixes #618 2015-11-03 19:21:14 +00:00			`if m.flagInsecure {`
			`tlsConfig.InsecureSkipVerify = true`
command/*: lets try to remove this before 0.1.0 2015-04-28 16:20:42 +00:00			`}`
command/init 2015-03-13 17:32:39 +00:00
Better error messages. 2015-06-30 12:59:38 +00:00			`if m.flagClientCert != "" && m.flagClientKey != "" {`
Initial sketch for client TLS auth 2015-06-29 19:33:16 +00:00			`tlsCert, err := tls.LoadX509KeyPair(m.flagClientCert, m.flagClientKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`tlsConfig.Certificates = []tls.Certificate{tlsCert}`
Better error messages. 2015-06-30 12:59:38 +00:00			`} else if m.flagClientCert != "" \|\| m.flagClientKey != "" {`
			`return nil, fmt.Errorf("Both client cert and client key must be provided")`
Initial sketch for client TLS auth 2015-06-29 19:33:16 +00:00			`}`
command/init 2015-03-13 17:32:39 +00:00			`}`

command/meta: add token to client if we have it 2015-03-31 06:10:59 +00:00			`// Build the client`
			`client, err := api.NewClient(config)`
			`if err != nil {`
			`return nil, err`
			`}`

Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`client.SetWrappingLookupFunc(m.DefaultWrappingLookupFunc)`

command/meta: tests passing 2015-03-31 06:30:30 +00:00			`// If we have a token directly, then set that`
			`token := m.ClientToken`

command/meta: don't read token file if token is already set [GH-162] 2015-05-11 17:31:14 +00:00			`// Try to set the token to what is already stored`
			`if token == "" {`
			`token = client.Token()`
			`}`

command/meta: tests passing 2015-03-31 06:30:30 +00:00			`// If we don't have a token, check the token helper`
			`if token == "" {`
Move token helper out of meta 2016-04-01 18:23:15 +00:00			`if m.TokenHelper != nil {`
			`// If we have a token, then set that`
Remove config from Meta; it's only used right now with the token helper. 2016-04-01 20:02:18 +00:00			`tokenHelper, err := m.TokenHelper()`
Move token helper out of meta 2016-04-01 18:23:15 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`token, err = tokenHelper.Get()`
			`if err != nil {`
			`return nil, err`
			`}`
command/meta: tests passing 2015-03-31 06:30:30 +00:00			`}`
command/meta: add token to client if we have it 2015-03-31 06:10:59 +00:00			`}`
command/meta: tests passing 2015-03-31 06:30:30 +00:00
			`// Set the token`
command/meta: add token to client if we have it 2015-03-31 06:10:59 +00:00			`if token != "" {`
			`client.SetToken(token)`
			`}`

			`return client, nil`
command/init 2015-03-13 17:32:39 +00:00			`}`

command/auth 2015-03-04 07:34:32 +00:00			`// FlagSet returns a FlagSet with the common flags that every`
			`// command implements. The exact behavior of FlagSet can be configured`
			`// using the flags as the second parameter, for example to disable`
			`// server settings on the commands that don't talk to a server.`
			`func (m Meta) FlagSet(n string, fs FlagSetFlags) flag.FlagSet {`
			`f := flag.NewFlagSet(n, flag.ContinueOnError)`

command/meta: server options 2015-03-04 07:49:37 +00:00			`// FlagSetServer tells us to enable the settings for selecting`
			`// the server information.`
			`if fs&FlagSetServer != 0 {`
			`f.StringVar(&m.flagAddress, "address", "", "")`
			`f.StringVar(&m.flagCACert, "ca-cert", "", "")`
			`f.StringVar(&m.flagCAPath, "ca-path", "", "")`
Initial sketch for client TLS auth 2015-06-29 19:33:16 +00:00			`f.StringVar(&m.flagClientCert, "client-cert", "", "")`
			`f.StringVar(&m.flagClientKey, "client-key", "", "")`
Add wrap support to API/CLI 2016-05-02 05:58:58 +00:00			`f.StringVar(&m.flagWrapTTL, "wrap-ttl", "", "")`
command/meta: server options 2015-03-04 07:49:37 +00:00			`f.BoolVar(&m.flagInsecure, "insecure", false, "")`
command/*: -tls-skip-verify [GH-130] 2015-05-11 18:01:20 +00:00			`f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")`
command/meta: server options 2015-03-04 07:49:37 +00:00			`}`

command/auth 2015-03-04 07:34:32 +00:00			`// Create an io.Writer that writes to our Ui properly for errors.`
			`// This is kind of a hack, but it does the job. Basically: create`
			`// a pipe, use a scanner to break it into lines, and output each line`
			`// to the UI. Do this forever.`
			`errR, errW := io.Pipe()`
			`errScanner := bufio.NewScanner(errR)`
			`go func() {`
			`for errScanner.Scan() {`
			`m.Ui.Error(errScanner.Text())`
			`}`
			`}()`
			`f.SetOutput(errW)`

			`return f`
			`}`
command/auth: setting tokens works 2015-03-30 17:55:41 +00:00
Speling police 2016-05-15 16:58:36 +00:00			`// GeneralOptionsUsage returns the usage documentation for commonly`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00			`// available options`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`func GeneralOptionsUsage() string {`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00			general := `
			`-address=addr The address of the Vault server.`
command/meta.go: document environment variables Document the environment variables which, if set, can provide default values for configuration options. Fixes #476 2015-08-07 22:13:30 +00:00			`Overrides the VAULT_ADDR environment variable if set.`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00
			`-ca-cert=path Path to a PEM encoded CA cert file to use to`
			`verify the Vault server SSL certificate.`
command/meta.go: document environment variables Document the environment variables which, if set, can provide default values for configuration options. Fixes #476 2015-08-07 22:13:30 +00:00			`Overrides the VAULT_CACERT environment variable if set.`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00
			`-ca-path=path Path to a directory of PEM encoded CA cert files`
			`to verify the Vault server SSL certificate. If both`
Fix help text around preference of ca-cert/ca-path. Fixes #1360 2016-05-02 04:08:59 +00:00			`-ca-cert and -ca-path are specified, -ca-cert is used.`
command/meta.go: document environment variables Document the environment variables which, if set, can provide default values for configuration options. Fixes #476 2015-08-07 22:13:30 +00:00			`Overrides the VAULT_CAPATH environment variable if set.`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00
			`-client-cert=path Path to a PEM encoded client certificate for TLS`
			`authentication to the Vault server. Must also specify`
Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 20:50:12 +00:00			`-client-key. Overrides the VAULT_CLIENT_CERT`
command/meta.go: document environment variables Document the environment variables which, if set, can provide default values for configuration options. Fixes #476 2015-08-07 22:13:30 +00:00			`environment variable if set.`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00
			`-client-key=path Path to an unencrypted PEM encoded private key`
			`matching the client certificate from -client-cert.`
command/meta.go: document environment variables Document the environment variables which, if set, can provide default values for configuration options. Fixes #476 2015-08-07 22:13:30 +00:00			`Overrides the VAULT_CLIENT_KEY environment variable`
			`if set.`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00
			`-tls-skip-verify Do not verify TLS certificate. This is highly`
Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 20:50:12 +00:00			`not recommended. Verification will also be skipped`
command/meta.go: document environment variables Document the environment variables which, if set, can provide default values for configuration options. Fixes #476 2015-08-07 22:13:30 +00:00			`if VAULT_SKIP_VERIFY is set.`
Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 20:50:12 +00:00			`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00
			`general += AdditionalOptionsUsage()`
Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 20:50:12 +00:00			`return general`
command: source general options docs from common source 2015-06-30 19:01:23 +00:00			`}`