command/unseal: can accept key from command-line

command/unseal.go

@@ -33,7 +33,12 @@ func (c *UnsealCommand) Run(args []string) int {
 		return 2
 	}
 
+	args = flags.Args()
+
 	value := c.Key
+	if len(args) > 0 {
+		value = args[0]
+	}
 	if value == "" {
 		fmt.Printf("Key (will be hidden): ")
 		value, err = password.Read(os.Stdin)
@@ -77,7 +82,7 @@ func (c *UnsealCommand) Synopsis() string {
 
 func (c *UnsealCommand) Help() string {
 	helpText := `
-Usage: vault unseal [options]
+Usage: vault unseal [options] [key]
 
   Unseal the vault by entering a portion of the master key. Once all
   portions are entered, the Vault will be unsealed.
@@ -87,6 +92,10 @@ Usage: vault unseal [options]
   in any way until the vault is unsealed. This command allows you to enter
   a portion of the master key to unseal the vault.
 
+  The unseal key can be specified via the command line, but this is
+  not recommended. The key may then live in your terminal history. This
+  only exists to assist in scripting.
+
 General Options:
 
   -address=TODO           The address of the Vault server.

command/unseal_test.go

@@ -36,3 +36,30 @@ func TestUnseal(t *testing.T) {
 		t.Fatal("should not be sealed")
 	}
 }
+
+func TestUnseal_arg(t *testing.T) {
+	core := vault.TestCore(t)
+	key, _ := vault.TestCoreInit(t, core)
+	ln, addr := http.TestServer(t, core)
+	defer ln.Close()
+
+	ui := new(cli.MockUi)
+	c := &UnsealCommand{
+		Meta: Meta{
+			Ui: ui,
+		},
+	}
+
+	args := []string{"-address", addr, hex.EncodeToString(key)}
+	if code := c.Run(args); code != 0 {
+		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+	}
+
+	sealed, err := core.Sealed()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if sealed {
+		t.Fatal("should not be sealed")
+	}
+}