open-vault/meta/meta.go

234 lines
7 KiB
Go
Raw Normal View History

2016-04-01 17:16:05 +00:00
package meta
2015-03-04 07:34:32 +00:00
import (
"bufio"
"flag"
"io"
2017-10-23 20:42:56 +00:00
"os"
2015-03-04 07:34:32 +00:00
"github.com/hashicorp/errwrap"
2015-03-13 17:32:39 +00:00
"github.com/hashicorp/vault/api"
2015-03-30 17:55:41 +00:00
"github.com/hashicorp/vault/command/token"
2017-10-23 20:42:56 +00:00
"github.com/hashicorp/vault/helper/flag-slice"
2015-03-04 07:34:32 +00:00
"github.com/mitchellh/cli"
)
// FlagSetFlags is an enum to define what flags are present in the
// default FlagSet returned by Meta.FlagSet.
type FlagSetFlags uint
type TokenHelperFunc func() (token.TokenHelper, error)
2016-04-01 18:23:15 +00:00
2015-03-04 07:34:32 +00:00
const (
FlagSetNone FlagSetFlags = 0
FlagSetServer FlagSetFlags = 1 << iota
FlagSetDefault = FlagSetServer
)
var (
additionalOptionsUsage = func() string {
return `
-wrap-ttl="" Indicates that the response should be wrapped in a
cubbyhole token with the requested TTL. The response
can be fetched by calling the "sys/wrapping/unwrap"
endpoint, passing in the wrapping token's ID. This
is a numeric string with an optional suffix
"s", "m", or "h"; if no suffix is specified it will
be parsed as seconds. May also be specified via
VAULT_WRAP_TTL.
2017-10-23 20:42:56 +00:00
-policy-override Indicates that any soft-mandatory Sentinel policies
be overridden.
`
}
)
2015-03-04 07:34:32 +00:00
// Meta contains the meta-options and functionality that nearly every
// Vault command inherits.
type Meta struct {
2015-03-31 06:30:30 +00:00
ClientToken string
Ui cli.Ui
2015-03-04 07:49:37 +00:00
2015-04-13 00:51:38 +00:00
// The things below can be set, but aren't common
ForceAddress string // Address to force for API clients
2015-04-13 00:51:38 +00:00
2015-03-04 07:49:37 +00:00
// These are set by the command line flags.
2017-10-23 20:42:56 +00:00
flagAddress string
flagCACert string
flagCAPath string
flagClientCert string
flagClientKey string
flagWrapTTL string
flagInsecure bool
flagMFA []string
flagPolicyOverride bool
2015-03-30 17:25:24 +00:00
2016-04-01 18:23:15 +00:00
// Queried if no token can be found
TokenHelper TokenHelperFunc
2015-03-04 07:34:32 +00:00
}
func (m *Meta) DefaultWrappingLookupFunc(operation, path string) string {
if m.flagWrapTTL != "" {
return m.flagWrapTTL
}
2016-09-29 04:01:28 +00:00
return api.DefaultWrappingLookupFunc(operation, path)
}
2015-03-13 17:32:39 +00:00
// Client returns the API client to a Vault server given the configured
// flag settings for this command.
func (m *Meta) Client() (*api.Client, error) {
config := api.DefaultConfig()
err := config.ReadEnvironment()
if err != nil {
return nil, errwrap.Wrapf("error reading environment: {{err}}", err)
}
2015-03-13 17:32:39 +00:00
if m.flagAddress != "" {
config.Address = m.flagAddress
}
2015-04-13 00:51:38 +00:00
if m.ForceAddress != "" {
config.Address = m.ForceAddress
2015-04-13 00:30:19 +00:00
}
2015-03-13 17:32:39 +00:00
// If we need custom TLS configuration, then set it
if m.flagCACert != "" || m.flagCAPath != "" || m.flagClientCert != "" || m.flagClientKey != "" || m.flagInsecure {
2016-08-02 20:17:45 +00:00
t := &api.TLSConfig{
CACert: m.flagCACert,
CAPath: m.flagCAPath,
ClientCert: m.flagClientCert,
ClientKey: m.flagClientKey,
TLSServerName: "",
Insecure: m.flagInsecure,
}
config.ConfigureTLS(t)
2015-03-13 17:32:39 +00:00
}
// Build the client
client, err := api.NewClient(config)
if err != nil {
return nil, err
}
client.SetWrappingLookupFunc(m.DefaultWrappingLookupFunc)
2017-10-23 20:42:56 +00:00
var mfaCreds []string
// Extract the MFA credentials from environment variable first
if os.Getenv(api.EnvVaultMFA) != "" {
mfaCreds = []string{os.Getenv(api.EnvVaultMFA)}
}
// If CLI MFA flags were supplied, prefer that over environment variable
if len(m.flagMFA) != 0 {
mfaCreds = m.flagMFA
}
client.SetMFACreds(mfaCreds)
client.SetPolicyOverride(m.flagPolicyOverride)
2015-03-31 06:30:30 +00:00
// If we have a token directly, then set that
token := m.ClientToken
// Try to set the token to what is already stored
if token == "" {
token = client.Token()
}
2015-03-31 06:30:30 +00:00
// If we don't have a token, check the token helper
if token == "" {
2016-04-01 18:23:15 +00:00
if m.TokenHelper != nil {
// If we have a token, then set that
tokenHelper, err := m.TokenHelper()
2016-04-01 18:23:15 +00:00
if err != nil {
return nil, err
}
token, err = tokenHelper.Get()
if err != nil {
return nil, err
}
2015-03-31 06:30:30 +00:00
}
}
2015-03-31 06:30:30 +00:00
// Set the token
if token != "" {
client.SetToken(token)
}
return client, nil
2015-03-13 17:32:39 +00:00
}
2015-03-04 07:34:32 +00:00
// FlagSet returns a FlagSet with the common flags that every
// command implements. The exact behavior of FlagSet can be configured
// using the flags as the second parameter, for example to disable
// server settings on the commands that don't talk to a server.
func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
f := flag.NewFlagSet(n, flag.ContinueOnError)
2015-03-04 07:49:37 +00:00
// FlagSetServer tells us to enable the settings for selecting
// the server information.
if fs&FlagSetServer != 0 {
f.StringVar(&m.flagAddress, "address", "", "")
f.StringVar(&m.flagCACert, "ca-cert", "", "")
f.StringVar(&m.flagCAPath, "ca-path", "", "")
2015-06-29 19:33:16 +00:00
f.StringVar(&m.flagClientCert, "client-cert", "", "")
f.StringVar(&m.flagClientKey, "client-key", "", "")
2016-05-02 05:58:58 +00:00
f.StringVar(&m.flagWrapTTL, "wrap-ttl", "", "")
2015-03-04 07:49:37 +00:00
f.BoolVar(&m.flagInsecure, "insecure", false, "")
2015-05-11 18:01:20 +00:00
f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")
2017-10-23 20:42:56 +00:00
f.BoolVar(&m.flagPolicyOverride, "policy-override", false, "")
f.Var((*sliceflag.StringFlag)(&m.flagMFA), "mfa", "")
2015-03-04 07:49:37 +00:00
}
2015-03-04 07:34:32 +00:00
// Create an io.Writer that writes to our Ui properly for errors.
// This is kind of a hack, but it does the job. Basically: create
// a pipe, use a scanner to break it into lines, and output each line
// to the UI. Do this forever.
errR, errW := io.Pipe()
errScanner := bufio.NewScanner(errR)
go func() {
for errScanner.Scan() {
m.Ui.Error(errScanner.Text())
}
}()
f.SetOutput(errW)
return f
}
2015-03-30 17:55:41 +00:00
2016-05-15 16:58:36 +00:00
// GeneralOptionsUsage returns the usage documentation for commonly
// available options
2016-04-01 17:16:05 +00:00
func GeneralOptionsUsage() string {
general := `
-address=addr The address of the Vault server.
Overrides the VAULT_ADDR environment variable if set.
-ca-cert=path Path to a PEM encoded CA cert file to use to
verify the Vault server SSL certificate.
Overrides the VAULT_CACERT environment variable if set.
-ca-path=path Path to a directory of PEM encoded CA cert files
to verify the Vault server SSL certificate. If both
-ca-cert and -ca-path are specified, -ca-cert is used.
Overrides the VAULT_CAPATH environment variable if set.
-client-cert=path Path to a PEM encoded client certificate for TLS
authentication to the Vault server. Must also specify
-client-key. Overrides the VAULT_CLIENT_CERT
environment variable if set.
-client-key=path Path to an unencrypted PEM encoded private key
matching the client certificate from -client-cert.
Overrides the VAULT_CLIENT_KEY environment variable
if set.
-tls-skip-verify Do not verify TLS certificate. This is highly
not recommended. Verification will also be skipped
if VAULT_SKIP_VERIFY is set.
`
general += additionalOptionsUsage()
return general
}