open-vault/http/sys_seal.go

package http

import (
	"context"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"

	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/vault/helper/consts"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/vault"
	"github.com/hashicorp/vault/version"
)

func handleSysSeal(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, statusCode, err := buildLogicalRequest(core, w, r)
		if err != nil || statusCode != 0 {
			respondError(w, statusCode, err)
			return
		}

		switch req.Operation {
		case logical.UpdateOperation:
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Seal with the token above
		// We use context.Background since there won't be a request context if the node isn't active
		if err := core.SealWithRequest(r.Context(), req); err != nil {
			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
				respondError(w, http.StatusForbidden, err)
				return
			}
			respondError(w, http.StatusInternalServerError, err)
			return
		}

		respondOk(w, nil)
	})
}

func handleSysStepDown(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, statusCode, err := buildLogicalRequest(core, w, r)
		if err != nil || statusCode != 0 {
			respondError(w, statusCode, err)
			return
		}

		switch req.Operation {
		case logical.UpdateOperation:
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Seal with the token above
		if err := core.StepDown(r.Context(), req); err != nil {
			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
				respondError(w, http.StatusForbidden, err)
				return
			}
			respondError(w, http.StatusInternalServerError, err)
			return
		}

		respondOk(w, nil)
	})
}

func handleSysUnseal(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case "PUT":
		case "POST":
		default:
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		// Parse the request
		var req UnsealRequest
		if err := parseRequest(r, w, &req); err != nil {
			respondError(w, http.StatusBadRequest, err)
			return
		}
		if !req.Reset && req.Key == "" {
			respondError(
				w, http.StatusBadRequest,
				errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))
			return
		}

		if req.Reset {
			if !core.Sealed() {
				respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
				return
			}
			core.ResetUnsealProcess()
		} else {
			// Decode the key, which is base64 or hex encoded
			min, max := core.BarrierKeyLength()
			key, err := hex.DecodeString(req.Key)
			// We check min and max here to ensure that a string that is base64
			// encoded but also valid hex will not be valid and we instead base64
			// decode it
			if err != nil || len(key) < min || len(key) > max {
				key, err = base64.StdEncoding.DecodeString(req.Key)
				if err != nil {
					respondError(
						w, http.StatusBadRequest,
						errors.New("'key' must be a valid hex or base64 string"))
					return
				}
			}

			// Attempt the unseal
			ctx := context.Background()
			if core.SealAccess().RecoveryKeySupported() {
				_, err = core.UnsealWithRecoveryKeys(ctx, key)
			} else {
				_, err = core.Unseal(key)
			}
			if err != nil {
				switch {
				case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
				case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
				case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
				case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
				case errwrap.Contains(err, consts.ErrStandby.Error()):
				default:
					respondError(w, http.StatusInternalServerError, err)
					return
				}
				respondError(w, http.StatusBadRequest, err)
				return
			}
		}

		// Return the seal status
		handleSysSealStatusRaw(core, w, r)
	})
}

func handleSysSealStatus(core *vault.Core) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != "GET" {
			respondError(w, http.StatusMethodNotAllowed, nil)
			return
		}

		handleSysSealStatusRaw(core, w, r)
	})
}

func handleSysSealStatusRaw(core *vault.Core, w http.ResponseWriter, r *http.Request) {
	ctx := context.Background()

	sealed := core.Sealed()

	var sealConfig *vault.SealConfig
	var err error
	if core.SealAccess().RecoveryKeySupported() {
		sealConfig, err = core.SealAccess().RecoveryConfig(ctx)
	} else {
		sealConfig, err = core.SealAccess().BarrierConfig(ctx)
	}
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	if sealConfig == nil {
		respondOk(w, &SealStatusResponse{
			Type:         core.SealAccess().BarrierType(),
			Initialized:  false,
			Sealed:       true,
			RecoverySeal: core.SealAccess().RecoveryKeySupported(),
		})
		return
	}

	// Fetch the local cluster name and identifier
	var clusterName, clusterID string
	if !sealed {
		cluster, err := core.Cluster(ctx)
		if err != nil {
			respondError(w, http.StatusInternalServerError, err)
			return
		}
		if cluster == nil {
			respondError(w, http.StatusInternalServerError, fmt.Errorf("failed to fetch cluster details"))
			return
		}
		clusterName = cluster.Name
		clusterID = cluster.ID
	}

	progress, nonce := core.SecretProgress()

	respondOk(w, &SealStatusResponse{
		Type:         sealConfig.Type,
		Initialized:  true,
		Sealed:       sealed,
		T:            sealConfig.SecretThreshold,
		N:            sealConfig.SecretShares,
		Progress:     progress,
		Nonce:        nonce,
		Version:      version.GetVersion().VersionNumber(),
		ClusterName:  clusterName,
		ClusterID:    clusterID,
		RecoverySeal: core.SealAccess().RecoveryKeySupported(),
	})
}

type SealStatusResponse struct {
	Type         string `json:"type"`
	Initialized  bool   `json:"initialized"`
	Sealed       bool   `json:"sealed"`
	T            int    `json:"t"`
	N            int    `json:"n"`
	Progress     int    `json:"progress"`
	Nonce        string `json:"nonce"`
	Version      string `json:"version"`
	ClusterName  string `json:"cluster_name,omitempty"`
	ClusterID    string `json:"cluster_id,omitempty"`
	RecoverySeal bool   `json:"recovery_seal"`
}

type UnsealRequest struct {
	Key   string
	Reset bool
}
http: start the API server 2015-03-12 06:05:16 +00:00			`package http`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`"encoding/base64"`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`"encoding/hex"`
http: start the API server 2015-03-12 06:05:16 +00:00			`"errors"`
http: /sys/seal-status should return 400 if still uninitialized 2015-03-31 06:36:03 +00:00			`"fmt"`
http: start the API server 2015-03-12 06:05:16 +00:00			`"net/http"`

http: mask user error away from unseal since its not actionable 2015-03-12 18:26:59 +00:00			`"github.com/hashicorp/errwrap"`
Port some replication bits to OSS (#2386) 2017-02-16 20:15:02 +00:00			`"github.com/hashicorp/vault/helper/consts"`
http: /sys/seal requires a token 2015-03-31 18:45:44 +00:00			`"github.com/hashicorp/vault/logical"`
http: start the API server 2015-03-12 06:05:16 +00:00			`"github.com/hashicorp/vault/vault"`
Added Vault version informationto the 'status' command 2016-07-28 21:37:26 +00:00			`"github.com/hashicorp/vault/version"`
http: start the API server 2015-03-12 06:05:16 +00:00			`)`

			`func handleSysSeal(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Audit the client token accessors (#2037) 2016-10-29 21:01:49 +00:00			`req, statusCode, err := buildLogicalRequest(core, w, r)`
Enable audit-logging of seal and step-down commands. This pulls the logical request building code into its own function so that it's accessible from other HTTP handlers, then uses that with some added logic to the Seal() and StepDown() commands to have meaningful audit log entries. 2016-05-20 17:03:54 +00:00			`if err != nil \|\| statusCode != 0 {`
			`respondError(w, statusCode, err)`
			`return`
			`}`

			`switch req.Operation {`
			`case logical.UpdateOperation:`
Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things 2015-08-31 21:55:22 +00:00			`default:`
http: start the API server 2015-03-12 06:05:16 +00:00			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

http: /sys/seal requires a token 2015-03-31 18:45:44 +00:00			`// Seal with the token above`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`// We use context.Background since there won't be a request context if the node isn't active`
Add request timeouts in normal request path and to expirations (#4971) * Add request timeouts in normal request path and to expirations * Add ability to adjust default max request duration * Some test fixes * Ensure tests have defaults set for max request duration * Add context cancel checking to inmem/file * Fix tests * Fix tests * Set default max request duration to basically infinity for this release for BC * Address feedback 2018-07-24 21:50:49 +00:00			`if err := core.SealWithRequest(r.Context(), req); err != nil {`
Set number of pester retries to zero by default and make seal command… (#2093) * Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500 * Fix build * Use 403 instead and update test * Change another 500 to 403 2016-11-16 19:08:09 +00:00			`if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {`
			`respondError(w, http.StatusForbidden, err)`
			`return`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`respondError(w, http.StatusInternalServerError, err)`
			`return`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`

			`respondOk(w, nil)`
			`})`
			`}`

Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093 2016-02-27 00:43:55 +00:00			`func handleSysStepDown(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Audit the client token accessors (#2037) 2016-10-29 21:01:49 +00:00			`req, statusCode, err := buildLogicalRequest(core, w, r)`
Enable audit-logging of seal and step-down commands. This pulls the logical request building code into its own function so that it's accessible from other HTTP handlers, then uses that with some added logic to the Seal() and StepDown() commands to have meaningful audit log entries. 2016-05-20 17:03:54 +00:00			`if err != nil \|\| statusCode != 0 {`
			`respondError(w, statusCode, err)`
			`return`
			`}`

			`switch req.Operation {`
			`case logical.UpdateOperation:`
Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093 2016-02-27 00:43:55 +00:00			`default:`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

			`// Seal with the token above`
Add request timeouts in normal request path and to expirations (#4971) * Add request timeouts in normal request path and to expirations * Add ability to adjust default max request duration * Some test fixes * Ensure tests have defaults set for max request duration * Add context cancel checking to inmem/file * Fix tests * Fix tests * Set default max request duration to basically infinity for this release for BC * Address feedback 2018-07-24 21:50:49 +00:00			`if err := core.StepDown(r.Context(), req); err != nil {`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {`
			`respondError(w, http.StatusForbidden, err)`
			`return`
			`}`
Provide 'sys/step-down' and 'vault step-down' This endpoint causes the node it's hit to step down from active duty. It's a noop if the node isn't active or not running in HA mode. The node will wait one second before attempting to reacquire the lock, to give other nodes a chance to grab it. Fixes #1093 2016-02-27 00:43:55 +00:00			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`

			`respondOk(w, nil)`
			`})`
			`}`

http: start the API server 2015-03-12 06:05:16 +00:00			`func handleSysUnseal(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things 2015-08-31 21:55:22 +00:00			`switch r.Method {`
			`case "PUT":`
			`case "POST":`
			`default:`
http: start the API server 2015-03-12 06:05:16 +00:00			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

			`// Parse the request`
			`var req UnsealRequest`
Use 'http.MaxBytesReader' to limit request size (#2131) Fix 'connection reset by peer' error introduced by 300b72e 2016-12-01 18:59:00 +00:00			`if err := parseRequest(r, w, &req); err != nil {`
http: start the API server 2015-03-12 06:05:16 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
			`}`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`if !req.Reset && req.Key == "" {`
http: start the API server 2015-03-12 06:05:16 +00:00			`respondError(`
			`w, http.StatusBadRequest,`
Fix error message grammar 2017-03-14 21:10:43 +00:00			`errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))`
http: start the API server 2015-03-12 06:05:16 +00:00			`return`
			`}`

Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`if req.Reset {`
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered 2018-07-24 20:57:25 +00:00			`if !core.Sealed() {`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))`
			`return`
			`}`
			`core.ResetUnsealProcess()`
			`} else {`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`// Decode the key, which is base64 or hex encoded`
			`min, max := core.BarrierKeyLength()`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`key, err := hex.DecodeString(req.Key)`
Provide base64 keys in addition to hex encoded. (#1734) * Provide base64 keys in addition to hex encoded. Accept these at unseal/rekey time. Also fix a bug where backup would not be honored when doing a rekey with no operation currently ongoing. 2016-08-15 20:01:15 +00:00			`// We check min and max here to ensure that a string that is base64`
			`// encoded but also valid hex will not be valid and we instead base64`
			`// decode it`
			`if err != nil \|\| len(key) < min \|\| len(key) > max {`
			`key, err = base64.StdEncoding.DecodeString(req.Key)`
			`if err != nil {`
			`respondError(`
			`w, http.StatusBadRequest,`
			`errors.New("'key' must be a valid hex or base64 string"))`
			`return`
			`}`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`}`

			`// Attempt the unseal`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`ctx := context.Background()`
Remove context from a few extraneous places 2018-01-19 08:44:06 +00:00			`if core.SealAccess().RecoveryKeySupported() {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`_, err = core.UnsealWithRecoveryKeys(ctx, key)`
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests 2017-11-07 20:15:39 +00:00			`} else {`
			`_, err = core.Unseal(key)`
			`}`
			`if err != nil {`
Error when an invalid (as opposed to incorrect) unseal key is given. (#1782) Fixes #1777 2016-08-24 18:15:25 +00:00			`switch {`
			`case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):`
			`case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):`
			`case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):`
			`case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):`
Port some replication bits to OSS (#2386) 2017-02-16 20:15:02 +00:00			`case errwrap.Contains(err, consts.ErrStandby.Error()):`
Error when an invalid (as opposed to incorrect) unseal key is given. (#1782) Fixes #1777 2016-08-24 18:15:25 +00:00			`default:`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
Error when an invalid (as opposed to incorrect) unseal key is given. (#1782) Fixes #1777 2016-08-24 18:15:25 +00:00			`respondError(w, http.StatusBadRequest, err)`
			`return`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`}`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`

			`// Return the seal status`
			`handleSysSealStatusRaw(core, w, r)`
			`})`
			`}`

			`func handleSysSealStatus(core *vault.Core) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if r.Method != "GET" {`
			`respondError(w, http.StatusMethodNotAllowed, nil)`
			`return`
			`}`

			`handleSysSealStatusRaw(core, w, r)`
			`})`
			`}`

			`func handleSysSealStatusRaw(core vault.Core, w http.ResponseWriter, r http.Request) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`ctx := context.Background()`

Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered 2018-07-24 20:57:25 +00:00			`sealed := core.Sealed()`
http: start the API server 2015-03-12 06:05:16 +00:00
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests 2017-11-07 20:15:39 +00:00			`var sealConfig *vault.SealConfig`
Tackle #4929 a different way (#4932) * Tackle #4929 a different way This turns c.sealed into an atomic, which allows us to call sealInternal without a lock. By doing so we can better control lock grabbing when a condition causing the standby loop to get out of active happens. This encapsulates that logic into two distinct pieces (although they could be combined into one), and makes lock guarding more understandable. * Re-add context canceling to the non-HA version of sealInternal * Return explicitly after stopCh triggered 2018-07-24 20:57:25 +00:00			`var err error`
Remove context from a few extraneous places 2018-01-19 08:44:06 +00:00			`if core.SealAccess().RecoveryKeySupported() {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`sealConfig, err = core.SealAccess().RecoveryConfig(ctx)`
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests 2017-11-07 20:15:39 +00:00			`} else {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`sealConfig, err = core.SealAccess().BarrierConfig(ctx)`
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests 2017-11-07 20:15:39 +00:00			`}`
http: start the API server 2015-03-12 06:05:16 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
Barrier unseal using recovery keys (#3541) * Barrier unseal using recovery keys * Remove tests 2017-11-07 20:15:39 +00:00
http: /sys/seal-status should return 400 if still uninitialized 2015-03-31 06:36:03 +00:00			`if sealConfig == nil {`
Send initialized information via sys/seal-status (#5424) 2018-09-27 21:03:37 +00:00			`respondOk(w, &SealStatusResponse{`
			`Type: core.SealAccess().BarrierType(),`
			`Initialized: false,`
			`Sealed: true,`
			`RecoverySeal: core.SealAccess().RecoveryKeySupported(),`
			`})`
http: /sys/seal-status should return 400 if still uninitialized 2015-03-31 06:36:03 +00:00			`return`
			`}`
http: start the API server 2015-03-12 06:05:16 +00:00
Add cluster information to 'vault status' 2016-07-29 18:13:53 +00:00			`// Fetch the local cluster name and identifier`
			`var clusterName, clusterID string`
			`if !sealed {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`cluster, err := core.Cluster(ctx)`
Add cluster information to 'vault status' 2016-07-29 18:13:53 +00:00			`if err != nil {`
			`respondError(w, http.StatusInternalServerError, err)`
			`return`
			`}`
Address review feedback from @jefferai 2016-08-10 19:22:12 +00:00			`if cluster == nil {`
			`respondError(w, http.StatusInternalServerError, fmt.Errorf("failed to fetch cluster details"))`
			`return`
			`}`
Add cluster information to 'vault status' 2016-07-29 18:13:53 +00:00			`clusterName = cluster.Name`
			`clusterID = cluster.ID`
			`}`

Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 16:47:06 +00:00			`progress, nonce := core.SecretProgress()`

http: start the API server 2015-03-12 06:05:16 +00:00			`respondOk(w, &SealStatusResponse{`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`Type: sealConfig.Type,`
Send initialized information via sys/seal-status (#5424) 2018-09-27 21:03:37 +00:00			`Initialized: true,`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`Sealed: sealed,`
			`T: sealConfig.SecretThreshold,`
			`N: sealConfig.SecretShares,`
			`Progress: progress,`
			`Nonce: nonce,`
			`Version: version.GetVersion().VersionNumber(),`
			`ClusterName: clusterName,`
			`ClusterID: clusterID,`
			`RecoverySeal: core.SealAccess().RecoveryKeySupported(),`
http: start the API server 2015-03-12 06:05:16 +00:00			`})`
			`}`

			`type SealStatusResponse struct {`
The big one (#5346) 2018-09-18 03:03:00 +00:00			Type string `json:"type"`
Send initialized information via sys/seal-status (#5424) 2018-09-27 21:03:37 +00:00			Initialized bool `json:"initialized"`
The big one (#5346) 2018-09-18 03:03:00 +00:00			Sealed bool `json:"sealed"`
			T int `json:"t"`
			N int `json:"n"`
			Progress int `json:"progress"`
			Nonce string `json:"nonce"`
			Version string `json:"version"`
			ClusterName string `json:"cluster_name,omitempty"`
			ClusterID string `json:"cluster_id,omitempty"`
			RecoverySeal bool `json:"recovery_seal"`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`

			`type UnsealRequest struct {`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00			`Key string`
			`Reset bool`
http: start the API server 2015-03-12 06:05:16 +00:00			`}`