open-vault/command/init.go

package command

import (
	"fmt"
	"strings"

	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/helper/pgpkeys"
)

// InitCommand is a Command that initializes a new Vault server.
type InitCommand struct {
	Meta
}

func (c *InitCommand) Run(args []string) int {
	var threshold, shares int
	var pgpKeys pgpkeys.PubKeyFilesFlag
	flags := c.Meta.FlagSet("init", FlagSetDefault)
	flags.Usage = func() { c.Ui.Error(c.Help()) }
	flags.IntVar(&shares, "key-shares", 5, "")
	flags.IntVar(&threshold, "key-threshold", 3, "")
	flags.Var(&pgpKeys, "pgp-keys", "")
	if err := flags.Parse(args); err != nil {
		return 1
	}

	client, err := c.Client()
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error initializing client: %s", err))
		return 1
	}

	resp, err := client.Sys().Init(&api.InitRequest{
		SecretShares:    shares,
		SecretThreshold: threshold,
		PGPKeys:         pgpKeys,
	})
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error initializing Vault: %s", err))
		return 1
	}

	for i, key := range resp.Keys {
		c.Ui.Output(fmt.Sprintf("Key %d: %s", i+1, key))
	}

	c.Ui.Output(fmt.Sprintf("Initial Root Token: %s", resp.RootToken))

	c.Ui.Output(fmt.Sprintf(
		"\n"+
			"Vault initialized with %d keys and a key threshold of %d. Please\n"+
			"securely distribute the above keys. When the Vault is re-sealed,\n"+
			"restarted, or stopped, you must provide at least %d of these keys\n"+
			"to unseal it again.\n\n"+
			"Vault does not store the master key. Without at least %d keys,\n"+
			"your Vault will remain permanently sealed.",
		shares,
		threshold,
		threshold,
		threshold,
	))

	return 0
}

func (c *InitCommand) Synopsis() string {
	return "Initialize a new Vault server"
}

func (c *InitCommand) Help() string {
	helpText := `
Usage: vault init [options]

  Initialize a new Vault server.

  This command connects to a Vault server and initializes it for the
  first time. This sets up the initial set of master keys and sets up the
  backend data store structure.

  This command can't be called on an already-initialized Vault.

General Options:

  ` + generalOptionsUsage() + `

Init Options:

  -key-shares=5           The number of key shares to split the master key
                          into.

  -key-threshold=3        The number of key shares required to reconstruct
                          the master key.

  -pgp-keys               If provided, must be a comma-separated list of
                          files on disk containing binary- or base64-format
                          public PGP keys, or Keybase usernames specified as
                          "keybase:<username>". The number of given entries
                          must match 'key-shares'. The output unseal keys will
                          encrypted and hex-encoded, in order, with the given
                          public keys.  If you want to use them with the 'vault
                          unseal' command, you will need to hex decode and
                          decrypt; this will be the plaintext unseal key.
`
	return strings.TrimSpace(helpText)
}
command/init 2015-03-13 17:32:39 +00:00			`package command`

			`import (`
			`"fmt"`
			`"strings"`

			`"github.com/hashicorp/vault/api"`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`"github.com/hashicorp/vault/helper/pgpkeys"`
command/init 2015-03-13 17:32:39 +00:00			`)`

			`// InitCommand is a Command that initializes a new Vault server.`
			`type InitCommand struct {`
			`Meta`
			`}`

			`func (c *InitCommand) Run(args []string) int {`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`var threshold, shares int`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`var pgpKeys pgpkeys.PubKeyFilesFlag`
command/init 2015-03-13 17:32:39 +00:00			`flags := c.Meta.FlagSet("init", FlagSetDefault)`
			`flags.Usage = func() { c.Ui.Error(c.Help()) }`
Address comments from review. 2015-08-25 22:33:58 +00:00			`flags.IntVar(&shares, "key-shares", 5, "")`
command/init 2015-03-13 17:32:39 +00:00			`flags.IntVar(&threshold, "key-threshold", 3, "")`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`flags.Var(&pgpKeys, "pgp-keys", "")`
command/init 2015-03-13 17:32:39 +00:00			`if err := flags.Parse(args); err != nil {`
			`return 1`
			`}`

			`client, err := c.Client()`
			`if err != nil {`
			`c.Ui.Error(fmt.Sprintf(`
			`"Error initializing client: %s", err))`
			`return 1`
			`}`

			`resp, err := client.Sys().Init(&api.InitRequest{`
			`SecretShares: shares,`
			`SecretThreshold: threshold,`
Address comments from review. 2015-08-25 22:33:58 +00:00			`PGPKeys: pgpKeys,`
command/init 2015-03-13 17:32:39 +00:00			`})`
			`if err != nil {`
			`c.Ui.Error(fmt.Sprintf(`
			`"Error initializing Vault: %s", err))`
			`return 1`
			`}`

command/init: make the output a little nicer 2015-03-13 17:38:19 +00:00			`for i, key := range resp.Keys {`
			`c.Ui.Output(fmt.Sprintf("Key %d: %s", i+1, key))`
command/init 2015-03-13 17:32:39 +00:00			`}`

command/init: show root token 2015-03-29 23:25:53 +00:00			`c.Ui.Output(fmt.Sprintf("Initial Root Token: %s", resp.RootToken))`

command/init: make the output a little nicer 2015-03-13 17:38:19 +00:00			`c.Ui.Output(fmt.Sprintf(`
			`"\n"+`
Changed phrasing for unseal key notification 2015-05-29 00:02:09 +00:00			`"Vault initialized with %d keys and a key threshold of %d. Please\n"+`
Updated phrasing to note restarts, stop, and other sealing scenarios 2015-05-29 00:07:38 +00:00			`"securely distribute the above keys. When the Vault is re-sealed,\n"+`
			`"restarted, or stopped, you must provide at least %d of these keys\n"+`
			`"to unseal it again.\n\n"+`
			`"Vault does not store the master key. Without at least %d keys,\n"+`
			`"your Vault will remain permanently sealed.",`
command/init: make the output a little nicer 2015-03-13 17:38:19 +00:00			`shares,`
			`threshold,`
			`threshold,`
Changed phrasing for unseal key notification 2015-05-29 00:02:09 +00:00			`threshold,`
command/init: make the output a little nicer 2015-03-13 17:38:19 +00:00			`))`

command/init 2015-03-13 17:32:39 +00:00			`return 0`
			`}`

			`func (c *InitCommand) Synopsis() string {`
			`return "Initialize a new Vault server"`
			`}`

			`func (c *InitCommand) Help() string {`
			helpText := `
			`Usage: vault init [options]`

			`Initialize a new Vault server.`

			`This command connects to a Vault server and initializes it for the`
			`first time. This sets up the initial set of master keys and sets up the`
			`backend data store structure.`

			`This command can't be called on an already-initialized Vault.`

			`General Options:`

command: source general options docs from common source 2015-06-30 19:01:23 +00:00			` + generalOptionsUsage() + `
command/init 2015-03-13 17:32:39 +00:00
			`Init Options:`

			`-key-shares=5 The number of key shares to split the master key`
			`into.`

			`-key-threshold=3 The number of key shares required to reconstruct`
			`the master key.`

Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`-pgp-keys If provided, must be a comma-separated list of`
Update CLI help text for init/rekey regarding base64-encoded keys 2015-10-08 15:09:30 +00:00			`files on disk containing binary- or base64-format`
update init/rekey documentation around keybase entries 2016-01-04 19:17:51 +00:00			`public PGP keys, or Keybase usernames specified as`
			`"keybase:<username>". The number of given entries`
			`must match 'key-shares'. The output unseal keys will`
			`encrypted and hex-encoded, in order, with the given`
			`public keys. If you want to use them with the 'vault`
			`unseal' command, you will need to hex decode and`
			`decrypt; this will be the plaintext unseal key.`
command/init 2015-03-13 17:32:39 +00:00			`
			`return strings.TrimSpace(helpText)`
			`}`