open-vault/api/plugin_helpers.go

package api

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"flag"
	"net/url"
	"os"

	squarejwt "gopkg.in/square/go-jose.v2/jwt"

	"github.com/hashicorp/errwrap"
)

var (
	// PluginMetadataModeEnv is an ENV name used to disable TLS communication
	// to bootstrap mounting plugins.
	PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"

	// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
	// plugin.
	PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
)

// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections
// back to Vault.
type PluginAPIClientMeta struct {
	// These are set by the command line flags.
	flagCACert     string
	flagCAPath     string
	flagClientCert string
	flagClientKey  string
	flagInsecure   bool
}

// FlagSet returns the flag set for configuring the TLS connection
func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet {
	fs := flag.NewFlagSet("vault plugin settings", flag.ContinueOnError)

	fs.StringVar(&f.flagCACert, "ca-cert", "", "")
	fs.StringVar(&f.flagCAPath, "ca-path", "", "")
	fs.StringVar(&f.flagClientCert, "client-cert", "", "")
	fs.StringVar(&f.flagClientKey, "client-key", "", "")
	fs.BoolVar(&f.flagInsecure, "tls-skip-verify", false, "")

	return fs
}

// GetTLSConfig will return a TLSConfig based off the values from the flags
func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig {
	// If we need custom TLS configuration, then set it
	if f.flagCACert != "" || f.flagCAPath != "" || f.flagClientCert != "" || f.flagClientKey != "" || f.flagInsecure {
		t := &TLSConfig{
			CACert:        f.flagCACert,
			CAPath:        f.flagCAPath,
			ClientCert:    f.flagClientCert,
			ClientKey:     f.flagClientKey,
			TLSServerName: "",
			Insecure:      f.flagInsecure,
		}

		return t
	}

	return nil
}

// VaultPluginTLSProvider is run inside a plugin and retrieves the response
// wrapped TLS certificate from vault. It returns a configured TLS Config.
func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error) {
	if os.Getenv(PluginMetadataModeEnv) == "true" {
		return nil
	}

	return func() (*tls.Config, error) {
		unwrapToken := os.Getenv(PluginUnwrapTokenEnv)

		parsedJWT, err := squarejwt.ParseSigned(unwrapToken)
		if err != nil {
			return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
		}

		allClaims := make(map[string]interface{})
		if err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {
			return nil, errwrap.Wrapf("error parsing claims from wrapping token: {{err}}", err)
		}

		addrClaimRaw, ok := allClaims["addr"]
		if !ok {
			return nil, errors.New("could not validate addr claim")
		}
		vaultAddr, ok := addrClaimRaw.(string)
		if !ok {
			return nil, errors.New("could not parse addr claim")
		}
		if vaultAddr == "" {
			return nil, errors.New(`no vault api_addr found`)
		}

		// Sanity check the value
		if _, err := url.Parse(vaultAddr); err != nil {
			return nil, errwrap.Wrapf("error parsing the vault api_addr: {{err}}", err)
		}

		// Unwrap the token
		clientConf := DefaultConfig()
		clientConf.Address = vaultAddr
		if apiTLSConfig != nil {
			err := clientConf.ConfigureTLS(apiTLSConfig)
			if err != nil {
				return nil, errwrap.Wrapf("error configuring api client {{err}}", err)
			}
		}
		client, err := NewClient(clientConf)
		if err != nil {
			return nil, errwrap.Wrapf("error during api client creation: {{err}}", err)
		}

		// Reset token value to make sure nothing has been set by default
		client.ClearToken()

		secret, err := client.Logical().Unwrap(unwrapToken)
		if err != nil {
			return nil, errwrap.Wrapf("error during token unwrap request: {{err}}", err)
		}
		if secret == nil {
			return nil, errors.New("error during token unwrap request: secret is nil")
		}

		// Retrieve and parse the server's certificate
		serverCertBytesRaw, ok := secret.Data["ServerCert"].(string)
		if !ok {
			return nil, errors.New("error unmarshalling certificate")
		}

		serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)
		if err != nil {
			return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
		}

		serverCert, err := x509.ParseCertificate(serverCertBytes)
		if err != nil {
			return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
		}

		// Retrieve and parse the server's private key
		serverKeyB64, ok := secret.Data["ServerKey"].(string)
		if !ok {
			return nil, errors.New("error unmarshalling certificate")
		}

		serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)
		if err != nil {
			return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
		}

		serverKey, err := x509.ParseECPrivateKey(serverKeyRaw)
		if err != nil {
			return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
		}

		// Add CA cert to the cert pool
		caCertPool := x509.NewCertPool()
		caCertPool.AddCert(serverCert)

		// Build a certificate object out of the server's cert and private key.
		cert := tls.Certificate{
			Certificate: [][]byte{serverCertBytes},
			PrivateKey:  serverKey,
			Leaf:        serverCert,
		}

		// Setup TLS config
		tlsConfig := &tls.Config{
			ClientCAs:  caCertPool,
			RootCAs:    caCertPool,
			ClientAuth: tls.RequireAndVerifyClientCert,
			// TLS 1.2 minimum
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{cert},
			ServerName:   serverCert.Subject.CommonName,
		}

		return tlsConfig, nil
	}
}
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`package api`
Break tls code into helper library 2017-03-16 18:55:21 +00:00
			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/base64"`
			`"errors"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"flag"`
Break tls code into helper library 2017-03-16 18:55:21 +00:00			`"net/url"`
			`"os"`

Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00			`squarejwt "gopkg.in/square/go-jose.v2/jwt"`

Break tls code into helper library 2017-03-16 18:55:21 +00:00			`"github.com/hashicorp/errwrap"`
duplicates some constants defined in pluginutil to avoid depending on x/net/trace (#6703) 2019-05-08 23:21:23 +00:00			`)`

			`var (`
			`// PluginMetadataModeEnv is an ENV name used to disable TLS communication`
			`// to bootstrap mounting plugins.`
			`PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"`

			`// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the`
			`// plugin.`
			`PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"`
Break tls code into helper library 2017-03-16 18:55:21 +00:00			`)`

More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`// back to Vault.`
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`type PluginAPIClientMeta struct {`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`// These are set by the command line flags.`
			`flagCACert string`
			`flagCAPath string`
			`flagClientCert string`
			`flagClientKey string`
			`flagInsecure bool`
Comment and slight refactor of the TLS plugin helper 2017-03-16 21:14:49 +00:00			`}`

Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`// FlagSet returns the flag set for configuring the TLS connection`
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`func (f PluginAPIClientMeta) FlagSet() flag.FlagSet {`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`fs := flag.NewFlagSet("vault plugin settings", flag.ContinueOnError)`
Comment and slight refactor of the TLS plugin helper 2017-03-16 21:14:49 +00:00
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`fs.StringVar(&f.flagCACert, "ca-cert", "", "")`
			`fs.StringVar(&f.flagCAPath, "ca-path", "", "")`
			`fs.StringVar(&f.flagClientCert, "client-cert", "", "")`
			`fs.StringVar(&f.flagClientKey, "client-key", "", "")`
			`fs.BoolVar(&f.flagInsecure, "tls-skip-verify", false, "")`
Comment and slight refactor of the TLS plugin helper 2017-03-16 21:14:49 +00:00
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`return fs`
Comment and slight refactor of the TLS plugin helper 2017-03-16 21:14:49 +00:00			`}`

Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`// GetTLSConfig will return a TLSConfig based off the values from the flags`
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`func (f PluginAPIClientMeta) GetTLSConfig() TLSConfig {`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`// If we need custom TLS configuration, then set it`
			`if f.flagCACert != "" \|\| f.flagCAPath != "" \|\| f.flagClientCert != "" \|\| f.flagClientKey != "" \|\| f.flagInsecure {`
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`t := &TLSConfig{`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`CACert: f.flagCACert,`
			`CAPath: f.flagCAPath,`
			`ClientCert: f.flagClientCert,`
			`ClientKey: f.flagClientKey,`
			`TLSServerName: "",`
			`Insecure: f.flagInsecure,`
			`}`
Comment and slight refactor of the TLS plugin helper 2017-03-16 21:14:49 +00:00
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`return t`
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 19:15:01 +00:00			`}`
Comment and slight refactor of the TLS plugin helper 2017-03-16 21:14:49 +00:00
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`return nil`
Break tls code into helper library 2017-03-16 18:55:21 +00:00			`}`

Spelling (#4119) 2018-03-20 18:54:10 +00:00			`// VaultPluginTLSProvider is run inside a plugin and retrieves the response`
Comment and slight refactor of the TLS plugin helper 2017-03-16 21:14:49 +00:00			`// wrapped TLS certificate from vault. It returns a configured TLS Config.`
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`func VaultPluginTLSProvider(apiTLSConfig TLSConfig) func() (tls.Config, error) {`
duplicates some constants defined in pluginutil to avoid depending on x/net/trace (#6703) 2019-05-08 23:21:23 +00:00			`if os.Getenv(PluginMetadataModeEnv) == "true" {`
Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth 2017-09-01 05:02:03 +00:00			`return nil`
			`}`

Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`return func() (*tls.Config, error) {`
duplicates some constants defined in pluginutil to avoid depending on x/net/trace (#6703) 2019-05-08 23:21:23 +00:00			`unwrapToken := os.Getenv(PluginUnwrapTokenEnv)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00			`parsedJWT, err := squarejwt.ParseSigned(unwrapToken)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`if err != nil {`
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00			`return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`allClaims := make(map[string]interface{})`
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00			`if err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {`
			`return nil, errwrap.Wrapf("error parsing claims from wrapping token: {{err}}", err)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00			`addrClaimRaw, ok := allClaims["addr"]`
			`if !ok {`
			`return nil, errors.New("could not validate addr claim")`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00			`vaultAddr, ok := addrClaimRaw.(string)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`if !ok {`
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 18:54:03 +00:00			`return nil, errors.New("could not parse addr claim")`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`
			`if vaultAddr == "" {`
Clarify api_addr related errors on VaultPluginTLSProvider (#3620) * Mention api_addr on VaultPluginTLSProvider logs, update docs * Clarify message and mention automatic api_address detection * Change error message to use api_addr * Change error messages to use api_addr 2017-12-05 17:01:35 +00:00			return nil, errors.New(`no vault api_addr found`)
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`// Sanity check the value`
			`if _, err := url.Parse(vaultAddr); err != nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, errwrap.Wrapf("error parsing the vault api_addr: {{err}}", err)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`// Unwrap the token`
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`clientConf := DefaultConfig()`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`clientConf.Address = vaultAddr`
			`if apiTLSConfig != nil {`
Lazy-load plugin mounts (#3255) * Lazy load plugins to avoid setup-unwrap cycle * Remove commented blocks * Refactor NewTestCluster, use single core cluster on basic plugin tests * Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly * Add special path to mock plugin * Move ensureCoresSealed to vault/testing.go * Use same method for EnsureCoresSealed and Cleanup * Bump ensureCoresSealed timeout to 60s * Correctly handle nil opts on NewTestCluster * Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap * Check metadata flag directly on the plugin process * Plumb isMetadataMode down to PluginRunner * Add NOOP shims when running in metadata mode * Remove unused flag from the APIMetadata object * Remove setupSecretPlugins and setupCredentialPlugins functions * Move when we setup rollback manager to after the plugins are initialized * Fix tests * Fix merge issue * start rollback manager after the credential setup * Add guards against running certain client and server functions while in metadata mode * Call initialize once a plugin is loaded on the fly * Add more tests, update basic secret/auth plugin tests to trigger lazy loading * Skip mount if plugin removed from catalog * Fixup * Remove commented line on LookupPlugin * Fail on mount operation if plugin is re-added to catalog and mount is on existing path * Check type and special paths on startBackend * Fix merge conflicts * Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth 2017-09-01 05:02:03 +00:00			`err := clientConf.ConfigureTLS(apiTLSConfig)`
			`if err != nil {`
			`return nil, errwrap.Wrapf("error configuring api client {{err}}", err)`
			`}`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`
More rearranging of API and SDK 2019-04-15 17:38:08 +00:00			`client, err := NewClient(clientConf)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`if err != nil {`
			`return nil, errwrap.Wrapf("error during api client creation: {{err}}", err)`
			`}`

Fix automatic token set for plugin unwrap requests (#8058) * Fix automatic token set for plugin unwrap requests * Change to ClearToken helper-method 2020-01-02 09:40:13 +00:00			`// Reset token value to make sure nothing has been set by default`
			`client.ClearToken()`

Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`secret, err := client.Logical().Unwrap(unwrapToken)`
			`if err != nil {`
			`return nil, errwrap.Wrapf("error during token unwrap request: {{err}}", err)`
			`}`
			`if secret == nil {`
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs 2017-07-20 17:28:40 +00:00			`return nil, errors.New("error during token unwrap request: secret is nil")`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`// Retrieve and parse the server's certificate`
			`serverCertBytesRaw, ok := secret.Data["ServerCert"].(string)`
			`if !ok {`
			`return nil, errors.New("error unmarshalling certificate")`
			`}`

			`serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)`
			`if err != nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`serverCert, err := x509.ParseCertificate(serverCertBytes)`
			`if err != nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`// Retrieve and parse the server's private key`
			`serverKeyB64, ok := secret.Data["ServerKey"].(string)`
			`if !ok {`
			`return nil, errors.New("error unmarshalling certificate")`
			`}`

			`serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)`
			`if err != nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`serverKey, err := x509.ParseECPrivateKey(serverKeyRaw)`
			`if err != nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`// Add CA cert to the cert pool`
			`caCertPool := x509.NewCertPool()`
			`caCertPool.AddCert(serverCert)`

			`// Build a certificate object out of the server's cert and private key.`
			`cert := tls.Certificate{`
			`Certificate: [][]byte{serverCertBytes},`
			`PrivateKey: serverKey,`
			`Leaf: serverCert,`
			`}`

			`// Setup TLS config`
			`tlsConfig := &tls.Config{`
			`ClientCAs: caCertPool,`
			`RootCAs: caCertPool,`
			`ClientAuth: tls.RequireAndVerifyClientCert,`
			`// TLS 1.2 minimum`
			`MinVersion: tls.VersionTLS12,`
			`Certificates: []tls.Certificate{cert},`
gRPC Backend Plugins (#3808) * Add grpc plugins * Add grpc plugins * Translate wrap info to/from proto * Add nil checks * Fix nil marshaling errors * Provide logging through the go-plugin logger * handle errors in the messages * Update the TLS config so bidirectional connections work * Add connectivity checks * Restart plugin and add timeouts where context is not availible * Add the response wrap data into the grpc system implementation * Add leaseoptions to pb.Auth * Add an error translator * Add tests for translating the proto objects * Fix rename of function * Add tracing to plugins for easier debugging * Handle plugin crashes with the go-plugin context * Add test for grpcStorage * Add tests for backend and system * Bump go-plugin for GRPCBroker * Remove RegisterLicense * Add casing translations for new proto messages * Use doneCtx in grpcClient * Use doneCtx in grpcClient * s/shutdown/shut down/ 2018-01-18 21:49:20 +00:00			`ServerName: serverCert.Subject.CommonName,`
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 21:40:11 +00:00			`}`

			`return tlsConfig, nil`
Break tls code into helper library 2017-03-16 18:55:21 +00:00			`}`
			`}`