open-vault/command/meta.go

package command

import (
	"bufio"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"time"

	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/command/token"
	"github.com/mitchellh/cli"
)

// EnvVaultAddress can be used to set the address of Vault
const EnvVaultAddress = "VAULT_ADDR"
const EnvVaultCACert = "VAULT_CACERT"
const EnvVaultCAPath = "VAULT_CAPATH"
const EnvVaultInsecure = "VAULT_INSECURE"

// FlagSetFlags is an enum to define what flags are present in the
// default FlagSet returned by Meta.FlagSet.
type FlagSetFlags uint

const (
	FlagSetNone    FlagSetFlags = 0
	FlagSetServer  FlagSetFlags = 1 << iota
	FlagSetDefault              = FlagSetServer
)

// Meta contains the meta-options and functionality that nearly every
// Vault command inherits.
type Meta struct {
	ClientToken string
	Ui          cli.Ui

	// The things below can be set, but aren't common
	ForceAddress string  // Address to force for API clients
	ForceConfig  *Config // Force a config, don't load from disk

	// These are set by the command line flags.
	flagAddress  string
	flagCACert   string
	flagCAPath   string
	flagInsecure bool

	// These are internal and shouldn't be modified or access by anyone
	// except Meta.
	config *Config
}

// Client returns the API client to a Vault server given the configured
// flag settings for this command.
func (m *Meta) Client() (*api.Client, error) {
	config := api.DefaultConfig()
	if v := os.Getenv(EnvVaultAddress); v != "" {
		config.Address = v
	}
	if m.flagAddress != "" {
		config.Address = m.flagAddress
	}
	if m.ForceAddress != "" {
		config.Address = m.ForceAddress
	}
	if v := os.Getenv(EnvVaultCACert); v != "" {
		m.flagCACert = v
	}
	if v := os.Getenv(EnvVaultCAPath); v != "" {
		m.flagCAPath = v
	}
	if v := os.Getenv(EnvVaultInsecure); v != "" {
		var err error
		m.flagInsecure, err = strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("Invalid value passed in for -insecure flag: %s", err)
		}
	}
	// If we need custom TLS configuration, then set it
	if m.flagCACert != "" || m.flagCAPath != "" || m.flagInsecure {
		var certPool *x509.CertPool
		var err error
		if m.flagCACert != "" {
			certPool, err = m.loadCACert(m.flagCACert)
		} else if m.flagCAPath != "" {
			certPool, err = m.loadCAPath(m.flagCAPath)
		}
		if err != nil {
			return nil, fmt.Errorf("Error setting up CA path: %s", err)
		}

		tlsConfig := &tls.Config{
			InsecureSkipVerify: m.flagInsecure,
			MinVersion:         tls.VersionTLS12,
			RootCAs:            certPool,
		}

		client := *http.DefaultClient
		client.Transport = &http.Transport{
			Proxy: http.ProxyFromEnvironment,
			Dial: (&net.Dialer{
				Timeout:   30 * time.Second,
				KeepAlive: 30 * time.Second,
			}).Dial,
			TLSClientConfig:     tlsConfig,
			TLSHandshakeTimeout: 10 * time.Second,
		}

		config.HttpClient = &client
	}

	// Build the client
	client, err := api.NewClient(config)
	if err != nil {
		return nil, err
	}

	// If we have a token directly, then set that
	token := m.ClientToken

	// Try to set the token to what is already stored
	if token == "" {
		token = client.Token()
	}

	// If we don't have a token, check the token helper
	if token == "" {
		// If we have a token, then set that
		tokenHelper, err := m.TokenHelper()
		if err != nil {
			return nil, err
		}
		token, err = tokenHelper.Get()
		if err != nil {
			return nil, err
		}
	}

	// Set the token
	if token != "" {
		client.SetToken(token)
	}

	return client, nil
}

// Config loads the configuration and returns it. If the configuration
// is already loaded, it is returned.
func (m *Meta) Config() (*Config, error) {
	if m.config != nil {
		return m.config, nil
	}
	if m.ForceConfig != nil {
		return m.ForceConfig, nil
	}

	var err error
	m.config, err = LoadConfig("")
	if err != nil {
		return nil, err
	}

	return m.config, nil
}

// FlagSet returns a FlagSet with the common flags that every
// command implements. The exact behavior of FlagSet can be configured
// using the flags as the second parameter, for example to disable
// server settings on the commands that don't talk to a server.
func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
	f := flag.NewFlagSet(n, flag.ContinueOnError)

	// FlagSetServer tells us to enable the settings for selecting
	// the server information.
	if fs&FlagSetServer != 0 {
		f.StringVar(&m.flagAddress, "address", "", "")
		f.StringVar(&m.flagCACert, "ca-cert", "", "")
		f.StringVar(&m.flagCAPath, "ca-path", "", "")
		f.BoolVar(&m.flagInsecure, "insecure", false, "")
		f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")
	}

	// Create an io.Writer that writes to our Ui properly for errors.
	// This is kind of a hack, but it does the job. Basically: create
	// a pipe, use a scanner to break it into lines, and output each line
	// to the UI. Do this forever.
	errR, errW := io.Pipe()
	errScanner := bufio.NewScanner(errR)
	go func() {
		for errScanner.Scan() {
			m.Ui.Error(errScanner.Text())
		}
	}()
	f.SetOutput(errW)

	return f
}

// TokenHelper returns the token helper that is configured for Vault.
func (m *Meta) TokenHelper() (*token.Helper, error) {
	config, err := m.Config()
	if err != nil {
		return nil, err
	}

	path := config.TokenHelper
	if path == "" {
		path = "disk"
	}

	path = token.HelperPath(path)
	return &token.Helper{Path: path}, nil
}

func (m *Meta) loadCACert(path string) (*x509.CertPool, error) {
	certs, err := m.loadCertFromPEM(path)
	if err != nil {
		return nil, fmt.Errorf("Error loading %s: %s", path, err)
	}

	result := x509.NewCertPool()
	for _, cert := range certs {
		result.AddCert(cert)
	}

	return result, nil
}

func (m *Meta) loadCAPath(path string) (*x509.CertPool, error) {
	result := x509.NewCertPool()
	fn := func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}

		if info.IsDir() {
			return nil
		}

		certs, err := m.loadCertFromPEM(path)
		if err != nil {
			return fmt.Errorf("Error loading %s: %s", path, err)
		}

		for _, cert := range certs {
			result.AddCert(cert)
		}
		return nil
	}

	return result, filepath.Walk(path, fn)
}

func (m *Meta) loadCertFromPEM(path string) ([]*x509.Certificate, error) {
	pemCerts, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, err
	}

	certs := make([]*x509.Certificate, 0, 5)
	for len(pemCerts) > 0 {
		var block *pem.Block
		block, pemCerts = pem.Decode(pemCerts)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
			continue
		}

		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}

		certs = append(certs, cert)
	}

	return certs, nil
}
command/auth 2015-03-04 07:34:32 +00:00			`package command`

			`import (`
			`"bufio"`
command/init 2015-03-13 17:32:39 +00:00			`"crypto/tls"`
command: support custom CAs 2015-04-28 16:36:03 +00:00			`"crypto/x509"`
			`"encoding/pem"`
command/auth 2015-03-04 07:34:32 +00:00			`"flag"`
command/*: lets try to remove this before 0.1.0 2015-04-28 16:20:42 +00:00			`"fmt"`
command/auth 2015-03-04 07:34:32 +00:00			`"io"`
command: support custom CAs 2015-04-28 16:36:03 +00:00			`"io/ioutil"`
command/init 2015-03-13 17:32:39 +00:00			`"net"`
			`"net/http"`
command/meta: VAULT_ADDR to set the addr via env var 2015-03-16 03:41:36 +00:00			`"os"`
command: support custom CAs 2015-04-28 16:36:03 +00:00			`"path/filepath"`
This adds one bugfix and one feature enhancement. Bugfix: When walking a given CA path, the walk gives both files and directories to the function. However, both were being passed in to be read as certificates, with the result that "." (the given directory for the CA path) would cause an error. This fixes that problem by simply checking whether the given path in the walk is a directory or a file. Feature enhancement: VAULT_CACERT, VAULT_CAPATH, and VAULT_INSECURE now perform as expected. 2015-05-10 14:23:40 +00:00			`"strconv"`
command/init 2015-03-13 17:32:39 +00:00			`"time"`
command/auth 2015-03-04 07:34:32 +00:00
command/init 2015-03-13 17:32:39 +00:00			`"github.com/hashicorp/vault/api"`
command/auth: setting tokens works 2015-03-30 17:55:41 +00:00			`"github.com/hashicorp/vault/command/token"`
command/auth 2015-03-04 07:34:32 +00:00			`"github.com/mitchellh/cli"`
			`)`

command/meta: VAULT_ADDR to set the addr via env var 2015-03-16 03:41:36 +00:00			`// EnvVaultAddress can be used to set the address of Vault`
			`const EnvVaultAddress = "VAULT_ADDR"`
This adds one bugfix and one feature enhancement. Bugfix: When walking a given CA path, the walk gives both files and directories to the function. However, both were being passed in to be read as certificates, with the result that "." (the given directory for the CA path) would cause an error. This fixes that problem by simply checking whether the given path in the walk is a directory or a file. Feature enhancement: VAULT_CACERT, VAULT_CAPATH, and VAULT_INSECURE now perform as expected. 2015-05-10 14:23:40 +00:00			`const EnvVaultCACert = "VAULT_CACERT"`
			`const EnvVaultCAPath = "VAULT_CAPATH"`
			`const EnvVaultInsecure = "VAULT_INSECURE"`
command/meta: VAULT_ADDR to set the addr via env var 2015-03-16 03:41:36 +00:00
command/auth 2015-03-04 07:34:32 +00:00			`// FlagSetFlags is an enum to define what flags are present in the`
			`// default FlagSet returned by Meta.FlagSet.`
			`type FlagSetFlags uint`

			`const (`
			`FlagSetNone FlagSetFlags = 0`
			`FlagSetServer FlagSetFlags = 1 << iota`
			`FlagSetDefault = FlagSetServer`
			`)`

			`// Meta contains the meta-options and functionality that nearly every`
			`// Vault command inherits.`
			`type Meta struct {`
command/meta: tests passing 2015-03-31 06:30:30 +00:00			`ClientToken string`
			`Ui cli.Ui`
command/meta: server options 2015-03-04 07:49:37 +00:00
command/meta: can force config 2015-04-13 00:51:38 +00:00			`// The things below can be set, but aren't common`
			`ForceAddress string // Address to force for API clients`
			`ForceConfig *Config // Force a config, don't load from disk`

command/meta: server options 2015-03-04 07:49:37 +00:00			`// These are set by the command line flags.`
			`flagAddress string`
			`flagCACert string`
			`flagCAPath string`
			`flagInsecure bool`
command: load configuration 2015-03-30 17:25:24 +00:00
			`// These are internal and shouldn't be modified or access by anyone`
			`// except Meta.`
			`config *Config`
command/auth 2015-03-04 07:34:32 +00:00			`}`

command/init 2015-03-13 17:32:39 +00:00			`// Client returns the API client to a Vault server given the configured`
			`// flag settings for this command.`
			`func (m Meta) Client() (api.Client, error) {`
			`config := api.DefaultConfig()`
command/meta: VAULT_ADDR to set the addr via env var 2015-03-16 03:41:36 +00:00			`if v := os.Getenv(EnvVaultAddress); v != "" {`
			`config.Address = v`
			`}`
command/init 2015-03-13 17:32:39 +00:00			`if m.flagAddress != "" {`
			`config.Address = m.flagAddress`
			`}`
command/meta: can force config 2015-04-13 00:51:38 +00:00			`if m.ForceAddress != "" {`
			`config.Address = m.ForceAddress`
command: can force address 2015-04-13 00:30:19 +00:00			`}`
This adds one bugfix and one feature enhancement. Bugfix: When walking a given CA path, the walk gives both files and directories to the function. However, both were being passed in to be read as certificates, with the result that "." (the given directory for the CA path) would cause an error. This fixes that problem by simply checking whether the given path in the walk is a directory or a file. Feature enhancement: VAULT_CACERT, VAULT_CAPATH, and VAULT_INSECURE now perform as expected. 2015-05-10 14:23:40 +00:00			`if v := os.Getenv(EnvVaultCACert); v != "" {`
			`m.flagCACert = v`
			`}`
			`if v := os.Getenv(EnvVaultCAPath); v != "" {`
			`m.flagCAPath = v`
			`}`
			`if v := os.Getenv(EnvVaultInsecure); v != "" {`
			`var err error`
			`m.flagInsecure, err = strconv.ParseBool(v)`
			`if err != nil {`
			`return nil, fmt.Errorf("Invalid value passed in for -insecure flag: %s", err)`
			`}`
			`}`
command/init 2015-03-13 17:32:39 +00:00			`// If we need custom TLS configuration, then set it`
			`if m.flagCACert != "" \|\| m.flagCAPath != "" \|\| m.flagInsecure {`
command: support custom CAs 2015-04-28 16:36:03 +00:00			`var certPool *x509.CertPool`
			`var err error`
			`if m.flagCACert != "" {`
			`certPool, err = m.loadCACert(m.flagCACert)`
			`} else if m.flagCAPath != "" {`
			`certPool, err = m.loadCAPath(m.flagCAPath)`
			`}`
			`if err != nil {`
			`return nil, fmt.Errorf("Error setting up CA path: %s", err)`
			`}`

command/init 2015-03-13 17:32:39 +00:00			`tlsConfig := &tls.Config{`
			`InsecureSkipVerify: m.flagInsecure,`
command: Set minimum TLS version to 1.2 2015-04-13 20:00:01 +00:00			`MinVersion: tls.VersionTLS12,`
command: support custom CAs 2015-04-28 16:36:03 +00:00			`RootCAs: certPool,`
command/*: lets try to remove this before 0.1.0 2015-04-28 16:20:42 +00:00			`}`
command/init 2015-03-13 17:32:39 +00:00
			`client := *http.DefaultClient`
			`client.Transport = &http.Transport{`
			`Proxy: http.ProxyFromEnvironment,`
			`Dial: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
			`}).Dial,`
			`TLSClientConfig: tlsConfig,`
			`TLSHandshakeTimeout: 10 * time.Second,`
			`}`

			`config.HttpClient = &client`
			`}`

command/meta: add token to client if we have it 2015-03-31 06:10:59 +00:00			`// Build the client`
			`client, err := api.NewClient(config)`
			`if err != nil {`
			`return nil, err`
			`}`

command/meta: tests passing 2015-03-31 06:30:30 +00:00			`// If we have a token directly, then set that`
			`token := m.ClientToken`

command/meta: don't read token file if token is already set [GH-162] 2015-05-11 17:31:14 +00:00			`// Try to set the token to what is already stored`
			`if token == "" {`
			`token = client.Token()`
			`}`

command/meta: tests passing 2015-03-31 06:30:30 +00:00			`// If we don't have a token, check the token helper`
			`if token == "" {`
			`// If we have a token, then set that`
			`tokenHelper, err := m.TokenHelper()`
			`if err != nil {`
			`return nil, err`
			`}`
			`token, err = tokenHelper.Get()`
			`if err != nil {`
			`return nil, err`
			`}`
command/meta: add token to client if we have it 2015-03-31 06:10:59 +00:00			`}`
command/meta: tests passing 2015-03-31 06:30:30 +00:00
			`// Set the token`
command/meta: add token to client if we have it 2015-03-31 06:10:59 +00:00			`if token != "" {`
			`client.SetToken(token)`
			`}`

			`return client, nil`
command/init 2015-03-13 17:32:39 +00:00			`}`

command: load configuration 2015-03-30 17:25:24 +00:00			`// Config loads the configuration and returns it. If the configuration`
			`// is already loaded, it is returned.`
			`func (m Meta) Config() (Config, error) {`
			`if m.config != nil {`
			`return m.config, nil`
			`}`
command/meta: can force config 2015-04-13 00:51:38 +00:00			`if m.ForceConfig != nil {`
			`return m.ForceConfig, nil`
			`}`
command: load configuration 2015-03-30 17:25:24 +00:00
			`var err error`
			`m.config, err = LoadConfig("")`
			`if err != nil {`
			`return nil, err`
			`}`

			`return m.config, nil`
			`}`

command/auth 2015-03-04 07:34:32 +00:00			`// FlagSet returns a FlagSet with the common flags that every`
			`// command implements. The exact behavior of FlagSet can be configured`
			`// using the flags as the second parameter, for example to disable`
			`// server settings on the commands that don't talk to a server.`
			`func (m Meta) FlagSet(n string, fs FlagSetFlags) flag.FlagSet {`
			`f := flag.NewFlagSet(n, flag.ContinueOnError)`

command/meta: server options 2015-03-04 07:49:37 +00:00			`// FlagSetServer tells us to enable the settings for selecting`
			`// the server information.`
			`if fs&FlagSetServer != 0 {`
			`f.StringVar(&m.flagAddress, "address", "", "")`
			`f.StringVar(&m.flagCACert, "ca-cert", "", "")`
			`f.StringVar(&m.flagCAPath, "ca-path", "", "")`
			`f.BoolVar(&m.flagInsecure, "insecure", false, "")`
command/*: -tls-skip-verify [GH-130] 2015-05-11 18:01:20 +00:00			`f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")`
command/meta: server options 2015-03-04 07:49:37 +00:00			`}`

command/auth 2015-03-04 07:34:32 +00:00			`// Create an io.Writer that writes to our Ui properly for errors.`
			`// This is kind of a hack, but it does the job. Basically: create`
			`// a pipe, use a scanner to break it into lines, and output each line`
			`// to the UI. Do this forever.`
			`errR, errW := io.Pipe()`
			`errScanner := bufio.NewScanner(errR)`
			`go func() {`
			`for errScanner.Scan() {`
			`m.Ui.Error(errScanner.Text())`
			`}`
			`}()`
			`f.SetOutput(errW)`

			`return f`
			`}`
command/auth: setting tokens works 2015-03-30 17:55:41 +00:00
			`// TokenHelper returns the token helper that is configured for Vault.`
			`func (m Meta) TokenHelper() (token.Helper, error) {`
			`config, err := m.Config()`
			`if err != nil {`
			`return nil, err`
			`}`

			`path := config.TokenHelper`
			`if path == "" {`
			`path = "disk"`
			`}`

			`path = token.HelperPath(path)`
			`return &token.Helper{Path: path}, nil`
			`}`
command: support custom CAs 2015-04-28 16:36:03 +00:00
			`func (m Meta) loadCACert(path string) (x509.CertPool, error) {`
			`certs, err := m.loadCertFromPEM(path)`
			`if err != nil {`
			`return nil, fmt.Errorf("Error loading %s: %s", path, err)`
			`}`

			`result := x509.NewCertPool()`
			`for _, cert := range certs {`
			`result.AddCert(cert)`
			`}`

			`return result, nil`
			`}`

			`func (m Meta) loadCAPath(path string) (x509.CertPool, error) {`
			`result := x509.NewCertPool()`
			`fn := func(path string, info os.FileInfo, err error) error {`
			`if err != nil {`
			`return err`
			`}`

This adds one bugfix and one feature enhancement. Bugfix: When walking a given CA path, the walk gives both files and directories to the function. However, both were being passed in to be read as certificates, with the result that "." (the given directory for the CA path) would cause an error. This fixes that problem by simply checking whether the given path in the walk is a directory or a file. Feature enhancement: VAULT_CACERT, VAULT_CAPATH, and VAULT_INSECURE now perform as expected. 2015-05-10 14:23:40 +00:00			`if info.IsDir() {`
			`return nil`
			`}`

command: support custom CAs 2015-04-28 16:36:03 +00:00			`certs, err := m.loadCertFromPEM(path)`
			`if err != nil {`
			`return fmt.Errorf("Error loading %s: %s", path, err)`
			`}`

			`for _, cert := range certs {`
			`result.AddCert(cert)`
			`}`
			`return nil`
			`}`

			`return result, filepath.Walk(path, fn)`
			`}`

			`func (m Meta) loadCertFromPEM(path string) ([]x509.Certificate, error) {`
			`pemCerts, err := ioutil.ReadFile(path)`
			`if err != nil {`
			`return nil, err`
			`}`

			`certs := make([]*x509.Certificate, 0, 5)`
			`for len(pemCerts) > 0 {`
			`var block *pem.Block`
			`block, pemCerts = pem.Decode(pemCerts)`
			`if block == nil {`
			`break`
			`}`
			`if block.Type != "CERTIFICATE" \|\| len(block.Headers) != 0 {`
			`continue`
			`}`

			`cert, err := x509.ParseCertificate(block.Bytes)`
			`if err != nil {`
			`return nil, err`
			`}`

			`certs = append(certs, cert)`
			`}`

			`return certs, nil`
			`}`