2015-03-04 07:34:32 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bufio"
|
2015-03-13 17:32:39 +00:00
|
|
|
"crypto/tls"
|
2015-04-28 16:36:03 +00:00
|
|
|
"crypto/x509"
|
|
|
|
|
"encoding/pem"
|
2015-03-04 07:34:32 +00:00
|
|
|
"flag"
|
2015-04-28 16:20:42 +00:00
|
|
|
"fmt"
|
2015-03-04 07:34:32 +00:00
|
|
|
"io"
|
2015-04-28 16:36:03 +00:00
|
|
|
"io/ioutil"
|
2015-03-13 17:32:39 +00:00
|
|
|
"net/http"
|
2015-03-16 03:41:36 +00:00
|
|
|
"os"
|
2015-04-28 16:36:03 +00:00
|
|
|
"path/filepath"
|
2015-06-30 19:01:23 +00:00
|
|
|
"strings"
|
2015-03-04 07:34:32 +00:00
|
|
|
|
2015-11-03 19:21:14 +00:00
|
|
|
"github.com/hashicorp/errwrap"
|
2015-03-13 17:32:39 +00:00
|
|
|
"github.com/hashicorp/vault/api"
|
2015-03-30 17:55:41 +00:00
|
|
|
"github.com/hashicorp/vault/command/token"
|
2015-03-04 07:34:32 +00:00
|
|
|
"github.com/mitchellh/cli"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// FlagSetFlags is an enum to define what flags are present in the
|
|
|
|
|
// default FlagSet returned by Meta.FlagSet.
|
|
|
|
|
type FlagSetFlags uint
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
FlagSetNone FlagSetFlags = 0
|
|
|
|
|
FlagSetServer FlagSetFlags = 1 << iota
|
|
|
|
|
FlagSetDefault = FlagSetServer
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Meta contains the meta-options and functionality that nearly every
|
|
|
|
|
// Vault command inherits.
|
|
|
|
|
type Meta struct {
|
2015-03-31 06:30:30 +00:00
|
|
|
ClientToken string
|
|
|
|
|
Ui cli.Ui
|
2015-03-04 07:49:37 +00:00
|
|
|
|
2015-04-13 00:51:38 +00:00
|
|
|
// The things below can be set, but aren't common
|
|
|
|
|
ForceAddress string // Address to force for API clients
|
|
|
|
|
ForceConfig *Config // Force a config, don't load from disk
|
|
|
|
|
|
2015-03-04 07:49:37 +00:00
|
|
|
// These are set by the command line flags.
|
2015-06-29 19:33:16 +00:00
|
|
|
flagAddress string
|
|
|
|
|
flagCACert string
|
|
|
|
|
flagCAPath string
|
|
|
|
|
flagClientCert string
|
|
|
|
|
flagClientKey string
|
|
|
|
|
flagInsecure bool
|
2015-03-30 17:25:24 +00:00
|
|
|
|
|
|
|
|
// These are internal and shouldn't be modified or access by anyone
|
|
|
|
|
// except Meta.
|
|
|
|
|
config *Config
|
2015-03-04 07:34:32 +00:00
|
|
|
}
|
|
|
|
|
|
2015-03-13 17:32:39 +00:00
|
|
|
// Client returns the API client to a Vault server given the configured
|
|
|
|
|
// flag settings for this command.
|
|
|
|
|
func (m *Meta) Client() (*api.Client, error) {
|
|
|
|
|
config := api.DefaultConfig()
|
2015-11-03 19:21:14 +00:00
|
|
|
|
|
|
|
|
err := config.ReadEnvironment()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errwrap.Wrapf("error reading environment: {{err}}", err)
|
2015-03-16 03:41:36 +00:00
|
|
|
}
|
2015-11-03 19:21:14 +00:00
|
|
|
|
2015-03-13 17:32:39 +00:00
|
|
|
if m.flagAddress != "" {
|
|
|
|
|
config.Address = m.flagAddress
|
|
|
|
|
}
|
2015-04-13 00:51:38 +00:00
|
|
|
if m.ForceAddress != "" {
|
|
|
|
|
config.Address = m.ForceAddress
|
2015-04-13 00:30:19 +00:00
|
|
|
}
|
2015-03-13 17:32:39 +00:00
|
|
|
// If we need custom TLS configuration, then set it
|
2015-08-17 19:16:32 +00:00
|
|
|
if m.flagCACert != "" || m.flagCAPath != "" || m.flagClientCert != "" || m.flagClientKey != "" || m.flagInsecure {
|
2015-11-03 19:21:14 +00:00
|
|
|
// We may have set items from the environment so start with the
|
|
|
|
|
// existing TLS config
|
|
|
|
|
tlsConfig := config.HttpClient.Transport.(*http.Transport).TLSClientConfig
|
|
|
|
|
|
2015-04-28 16:36:03 +00:00
|
|
|
var certPool *x509.CertPool
|
|
|
|
|
var err error
|
|
|
|
|
if m.flagCACert != "" {
|
2015-11-03 19:21:14 +00:00
|
|
|
certPool, err = api.LoadCACert(m.flagCACert)
|
2015-04-28 16:36:03 +00:00
|
|
|
} else if m.flagCAPath != "" {
|
2015-11-03 19:21:14 +00:00
|
|
|
certPool, err = api.LoadCAPath(m.flagCAPath)
|
2015-04-28 16:36:03 +00:00
|
|
|
}
|
|
|
|
|
if err != nil {
|
2015-11-03 19:21:14 +00:00
|
|
|
return nil, errwrap.Wrapf("Error setting up CA path: {{err}}", err)
|
2015-04-28 16:36:03 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-03 19:21:14 +00:00
|
|
|
if certPool != nil {
|
|
|
|
|
tlsConfig.RootCAs = certPool
|
|
|
|
|
}
|
|
|
|
|
if m.flagInsecure {
|
|
|
|
|
tlsConfig.InsecureSkipVerify = true
|
2015-04-28 16:20:42 +00:00
|
|
|
}
|
2015-03-13 17:32:39 +00:00
|
|
|
|
2015-06-30 12:59:38 +00:00
|
|
|
if m.flagClientCert != "" && m.flagClientKey != "" {
|
2015-06-29 19:33:16 +00:00
|
|
|
tlsCert, err := tls.LoadX509KeyPair(m.flagClientCert, m.flagClientKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
tlsConfig.Certificates = []tls.Certificate{tlsCert}
|
2015-06-30 12:59:38 +00:00
|
|
|
} else if m.flagClientCert != "" || m.flagClientKey != "" {
|
|
|
|
|
return nil, fmt.Errorf("Both client cert and client key must be provided")
|
2015-06-29 19:33:16 +00:00
|
|
|
}
|
2015-03-13 17:32:39 +00:00
|
|
|
}
|
|
|
|
|
|
2015-03-31 06:10:59 +00:00
|
|
|
// Build the client
|
|
|
|
|
client, err := api.NewClient(config)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-31 06:30:30 +00:00
|
|
|
// If we have a token directly, then set that
|
|
|
|
|
token := m.ClientToken
|
|
|
|
|
|
2015-05-11 17:31:14 +00:00
|
|
|
// Try to set the token to what is already stored
|
|
|
|
|
if token == "" {
|
|
|
|
|
token = client.Token()
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-31 06:30:30 +00:00
|
|
|
// If we don't have a token, check the token helper
|
|
|
|
|
if token == "" {
|
|
|
|
|
// If we have a token, then set that
|
|
|
|
|
tokenHelper, err := m.TokenHelper()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
token, err = tokenHelper.Get()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2015-03-31 06:10:59 +00:00
|
|
|
}
|
2015-03-31 06:30:30 +00:00
|
|
|
|
|
|
|
|
// Set the token
|
2015-03-31 06:10:59 +00:00
|
|
|
if token != "" {
|
|
|
|
|
client.SetToken(token)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return client, nil
|
2015-03-13 17:32:39 +00:00
|
|
|
}
|
|
|
|
|
|
2015-03-30 17:25:24 +00:00
|
|
|
// Config loads the configuration and returns it. If the configuration
|
|
|
|
|
// is already loaded, it is returned.
|
|
|
|
|
func (m *Meta) Config() (*Config, error) {
|
|
|
|
|
if m.config != nil {
|
|
|
|
|
return m.config, nil
|
|
|
|
|
}
|
2015-04-13 00:51:38 +00:00
|
|
|
if m.ForceConfig != nil {
|
|
|
|
|
return m.ForceConfig, nil
|
|
|
|
|
}
|
2015-03-30 17:25:24 +00:00
|
|
|
|
|
|
|
|
var err error
|
|
|
|
|
m.config, err = LoadConfig("")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return m.config, nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-04 07:34:32 +00:00
|
|
|
// FlagSet returns a FlagSet with the common flags that every
|
|
|
|
|
// command implements. The exact behavior of FlagSet can be configured
|
|
|
|
|
// using the flags as the second parameter, for example to disable
|
|
|
|
|
// server settings on the commands that don't talk to a server.
|
|
|
|
|
func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
|
|
|
|
|
f := flag.NewFlagSet(n, flag.ContinueOnError)
|
|
|
|
|
|
2015-03-04 07:49:37 +00:00
|
|
|
// FlagSetServer tells us to enable the settings for selecting
|
|
|
|
|
// the server information.
|
|
|
|
|
if fs&FlagSetServer != 0 {
|
|
|
|
|
f.StringVar(&m.flagAddress, "address", "", "")
|
|
|
|
|
f.StringVar(&m.flagCACert, "ca-cert", "", "")
|
|
|
|
|
f.StringVar(&m.flagCAPath, "ca-path", "", "")
|
2015-06-29 19:33:16 +00:00
|
|
|
f.StringVar(&m.flagClientCert, "client-cert", "", "")
|
|
|
|
|
f.StringVar(&m.flagClientKey, "client-key", "", "")
|
2015-03-04 07:49:37 +00:00
|
|
|
f.BoolVar(&m.flagInsecure, "insecure", false, "")
|
2015-05-11 18:01:20 +00:00
|
|
|
f.BoolVar(&m.flagInsecure, "tls-skip-verify", false, "")
|
2015-03-04 07:49:37 +00:00
|
|
|
}
|
|
|
|
|
|
2015-03-04 07:34:32 +00:00
|
|
|
// Create an io.Writer that writes to our Ui properly for errors.
|
|
|
|
|
// This is kind of a hack, but it does the job. Basically: create
|
|
|
|
|
// a pipe, use a scanner to break it into lines, and output each line
|
|
|
|
|
// to the UI. Do this forever.
|
|
|
|
|
errR, errW := io.Pipe()
|
|
|
|
|
errScanner := bufio.NewScanner(errR)
|
|
|
|
|
go func() {
|
|
|
|
|
for errScanner.Scan() {
|
|
|
|
|
m.Ui.Error(errScanner.Text())
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
f.SetOutput(errW)
|
|
|
|
|
|
|
|
|
|
return f
|
|
|
|
|
}
|
2015-03-30 17:55:41 +00:00
|
|
|
|
|
|
|
|
// TokenHelper returns the token helper that is configured for Vault.
|
|
|
|
|
func (m *Meta) TokenHelper() (*token.Helper, error) {
|
|
|
|
|
config, err := m.Config()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
path := config.TokenHelper
|
|
|
|
|
if path == "" {
|
|
|
|
|
path = "disk"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
path = token.HelperPath(path)
|
|
|
|
|
return &token.Helper{Path: path}, nil
|
|
|
|
|
}
|
2015-04-28 16:36:03 +00:00
|
|
|
|
|
|
|
|
func (m *Meta) loadCACert(path string) (*x509.CertPool, error) {
|
|
|
|
|
certs, err := m.loadCertFromPEM(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("Error loading %s: %s", path, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result := x509.NewCertPool()
|
|
|
|
|
for _, cert := range certs {
|
|
|
|
|
result.AddCert(cert)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *Meta) loadCAPath(path string) (*x509.CertPool, error) {
|
|
|
|
|
result := x509.NewCertPool()
|
|
|
|
|
fn := func(path string, info os.FileInfo, err error) error {
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-10 14:23:40 +00:00
|
|
|
if info.IsDir() {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-28 16:36:03 +00:00
|
|
|
certs, err := m.loadCertFromPEM(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Error loading %s: %s", path, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, cert := range certs {
|
|
|
|
|
result.AddCert(cert)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return result, filepath.Walk(path, fn)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *Meta) loadCertFromPEM(path string) ([]*x509.Certificate, error) {
|
|
|
|
|
pemCerts, err := ioutil.ReadFile(path)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certs := make([]*x509.Certificate, 0, 5)
|
|
|
|
|
for len(pemCerts) > 0 {
|
|
|
|
|
var block *pem.Block
|
|
|
|
|
block, pemCerts = pem.Decode(pemCerts)
|
|
|
|
|
if block == nil {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certs = append(certs, cert)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return certs, nil
|
|
|
|
|
}
|
2015-06-30 19:01:23 +00:00
|
|
|
|
|
|
|
|
// generalOptionsUsage returns the usage documenation for commonly
|
|
|
|
|
// available options
|
|
|
|
|
func generalOptionsUsage() string {
|
|
|
|
|
general := `
|
|
|
|
|
-address=addr The address of the Vault server.
|
2015-08-07 22:13:30 +00:00
|
|
|
Overrides the VAULT_ADDR environment variable if set.
|
2015-06-30 19:01:23 +00:00
|
|
|
|
|
|
|
|
-ca-cert=path Path to a PEM encoded CA cert file to use to
|
|
|
|
|
verify the Vault server SSL certificate.
|
2015-08-07 22:13:30 +00:00
|
|
|
Overrides the VAULT_CACERT environment variable if set.
|
2015-06-30 19:01:23 +00:00
|
|
|
|
|
|
|
|
-ca-path=path Path to a directory of PEM encoded CA cert files
|
|
|
|
|
to verify the Vault server SSL certificate. If both
|
|
|
|
|
-ca-cert and -ca-path are specified, -ca-path is used.
|
2015-08-07 22:13:30 +00:00
|
|
|
Overrides the VAULT_CAPATH environment variable if set.
|
2015-06-30 19:01:23 +00:00
|
|
|
|
|
|
|
|
-client-cert=path Path to a PEM encoded client certificate for TLS
|
|
|
|
|
authentication to the Vault server. Must also specify
|
2015-08-07 22:13:30 +00:00
|
|
|
-client-key. Overrides the VAULT_CLIENT_CERT
|
|
|
|
|
environment variable if set.
|
2015-06-30 19:01:23 +00:00
|
|
|
|
|
|
|
|
-client-key=path Path to an unencrypted PEM encoded private key
|
|
|
|
|
matching the client certificate from -client-cert.
|
2015-08-07 22:13:30 +00:00
|
|
|
Overrides the VAULT_CLIENT_KEY environment variable
|
|
|
|
|
if set.
|
2015-06-30 19:01:23 +00:00
|
|
|
|
|
|
|
|
-tls-skip-verify Do not verify TLS certificate. This is highly
|
2015-08-07 22:13:30 +00:00
|
|
|
not recommended. Verification will also be skipped
|
|
|
|
|
if VAULT_SKIP_VERIFY is set.
|
2015-06-30 19:01:23 +00:00
|
|
|
`
|
|
|
|
|
return strings.TrimSpace(general)
|
|
|
|
|
}
|
