open-vault/command/commands.go

841 lines
26 KiB
Go
Raw Normal View History

2017-09-05 04:05:53 +00:00
package command
import (
"os"
"os/signal"
"syscall"
"github.com/hashicorp/vault/audit"
2018-11-07 01:21:24 +00:00
"github.com/hashicorp/vault/builtin/plugin"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/physical"
"github.com/hashicorp/vault/sdk/version"
2017-09-05 04:05:53 +00:00
"github.com/mitchellh/cli"
2018-11-07 01:21:24 +00:00
/*
The builtinplugins package is initialized here because it, in turn,
initializes the database plugins.
They register multiple database drivers for the "database/sql" package.
*/
_ "github.com/hashicorp/vault/helper/builtinplugins"
2017-09-05 04:05:53 +00:00
auditFile "github.com/hashicorp/vault/builtin/audit/file"
auditSocket "github.com/hashicorp/vault/builtin/audit/socket"
auditSyslog "github.com/hashicorp/vault/builtin/audit/syslog"
credAliCloud "github.com/hashicorp/vault-plugin-auth-alicloud"
2018-01-19 11:03:33 +00:00
credCentrify "github.com/hashicorp/vault-plugin-auth-centrify"
credCF "github.com/hashicorp/vault-plugin-auth-cf"
credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
credOIDC "github.com/hashicorp/vault-plugin-auth-jwt"
credKerb "github.com/hashicorp/vault-plugin-auth-kerberos"
2019-09-04 23:46:00 +00:00
credOCI "github.com/hashicorp/vault-plugin-auth-oci"
2017-09-05 04:05:53 +00:00
credAws "github.com/hashicorp/vault/builtin/credential/aws"
credCert "github.com/hashicorp/vault/builtin/credential/cert"
credGitHub "github.com/hashicorp/vault/builtin/credential/github"
credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
credOkta "github.com/hashicorp/vault/builtin/credential/okta"
credToken "github.com/hashicorp/vault/builtin/credential/token"
credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
2018-11-07 01:21:24 +00:00
logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
logicalDb "github.com/hashicorp/vault/builtin/logical/database"
physAerospike "github.com/hashicorp/vault/physical/aerospike"
2018-08-13 21:03:24 +00:00
physAliCloudOSS "github.com/hashicorp/vault/physical/alicloudoss"
2017-09-05 04:05:53 +00:00
physAzure "github.com/hashicorp/vault/physical/azure"
physCassandra "github.com/hashicorp/vault/physical/cassandra"
physCockroachDB "github.com/hashicorp/vault/physical/cockroachdb"
physConsul "github.com/hashicorp/vault/physical/consul"
physCouchDB "github.com/hashicorp/vault/physical/couchdb"
physDynamoDB "github.com/hashicorp/vault/physical/dynamodb"
physEtcd "github.com/hashicorp/vault/physical/etcd"
2018-07-16 14:18:09 +00:00
physFoundationDB "github.com/hashicorp/vault/physical/foundationdb"
2017-09-05 04:05:53 +00:00
physGCS "github.com/hashicorp/vault/physical/gcs"
physManta "github.com/hashicorp/vault/physical/manta"
2017-09-05 04:05:53 +00:00
physMSSQL "github.com/hashicorp/vault/physical/mssql"
physMySQL "github.com/hashicorp/vault/physical/mysql"
physOCI "github.com/hashicorp/vault/physical/oci"
2017-09-05 04:05:53 +00:00
physPostgreSQL "github.com/hashicorp/vault/physical/postgresql"
Raft Storage Backend (#6888) * Work on raft backend * Add logstore locally * Add encryptor and unsealable interfaces * Add clustering support to raft * Remove client and handler * Bootstrap raft on init * Cleanup raft logic a bit * More raft work * Work on TLS config * More work on bootstrapping * Fix build * More work on bootstrapping * More bootstrapping work * fix build * Remove consul dep * Fix build * merged oss/master into raft-storage * Work on bootstrapping * Get bootstrapping to work * Clean up FMS and node-id * Update local node ID logic * Cleanup node-id change * Work on snapshotting * Raft: Add remove peer API (#906) * Add remove peer API * Add some comments * Fix existing snapshotting (#909) * Raft get peers API (#912) * Read raft configuration * address review feedback * Use the Leadership Transfer API to step-down the active node (#918) * Raft join and unseal using Shamir keys (#917) * Raft join using shamir * Store AEAD instead of master key * Split the raft join process to answer the challenge after a successful unseal * get the follower to standby state * Make unseal work * minor changes * Some input checks * reuse the shamir seal access instead of new default seal access * refactor joinRaftSendAnswer function * Synchronously send answer in auto-unseal case * Address review feedback * Raft snapshots (#910) * Fix existing snapshotting * implement the noop snapshotting * Add comments and switch log libraries * add some snapshot tests * add snapshot test file * add TODO * More work on raft snapshotting * progress on the ConfigStore strategy * Don't use two buckets * Update the snapshot store logic to hide the file logic * Add more backend tests * Cleanup code a bit * [WIP] Raft recovery (#938) * Add recovery functionality * remove fmt.Printfs * Fix a few fsm bugs * Add max size value for raft backend (#942) * Add max size value for raft backend * Include physical.ErrValueTooLarge in the message * Raft snapshot Take/Restore API (#926) * Inital work on raft snapshot APIs * Always redirect snapshot install/download requests * More work on the snapshot APIs * Cleanup code a bit * On restore handle special cases * Use the seal to encrypt the sha sum file * Add sealer mechanism and fix some bugs * Call restore while state lock is held * Send restore cb trigger through raft log * Make error messages nicer * Add test helpers * Add snapshot test * Add shamir unseal test * Add more raft snapshot API tests * Fix locking * Change working to initalize * Add underlying raw object to test cluster core * Move leaderUUID to core * Add raft TLS rotation logic (#950) * Add TLS rotation logic * Cleanup logic a bit * Add/Remove from follower state on add/remove peer * add comments * Update more comments * Update request_forwarding_service.proto * Make sure we populate all nodes in the followerstate obj * Update times * Apply review feedback * Add more raft config setting (#947) * Add performance config setting * Add more config options and fix tests * Test Raft Recovery (#944) * Test raft recovery * Leave out a node during recovery * remove unused struct * Update physical/raft/snapshot_test.go * Update physical/raft/snapshot_test.go * fix vendoring * Switch to new raft interface * Remove unused files * Switch a gogo -> proto instance * Remove unneeded vault dep in go.sum * Update helper/testhelpers/testhelpers.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * Update vault/cluster/cluster.go * track active key within the keyring itself (#6915) * track active key within the keyring itself * lookup and store using the active key ID * update docstring * minor refactor * Small text fixes (#6912) * Update physical/raft/raft.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * review feedback * Move raft logical system into separate file * Update help text a bit * Enforce cluster addr is set and use it for raft bootstrapping * Fix tests * fix http test panic * Pull in latest raft-snapshot library * Add comment
2019-06-20 19:14:58 +00:00
physRaft "github.com/hashicorp/vault/physical/raft"
2017-09-05 04:05:53 +00:00
physS3 "github.com/hashicorp/vault/physical/s3"
physSpanner "github.com/hashicorp/vault/physical/spanner"
2017-09-05 04:05:53 +00:00
physSwift "github.com/hashicorp/vault/physical/swift"
physZooKeeper "github.com/hashicorp/vault/physical/zookeeper"
2019-04-15 18:51:33 +00:00
physFile "github.com/hashicorp/vault/sdk/physical/file"
physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
sr "github.com/hashicorp/vault/serviceregistration"
csr "github.com/hashicorp/vault/serviceregistration/consul"
ksr "github.com/hashicorp/vault/serviceregistration/kubernetes"
2017-09-05 04:05:53 +00:00
)
CLI Enhancements (#3897) * Use Colored UI if stdout is a tty * Add format options to operator unseal * Add format test on operator unseal * Add -no-color output flag, and use BasicUi if no-color flag is provided * Move seal status formatting logic to OutputSealStatus * Apply no-color to warnings from DeprecatedCommands as well * Add OutputWithFormat to support arbitrary data, add format option to auth list * Add ability to output arbitrary list data on TableFormatter * Clear up switch logic on format * Add format option for list-related commands * Add format option to rest of commands that returns a client API response * Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead * Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead * Remove -no-color flag, use env var exclusively to toggle colored output * Fix compile * Remove -no-color flag in main.go * Add missing FlagSetOutputFormat * Fix generate-root/decode test * Migrate init functions to main.go * Add no-color flag back as hidden * Handle non-supported data types for TableFormatter.OutputList * Pull formatting much further up to remove the need to use c.flagFormat (#3950) * Pull formatting much further up to remove the need to use c.flagFormat Also remove OutputWithFormat as the logic can cause issues. * Use const for env var * Minor updates * Remove unnecessary check * Fix SSH output and some tests * Fix tests * Make race detector not run on generate root since it kills Travis these days * Update docs * Update docs * Address review feedback * Handle --format as well as -format
2018-02-12 23:12:16 +00:00
const (
// EnvVaultCLINoColor is an env var that toggles colored UI output.
EnvVaultCLINoColor = `VAULT_CLI_NO_COLOR`
// EnvVaultFormat is the output format
EnvVaultFormat = `VAULT_FORMAT`
// EnvVaultLicense is an env var used in Vault Enterprise to provide a license blob
EnvVaultLicense = "VAULT_LICENSE"
// EnvVaultLicensePath is an env var used in Vault Enterprise to provide a
// path to a license file on disk
EnvVaultLicensePath = "VAULT_LICENSE_PATH"
Vault CLI: show detailed information with ListResponseWithInfo (#15417) * CLI: Add ability to display ListResponseWithInfos The Vault Server API includes a ListResponseWithInfo call, allowing LIST responses to contain additional information about their keys. This is in a key=value mapping format (both for each key, to get the additional metadata, as well as within each metadata). Expand the `vault list` CLI command with a `-detailed` flag (and env var VAULT_DETAILED_LISTS) to print this additional metadata. This looks roughly like the following: $ vault list -detailed pki/issuers Keys issuer_name ---- ----------- 0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a 35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a 382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a 8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a 8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a 9425d51f-cb81-426d-d6ad-5147d092094e n/a ae679732-b497-ab0d-3220-806a2b9d81ed n/a c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8 d41d2419-efce-0e36-c96b-e91179a24dc1 something Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Allow detailed printing of LIST responses in JSON When using the JSON formatter, only the absolute list of keys were returned. Reuse the `-detailed` flag value for the `-format=json` list response printer, allowing us to show the complete API response returned by Vault. This returns something like the following: { "request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff", "lease_id": "", "lease_duration": 0, "renewable": false, "data": { "key_info": { "0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": { "issuer_name": "" }, "35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": { "issuer_name": "" }, "382fad1e-e99c-9c54-e147-bb1faa8033d3": { "issuer_name": "" }, "8bb4a793-2ad9-460c-9fa8-574c84a981f7": { "issuer_name": "" }, "8bd231d7-20e2-f21f-ae1a-7aa3319715e7": { "issuer_name": "" }, "9425d51f-cb81-426d-d6ad-5147d092094e": { "issuer_name": "" }, "ae679732-b497-ab0d-3220-806a2b9d81ed": { "issuer_name": "" }, "c5a44a1f-2ae4-2140-3acf-74b2609448cc": { "issuer_name": "utf8" }, "d41d2419-efce-0e36-c96b-e91179a24dc1": { "issuer_name": "something" } }, "keys": [ "0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7", "35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0", "382fad1e-e99c-9c54-e147-bb1faa8033d3", "8bb4a793-2ad9-460c-9fa8-574c84a981f7", "8bd231d7-20e2-f21f-ae1a-7aa3319715e7", "9425d51f-cb81-426d-d6ad-5147d092094e", "ae679732-b497-ab0d-3220-806a2b9d81ed", "c5a44a1f-2ae4-2140-3acf-74b2609448cc", "d41d2419-efce-0e36-c96b-e91179a24dc1" ] }, "warnings": null } Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Use field on UI rather than secret.Data Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Only include headers from visitable key_infos Certain API endpoints return data from non-visitable key_infos, by virtue of using a hand-rolled response. Limit our headers to those from visitable key_infos. This means we won't return entire columns with n/a entries, if no key matches the key_info key that includes that header. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Use setupEnv sourced detailed info Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix changelog environment variable Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix broken tests using setupEnv Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 17:00:50 +00:00
// EnvVaultDetailed is to output detailed information (e.g., ListResponseWithInfo).
EnvVaultDetailed = `VAULT_DETAILED`
// EnvVaultLogFormat is used to specify the log format. Supported values are "standard" and "json"
EnvVaultLogFormat = "VAULT_LOG_FORMAT"
// EnvVaultLogLevel is used to specify the log level applied to logging
// Supported log levels: Trace, Debug, Error, Warn, Info
EnvVaultLogLevel = "VAULT_LOG_LEVEL"
// DisableSSCTokens is an env var used to disable index bearing
// token functionality
DisableSSCTokens = "VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS"
// flagNameAddress is the flag used in the base command to read in the
// address of the Vault server.
flagNameAddress = "address"
// flagnameCACert is the flag used in the base command to read in the CA
// cert.
flagNameCACert = "ca-cert"
// flagnameCAPath is the flag used in the base command to read in the CA
// cert path.
flagNameCAPath = "ca-path"
// flagNameClientCert is the flag used in the base command to read in the
// client key
flagNameClientKey = "client-key"
// flagNameClientCert is the flag used in the base command to read in the
// client cert
flagNameClientCert = "client-cert"
// flagNameTLSSkipVerify is the flag used in the base command to read in
// the option to ignore TLS certificate verification.
flagNameTLSSkipVerify = "tls-skip-verify"
// flagTLSServerName is the flag used in the base command to read in
// the TLS server name.
flagTLSServerName = "tls-server-name"
// flagNameAuditNonHMACRequestKeys is the flag name used for auth/secrets enable
flagNameAuditNonHMACRequestKeys = "audit-non-hmac-request-keys"
// flagNameAuditNonHMACResponseKeys is the flag name used for auth/secrets enable
flagNameAuditNonHMACResponseKeys = "audit-non-hmac-response-keys"
// flagNameDescription is the flag name used for tuning the secret and auth mount description parameter
flagNameDescription = "description"
// flagListingVisibility is the flag to toggle whether to show the mount in the UI-specific listing endpoint
flagNameListingVisibility = "listing-visibility"
// flagNamePassthroughRequestHeaders is the flag name used to set passthrough request headers to the backend
flagNamePassthroughRequestHeaders = "passthrough-request-headers"
2019-02-05 21:02:15 +00:00
// flagNameAllowedResponseHeaders is used to set allowed response headers from a plugin
flagNameAllowedResponseHeaders = "allowed-response-headers"
2018-10-15 16:56:24 +00:00
// flagNameTokenType is the flag name used to force a specific token type
flagNameTokenType = "token-type"
// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
flagNameAllowedManagedKeys = "allowed-managed-keys"
// flagNamePluginVersion selects what version of a plugin should be used.
flagNamePluginVersion = "plugin-version"
// flagNameUserLockoutThreshold is the flag name used for tuning the auth mount lockout threshold parameter
flagNameUserLockoutThreshold = "user-lockout-threshold"
// flagNameUserLockoutDuration is the flag name used for tuning the auth mount lockout duration parameter
flagNameUserLockoutDuration = "user-lockout-duration"
// flagNameUserLockoutCounterResetDuration is the flag name used for tuning the auth mount lockout counter reset parameter
flagNameUserLockoutCounterResetDuration = "user-lockout-counter-reset-duration"
// flagNameUserLockoutDisable is the flag name used for tuning the auth mount disable lockout parameter
flagNameUserLockoutDisable = "user-lockout-disable"
// flagNameDisableRedirects is used to prevent the client from honoring a single redirect as a response to a request
flagNameDisableRedirects = "disable-redirects"
// flagNameCombineLogs is used to specify whether log output should be combined and sent to stdout
flagNameCombineLogs = "combine-logs"
// flagNameLogFile is used to specify the path to the log file that Vault should use for logging
flagNameLogFile = "log-file"
// flagNameLogRotateBytes is the flag used to specify the number of bytes a log file should be before it is rotated.
flagNameLogRotateBytes = "log-rotate-bytes"
// flagNameLogRotateDuration is the flag used to specify the duration after which a log file should be rotated.
flagNameLogRotateDuration = "log-rotate-duration"
// flagNameLogRotateMaxFiles is the flag used to specify the maximum number of older/archived log files to keep.
flagNameLogRotateMaxFiles = "log-rotate-max-files"
// flagNameLogFormat is the flag used to specify the log format. Supported values are "standard" and "json"
flagNameLogFormat = "log-format"
// flagNameLogLevel is used to specify the log level applied to logging
// Supported log levels: Trace, Debug, Error, Warn, Info
flagNameLogLevel = "log-level"
CLI Enhancements (#3897) * Use Colored UI if stdout is a tty * Add format options to operator unseal * Add format test on operator unseal * Add -no-color output flag, and use BasicUi if no-color flag is provided * Move seal status formatting logic to OutputSealStatus * Apply no-color to warnings from DeprecatedCommands as well * Add OutputWithFormat to support arbitrary data, add format option to auth list * Add ability to output arbitrary list data on TableFormatter * Clear up switch logic on format * Add format option for list-related commands * Add format option to rest of commands that returns a client API response * Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead * Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead * Remove -no-color flag, use env var exclusively to toggle colored output * Fix compile * Remove -no-color flag in main.go * Add missing FlagSetOutputFormat * Fix generate-root/decode test * Migrate init functions to main.go * Add no-color flag back as hidden * Handle non-supported data types for TableFormatter.OutputList * Pull formatting much further up to remove the need to use c.flagFormat (#3950) * Pull formatting much further up to remove the need to use c.flagFormat Also remove OutputWithFormat as the logic can cause issues. * Use const for env var * Minor updates * Remove unnecessary check * Fix SSH output and some tests * Fix tests * Make race detector not run on generate root since it kills Travis these days * Update docs * Update docs * Address review feedback * Handle --format as well as -format
2018-02-12 23:12:16 +00:00
)
var (
auditBackends = map[string]audit.Factory{
"file": auditFile.Factory,
"socket": auditSocket.Factory,
"syslog": auditSyslog.Factory,
}
credentialBackends = map[string]logical.Factory{
2018-11-07 01:21:24 +00:00
"plugin": plugin.Factory,
}
logicalBackends = map[string]logical.Factory{
2018-11-07 01:21:24 +00:00
"plugin": plugin.Factory,
"database": logicalDb.Factory,
// This is also available in the plugin catalog, but is here due to the need to
// automatically mount it.
"kv": logicalKv.Factory,
}
physicalBackends = map[string]physical.Factory{
"aerospike": physAerospike.NewAerospikeBackend,
2018-08-13 21:03:24 +00:00
"alicloudoss": physAliCloudOSS.NewAliCloudOSSBackend,
"azure": physAzure.NewAzureBackend,
"cassandra": physCassandra.NewCassandraBackend,
"cockroachdb": physCockroachDB.NewCockroachDBBackend,
"consul": physConsul.NewConsulBackend,
"couchdb_transactional": physCouchDB.NewTransactionalCouchDBBackend,
"couchdb": physCouchDB.NewCouchDBBackend,
"dynamodb": physDynamoDB.NewDynamoDBBackend,
"etcd": physEtcd.NewEtcdBackend,
"file_transactional": physFile.NewTransactionalFileBackend,
"file": physFile.NewFileBackend,
2018-07-16 14:18:09 +00:00
"foundationdb": physFoundationDB.NewFDBBackend,
"gcs": physGCS.NewBackend,
"inmem_ha": physInmem.NewInmemHA,
"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
"inmem_transactional": physInmem.NewTransactionalInmem,
"inmem": physInmem.NewInmem,
2018-02-13 02:01:14 +00:00
"manta": physManta.NewMantaBackend,
"mssql": physMSSQL.NewMSSQLBackend,
"mysql": physMySQL.NewMySQLBackend,
"oci": physOCI.NewBackend,
"postgresql": physPostgreSQL.NewPostgreSQLBackend,
"s3": physS3.NewS3Backend,
"spanner": physSpanner.NewBackend,
"swift": physSwift.NewSwiftBackend,
Raft Storage Backend (#6888) * Work on raft backend * Add logstore locally * Add encryptor and unsealable interfaces * Add clustering support to raft * Remove client and handler * Bootstrap raft on init * Cleanup raft logic a bit * More raft work * Work on TLS config * More work on bootstrapping * Fix build * More work on bootstrapping * More bootstrapping work * fix build * Remove consul dep * Fix build * merged oss/master into raft-storage * Work on bootstrapping * Get bootstrapping to work * Clean up FMS and node-id * Update local node ID logic * Cleanup node-id change * Work on snapshotting * Raft: Add remove peer API (#906) * Add remove peer API * Add some comments * Fix existing snapshotting (#909) * Raft get peers API (#912) * Read raft configuration * address review feedback * Use the Leadership Transfer API to step-down the active node (#918) * Raft join and unseal using Shamir keys (#917) * Raft join using shamir * Store AEAD instead of master key * Split the raft join process to answer the challenge after a successful unseal * get the follower to standby state * Make unseal work * minor changes * Some input checks * reuse the shamir seal access instead of new default seal access * refactor joinRaftSendAnswer function * Synchronously send answer in auto-unseal case * Address review feedback * Raft snapshots (#910) * Fix existing snapshotting * implement the noop snapshotting * Add comments and switch log libraries * add some snapshot tests * add snapshot test file * add TODO * More work on raft snapshotting * progress on the ConfigStore strategy * Don't use two buckets * Update the snapshot store logic to hide the file logic * Add more backend tests * Cleanup code a bit * [WIP] Raft recovery (#938) * Add recovery functionality * remove fmt.Printfs * Fix a few fsm bugs * Add max size value for raft backend (#942) * Add max size value for raft backend * Include physical.ErrValueTooLarge in the message * Raft snapshot Take/Restore API (#926) * Inital work on raft snapshot APIs * Always redirect snapshot install/download requests * More work on the snapshot APIs * Cleanup code a bit * On restore handle special cases * Use the seal to encrypt the sha sum file * Add sealer mechanism and fix some bugs * Call restore while state lock is held * Send restore cb trigger through raft log * Make error messages nicer * Add test helpers * Add snapshot test * Add shamir unseal test * Add more raft snapshot API tests * Fix locking * Change working to initalize * Add underlying raw object to test cluster core * Move leaderUUID to core * Add raft TLS rotation logic (#950) * Add TLS rotation logic * Cleanup logic a bit * Add/Remove from follower state on add/remove peer * add comments * Update more comments * Update request_forwarding_service.proto * Make sure we populate all nodes in the followerstate obj * Update times * Apply review feedback * Add more raft config setting (#947) * Add performance config setting * Add more config options and fix tests * Test Raft Recovery (#944) * Test raft recovery * Leave out a node during recovery * remove unused struct * Update physical/raft/snapshot_test.go * Update physical/raft/snapshot_test.go * fix vendoring * Switch to new raft interface * Remove unused files * Switch a gogo -> proto instance * Remove unneeded vault dep in go.sum * Update helper/testhelpers/testhelpers.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * Update vault/cluster/cluster.go * track active key within the keyring itself (#6915) * track active key within the keyring itself * lookup and store using the active key ID * update docstring * minor refactor * Small text fixes (#6912) * Update physical/raft/raft.go Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com> * review feedback * Move raft logical system into separate file * Update help text a bit * Enforce cluster addr is set and use it for raft bootstrapping * Fix tests * fix http test panic * Pull in latest raft-snapshot library * Add comment
2019-06-20 19:14:58 +00:00
"raft": physRaft.NewRaftBackend,
"zookeeper": physZooKeeper.NewZooKeeperBackend,
}
serviceRegistrations = map[string]sr.Factory{
"consul": csr.NewServiceRegistration,
"kubernetes": ksr.NewServiceRegistration,
}
initCommandsEnt = func(ui, serverCmdUi cli.Ui, runOpts *RunOptions) {}
)
2017-09-05 04:05:53 +00:00
// Commands is the mapping of all the available commands.
var Commands map[string]cli.CommandFactory
func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) {
loginHandlers := map[string]LoginHandler{
"alicloud": &credAliCloud.CLIHandler{},
2018-02-05 15:56:57 +00:00
"aws": &credAws.CLIHandler{},
"centrify": &credCentrify.CLIHandler{},
"cert": &credCert.CLIHandler{},
2019-09-04 23:46:00 +00:00
"cf": &credCF.CLIHandler{},
"gcp": &credGcp.CLIHandler{},
2018-02-05 15:56:57 +00:00
"github": &credGitHub.CLIHandler{},
"kerberos": &credKerb.CLIHandler{},
2018-02-05 15:56:57 +00:00
"ldap": &credLdap.CLIHandler{},
2019-09-04 23:46:00 +00:00
"oci": &credOCI.CLIHandler{},
"oidc": &credOIDC.CLIHandler{},
2018-02-05 15:56:57 +00:00
"okta": &credOkta.CLIHandler{},
"pcf": &credCF.CLIHandler{}, // Deprecated.
2017-09-05 04:05:53 +00:00
"radius": &credUserpass.CLIHandler{
DefaultMount: "radius",
},
"token": &credToken.CLIHandler{},
"userpass": &credUserpass.CLIHandler{
DefaultMount: "userpass",
},
}
getBaseCommand := func() *BaseCommand {
return &BaseCommand{
UI: ui,
tokenHelper: runOpts.TokenHelper,
flagAddress: runOpts.Address,
client: runOpts.Client,
}
}
2017-09-05 04:05:53 +00:00
Commands = map[string]cli.CommandFactory{
2018-07-25 02:02:27 +00:00
"agent": func() (cli.Command, error) {
return &AgentCommand{
BaseCommand: &BaseCommand{
UI: serverCmdUi,
},
ShutdownCh: MakeShutdownCh(),
}, nil
},
"audit": func() (cli.Command, error) {
return &AuditCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"audit disable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuditDisableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"audit enable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuditEnableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"audit list": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuditListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth tune": func() (cli.Command, error) {
return &AuthTuneCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2017-09-05 04:05:53 +00:00
"auth": func() (cli.Command, error) {
return &AuthCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth disable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthDisableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth enable": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthEnableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"auth help": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthHelpCommand{
BaseCommand: getBaseCommand(),
Handlers: loginHandlers,
2017-09-05 04:05:53 +00:00
}, nil
},
"auth list": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &AuthListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
2022-02-18 16:50:05 +00:00
"auth move": func() (cli.Command, error) {
return &AuthMoveCommand{
BaseCommand: getBaseCommand(),
}, nil
},
Vault Debug (#7375) * cli: initial work on debug; server-status target * debug: add metrics capture target (#7376) * check against DR secondary * debug: add compression * refactor check into preflight func * debug: set short test time on tests, fix exit code bug * debug: use temp dir for output on tests * debug: use mholt/archiver for compression * first pass on adding pprof * use logger for output * refactor polling target capture logic * debug: poll and collect replication status * debug: poll and collect host-info; rename output files and collection refactor * fix comments * add archive test; fix bugs found * rename flag name to singular target * add target output test; scaffold other tests cases * debug/test: add pprof and index file tests * debug/test: add min timing check tests * debug: fix index gen race and collection goroutine race * debug: extend archive tests, handle race between program exit and polling goroutines * update docstring * debug: correctly add to pollingWg * debug: add config target support * debug: don't wait on interrupt shutdown; add file exists unit tests * move pprof bits into its goroutine * debug: skip empty metrics and some pprof file creation if permission denied, add matching unit test * address comments and feedback * Vault debug using run.Group (#7658) * debug: switch to use oklog/run.Group * debug: use context to cancel requests and interrupt rungroups. * debug: trigger the first interval properly * debug: metrics collection should use metrics interval * debug: add missing continue on metrics error * debug: remove the use of buffered chan to trigger first interval * debug: don't shadow BaseCommand's client, properly block on interval capture failures * debug: actually use c.cachedClient everywhere * go mod vendor * debug: run all pprof in goroutines; bump pprof timings in tests to reduce flakiness * debug: update help text
2019-10-15 22:39:19 +00:00
"debug": func() (cli.Command, error) {
return &DebugCommand{
BaseCommand: getBaseCommand(),
ShutdownCh: MakeShutdownCh(),
}, nil
},
"delete": func() (cli.Command, error) {
return &DeleteCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"lease": func() (cli.Command, error) {
return &LeaseCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"lease renew": func() (cli.Command, error) {
return &LeaseRenewCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"lease lookup": func() (cli.Command, error) {
return &LeaseLookupCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"lease revoke": func() (cli.Command, error) {
return &LeaseRevokeCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"list": func() (cli.Command, error) {
return &ListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"login": func() (cli.Command, error) {
return &LoginCommand{
BaseCommand: getBaseCommand(),
Handlers: loginHandlers,
}, nil
},
2018-08-10 16:17:17 +00:00
"namespace": func() (cli.Command, error) {
return &NamespaceCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace list": func() (cli.Command, error) {
return &NamespaceListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace lookup": func() (cli.Command, error) {
return &NamespaceLookupCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace create": func() (cli.Command, error) {
return &NamespaceCreateCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace patch": func() (cli.Command, error) {
return &NamespacePatchCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2018-08-10 16:17:17 +00:00
"namespace delete": func() (cli.Command, error) {
return &NamespaceDeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace lock": func() (cli.Command, error) {
return &NamespaceAPILockCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"namespace unlock": func() (cli.Command, error) {
return &NamespaceAPIUnlockCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator": func() (cli.Command, error) {
return &OperatorCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator diagnose": func() (cli.Command, error) {
return &OperatorDiagnoseCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator generate-root": func() (cli.Command, error) {
return &OperatorGenerateRootCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator init": func() (cli.Command, error) {
return &OperatorInitCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator key-status": func() (cli.Command, error) {
return &OperatorKeyStatusCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator migrate": func() (cli.Command, error) {
return &OperatorMigrateCommand{
BaseCommand: getBaseCommand(),
PhysicalBackends: physicalBackends,
ShutdownCh: MakeShutdownCh(),
}, nil
},
"operator raft": func() (cli.Command, error) {
return &OperatorRaftCommand{
BaseCommand: getBaseCommand(),
}, nil
},
Autopilot: Server Stabilization, State and Dead Server Cleanup (#10856) * k8s doc: update for 0.9.1 and 0.8.0 releases (#10825) * k8s doc: update for 0.9.1 and 0.8.0 releases * Update website/content/docs/platform/k8s/helm/configuration.mdx Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> * Autopilot initial commit * Move autopilot related backend implementations to its own file * Abstract promoter creation * Add nil check for health * Add server state oss no-ops * Config ext stub for oss * Make way for non-voters * s/health/state * s/ReadReplica/NonVoter * Add synopsis and description * Remove struct tags from AutopilotConfig * Use var for config storage path * Handle nin-config when reading * Enable testing autopilot by using inmem cluster * First passing test * Only report the server as known if it is present in raft config * Autopilot defaults to on for all existing and new clusters * Add locking to some functions * Persist initial config * Clarify the command usage doc * Add health metric for each node * Fix audit logging issue * Don't set DisablePerformanceStandby to true in test * Use node id label for health metric * Log updates to autopilot config * Less aggressively consume config loading failures * Return a mutable config * Return early from known servers if raft config is unable to be pulled * Update metrics name * Reduce log level for potentially noisy log * Add knob to disable autopilot * Don't persist if default config is in use * Autopilot: Dead server cleanup (#10857) * Dead server cleanup * Initialize channel in any case * Fix a bunch of tests * Fix panic * Add follower locking in heartbeat tracker * Add LastContactFailureThreshold to config * Add log when marking node as dead * Update follower state locking in heartbeat tracker * Avoid follower states being nil * Pull test to its own file * Add execution status to state response * Optionally enable autopilot in some tests * Updates * Added API function to fetch autopilot configuration * Add test for default autopilot configuration * Configuration tests * Add State API test * Update test * Added TestClusterOptions.PhysicalFactoryConfig * Update locking * Adjust locking in heartbeat tracker * s/last_contact_failure_threshold/left_server_last_contact_threshold * Add disabling autopilot as a core config option * Disable autopilot in some tests * s/left_server_last_contact_threshold/dead_server_last_contact_threshold * Set the lastheartbeat of followers to now when setting up active node * Don't use config defaults from CLI command * Remove config file support * Remove HCL test as well * Persist only supplied config; merge supplied config with default to operate * Use pointer to structs for storing follower information * Test update * Retrieve non voter status from configbucket and set it up when a node comes up * Manage desired suffrage * Consider bucket being created already * Move desired suffrage to its own entry * s/DesiredSuffrageKey/LocalNodeConfigKey * s/witnessSuffrage/recordSuffrage * Fix test compilation * Handle local node config post a snapshot install * Commit to storage first; then record suffrage in fsm * No need of local node config being nili case, post snapshot restore * Reconcile autopilot config when a new leader takes over duty * Grab fsm lock when recording suffrage * s/Suffrage/DesiredSuffrage in FollowerState * Instantiate autopilot only in leader * Default to old ways in more scenarios * Make API gracefully handle 404 * Address some feedback * Make IsDead an atomic.Value * Simplify follower hearbeat tracking * Use uber.atomic * Don't have multiple causes for having autopilot disabled * Don't remove node from follower states if we fail to remove the dead server * Autopilot server removals map (#11019) * Don't remove node from follower states if we fail to remove the dead server * Use map to track dead server removals * Use lock and map * Use delegate lock * Adjust when to remove entry from map * Only hold the lock while accessing map * Fix race * Don't set default min_quorum * Fix test * Ensure follower states is not nil before starting autopilot * Fix race Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-03-03 18:59:50 +00:00
"operator raft autopilot get-config": func() (cli.Command, error) {
return &OperatorRaftAutopilotGetConfigCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft autopilot set-config": func() (cli.Command, error) {
return &OperatorRaftAutopilotSetConfigCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft autopilot state": func() (cli.Command, error) {
return &OperatorRaftAutopilotStateCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft list-peers": func() (cli.Command, error) {
return &OperatorRaftListPeersCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft join": func() (cli.Command, error) {
return &OperatorRaftJoinCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft remove-peer": func() (cli.Command, error) {
return &OperatorRaftRemovePeerCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft snapshot": func() (cli.Command, error) {
return &OperatorRaftSnapshotCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft snapshot restore": func() (cli.Command, error) {
return &OperatorRaftSnapshotRestoreCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator raft snapshot save": func() (cli.Command, error) {
return &OperatorRaftSnapshotSaveCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator rekey": func() (cli.Command, error) {
return &OperatorRekeyCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator rotate": func() (cli.Command, error) {
return &OperatorRotateCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator seal": func() (cli.Command, error) {
return &OperatorSealCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator step-down": func() (cli.Command, error) {
return &OperatorStepDownCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator usage": func() (cli.Command, error) {
return &OperatorUsageCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"operator unseal": func() (cli.Command, error) {
return &OperatorUnsealCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"operator members": func() (cli.Command, error) {
return &OperatorMembersCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"patch": func() (cli.Command, error) {
return &PatchCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2017-09-05 04:05:53 +00:00
"path-help": func() (cli.Command, error) {
return &PathHelpCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"plugin": func() (cli.Command, error) {
return &PluginCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin deregister": func() (cli.Command, error) {
return &PluginDeregisterCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin info": func() (cli.Command, error) {
return &PluginInfoCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin list": func() (cli.Command, error) {
return &PluginListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin register": func() (cli.Command, error) {
return &PluginRegisterCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin reload": func() (cli.Command, error) {
return &PluginReloadCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"plugin reload-status": func() (cli.Command, error) {
return &PluginReloadStatusCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy": func() (cli.Command, error) {
return &PolicyCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"policy delete": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &PolicyDeleteCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"policy fmt": func() (cli.Command, error) {
return &PolicyFmtCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy list": func() (cli.Command, error) {
return &PolicyListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy read": func() (cli.Command, error) {
return &PolicyReadCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"policy write": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &PolicyWriteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"print": func() (cli.Command, error) {
return &PrintCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"print token": func() (cli.Command, error) {
return &PrintTokenCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"read": func() (cli.Command, error) {
return &ReadCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets": func() (cli.Command, error) {
return &SecretsCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets disable": func() (cli.Command, error) {
return &SecretsDisableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets enable": func() (cli.Command, error) {
return &SecretsEnableCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets list": func() (cli.Command, error) {
return &SecretsListCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets move": func() (cli.Command, error) {
return &SecretsMoveCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"secrets tune": func() (cli.Command, error) {
return &SecretsTuneCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"server": func() (cli.Command, error) {
return &ServerCommand{
BaseCommand: &BaseCommand{
UI: serverCmdUi,
tokenHelper: runOpts.TokenHelper,
flagAddress: runOpts.Address,
2017-09-05 04:05:53 +00:00
},
AuditBackends: auditBackends,
CredentialBackends: credentialBackends,
LogicalBackends: logicalBackends,
PhysicalBackends: physicalBackends,
ServiceRegistrations: serviceRegistrations,
ShutdownCh: MakeShutdownCh(),
SighupCh: MakeSighupCh(),
SigUSR2Ch: MakeSigUSR2Ch(),
2017-09-05 04:05:53 +00:00
}, nil
},
"ssh": func() (cli.Command, error) {
return &SSHCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"status": func() (cli.Command, error) {
return &StatusCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token": func() (cli.Command, error) {
return &TokenCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token create": func() (cli.Command, error) {
2017-09-05 04:05:53 +00:00
return &TokenCreateCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token capabilities": func() (cli.Command, error) {
return &TokenCapabilitiesCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token lookup": func() (cli.Command, error) {
return &TokenLookupCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token renew": func() (cli.Command, error) {
return &TokenRenewCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"token revoke": func() (cli.Command, error) {
return &TokenRevokeCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"unwrap": func() (cli.Command, error) {
return &UnwrapCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"version": func() (cli.Command, error) {
return &VersionCommand{
VersionInfo: version.GetVersion(),
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"version-history": func() (cli.Command, error) {
return &VersionHistoryCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2017-09-05 04:05:53 +00:00
"write": func() (cli.Command, error) {
return &WriteCommand{
BaseCommand: getBaseCommand(),
2017-09-05 04:05:53 +00:00
}, nil
},
"kv": func() (cli.Command, error) {
return &KVCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv put": func() (cli.Command, error) {
return &KVPutCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv patch": func() (cli.Command, error) {
return &KVPatchCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv rollback": func() (cli.Command, error) {
return &KVRollbackCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv get": func() (cli.Command, error) {
return &KVGetCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv delete": func() (cli.Command, error) {
return &KVDeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv list": func() (cli.Command, error) {
return &KVListCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv destroy": func() (cli.Command, error) {
return &KVDestroyCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv undelete": func() (cli.Command, error) {
return &KVUndeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv enable-versioning": func() (cli.Command, error) {
return &KVEnableVersioningCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata": func() (cli.Command, error) {
return &KVMetadataCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata put": func() (cli.Command, error) {
return &KVMetadataPutCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata patch": func() (cli.Command, error) {
return &KVMetadataPatchCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata get": func() (cli.Command, error) {
return &KVMetadataGetCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"kv metadata delete": func() (cli.Command, error) {
return &KVMetadataDeleteCommand{
BaseCommand: getBaseCommand(),
}, nil
},
"monitor": func() (cli.Command, error) {
return &MonitorCommand{
BaseCommand: getBaseCommand(),
ShutdownCh: MakeShutdownCh(),
}, nil
},
PKI Health Check Command (#17750) * Stub out initial health check command This command will be used to generate health check results for the PKI engine. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Start common health check implementation Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add common health check utilities These utilities will collect helpers not specific to PKI health checks, such as formatting longer durations more legibly. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add PKI health check common utils Many health checks will need issuer and/or CRL information in order to execute. We've centrally located these helpers to avoid particular health checks from needing to reimplement them each time. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Adding ca_validity_period health check Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Begin using health-checks in PKI command Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Allow parsing raw requests afterwards This shifts the last of the logic difference between Read(...) and ReadRaw(...) to a new helper, allowing ReadRaw(...) requests to be parsed into the same response structure afterwards as Read(...); this allows API callers to fetch the raw secret and inspect the raw response object in case something went wrong (error code &c) -- and when the request succeeds, they can still get the api.Secret out. This will be used with the PKI health check functionality, making both LIST and READ operations use ReadRaw, and optionally parsing the secret afterwards. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add crl_validity_period health check Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add tests for PKI health check Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix bug in raw reading with contexts When reading raw objects, don't manually call the context cancellation: this causes timeouts and/or EOF errors when attempting to read or parse the response body. See message in client.RawRequestWithContext(...) for more information. This was causing the test suite to randomly fail, due to the context cancelling. The test suite's client usually had a default timeout, whereas the CLI didn't, and thus didn't exhibit the same issue. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix typo in permissions message Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Move %v->%w for errs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 14:27:56 +00:00
"pki health-check": func() (cli.Command, error) {
return &PKIHealthCheckCommand{
BaseCommand: getBaseCommand(),
}, nil
},
2017-09-05 04:05:53 +00:00
}
initCommandsEnt(ui, serverCmdUi, runOpts)
2017-09-05 04:05:53 +00:00
}
// MakeShutdownCh returns a channel that can be used for shutdown
// notifications for commands. This channel will send a message for every
// SIGINT or SIGTERM received.
func MakeShutdownCh() chan struct{} {
resultCh := make(chan struct{})
shutdownCh := make(chan os.Signal, 4)
signal.Notify(shutdownCh, os.Interrupt, syscall.SIGTERM)
go func() {
<-shutdownCh
close(resultCh)
}()
return resultCh
}
// MakeSighupCh returns a channel that can be used for SIGHUP
// reloading. This channel will send a message for every
// SIGHUP received.
func MakeSighupCh() chan struct{} {
resultCh := make(chan struct{})
signalCh := make(chan os.Signal, 4)
signal.Notify(signalCh, syscall.SIGHUP)
go func() {
for {
<-signalCh
resultCh <- struct{}{}
}
}()
return resultCh
}