open-vault/command/operator_unseal.go

package command

import (
	"fmt"
	"io"
	"os"
	"strings"

	"github.com/hashicorp/go-secure-stdlib/password"
	"github.com/hashicorp/vault/api"
	"github.com/mitchellh/cli"
	"github.com/posener/complete"
)

var (
	_ cli.Command             = (*OperatorUnsealCommand)(nil)
	_ cli.CommandAutocomplete = (*OperatorUnsealCommand)(nil)
)

type OperatorUnsealCommand struct {
	*BaseCommand

	flagReset   bool
	flagMigrate bool

	testOutput io.Writer // for tests
}

func (c *OperatorUnsealCommand) Synopsis() string {
	return "Unseals the Vault server"
}

func (c *OperatorUnsealCommand) Help() string {
	helpText := `
Usage: vault operator unseal [options] [KEY]

  Provide a portion of the root key to unseal a Vault server. Vault starts
  in a sealed state. It cannot perform operations until it is unsealed. This
  command accepts a portion of the root key (an "unseal key").

  The unseal key can be supplied as an argument to the command, but this is
  not recommended as the unseal key will be available in your history:

      $ vault operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=

  Instead, run the command with no arguments and it will prompt for the key:

      $ vault operator unseal
      Key (will be hidden): IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=

` + c.Flags().Help()

	return strings.TrimSpace(helpText)
}

func (c *OperatorUnsealCommand) Flags() *FlagSets {
	set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)

	f := set.NewFlagSet("Command Options")

	f.BoolVar(&BoolVar{
		Name:       "reset",
		Aliases:    []string{},
		Target:     &c.flagReset,
		Default:    false,
		EnvVar:     "",
		Completion: complete.PredictNothing,
		Usage:      "Discard any previously entered keys to the unseal process.",
	})

	f.BoolVar(&BoolVar{
		Name:       "migrate",
		Aliases:    []string{},
		Target:     &c.flagMigrate,
		Default:    false,
		EnvVar:     "",
		Completion: complete.PredictNothing,
		Usage:      "Indicate that this share is provided with the intent that it is part of a seal migration process.",
	})

	return set
}

func (c *OperatorUnsealCommand) AutocompleteArgs() complete.Predictor {
	return complete.PredictAnything
}

func (c *OperatorUnsealCommand) AutocompleteFlags() complete.Flags {
	return c.Flags().Completions()
}

func (c *OperatorUnsealCommand) Run(args []string) int {
	f := c.Flags()

	if err := f.Parse(args); err != nil {
		c.UI.Error(err.Error())
		return 1
	}

	unsealKey := ""

	args = f.Args()
	switch len(args) {
	case 0:
		// We will prompt for the unseal key later
	case 1:
		unsealKey = strings.TrimSpace(args[0])
	default:
		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
		return 1
	}

	client, err := c.Client()
	if err != nil {
		c.UI.Error(err.Error())
		return 2
	}

	if c.flagReset {
		status, err := client.Sys().ResetUnsealProcess()
		if err != nil {
			c.UI.Error(fmt.Sprintf("Error resetting unseal process: %s", err))
			return 2
		}
		return OutputSealStatus(c.UI, client, status)
	}

	if unsealKey == "" {
		// Override the output
		writer := (io.Writer)(os.Stdout)
		if c.testOutput != nil {
			writer = c.testOutput
		}

		fmt.Fprintf(writer, "Unseal Key (will be hidden): ")
		value, err := password.Read(os.Stdin)
		fmt.Fprintf(writer, "\n")
		if err != nil {
			c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+
				"ask for an unseal key. The raw error message is shown below, but "+
				"usually this is because you attempted to pipe a value into the "+
				"unseal command or you are executing outside of a terminal (tty). "+
				"You should run the unseal command from a terminal for maximum "+
				"security. If this is not an option, the unseal key can be provided "+
				"as the first argument to the unseal command. The raw error "+
				"was:\n\n%s", err)))
			return 1
		}
		unsealKey = strings.TrimSpace(value)
	}

	status, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{
		Key:     unsealKey,
		Migrate: c.flagMigrate,
	})
	if err != nil {
		c.UI.Error(fmt.Sprintf("Error unsealing: %s", err))
		return 2
	}

	return OutputSealStatus(c.UI, client, status)
}
command/unseal 2015-03-04 07:57:23 +00:00			`package command`

			`import (`
command/unseal: forward error along 2015-03-04 08:35:02 +00:00			`"fmt"`
update unseal command 2017-09-05 04:05:27 +00:00			`"io"`
helper/password: for reading passwords securely 2015-03-04 08:31:35 +00:00			`"os"`
command/unseal 2015-03-04 07:57:23 +00:00			`"strings"`
helper/password: for reading passwords securely 2015-03-04 08:31:35 +00:00
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090) * Swap sdk/helper libs to go-secure-stdlib * Migrate to go-secure-stdlib reloadutil * Migrate to go-secure-stdlib kv-builder * Migrate to go-secure-stdlib gatedwriter 2021-07-16 00:17:31 +00:00			`"github.com/hashicorp/go-secure-stdlib/password"`
Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`"github.com/hashicorp/vault/api"`
update unseal command 2017-09-05 04:05:27 +00:00			`"github.com/mitchellh/cli"`
			`"github.com/posener/complete"`
command/unseal 2015-03-04 07:57:23 +00:00			`)`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`var (`
			`_ cli.Command = (*OperatorUnsealCommand)(nil)`
			`_ cli.CommandAutocomplete = (*OperatorUnsealCommand)(nil)`
			`)`
update unseal command 2017-09-05 04:05:27 +00:00
Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`type OperatorUnsealCommand struct {`
update unseal command 2017-09-05 04:05:27 +00:00			`*BaseCommand`

Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`flagReset bool`
			`flagMigrate bool`
update unseal command 2017-09-05 04:05:27 +00:00
			`testOutput io.Writer // for tests`
			`}`

Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`func (c *OperatorUnsealCommand) Synopsis() string {`
update unseal command 2017-09-05 04:05:27 +00:00			`return "Unseals the Vault server"`
			`}`

Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`func (c *OperatorUnsealCommand) Help() string {`
update unseal command 2017-09-05 04:05:27 +00:00			helpText := `
Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`Usage: vault operator unseal [options] [KEY]`
update unseal command 2017-09-05 04:05:27 +00:00
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> 2021-12-07 01:12:20 +00:00			`Provide a portion of the root key to unseal a Vault server. Vault starts`
update unseal command 2017-09-05 04:05:27 +00:00			`in a sealed state. It cannot perform operations until it is unsealed. This`
Rename master key to root key (#13324) * See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.) * Restore accidentally deleted line * Add changelog * Update root->recovery * Fix test Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> 2021-12-07 01:12:20 +00:00			`command accepts a portion of the root key (an "unseal key").`
update unseal command 2017-09-05 04:05:27 +00:00
			`The unseal key can be supplied as an argument to the command, but this is`
			`not recommended as the unseal key will be available in your history:`

Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`$ vault operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=`
update unseal command 2017-09-05 04:05:27 +00:00
			`Instead, run the command with no arguments and it will prompt for the key:`

Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`$ vault operator unseal`
update unseal command 2017-09-05 04:05:27 +00:00			`Key (will be hidden): IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=`

			` + c.Flags().Help()

			`return strings.TrimSpace(helpText)`
			`}`

Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`func (c OperatorUnsealCommand) Flags() FlagSets {`
CLI Enhancements (#3897) * Use Colored UI if stdout is a tty * Add format options to operator unseal * Add format test on operator unseal * Add -no-color output flag, and use BasicUi if no-color flag is provided * Move seal status formatting logic to OutputSealStatus * Apply no-color to warnings from DeprecatedCommands as well * Add OutputWithFormat to support arbitrary data, add format option to auth list * Add ability to output arbitrary list data on TableFormatter * Clear up switch logic on format * Add format option for list-related commands * Add format option to rest of commands that returns a client API response * Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead * Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead * Remove -no-color flag, use env var exclusively to toggle colored output * Fix compile * Remove -no-color flag in main.go * Add missing FlagSetOutputFormat * Fix generate-root/decode test * Migrate init functions to main.go * Add no-color flag back as hidden * Handle non-supported data types for TableFormatter.OutputList * Pull formatting much further up to remove the need to use c.flagFormat (#3950) * Pull formatting much further up to remove the need to use c.flagFormat Also remove OutputWithFormat as the logic can cause issues. * Use const for env var * Minor updates * Remove unnecessary check * Fix SSH output and some tests * Fix tests * Make race detector not run on generate root since it kills Travis these days * Update docs * Update docs * Address review feedback * Handle --format as well as -format 2018-02-12 23:12:16 +00:00			`set := c.flagSet(FlagSetHTTP \| FlagSetOutputFormat)`
update unseal command 2017-09-05 04:05:27 +00:00
			`f := set.NewFlagSet("Command Options")`

			`f.BoolVar(&BoolVar{`
			`Name: "reset",`
			`Aliases: []string{},`
			`Target: &c.flagReset,`
			`Default: false,`
			`EnvVar: "",`
			`Completion: complete.PredictNothing,`
			`Usage: "Discard any previously entered keys to the unseal process.",`
			`})`

Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`f.BoolVar(&BoolVar{`
			`Name: "migrate",`
			`Aliases: []string{},`
			`Target: &c.flagMigrate,`
			`Default: false,`
			`EnvVar: "",`
			`Completion: complete.PredictNothing,`
			`Usage: "Indicate that this share is provided with the intent that it is part of a seal migration process.",`
			`})`

update unseal command 2017-09-05 04:05:27 +00:00			`return set`
			`}`

Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`func (c *OperatorUnsealCommand) AutocompleteArgs() complete.Predictor {`
Use a unified helper for seal output 2017-09-21 17:38:39 +00:00			`return complete.PredictAnything`
update unseal command 2017-09-05 04:05:27 +00:00			`}`
command/unseal: tests 2015-03-14 03:17:55 +00:00
Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`func (c *OperatorUnsealCommand) AutocompleteFlags() complete.Flags {`
update unseal command 2017-09-05 04:05:27 +00:00			`return c.Flags().Completions()`
command/unseal 2015-03-04 07:57:23 +00:00			`}`

Add "operator" subcommand 2017-09-08 02:03:12 +00:00			`func (c *OperatorUnsealCommand) Run(args []string) int {`
update unseal command 2017-09-05 04:05:27 +00:00			`f := c.Flags()`

			`if err := f.Parse(args); err != nil {`
			`c.UI.Error(err.Error())`
command/unseal 2015-03-04 07:57:23 +00:00			`return 1`
			`}`

update unseal command 2017-09-05 04:05:27 +00:00			`unsealKey := ""`

			`args = f.Args()`
			`switch len(args) {`
			`case 0:`
minor improvements to unseal inline docs (#6449) 2019-03-21 12:57:46 +00:00			`// We will prompt for the unseal key later`
update unseal command 2017-09-05 04:05:27 +00:00			`case 1:`
			`unsealKey = strings.TrimSpace(args[0])`
			`default:`
			`c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))`
			`return 1`
website: imageoptim 2015-03-13 19:58:21 +00:00			`}`

update unseal command 2017-09-05 04:05:27 +00:00			`client, err := c.Client()`
Improve unseal CLI message 2015-05-19 07:34:18 +00:00			`if err != nil {`
update unseal command 2017-09-05 04:05:27 +00:00			`c.UI.Error(err.Error())`
Improve unseal CLI message 2015-05-19 07:34:18 +00:00			`return 2`
			`}`

update unseal command 2017-09-05 04:05:27 +00:00			`if c.flagReset {`
			`status, err := client.Sys().ResetUnsealProcess()`
			`if err != nil {`
			`c.UI.Error(fmt.Sprintf("Error resetting unseal process: %s", err))`
			`return 2`
			`}`
Use a unified helper for seal output 2017-09-21 17:38:39 +00:00			`return OutputSealStatus(c.UI, client, status)`
Improve unseal CLI message 2015-05-19 07:34:18 +00:00			`}`

update unseal command 2017-09-05 04:05:27 +00:00			`if unsealKey == "" {`
			`// Override the output`
			`writer := (io.Writer)(os.Stdout)`
			`if c.testOutput != nil {`
			`writer = c.testOutput`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`}`
update unseal command 2017-09-05 04:05:27 +00:00
Use a unified helper for seal output 2017-09-21 17:38:39 +00:00			`fmt.Fprintf(writer, "Unseal Key (will be hidden): ")`
update unseal command 2017-09-05 04:05:27 +00:00			`value, err := password.Read(os.Stdin)`
			`fmt.Fprintf(writer, "\n")`
			`if err != nil {`
			`c.UI.Error(wrapAtLength(fmt.Sprintf("An error occurred attempting to "+`
			`"ask for an unseal key. The raw error message is shown below, but "+`
			`"usually this is because you attempted to pipe a value into the "+`
			`"unseal command or you are executing outside of a terminal (tty). "+`
			`"You should run the unseal command from a terminal for maximum "+`
minor improvements to unseal inline docs (#6449) 2019-03-21 12:57:46 +00:00			`"security. If this is not an option, the unseal key can be provided "+`
			`"as the first argument to the unseal command. The raw error "+`
update unseal command 2017-09-05 04:05:27 +00:00			`"was:\n\n%s", err)))`
			`return 1`
command/unseal: tests 2015-03-14 03:17:55 +00:00			`}`
update unseal command 2017-09-05 04:05:27 +00:00			`unsealKey = strings.TrimSpace(value)`
helper/password: for reading passwords securely 2015-03-04 08:31:35 +00:00			`}`

Seal migration (OSS) (#781) 2018-10-23 06:34:02 +00:00			`status, err := client.Sys().UnsealWithOptions(&api.UnsealOpts{`
			`Key: unsealKey,`
			`Migrate: c.flagMigrate,`
			`})`
website: imageoptim 2015-03-13 19:58:21 +00:00			`if err != nil {`
update unseal command 2017-09-05 04:05:27 +00:00			`c.UI.Error(fmt.Sprintf("Error unsealing: %s", err))`
			`return 2`
website: imageoptim 2015-03-13 19:58:21 +00:00			`}`

Use a unified helper for seal output 2017-09-21 17:38:39 +00:00			`return OutputSealStatus(c.UI, client, status)`
command/unseal 2015-03-04 07:57:23 +00:00			`}`