open-vault/api/sys_generate_root.go

package api

import "context"

func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error) {
	return c.generateRootStatusCommon("/v1/sys/generate-root/attempt")
}

func (c *Sys) GenerateDROperationTokenStatus() (*GenerateRootStatusResponse, error) {
	return c.generateRootStatusCommon("/v1/sys/replication/dr/secondary/generate-operation-token/attempt")
}

func (c *Sys) GenerateRecoveryOperationTokenStatus() (*GenerateRootStatusResponse, error) {
	return c.generateRootStatusCommon("/v1/sys/generate-recovery-token/attempt")
}

func (c *Sys) generateRootStatusCommon(path string) (*GenerateRootStatusResponse, error) {
	r := c.c.NewRequest("GET", path)

	ctx, cancelFunc := context.WithCancel(context.Background())
	defer cancelFunc()
	resp, err := c.c.RawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var result GenerateRootStatusResponse
	err = resp.DecodeJSON(&result)
	return &result, err
}

func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error) {
	return c.generateRootInitCommon("/v1/sys/generate-root/attempt", otp, pgpKey)
}

func (c *Sys) GenerateDROperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error) {
	return c.generateRootInitCommon("/v1/sys/replication/dr/secondary/generate-operation-token/attempt", otp, pgpKey)
}

func (c *Sys) GenerateRecoveryOperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error) {
	return c.generateRootInitCommon("/v1/sys/generate-recovery-token/attempt", otp, pgpKey)
}

func (c *Sys) generateRootInitCommon(path, otp, pgpKey string) (*GenerateRootStatusResponse, error) {
	body := map[string]interface{}{
		"otp":     otp,
		"pgp_key": pgpKey,
	}

	r := c.c.NewRequest("PUT", path)
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	ctx, cancelFunc := context.WithCancel(context.Background())
	defer cancelFunc()
	resp, err := c.c.RawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var result GenerateRootStatusResponse
	err = resp.DecodeJSON(&result)
	return &result, err
}

func (c *Sys) GenerateRootCancel() error {
	return c.generateRootCancelCommon("/v1/sys/generate-root/attempt")
}

func (c *Sys) GenerateDROperationTokenCancel() error {
	return c.generateRootCancelCommon("/v1/sys/replication/dr/secondary/generate-operation-token/attempt")
}

func (c *Sys) GenerateRecoveryOperationTokenCancel() error {
	return c.generateRootCancelCommon("/v1/sys/generate-recovery-token/attempt")
}

func (c *Sys) generateRootCancelCommon(path string) error {
	r := c.c.NewRequest("DELETE", path)

	ctx, cancelFunc := context.WithCancel(context.Background())
	defer cancelFunc()
	resp, err := c.c.RawRequestWithContext(ctx, r)
	if err == nil {
		defer resp.Body.Close()
	}
	return err
}

func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error) {
	return c.generateRootUpdateCommon("/v1/sys/generate-root/update", shard, nonce)
}

func (c *Sys) GenerateDROperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error) {
	return c.generateRootUpdateCommon("/v1/sys/replication/dr/secondary/generate-operation-token/update", shard, nonce)
}

func (c *Sys) GenerateRecoveryOperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error) {
	return c.generateRootUpdateCommon("/v1/sys/generate-recovery-token/update", shard, nonce)
}

func (c *Sys) generateRootUpdateCommon(path, shard, nonce string) (*GenerateRootStatusResponse, error) {
	body := map[string]interface{}{
		"key":   shard,
		"nonce": nonce,
	}

	r := c.c.NewRequest("PUT", path)
	if err := r.SetJSONBody(body); err != nil {
		return nil, err
	}

	ctx, cancelFunc := context.WithCancel(context.Background())
	defer cancelFunc()
	resp, err := c.c.RawRequestWithContext(ctx, r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var result GenerateRootStatusResponse
	err = resp.DecodeJSON(&result)
	return &result, err
}

type GenerateRootStatusResponse struct {
	Nonce            string `json:"nonce"`
	Started          bool   `json:"started"`
	Progress         int    `json:"progress"`
	Required         int    `json:"required"`
	Complete         bool   `json:"complete"`
	EncodedToken     string `json:"encoded_token"`
	EncodedRootToken string `json:"encoded_root_token"`
	PGPFingerprint   string `json:"pgp_fingerprint"`
	OTP              string `json:"otp"`
	OTPLength        int    `json:"otp_length"`
}
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`package api`

API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00			`import "context"`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`func (c Sys) GenerateRootStatus() (GenerateRootStatusResponse, error) {`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`return c.generateRootStatusCommon("/v1/sys/generate-root/attempt")`
			`}`

			`func (c Sys) GenerateDROperationTokenStatus() (GenerateRootStatusResponse, error) {`
Update the path for generating DR Operation tokens (#3578) 2017-11-14 01:28:34 +00:00			`return c.generateRootStatusCommon("/v1/sys/replication/dr/secondary/generate-operation-token/attempt")`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`}`

Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 04:55:31 +00:00			`func (c Sys) GenerateRecoveryOperationTokenStatus() (GenerateRootStatusResponse, error) {`
			`return c.generateRootStatusCommon("/v1/sys/generate-recovery-token/attempt")`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`func (c Sys) generateRootStatusCommon(path string) (GenerateRootStatusResponse, error) {`
			`r := c.c.NewRequest("GET", path)`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00
			`ctx, cancelFunc := context.WithCancel(context.Background())`
			`defer cancelFunc()`
			`resp, err := c.c.RawRequestWithContext(ctx, r)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`var result GenerateRootStatusResponse`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`err = resp.DecodeJSON(&result)`
			`return &result, err`
			`}`

Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`func (c Sys) GenerateRootInit(otp, pgpKey string) (GenerateRootStatusResponse, error) {`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`return c.generateRootInitCommon("/v1/sys/generate-root/attempt", otp, pgpKey)`
			`}`

			`func (c Sys) GenerateDROperationTokenInit(otp, pgpKey string) (GenerateRootStatusResponse, error) {`
Update the path for generating DR Operation tokens (#3578) 2017-11-14 01:28:34 +00:00			`return c.generateRootInitCommon("/v1/sys/replication/dr/secondary/generate-operation-token/attempt", otp, pgpKey)`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`}`

Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 04:55:31 +00:00			`func (c Sys) GenerateRecoveryOperationTokenInit(otp, pgpKey string) (GenerateRootStatusResponse, error) {`
			`return c.generateRootInitCommon("/v1/sys/generate-recovery-token/attempt", otp, pgpKey)`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`func (c Sys) generateRootInitCommon(path, otp, pgpKey string) (GenerateRootStatusResponse, error) {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`body := map[string]interface{}{`
			`"otp": otp,`
			`"pgp_key": pgpKey,`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`r := c.c.NewRequest("PUT", path)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err := r.SetJSONBody(body); err != nil {`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`return nil, err`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`

API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00			`ctx, cancelFunc := context.WithCancel(context.Background())`
			`defer cancelFunc()`
			`resp, err := c.c.RawRequestWithContext(ctx, r)`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`if err != nil {`
			`return nil, err`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`defer resp.Body.Close()`

			`var result GenerateRootStatusResponse`
			`err = resp.DecodeJSON(&result)`
			`return &result, err`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`func (c *Sys) GenerateRootCancel() error {`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`return c.generateRootCancelCommon("/v1/sys/generate-root/attempt")`
			`}`

			`func (c *Sys) GenerateDROperationTokenCancel() error {`
Update the path for generating DR Operation tokens (#3578) 2017-11-14 01:28:34 +00:00			`return c.generateRootCancelCommon("/v1/sys/replication/dr/secondary/generate-operation-token/attempt")`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`}`

Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 04:55:31 +00:00			`func (c *Sys) GenerateRecoveryOperationTokenCancel() error {`
			`return c.generateRootCancelCommon("/v1/sys/generate-recovery-token/attempt")`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`func (c *Sys) generateRootCancelCommon(path string) error {`
			`r := c.c.NewRequest("DELETE", path)`
API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00
			`ctx, cancelFunc := context.WithCancel(context.Background())`
			`defer cancelFunc()`
			`resp, err := c.c.RawRequestWithContext(ctx, r)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err == nil {`
			`defer resp.Body.Close()`
			`}`
			`return err`
			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`func (c Sys) GenerateRootUpdate(shard, nonce string) (GenerateRootStatusResponse, error) {`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`return c.generateRootUpdateCommon("/v1/sys/generate-root/update", shard, nonce)`
			`}`

			`func (c Sys) GenerateDROperationTokenUpdate(shard, nonce string) (GenerateRootStatusResponse, error) {`
Update the path for generating DR Operation tokens (#3578) 2017-11-14 01:28:34 +00:00			`return c.generateRootUpdateCommon("/v1/sys/replication/dr/secondary/generate-operation-token/update", shard, nonce)`
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`}`

Recovery Mode (#7559) * Initial work * rework * s/dr/recovery * Add sys/raw support to recovery mode (#7577) * Factor the raw paths out so they can be run with a SystemBackend. # Conflicts: # vault/logical_system.go * Add handleLogicalRecovery which is like handleLogical but is only sufficient for use with the sys-raw endpoint in recovery mode. No authentication is done yet. * Integrate with recovery-mode. We now handle unauthenticated sys/raw requests, albeit on path v1/raw instead v1/sys/raw. * Use sys/raw instead raw during recovery. * Don't bother persisting the recovery token. Authenticate sys/raw requests with it. * RecoveryMode: Support generate-root for autounseals (#7591) * Recovery: Abstract config creation and log settings * Recovery mode integration test. (#7600) * Recovery: Touch up (#7607) * Recovery: Touch up * revert the raw backend creation changes * Added recovery operation token prefix * Move RawBackend to its own file * Update API path and hit it using CLI flag on generate-root * Fix a panic triggered when handling a request that yields a nil response. (#7618) * Improve integ test to actually make changes while in recovery mode and verify they're still there after coming back in regular mode. * Refuse to allow a second recovery token to be generated. * Resize raft cluster to size 1 and start as leader (#7626) * RecoveryMode: Setup raft cluster post unseal (#7635) * Setup raft cluster post unseal in recovery mode * Remove marking as unsealed as its not needed * Address review comments * Accept only one seal config in recovery mode as there is no scope for migration 2019-10-15 04:55:31 +00:00			`func (c Sys) GenerateRecoveryOperationTokenUpdate(shard, nonce string) (GenerateRootStatusResponse, error) {`
			`return c.generateRootUpdateCommon("/v1/sys/generate-recovery-token/update", shard, nonce)`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`func (c Sys) generateRootUpdateCommon(path, shard, nonce string) (GenerateRootStatusResponse, error) {`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`body := map[string]interface{}{`
			`"key": shard,`
			`"nonce": nonce,`
			`}`

Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565) * Add API and Command code for generating a DR Operation Token * Update generate root to accept different token strategies 2017-11-10 18:19:42 +00:00			`r := c.c.NewRequest("PUT", path)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err := r.SetJSONBody(body); err != nil {`
			`return nil, err`
			`}`

API: Add context to each raw request call (#4987) 2018-07-24 22:49:55 +00:00			`ctx, cancelFunc := context.WithCancel(context.Background())`
			`defer cancelFunc()`
			`resp, err := c.c.RawRequestWithContext(ctx, r)`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`var result GenerateRootStatusResponse`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`err = resp.DecodeJSON(&result)`
			`return &result, err`
			`}`

RootGeneration->GenerateRoot 2016-01-15 15:55:35 +00:00			`type GenerateRootStatusResponse struct {`
CLI Enhancements (#3897) * Use Colored UI if stdout is a tty * Add format options to operator unseal * Add format test on operator unseal * Add -no-color output flag, and use BasicUi if no-color flag is provided * Move seal status formatting logic to OutputSealStatus * Apply no-color to warnings from DeprecatedCommands as well * Add OutputWithFormat to support arbitrary data, add format option to auth list * Add ability to output arbitrary list data on TableFormatter * Clear up switch logic on format * Add format option for list-related commands * Add format option to rest of commands that returns a client API response * Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead * Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead * Remove -no-color flag, use env var exclusively to toggle colored output * Fix compile * Remove -no-color flag in main.go * Add missing FlagSetOutputFormat * Fix generate-root/decode test * Migrate init functions to main.go * Add no-color flag back as hidden * Handle non-supported data types for TableFormatter.OutputList * Pull formatting much further up to remove the need to use c.flagFormat (#3950) * Pull formatting much further up to remove the need to use c.flagFormat Also remove OutputWithFormat as the logic can cause issues. * Use const for env var * Minor updates * Remove unnecessary check * Fix SSH output and some tests * Fix tests * Make race detector not run on generate root since it kills Travis these days * Update docs * Update docs * Address review feedback * Handle --format as well as -format 2018-02-12 23:12:16 +00:00			Nonce string `json:"nonce"`
			Started bool `json:"started"`
			Progress int `json:"progress"`
			Required int `json:"required"`
			Complete bool `json:"complete"`
generate token functions to share common names (#3576) 2017-11-13 20:44:26 +00:00			EncodedToken string `json:"encoded_token"`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			EncodedRootToken string `json:"encoded_root_token"`
			PGPFingerprint string `json:"pgp_fingerprint"`
Sync some ns stuff to api/command 2018-08-22 18:37:40 +00:00			OTP string `json:"otp"`
			OTPLength int `json:"otp_length"`
Add the ability to generate root tokens via unseal keys. 2016-01-09 02:21:02 +00:00			`}`