luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Errwrap everywhere (#4252) 

* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
This commit is contained in:
Vishal Nayak 2018-04-05 11:49:21 -04:00 committed by GitHub
parent ef60ded908
commit 28e3eb9e2c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
159 changed files with 811 additions and 741 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
api/client.go
View File

@ -160,7 +160,7 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error {
}
foundClientCert = true
case t.ClientCert != "" || t.ClientKey != "":
return fmt.Errorf("Both client cert and client key must be provided")
return fmt.Errorf("both client cert and client key must be provided")
}
if t.CACert != "" || t.CAPath != "" {
@ -232,7 +232,7 @@ func (c *Config) ReadEnvironment() error {
if t := os.Getenv(EnvVaultClientTimeout); t != "" {
clientTimeout, err := parseutil.ParseDurationSecond(t)
if err != nil {
return fmt.Errorf("Could not parse %s", EnvVaultClientTimeout)
return fmt.Errorf("could not parse %q", EnvVaultClientTimeout)
}
envClientTimeout = clientTimeout
}
@ -240,7 +240,7 @@ func (c *Config) ReadEnvironment() error {
var err error
envInsecure, err = strconv.ParseBool(v)
if err != nil {
return fmt.Errorf("Could not parse VAULT_SKIP_VERIFY")
return fmt.Errorf("could not parse VAULT_SKIP_VERIFY")
}
}
if v := os.Getenv(EnvVaultTLSServerName); v != "" {
@ -348,7 +348,7 @@ func (c *Client) SetAddress(addr string) error {
var err error
if c.addr, err = url.Parse(addr); err != nil {
return fmt.Errorf("failed to set address: %v", err)
return errwrap.Wrapf("failed to set address: {{err}}", err)
}
return nil
@ -539,7 +539,7 @@ func (c *Client) RawRequest(r *Request) (*Response, error) {
return !unicode.IsPrint(c)
})
if idx != -1 {
return nil, fmt.Errorf("Configured Vault token contains non-printable characters and cannot be used.")
return nil, fmt.Errorf("configured Vault token contains non-printable characters and cannot be used")
}
redirectCount := 0
@ -560,8 +560,8 @@ START:
}
if err != nil {
if strings.Contains(err.Error(), "tls: oversized") {
err = fmt.Errorf(
"%s\n\n"+
err = errwrap.Wrapf(
"{{err}}\n\n"+
"This error usually means that the server is running with TLS disabled\n"+
"but the client is configured to use TLS. Please either enable TLS\n"+
"on the server or run the client with -address set to an address\n"+

7
api/logical.go
View File

@ -7,6 +7,7 @@ import (
"net/http"
"os"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil"
)
@ -213,10 +214,10 @@ func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
secret, err := c.Read(wrappedResponseLocation)
if err != nil {
return nil, fmt.Errorf("error reading %s: %s", wrappedResponseLocation, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error reading %q: {{err}}", wrappedResponseLocation), err)
}
if secret == nil {
return nil, fmt.Errorf("no value found at %s", wrappedResponseLocation)
return nil, fmt.Errorf("no value found at %q", wrappedResponseLocation)
}
if secret.Data == nil {
return nil, fmt.Errorf("\"data\" not found in wrapping response")
@ -228,7 +229,7 @@ func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
wrappedSecret := new(Secret)
buf := bytes.NewBufferString(secret.Data["response"].(string))
if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil {
return nil, fmt.Errorf("error unmarshalling wrapped secret: %s", err)
return nil, errwrap.Wrapf("error unmarshalling wrapped secret: {{err}}", err)
}
return wrappedSecret, nil

3
api/secret.go
View File

@ -5,6 +5,7 @@ import (
"io"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil"
"github.com/hashicorp/vault/helper/parseutil"
)
@ -190,7 +191,7 @@ func (s *Secret) TokenIsRenewable() (bool, error) {
renewable, err := parseutil.ParseBool(s.Data["renewable"])
if err != nil {
return false, fmt.Errorf("could not convert renewable value to a boolean: %v", err)
return false, errwrap.Wrapf("could not convert renewable value to a boolean: {{err}}", err)
}
return renewable, nil

10
api/ssh_agent.go
View File

@ -7,6 +7,7 @@ import (
"io/ioutil"
"os"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-rootcerts"
@ -141,12 +142,12 @@ func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error) {
func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {
root, err := hcl.Parse(string(contents))
if err != nil {
return nil, fmt.Errorf("ssh_helper: error parsing config: %s", err)
return nil, errwrap.Wrapf("error parsing config: {{err}}", err)
}
list, ok := root.Node.(*ast.ObjectList)
if !ok {
return nil, fmt.Errorf("ssh_helper: error parsing config: file doesn't contain a root object")
return nil, fmt.Errorf("error parsing config: file doesn't contain a root object")
}
valid := []string{
@ -170,7 +171,7 @@ func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {
}
if c.VaultAddr == "" {
return nil, fmt.Errorf("ssh_helper: missing config 'vault_addr'")
return nil, fmt.Errorf("missing config 'vault_addr'")
}
return &c, nil
}
@ -248,8 +249,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf(
"invalid key '%s' on line %d", key, item.Assign.Line))
result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
}
}

5
builtin/audit/file/backend.go
View File

@ -10,6 +10,7 @@ import (
"strings"
"sync"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/audit"
"github.com/hashicorp/vault/helper/salt"
"github.com/hashicorp/vault/logical"
@ -46,7 +47,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
switch format {
case "json", "jsonx":
default:
return nil, fmt.Errorf("unknown format type %s", format)
return nil, fmt.Errorf("unknown format type %q", format)
}
// Check if hashing of accessor is disabled
@ -113,7 +114,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
// otherwise it will be too late to catch later without problems
// (ref: https://github.com/hashicorp/vault/issues/550)
if err := b.open(); err != nil {
return nil, fmt.Errorf("sanity check failed; unable to open %s for writing: %v", path, err)
return nil, errwrap.Wrapf(fmt.Sprintf("sanity check failed; unable to open %q for writing: {{err}}", path), err)
}
}

2
builtin/audit/socket/backend.go
View File

@ -50,7 +50,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
switch format {
case "json", "jsonx":
default:
return nil, fmt.Errorf("unknown format type %s", format)
return nil, fmt.Errorf("unknown format type %q", format)
}
// Check if hashing of accessor is disabled

2
builtin/audit/syslog/backend.go
View File

@ -40,7 +40,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
switch format {
case "json", "jsonx":
default:
return nil, fmt.Errorf("unknown format type %s", format)
return nil, fmt.Errorf("unknown format type %q", format)
}
// Check if hashing of accessor is disabled

5
builtin/credential/app-id/path_login.go
View File

@ -9,6 +9,7 @@ import (
"net"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -168,7 +169,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, a
if raw, ok := appsMap["cidr_block"]; ok {
_, cidr, err := net.ParseCIDR(raw.(string))
if err != nil {
return "", nil, fmt.Errorf("invalid restriction cidr: %s", err)
return "", nil, errwrap.Wrapf("invalid restriction cidr: {{err}}", err)
}
var addr string
@ -187,7 +188,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, a
apps, ok := appsRaw.(string)
if !ok {
return "", nil, fmt.Errorf("internal error: mapping is not a string")
return "", nil, fmt.Errorf("mapping is not a string")
}
// Verify that the app is in the list

4
builtin/credential/approle/path_login.go
View File

@ -101,10 +101,10 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, data
// Ensure that the Role still exists.
role, err := b.roleEntry(ctx, req.Storage, strings.ToLower(roleName))
if err != nil {
return nil, fmt.Errorf("failed to validate role %s during renewal:%s", roleName, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to validate role %q during renewal: {{err}}", roleName), err)
}
if role == nil {
return nil, fmt.Errorf("role %s does not exist during renewal", roleName)
return nil, fmt.Errorf("role %q does not exist during renewal", roleName)
}
resp := &logical.Response{Auth: req.Auth}

49
builtin/credential/approle/path_role.go
View File

@ -7,6 +7,7 @@ import (
"time"
"github.com/fatih/structs"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/cidrutil"
"github.com/hashicorp/vault/helper/consts"
@ -579,7 +580,7 @@ func (b *backend) pathRoleSecretIDList(ctx context.Context, req *logical.Request
roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
// Listing works one level at a time. Get the first level of data
@ -673,7 +674,7 @@ func (b *backend) setRoleEntry(ctx context.Context, s logical.Storage, roleName
// Check if the index from the role_id to role already exists
roleIDIndex, err := b.roleIDEntry(ctx, s, role.RoleID)
if err != nil {
return fmt.Errorf("failed to read role_id index: %v", err)
return errwrap.Wrapf("failed to read role_id index: {{err}}", err)
}
// If the entry exists, make sure that it belongs to the current role
@ -768,7 +769,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
if role == nil && req.Operation == logical.CreateOperation {
hmacKey, err := uuid.GenerateUUID()
if err != nil {
return nil, fmt.Errorf("failed to create role_id: %v\n", err)
return nil, errwrap.Wrapf("failed to create role_id: {{err}}", err)
}
role = &roleStorageEntry{
HMACKey: hmacKey,
@ -784,7 +785,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
} else if req.Operation == logical.CreateOperation {
roleID, err := uuid.GenerateUUID()
if err != nil {
return nil, fmt.Errorf("failed to generate role_id: %v\n", err)
return nil, errwrap.Wrapf("failed to generate role_id: {{err}}", err)
}
role.RoleID = roleID
}
@ -807,7 +808,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
if len(role.BoundCIDRList) != 0 {
valid, err := cidrutil.ValidateCIDRListSlice(role.BoundCIDRList)
if err != nil {
return nil, fmt.Errorf("failed to validate CIDR blocks: %v", err)
return nil, errwrap.Wrapf("failed to validate CIDR blocks: {{err}}", err)
}
if !valid {
return logical.ErrorResponse("invalid CIDR blocks"), nil
@ -953,7 +954,7 @@ func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, data *
})
if err != nil {
lockRelease()
return nil, fmt.Errorf("failed to create secondary index for role_id %q: %v", role.RoleID, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to create secondary index for role_id %q: {{err}}", role.RoleID), err)
}
resp.AddWarning("Role identifier was missing an index back to role name. A new index has been added. Please report this observation.")
}
@ -985,12 +986,12 @@ func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, data
// Just before the role is deleted, remove all the SecretIDs issued as part of the role.
if err = b.flushRoleSecrets(ctx, req.Storage, roleName, role.HMACKey); err != nil {
return nil, fmt.Errorf("failed to invalidate the secrets belonging to role %q: %v", roleName, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to invalidate the secrets belonging to role %q: {{err}}", roleName), err)
}
// Delete the reverse mapping from RoleID to the role
if err = b.roleIDEntryDelete(ctx, req.Storage, role.RoleID); err != nil {
return nil, fmt.Errorf("failed to delete the mapping from RoleID to role %q: %v", roleName, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to delete the mapping from RoleID to role %q: {{err}}", roleName), err)
}
// After deleting the SecretIDs and the RoleID, delete the role itself
@ -1033,13 +1034,13 @@ func (b *backend) pathRoleSecretIDLookupUpdate(ctx context.Context, req *logical
// Create the HMAC of the secret ID using the per-role HMAC key
secretIDHMAC, err := createHMAC(role.HMACKey, secretID)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of secret_id: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of secret_id: {{err}}", err)
}
// Create the HMAC of the roleName using the per-role HMAC key
roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
// Create the index at which the secret_id would've been stored
@ -1110,12 +1111,12 @@ func (b *backend) pathRoleSecretIDDestroyUpdateDelete(ctx context.Context, req *
secretIDHMAC, err := createHMAC(role.HMACKey, secretID)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of secret_id: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of secret_id: {{err}}", err)
}
roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC)
@ -1140,7 +1141,7 @@ func (b *backend) pathRoleSecretIDDestroyUpdateDelete(ctx context.Context, req *
// Delete the storage entry that corresponds to the SecretID
if err := req.Storage.Delete(ctx, entryIndex); err != nil {
return nil, fmt.Errorf("failed to delete secret_id: %v", err)
return nil, errwrap.Wrapf("failed to delete secret_id: {{err}}", err)
}
return nil, nil
@ -1180,12 +1181,12 @@ func (b *backend) pathRoleSecretIDAccessorLookupUpdate(ctx context.Context, req
return nil, err
}
if accessorEntry == nil {
return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q\n", secretIDAccessor)
return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor)
}
roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, accessorEntry.SecretIDHMAC)
@ -1221,12 +1222,12 @@ func (b *backend) pathRoleSecretIDAccessorDestroyUpdateDelete(ctx context.Contex
return nil, err
}
if accessorEntry == nil {
return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q\n", secretIDAccessor)
return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor)
}
roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, accessorEntry.SecretIDHMAC)
@ -1242,7 +1243,7 @@ func (b *backend) pathRoleSecretIDAccessorDestroyUpdateDelete(ctx context.Contex
// Delete the storage entry that corresponds to the SecretID
if err := req.Storage.Delete(ctx, entryIndex); err != nil {
return nil, fmt.Errorf("failed to delete secret_id: %v", err)
return nil, errwrap.Wrapf("failed to delete secret_id: {{err}}", err)
}
return nil, nil
@ -1274,7 +1275,7 @@ func (b *backend) pathRoleBoundCIDRListUpdate(ctx context.Context, req *logical.
valid, err := cidrutil.ValidateCIDRListSlice(role.BoundCIDRList)
if err != nil {
return nil, fmt.Errorf("failed to validate CIDR blocks: %v", err)
return nil, errwrap.Wrapf("failed to validate CIDR blocks: {{err}}", err)
}
if !valid {
return logical.ErrorResponse("failed to validate CIDR blocks"), nil
@ -1978,7 +1979,7 @@ func (b *backend) pathRoleTokenMaxTTLDelete(ctx context.Context, req *logical.Re
func (b *backend) pathRoleSecretIDUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
secretID, err := uuid.GenerateUUID()
if err != nil {
return nil, fmt.Errorf("failed to generate secret_id: %v", err)
return nil, errwrap.Wrapf("failed to generate secret_id: {{err}}", err)
}
return b.handleRoleSecretIDCommon(ctx, req, data, secretID)
}
@ -2019,7 +2020,7 @@ func (b *backend) handleRoleSecretIDCommon(ctx context.Context, req *logical.Req
if len(secretIDCIDRs) != 0 {
valid, err := cidrutil.ValidateCIDRListSlice(secretIDCIDRs)
if err != nil {
return nil, fmt.Errorf("failed to validate CIDR blocks: %v", err)
return nil, errwrap.Wrapf("failed to validate CIDR blocks: {{err}}", err)
}
if !valid {
return logical.ErrorResponse("failed to validate CIDR blocks"), nil
@ -2047,7 +2048,7 @@ func (b *backend) handleRoleSecretIDCommon(ctx context.Context, req *logical.Req
}
if secretIDStorage, err = b.registerSecretIDEntry(ctx, req.Storage, roleName, secretID, role.HMACKey, secretIDStorage); err != nil {
return nil, fmt.Errorf("failed to store secret_id: %v", err)
return nil, errwrap.Wrapf("failed to store secret_id: {{err}}", err)
}
return &logical.Response{
@ -2091,7 +2092,7 @@ func (b *backend) setRoleIDEntry(ctx context.Context, s logical.Storage, roleID
// roleIDEntry is used to read the storage entry that maps RoleID to Role
func (b *backend) roleIDEntry(ctx context.Context, s logical.Storage, roleID string) (*roleIDStorageEntry, error) {
if roleID == "" {
return nil, fmt.Errorf("missing roleID")
return nil, fmt.Errorf("missing role id")
}
lock := b.roleIDLock(roleID)
@ -2121,7 +2122,7 @@ func (b *backend) roleIDEntry(ctx context.Context, s logical.Storage, roleID str
// RoleID to the Role itself.
func (b *backend) roleIDEntryDelete(ctx context.Context, s logical.Storage, roleID string) error {
if roleID == "" {
return fmt.Errorf("missing roleID")
return fmt.Errorf("missing role id")
}
lock := b.roleIDLock(roleID)

9
builtin/credential/approle/path_tidy_user_id.go
View File

@ -6,6 +6,7 @@ import (
"sync/atomic"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -65,18 +66,18 @@ func (b *backend) tidySecretID(ctx context.Context, s logical.Storage) error {
secretIDEntry, err := s.Get(ctx, entryIndex)
if err != nil {
lock.Unlock()
return fmt.Errorf("error fetching SecretID %s: %s", secretIDHMAC, err)
return errwrap.Wrapf(fmt.Sprintf("error fetching SecretID %q: {{err}}", secretIDHMAC), err)
}
if secretIDEntry == nil {
result = multierror.Append(result, fmt.Errorf("entry for SecretID %s is nil", secretIDHMAC))
result = multierror.Append(result, fmt.Errorf("entry for SecretID %q is nil", secretIDHMAC))
lock.Unlock()
continue
}
if secretIDEntry.Value == nil || len(secretIDEntry.Value) == 0 {
lock.Unlock()
return fmt.Errorf("found entry for SecretID %s but actual SecretID is empty", secretIDHMAC)
return fmt.Errorf("found entry for SecretID %q but actual SecretID is empty", secretIDHMAC)
}
var result secretIDStorageEntry
@ -96,7 +97,7 @@ func (b *backend) tidySecretID(ctx context.Context, s logical.Storage) error {
if err := s.Delete(ctx, entryIndex); err != nil {
lock.Unlock()
return fmt.Errorf("error deleting SecretID %s from storage: %s", secretIDHMAC, err)
return errwrap.Wrapf(fmt.Sprintf("error deleting SecretID %q from storage: {{err}}", secretIDHMAC), err)
}
}

32
builtin/credential/approle/validation.go
View File

@ -76,7 +76,7 @@ func (b *backend) validateRoleID(ctx context.Context, s logical.Storage, roleID
return nil, "", err
}
if roleIDIndex == nil {
return nil, "", fmt.Errorf("invalid role_id %q\n", roleID)
return nil, "", fmt.Errorf("invalid role_id %q", roleID)
}
lock := b.roleLock(roleIDIndex.Name)
@ -160,12 +160,12 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
hmacKey string, roleBoundCIDRList []string) (bool, map[string]string, error) {
secretIDHMAC, err := createHMAC(hmacKey, secretID)
if err != nil {
return false, nil, fmt.Errorf("failed to create HMAC of secret_id: %v", err)
return false, nil, errwrap.Wrapf("failed to create HMAC of secret_id: {{err}}", err)
}
roleNameHMAC, err := createHMAC(hmacKey, roleName)
if err != nil {
return false, nil, fmt.Errorf("failed to create HMAC of role_name: %v", err)
return false, nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC)
@ -204,7 +204,7 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
}
if belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, result.CIDRList); !belongs || err != nil {
return false, nil, fmt.Errorf("source address %q unauthorized through CIDR restrictions on the secret ID: %v", req.Connection.RemoteAddr, err)
return false, nil, errwrap.Wrapf(fmt.Sprintf("source address %q unauthorized through CIDR restrictions on the secret ID: {{err}}", req.Connection.RemoteAddr), err)
}
}
@ -238,16 +238,16 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
return false, nil, err
}
if err := req.Storage.Delete(ctx, entryIndex); err != nil {
return false, nil, fmt.Errorf("failed to delete secret ID: %v", err)
return false, nil, errwrap.Wrapf("failed to delete secret ID: {{err}}", err)
}
} else {
// If the use count is greater than one, decrement it and update the last updated time.
result.SecretIDNumUses -= 1
result.LastUpdatedTime = time.Now()
if entry, err := logical.StorageEntryJSON(entryIndex, &result); err != nil {
return false, nil, fmt.Errorf("failed to create storage entry while decrementing the secret ID use count: %v", err)
return false, nil, errwrap.Wrapf("failed to create storage entry while decrementing the secret ID use count: {{err}}", err)
} else if err = req.Storage.Put(ctx, entry); err != nil {
return false, nil, fmt.Errorf("failed to decrement the secret ID use count: %v", err)
return false, nil, errwrap.Wrapf("failed to decrement the secret ID use count: {{err}}", err)
}
}
@ -266,7 +266,7 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
}
if belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, result.CIDRList); !belongs || err != nil {
return false, nil, fmt.Errorf("source address %q unauthorized through CIDR restrictions on the secret ID: %v", req.Connection.RemoteAddr, err)
return false, nil, errwrap.Wrapf(fmt.Sprintf("source address %q unauthorized through CIDR restrictions on the secret ID: {{err}}", req.Connection.RemoteAddr), err)
}
}
@ -282,7 +282,7 @@ func verifyCIDRRoleSecretIDSubset(secretIDCIDRs []string, roleBoundCIDRList []st
if len(roleBoundCIDRList) != 0 {
subset, err := cidrutil.SubsetBlocks(roleBoundCIDRList, secretIDCIDRs)
if !subset || err != nil {
return fmt.Errorf("failed to verify subset relationship between CIDR blocks on the role %q and CIDR blocks on the secret ID %q: %v", roleBoundCIDRList, secretIDCIDRs, err)
return errwrap.Wrapf(fmt.Sprintf("failed to verify subset relationship between CIDR blocks on the role %q and CIDR blocks on the secret ID %q: {{err}}", roleBoundCIDRList, secretIDCIDRs), err)
}
}
}
@ -354,7 +354,7 @@ func (b *backend) nonLockedSecretIDStorageEntry(ctx context.Context, s logical.S
if persistNeeded {
if err := b.nonLockedSetSecretIDStorageEntry(ctx, s, roleNameHMAC, secretIDHMAC, &result); err != nil {
return nil, fmt.Errorf("failed to upgrade role storage entry %s", err)
return nil, errwrap.Wrapf("failed to upgrade role storage entry {{err}}", err)
}
}
@ -394,11 +394,11 @@ func (b *backend) nonLockedSetSecretIDStorageEntry(ctx context.Context, s logica
func (b *backend) registerSecretIDEntry(ctx context.Context, s logical.Storage, roleName, secretID, hmacKey string, secretEntry *secretIDStorageEntry) (*secretIDStorageEntry, error) {
secretIDHMAC, err := createHMAC(hmacKey, secretID)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of secret ID: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of secret ID: {{err}}", err)
}
roleNameHMAC, err := createHMAC(hmacKey, roleName)
if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err)
return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
lock := b.secretIDLock(secretIDHMAC)
@ -519,7 +519,7 @@ func (b *backend) createSecretIDAccessorEntry(ctx context.Context, s logical.Sto
}); err != nil {
return err
} else if err = s.Put(ctx, entry); err != nil {
return fmt.Errorf("failed to persist accessor index entry: %v", err)
return errwrap.Wrapf("failed to persist accessor index entry: {{err}}", err)
}
return nil
@ -539,7 +539,7 @@ func (b *backend) deleteSecretIDAccessorEntry(ctx context.Context, s logical.Sto
// Delete the accessor of the SecretID first
if err := s.Delete(ctx, accessorEntryIndex); err != nil {
return fmt.Errorf("failed to delete accessor storage entry: %v", err)
return errwrap.Wrapf("failed to delete accessor storage entry: {{err}}", err)
}
return nil
@ -550,7 +550,7 @@ func (b *backend) deleteSecretIDAccessorEntry(ctx context.Context, s logical.Sto
func (b *backend) flushRoleSecrets(ctx context.Context, s logical.Storage, roleName, hmacKey string) error {
roleNameHMAC, err := createHMAC(hmacKey, roleName)
if err != nil {
return fmt.Errorf("failed to create HMAC of role_name: %v", err)
return errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
}
// Acquire the custom lock to perform listing of SecretIDs
@ -568,7 +568,7 @@ func (b *backend) flushRoleSecrets(ctx context.Context, s logical.Storage, roleN
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC)
if err := s.Delete(ctx, entryIndex); err != nil {
lock.Unlock()
return fmt.Errorf("error deleting SecretID %q from storage: %v", secretIDHMAC, err)
return errwrap.Wrapf(fmt.Sprintf("error deleting SecretID %q from storage: {{err}}", secretIDHMAC), err)
}
lock.Unlock()
}

2
builtin/credential/aws/backend.go
View File

@ -227,7 +227,7 @@ func (b *backend) resolveArnToRealUniqueId(ctx context.Context, s logical.Storag
// Sigh
region := getAnyRegionForAwsPartition(entity.Partition)
if region == nil {
return "", fmt.Errorf("Unable to resolve partition %q to a region", entity.Partition)
return "", fmt.Errorf("unable to resolve partition %q to a region", entity.Partition)
}
iamClient, err := b.clientIAM(ctx, s, region.ID(), entity.AccountNumber)
if err != nil {

3
builtin/credential/aws/cli.go
View File

@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/awsutil"
)
@ -36,7 +37,7 @@ func GenerateLoginData(accessKey, secretKey, sessionToken, headerValue string) (
_, err = creds.Get()
if err != nil {
return nil, fmt.Errorf("failed to retrieve credentials from credential chain: %v", err)
return nil, errwrap.Wrapf("failed to retrieve credentials from credential chain: {{err}}", err)
}
// Use the credentials we've found to construct an STS session

9
builtin/credential/aws/client.go
View File

@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/awsutil"
"github.com/hashicorp/vault/logical"
@ -103,12 +104,12 @@ func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region
if b.defaultAWSAccountID == "" {
client := sts.New(session.New(stsConfig))
if client == nil {
return nil, fmt.Errorf("could not obtain sts client: %v", err)
return nil, errwrap.Wrapf("could not obtain sts client: {{err}}", err)
}
inputParams := &sts.GetCallerIdentityInput{}
identity, err := client.GetCallerIdentity(inputParams)
if err != nil {
return nil, fmt.Errorf("unable to fetch current caller: %v", err)
return nil, errwrap.Wrapf("unable to fetch current caller: {{err}}", err)
}
if identity == nil {
return nil, fmt.Errorf("got nil result from GetCallerIdentity")
@ -116,7 +117,7 @@ func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region
b.defaultAWSAccountID = *identity.Account
}
if b.defaultAWSAccountID != accountID {
return nil, fmt.Errorf("unable to fetch client for account ID %s -- default client is for account %s", accountID, b.defaultAWSAccountID)
return nil, fmt.Errorf("unable to fetch client for account ID %q -- default client is for account %q", accountID, b.defaultAWSAccountID)
}
}
@ -168,7 +169,7 @@ func (b *backend) stsRoleForAccount(ctx context.Context, s logical.Storage, acco
// Check if an STS configuration exists for the AWS account
sts, err := b.lockedAwsStsEntry(ctx, s, accountID)
if err != nil {
return "", fmt.Errorf("error fetching STS config for account ID %q: %q\n", accountID, err)
return "", errwrap.Wrapf(fmt.Sprintf("error fetching STS config for account ID %q: {{err}}", accountID), err)
}
// An empty STS role signifies the master account
if sts != nil {

2
builtin/credential/aws/path_config_certificate.go
View File

@ -206,7 +206,7 @@ func (b *backend) awsPublicCertificates(ctx context.Context, s logical.Storage,
return nil, err
}
if certEntry == nil {
return nil, fmt.Errorf("certificate storage has a nil entry under the name:%s\n", cert)
return nil, fmt.Errorf("certificate storage has a nil entry under the name: %q", cert)
}
// Append relevant certificates only
if (isPkcs && certEntry.Type == "pkcs7") ||

35
builtin/credential/aws/path_login.go
View File

@ -21,6 +21,7 @@ import (
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/fullsailor/pkcs7"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/jsonutil"
@ -167,7 +168,7 @@ func (b *backend) validateInstance(ctx context.Context, s logical.Storage, insta
},
})
if err != nil {
return nil, fmt.Errorf("error fetching description for instance ID %q: %q\n", instanceID, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error fetching description for instance ID %q: {{err}}", instanceID), err)
}
if status == nil {
return nil, fmt.Errorf("nil output from describe instances")
@ -310,7 +311,7 @@ func (b *backend) parseIdentityDocument(ctx context.Context, s logical.Storage,
// Parse the signature from asn1 format into a struct
pkcs7Data, err := pkcs7.Parse(pkcs7BER.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse the BER encoded PKCS#7 signature: %v\n", err)
return nil, errwrap.Wrapf("failed to parse the BER encoded PKCS#7 signature: {{err}}", err)
}
// Get the public certificates that are used to verify the signature.
@ -494,19 +495,19 @@ func (b *backend) verifyInstanceMeetsRoleRequirements(ctx context.Context,
iamInstanceProfileEntity, err := parseIamArn(iamInstanceProfileARN)
if err != nil {
return nil, fmt.Errorf("failed to parse IAM instance profile ARN %q; error: %v", iamInstanceProfileARN, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to parse IAM instance profile ARN %q: {{err}}", iamInstanceProfileARN), err)
}
// Use instance profile ARN to fetch the associated role ARN
iamClient, err := b.clientIAM(ctx, s, identityDoc.Region, identityDoc.AccountID)
if err != nil {
return nil, fmt.Errorf("could not fetch IAM client: %v", err)
return nil, errwrap.Wrapf("could not fetch IAM client: {{err}}", err)
} else if iamClient == nil {
return nil, fmt.Errorf("received a nil iamClient")
}
iamRoleARN, err := b.instanceIamRoleARN(iamClient, iamInstanceProfileEntity.FriendlyName)
if err != nil {
return nil, fmt.Errorf("IAM role ARN could not be fetched: %v", err)
return nil, errwrap.Wrapf("IAM role ARN could not be fetched: {{err}}", err)
}
if iamRoleARN == "" {
return nil, fmt.Errorf("IAM role ARN could not be fetched")
@ -878,7 +879,7 @@ func (b *backend) handleRoleTagLogin(ctx context.Context, s logical.Storage, rol
// If instance_id was set on the role tag, check if the same instance is attempting to login
if rTag.InstanceID != "" && rTag.InstanceID != *instance.InstanceId {
return nil, fmt.Errorf("role tag is being used by an unauthorized instance.")
return nil, fmt.Errorf("role tag is being used by an unauthorized instance")
}
// Check if the role tag is blacklisted
@ -959,7 +960,7 @@ func (b *backend) pathLoginRenewIam(ctx context.Context, req *logical.Request, d
}
_, err := b.validateInstance(ctx, req.Storage, instanceID, instanceRegion, req.Auth.Metadata["account_id"])
if err != nil {
return nil, fmt.Errorf("failed to verify instance ID %q: %v", instanceID, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to verify instance ID %q: {{err}}", instanceID), err)
}
} else {
return nil, fmt.Errorf("unrecognized entity_type in metadata: %q", roleEntry.InferredEntityType)
@ -990,11 +991,11 @@ func (b *backend) pathLoginRenewIam(ctx context.Context, req *logical.Request, d
if fullArn == "" {
entity, err := parseIamArn(canonicalArn)
if err != nil {
return nil, fmt.Errorf("error parsing ARN %q: %v", canonicalArn, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error parsing ARN %q: {{err}}", canonicalArn), err)
}
fullArn, err = b.fullArn(ctx, entity, req.Storage)
if err != nil {
return nil, fmt.Errorf("error looking up full ARN of entity %v: %v", entity, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error looking up full ARN of entity %v: {{err}}", entity), err)
}
if fullArn == "" {
return nil, fmt.Errorf("got empty string back when looking up full ARN of entity %v", entity)
@ -1045,7 +1046,7 @@ func (b *backend) pathLoginRenewEc2(ctx context.Context, req *logical.Request, d
// Cross check that the instance is still in 'running' state
_, err := b.validateInstance(ctx, req.Storage, instanceID, region, accountID)
if err != nil {
return nil, fmt.Errorf("failed to verify instance ID %q: %q", instanceID, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to verify instance ID %q: {{err}}", instanceID), err)
}
storedIdentity, err := whitelistIdentityEntry(ctx, req.Storage, instanceID)
@ -1395,12 +1396,12 @@ func validateVaultHeaderValue(headers http.Header, requestUrl *url.URL, required
}
}
if providedValue == "" {
return fmt.Errorf("didn't find %s", iamServerIdHeader)
return fmt.Errorf("missing header %q", iamServerIdHeader)
}
// NOT doing a constant time compare here since the value is NOT intended to be secret
if providedValue != requiredHeaderValue {
return fmt.Errorf("expected %s but got %s", requiredHeaderValue, providedValue)
return fmt.Errorf("expected %q but got %q", requiredHeaderValue, providedValue)
}
if authzHeaders, ok := headers["Authorization"]; ok {
@ -1494,7 +1495,7 @@ func parseIamRequestHeaders(headersB64 string) (http.Header, error) {
var headersDecoded map[string]interface{}
err = jsonutil.DecodeJSON(headersJson, &headersDecoded)
if err != nil {
return nil, fmt.Errorf("failed to JSON decode iam_request_headers %q: %v", headersJson, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to JSON decode iam_request_headers %q: {{err}}", headersJson), err)
}
headers := make(http.Header)
for k, v := range headersDecoded {
@ -1533,7 +1534,7 @@ func submitCallerIdentityRequest(method, endpoint string, parsedUrl *url.URL, bo
}
response, err := client.Do(request)
if err != nil {
return nil, fmt.Errorf("error making request: %v", err)
return nil, errwrap.Wrapf("error making request: {{err}}", err)
}
if response != nil {
defer response.Body.Close()
@ -1617,7 +1618,7 @@ func (b *backend) fullArn(ctx context.Context, e *iamEntity, s logical.Storage)
// Not assuming path is reliable for any entity types
client, err := b.clientIAM(ctx, s, getAnyRegionForAwsPartition(e.Partition).ID(), e.AccountNumber)
if err != nil {
return "", fmt.Errorf("error creating IAM client: %v", err)
return "", errwrap.Wrapf("error creating IAM client: {{err}}", err)
}
switch e.Type {
@ -1627,7 +1628,7 @@ func (b *backend) fullArn(ctx context.Context, e *iamEntity, s logical.Storage)
}
resp, err := client.GetUser(&input)
if err != nil {
return "", fmt.Errorf("error fetching user %q: %v", e.FriendlyName, err)
return "", errwrap.Wrapf(fmt.Sprintf("error fetching user %q: {{err}}", e.FriendlyName), err)
}
if resp == nil {
return "", fmt.Errorf("nil response from GetUser")
@ -1641,7 +1642,7 @@ func (b *backend) fullArn(ctx context.Context, e *iamEntity, s logical.Storage)
}
resp, err := client.GetRole(&input)
if err != nil {
return "", fmt.Errorf("error fetching role %q: %v", e.FriendlyName, err)
return "", errwrap.Wrapf(fmt.Sprintf("error fetching role %q: {{err}}", e.FriendlyName), err)
}
if resp == nil {
return "", fmt.Errorf("nil response form GetRole")

9
builtin/credential/aws/path_role.go
View File

@ -6,6 +6,7 @@ import (
"strings"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/policyutil"
@ -244,7 +245,7 @@ func (b *backend) lockedAWSRole(ctx context.Context, s logical.Storage, roleName
}
needUpgrade, err := b.upgradeRoleEntry(ctx, s, roleEntry)
if err != nil {
return nil, fmt.Errorf("error upgrading roleEntry: %v", err)
return nil, errwrap.Wrapf("error upgrading roleEntry: {{err}}", err)
}
if needUpgrade && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary)) {
b.roleMutex.Lock()
@ -261,11 +262,11 @@ func (b *backend) lockedAWSRole(ctx context.Context, s logical.Storage, roleName
}
// now re-check to see if we need to upgrade
if needUpgrade, err = b.upgradeRoleEntry(ctx, s, roleEntry); err != nil {
return nil, fmt.Errorf("error upgrading roleEntry: %v", err)
return nil, errwrap.Wrapf("error upgrading roleEntry: {{err}}", err)
}
if needUpgrade {
if err = b.nonLockedSetAWSRole(ctx, s, roleName, roleEntry); err != nil {
return nil, fmt.Errorf("error saving upgraded roleEntry: %v", err)
return nil, errwrap.Wrapf("error saving upgraded roleEntry: {{err}}", err)
}
}
}
@ -789,7 +790,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
if roleEntry.HMACKey == "" {
roleEntry.HMACKey, err = uuid.GenerateUUID()
if err != nil {
return nil, fmt.Errorf("failed to generate role HMAC key: %v", err)
return nil, errwrap.Wrapf("failed to generate role HMAC key: {{err}}", err)
}
}

4
builtin/credential/aws/path_role_tag.go
View File

@ -341,7 +341,7 @@ func (b *backend) parseAndVerifyRoleTagValue(ctx context.Context, s logical.Stor
return nil, err
}
default:
return nil, fmt.Errorf("unrecognized item %s in tag", tagItem)
return nil, fmt.Errorf("unrecognized item %q in tag", tagItem)
}
}
@ -354,7 +354,7 @@ func (b *backend) parseAndVerifyRoleTagValue(ctx context.Context, s logical.Stor
return nil, err
}
if roleEntry == nil {
return nil, fmt.Errorf("entry not found for %s", rTag.Role)
return nil, fmt.Errorf("entry not found for %q", rTag.Role)
}
// Create a HMAC of the plaintext value of role tag and compare it with the given value.

9
builtin/credential/aws/path_tidy_identity_whitelist.go
View File

@ -6,6 +6,7 @@ import (
"sync/atomic"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -50,15 +51,15 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage,
for _, instanceID := range identities {
identityEntry, err := s.Get(ctx, "whitelist/identity/"+instanceID)
if err != nil {
return fmt.Errorf("error fetching identity of instanceID %s: %s", instanceID, err)
return errwrap.Wrapf(fmt.Sprintf("error fetching identity of instanceID %q: {{err}}", instanceID), err)
}
if identityEntry == nil {
return fmt.Errorf("identity entry for instanceID %s is nil", instanceID)
return fmt.Errorf("identity entry for instanceID %q is nil", instanceID)
}
if identityEntry.Value == nil || len(identityEntry.Value) == 0 {
return fmt.Errorf("found identity entry for instanceID %s but actual identity is empty", instanceID)
return fmt.Errorf("found identity entry for instanceID %q but actual identity is empty", instanceID)
}
var result whitelistIdentity
@ -68,7 +69,7 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage,
if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
if err := s.Delete(ctx, "whitelist/identity"+instanceID); err != nil {
return fmt.Errorf("error deleting identity of instanceID %s from storage: %s", instanceID, err)
return errwrap.Wrapf(fmt.Sprintf("error deleting identity of instanceID %q from storage: {{err}}", instanceID), err)
}
}
}

9
builtin/credential/aws/path_tidy_roletag_blacklist.go
View File

@ -6,6 +6,7 @@ import (
"sync/atomic"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -49,15 +50,15 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s
for _, tag := range tags {
tagEntry, err := s.Get(ctx, "blacklist/roletag/"+tag)
if err != nil {
return fmt.Errorf("error fetching tag %s: %s", tag, err)
return errwrap.Wrapf(fmt.Sprintf("error fetching tag %q: {{err}}", tag), err)
}
if tagEntry == nil {
return fmt.Errorf("tag entry for tag %s is nil", tag)
return fmt.Errorf("tag entry for tag %q is nil", tag)
}
if tagEntry.Value == nil || len(tagEntry.Value) == 0 {
return fmt.Errorf("found entry for tag %s but actual tag is empty", tag)
return fmt.Errorf("found entry for tag %q but actual tag is empty", tag)
}
var result roleTagBlacklistEntry
@ -67,7 +68,7 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s
if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
if err := s.Delete(ctx, "blacklist/roletag"+tag); err != nil {
return fmt.Errorf("error deleting tag %s from storage: %s", tag, err)
return errwrap.Wrapf(fmt.Sprintf("error deleting tag %q from storage: {{err}}", tag), err)
}
}
}

4
builtin/credential/cert/path_config.go
View File

@ -2,8 +2,8 @@ package cert
import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -52,7 +52,7 @@ func (b *backend) Config(ctx context.Context, s logical.Storage) (*config, error
var result config
if entry != nil {
if err := entry.DecodeJSON(&result); err != nil {
return nil, fmt.Errorf("error reading configuration: %s", err)
return nil, errwrap.Wrapf("error reading configuration: {{err}}", err)
}
}
return &result, nil

13
builtin/credential/cert/path_crls.go
View File

@ -8,6 +8,7 @@ import (
"strings"
"github.com/fatih/structs"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -54,7 +55,7 @@ func (b *backend) populateCRLs(ctx context.Context, storage logical.Storage) err
keys, err := storage.List(ctx, "crls/")
if err != nil {
return fmt.Errorf("error listing CRLs: %v", err)
return errwrap.Wrapf("error listing CRLs: {{err}}", err)
}
if keys == nil || len(keys) == 0 {
return nil
@ -64,7 +65,7 @@ func (b *backend) populateCRLs(ctx context.Context, storage logical.Storage) err
entry, err := storage.Get(ctx, "crls/"+key)
if err != nil {
b.crls = nil
return fmt.Errorf("error loading CRL %s: %v", key, err)
return errwrap.Wrapf(fmt.Sprintf("error loading CRL %q: {{err}}", key), err)
}
if entry == nil {
continue
@ -73,7 +74,7 @@ func (b *backend) populateCRLs(ctx context.Context, storage logical.Storage) err
err = entry.DecodeJSON(&crlInfo)
if err != nil {
b.crls = nil
return fmt.Errorf("error decoding CRL %s: %v", key, err)
return errwrap.Wrapf(fmt.Sprintf("error decoding CRL %q: {{err}}", key), err)
}
b.crls[key] = crlInfo
}
@ -103,20 +104,20 @@ func parseSerialString(input string) (*big.Int, error) {
case strings.Count(input, ":") > 0:
serialBytes := certutil.ParseHexFormatted(input, ":")
if serialBytes == nil {
return nil, fmt.Errorf("error parsing serial %s", input)
return nil, fmt.Errorf("error parsing serial %q", input)
}
ret.SetBytes(serialBytes)
case strings.Count(input, "-") > 0:
serialBytes := certutil.ParseHexFormatted(input, "-")
if serialBytes == nil {
return nil, fmt.Errorf("error parsing serial %s", input)
return nil, fmt.Errorf("error parsing serial %q", input)
}
ret.SetBytes(serialBytes)
default:
var success bool
ret, success = ret.SetString(input, 0)
if !success {
return nil, fmt.Errorf("error parsing serial %s", input)
return nil, fmt.Errorf("error parsing serial %q", input)
}
}

5
builtin/credential/github/cli.go
View File

@ -6,6 +6,7 @@ import (
"os"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/password"
)
@ -42,12 +43,12 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
return nil, fmt.Errorf("user interrupted")
}
return nil, fmt.Errorf("An error occurred attempting to "+
return nil, errwrap.Wrapf("An error occurred attempting to "+
"ask for a token. The raw error message is shown below, but usually "+
"this is because you attempted to pipe a value into the command or "+
"you are executing outside of a terminal (tty). If you want to pipe "+
"the value, pass \"-\" as the argument to read from stdin. The raw "+
"error was: %s", err)
"error was: {{err}}", err)
}
}

3
builtin/credential/github/path_config.go
View File

@ -6,6 +6,7 @@ import (
"net/url"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -127,7 +128,7 @@ func (b *backend) Config(ctx context.Context, s logical.Storage) (*config, error
var result config
if entry != nil {
if err := entry.DecodeJSON(&result); err != nil {
return nil, fmt.Errorf("error reading configuration: %s", err)
return nil, errwrap.Wrapf("error reading configuration: {{err}}", err)
}
}

3
builtin/credential/github/path_login.go
View File

@ -7,6 +7,7 @@ import (
"strings"
"github.com/google/go-github/github"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -163,7 +164,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, t
if config.BaseURL != "" {
parsedURL, err := url.Parse(config.BaseURL)
if err != nil {
return nil, nil, fmt.Errorf("Successfully parsed base_url when set but failing to parse now: %s", err)
return nil, nil, errwrap.Wrapf("successfully parsed base_url when set but failing to parse now: {{err}}", err)
}
client.BaseURL = parsedURL
}

11
builtin/credential/ldap/backend.go
View File

@ -9,6 +9,7 @@ import (
"text/template"
"github.com/go-ldap/ldap"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/mfa"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
@ -270,7 +271,7 @@ func (b *backend) getUserBindDN(cfg *ConfigEntry, c *ldap.Conn, username string)
err = c.UnauthenticatedBind(cfg.BindDN)
}
if err != nil {
return bindDN, fmt.Errorf("LDAP bind (service) failed: %v", err)
return bindDN, errwrap.Wrapf("LDAP bind (service) failed: {{err}}", err)
}
filter := fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username))
@ -284,7 +285,7 @@ func (b *backend) getUserBindDN(cfg *ConfigEntry, c *ldap.Conn, username string)
SizeLimit: math.MaxInt32,
})
if err != nil {
return bindDN, fmt.Errorf("LDAP search for binddn failed: %v", err)
return bindDN, errwrap.Wrapf("LDAP search for binddn failed: {{err}}", err)
}
if len(result.Entries) != 1 {
return bindDN, fmt.Errorf("LDAP search for binddn 0 or not unique")
@ -319,7 +320,7 @@ func (b *backend) getUserDN(cfg *ConfigEntry, c *ldap.Conn, bindDN string) (stri
SizeLimit: math.MaxInt32,
})
if err != nil {
return userDN, fmt.Errorf("LDAP search failed for detecting user: %v", err)
return userDN, errwrap.Wrapf("LDAP search failed for detecting user: {{err}}", err)
}
for _, e := range result.Entries {
userDN = e.DN
@ -373,7 +374,7 @@ func (b *backend) getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userDN string, u
// Example template "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
t, err := template.New("queryTemplate").Parse(cfg.GroupFilter)
if err != nil {
return nil, fmt.Errorf("LDAP search failed due to template compilation error: %v", err)
return nil, errwrap.Wrapf("LDAP search failed due to template compilation error: {{err}}", err)
}
// Build context to pass to template - we will be exposing UserDn and Username.
@ -402,7 +403,7 @@ func (b *backend) getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userDN string, u
SizeLimit: math.MaxInt32,
})
if err != nil {
return nil, fmt.Errorf("LDAP search failed: %v", err)
return nil, errwrap.Wrapf("LDAP search failed: {{err}}", err)
}
for _, e := range result.Entries {

9
builtin/credential/ldap/path_config.go
View File

@ -12,6 +12,7 @@ import (
"text/template"
"github.com/go-ldap/ldap"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/helper/consts"
@ -253,7 +254,7 @@ func (b *backend) newConfigEntry(d *framework.FieldData) (*ConfigEntry, error) {
// Validate the template before proceeding
_, err := template.New("queryTemplate").Parse(groupfilter)
if err != nil {
return nil, fmt.Errorf("invalid groupfilter (%v)", err)
return nil, errwrap.Wrapf("invalid groupfilter: {{err}}", err)
}
cfg.GroupFilter = groupfilter
@ -275,7 +276,7 @@ func (b *backend) newConfigEntry(d *framework.FieldData) (*ConfigEntry, error) {
}
_, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse certificate %s", err.Error())
return nil, errwrap.Wrapf("failed to parse certificate: {{err}}", err)
}
cfg.Certificate = certificate
}
@ -429,7 +430,7 @@ func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
for _, uut := range urls {
u, err := url.Parse(uut)
if err != nil {
retErr = multierror.Append(retErr, fmt.Errorf("error parsing url %q: %s", uut, err.Error()))
retErr = multierror.Append(retErr, errwrap.Wrapf(fmt.Sprintf("error parsing url %q: {{err}}", uut), err))
continue
}
host, port, err := net.SplitHostPort(u.Host)
@ -480,7 +481,7 @@ func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
retErr = nil
break
}
retErr = multierror.Append(retErr, fmt.Errorf("error connecting to host %q: %s", uut, err.Error()))
retErr = multierror.Append(retErr, errwrap.Wrapf(fmt.Sprintf("error connecting to host %q: {{err}}", uut), err))
}
return conn, retErr.ErrorOrNil()

23
builtin/credential/token/cli.go
View File

@ -7,6 +7,7 @@ import (
"strconv"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/password"
)
@ -26,7 +27,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
if x, ok := m["lookup"]; ok {
parsed, err := strconv.ParseBool(x)
if err != nil {
return nil, fmt.Errorf("Failed to parse \"lookup\" as boolean: %s", err)
return nil, errwrap.Wrapf("Failed to parse \"lookup\" as boolean: {{err}}", err)
}
lookup = parsed
}
@ -51,12 +52,12 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
return nil, fmt.Errorf("user interrupted")
}
return nil, fmt.Errorf("An error occurred attempting to "+
return nil, errwrap.Wrapf("An error occurred attempting to "+
"ask for a token. The raw error message is shown below, but usually "+
"this is because you attempted to pipe a value into the command or "+
"you are executing outside of a terminal (tty). If you want to pipe "+
"the value, pass \"-\" as the argument to read from stdin. The raw "+
"error was: %s", err)
"error was: {{err}}", err)
}
}
@ -86,10 +87,10 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
secret, err := c.Auth().Token().LookupSelf()
if err != nil {
return nil, fmt.Errorf("Error looking up token: %s", err)
return nil, errwrap.Wrapf("error looking up token: {{err}}", err)
}
if secret == nil {
return nil, fmt.Errorf("Empty response from lookup-self")
return nil, fmt.Errorf("empty response from lookup-self")
}
// Return an auth struct that "looks" like the response from an auth method.
@ -97,27 +98,27 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
// mirror that data here.
id, err := secret.TokenID()
if err != nil {
return nil, fmt.Errorf("Error accessing token ID: %s", err)
return nil, errwrap.Wrapf("error accessing token ID: {{err}}", err)
}
accessor, err := secret.TokenAccessor()
if err != nil {
return nil, fmt.Errorf("Error accessing token accessor: %s", err)
return nil, errwrap.Wrapf("error accessing token accessor: {{err}}", err)
}
policies, err := secret.TokenPolicies()
if err != nil {
return nil, fmt.Errorf("Error accessing token policies: %s", err)
return nil, errwrap.Wrapf("error accessing token policies: {{err}}", err)
}
metadata, err := secret.TokenMetadata()
if err != nil {
return nil, fmt.Errorf("Error accessing token metadata: %s", err)
return nil, errwrap.Wrapf("error accessing token metadata: {{err}}", err)
}
dur, err := secret.TokenTTL()
if err != nil {
return nil, fmt.Errorf("Error converting token TTL: %s", err)
return nil, errwrap.Wrapf("error converting token TTL: {{err}}", err)
}
renewable, err := secret.TokenIsRenewable()
if err != nil {
return nil, fmt.Errorf("Error checking if token is renewable: %s", err)
return nil, errwrap.Wrapf("error checking if token is renewable: {{err}}", err)
}
return &api.Secret{
Auth: &api.SecretAuth{

3
builtin/logical/aws/client.go
View File

@ -9,6 +9,7 @@ import (
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/awsutil"
"github.com/hashicorp/vault/logical"
@ -26,7 +27,7 @@ func getRootConfig(ctx context.Context, s logical.Storage, clientType string) (*
if entry != nil {
var config rootConfig
if err := entry.DecodeJSON(&config); err != nil {
return nil, fmt.Errorf("error reading root configuration: %s", err)
return nil, errwrap.Wrapf("error reading root configuration: {{err}}", err)
}
credsConfig.AccessKey = config.AccessKey

3
builtin/logical/aws/path_sts.go
View File

@ -5,6 +5,7 @@ import (
"fmt"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -47,7 +48,7 @@ func (b *backend) pathSTSRead(ctx context.Context, req *logical.Request, d *fram
// Read the policy
policy, err := req.Storage.Get(ctx, "policy/"+policyName)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err)
return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
}
if policy == nil {
return logical.ErrorResponse(fmt.Sprintf(

3
builtin/logical/aws/path_user.go
View File

@ -6,6 +6,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
"github.com/mitchellh/mapstructure"
@ -36,7 +37,7 @@ func (b *backend) pathUserRead(ctx context.Context, req *logical.Request, d *fra
// Read the policy
policy, err := req.Storage.Get(ctx, "policy/"+policyName)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err)
return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
}
if policy == nil {
return logical.ErrorResponse(fmt.Sprintf(

5
builtin/logical/aws/secret_access_keys.go
View File

@ -12,6 +12,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -174,7 +175,7 @@ func (b *backend) secretAccessKeysCreate(
UserName: username,
})
if err != nil {
return nil, fmt.Errorf("Error writing WAL entry: %s", err)
return nil, errwrap.Wrapf("error writing WAL entry: {{err}}", err)
}
// Create the user
@ -223,7 +224,7 @@ func (b *backend) secretAccessKeysCreate(
// the secret because it'll get rolled back anyways, so we have to return
// an error here.
if err := framework.DeleteWAL(ctx, s, walId); err != nil {
return nil, fmt.Errorf("Failed to commit WAL entry: %s", err)
return nil, errwrap.Wrapf("failed to commit WAL entry: {{err}}", err)
}
// Return the info!

3
builtin/logical/cassandra/backend.go
View File

@ -92,8 +92,7 @@ func (b *backend) DB(ctx context.Context, s logical.Storage) (*gocql.Session, er
return nil, err
}
if entry == nil {
return nil,
fmt.Errorf("Configure the DB connection with config/connection first")
return nil, fmt.Errorf("configure the DB connection with config/connection first")
}
config := &sessionConfig{}

5
builtin/logical/cassandra/secret_creds.go
View File

@ -4,6 +4,7 @@ import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -44,7 +45,7 @@ func (b *backend) secretCredsRenew(ctx context.Context, req *logical.Request, d
role, err := getRole(ctx, req.Storage, roleName)
if err != nil {
return nil, fmt.Errorf("unable to load role: %s", err)
return nil, errwrap.Wrapf("unable to load role: {{err}}", err)
}
resp := &logical.Response{Secret: req.Secret}
@ -70,7 +71,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
err = session.Query(fmt.Sprintf("DROP USER '%s'", username)).Exec()
if err != nil {
return nil, fmt.Errorf("error removing user %s", username)
return nil, fmt.Errorf("error removing user %q", username)
}
return nil, nil

11
builtin/logical/cassandra/util.go
View File

@ -7,6 +7,7 @@ import (
"time"
"github.com/gocql/gocql"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/tlsutil"
"github.com/hashicorp/vault/logical"
@ -39,7 +40,7 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
var tlsConfig *tls.Config
if len(cfg.Certificate) > 0 || len(cfg.IssuingCA) > 0 {
if len(cfg.Certificate) > 0 && len(cfg.PrivateKey) == 0 {
return nil, fmt.Errorf("Found certificate for TLS authentication but no private key")
return nil, fmt.Errorf("found certificate for TLS authentication but no private key")
}
certBundle := &certutil.CertBundle{}
@ -53,12 +54,12 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
parsedCertBundle, err := certBundle.ToParsedCertBundle()
if err != nil {
return nil, fmt.Errorf("failed to parse certificate bundle: %s", err)
return nil, errwrap.Wrapf("failed to parse certificate bundle: {{err}}", err)
}
tlsConfig, err = parsedCertBundle.GetTLSConfig(certutil.TLSClient)
if err != nil || tlsConfig == nil {
return nil, fmt.Errorf("failed to get TLS configuration: tlsConfig:%#v err:%v", tlsConfig, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to get TLS configuration: tlsConfig: %#v; {{err}}", tlsConfig), err)
}
tlsConfig.InsecureSkipVerify = cfg.InsecureTLS
@ -82,13 +83,13 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
session, err := clusterConfig.CreateSession()
if err != nil {
return nil, fmt.Errorf("Error creating session: %s", err)
return nil, errwrap.Wrapf("error creating session: {{err}}", err)
}
// Verify the info
err = session.Query(`LIST USERS`).Exec()
if err != nil {
return nil, fmt.Errorf("Error validating connection info: %s", err)
return nil, errwrap.Wrapf("error validating connection info: {{err}}", err)
}
return session, nil

7
builtin/logical/consul/path_config.go
View File

@ -4,6 +4,7 @@ import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -46,14 +47,12 @@ func readConfigAccess(ctx context.Context, storage logical.Storage) (*accessConf
return nil, nil, err
}
if entry == nil {
return nil, fmt.Errorf(
"Access credentials for the backend itself haven't been configured. Please configure them at the '/config/access' endpoint"),
nil
return nil, fmt.Errorf("access credentials for the backend itself haven't been configured; please configure them at the '/config/access' endpoint"), nil
}
conf := &accessConfig{}
if err := entry.DecodeJSON(conf); err != nil {
return nil, nil, fmt.Errorf("error reading consul access configuration: %s", err)
return nil, nil, errwrap.Wrapf("error reading consul access configuration: {{err}}", err)
}
return conf, nil, nil

3
builtin/logical/consul/path_token.go
View File

@ -6,6 +6,7 @@ import (
"time"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -31,7 +32,7 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
entry, err := req.Storage.Get(ctx, "policy/"+role)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err)
return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
}
if entry == nil {
return logical.ErrorResponse(fmt.Sprintf("role %q not found", role)), nil

3
builtin/logical/consul/secret_token.go
View File

@ -4,6 +4,7 @@ import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -41,7 +42,7 @@ func (b *backend) secretTokenRenew(ctx context.Context, req *logical.Request, d
entry, err := req.Storage.Get(ctx, "policy/"+role)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err)
return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
}
if entry == nil {
return logical.ErrorResponse(fmt.Sprintf("issuing role %q not found", role)), nil

2
builtin/logical/database/backend.go
View File

@ -96,7 +96,7 @@ func (b *databaseBackend) DatabaseConfig(ctx context.Context, s logical.Storage,
return nil, errwrap.Wrapf("failed to read connection configuration: {{err}}", err)
}
if entry == nil {
return nil, fmt.Errorf("failed to find entry for connection with name: %s", name)
return nil, fmt.Errorf("failed to find entry for connection with name: %q", name)
}
var config DatabaseConfig

2
builtin/logical/database/dbplugin/plugin.go
View File

@ -54,7 +54,7 @@ func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRu
var ok bool
db, ok = dbRaw.(Database)
if !ok {
return nil, fmt.Errorf("unsupported database type: %s", pluginName)
return nil, fmt.Errorf("unsupported database type: %q", pluginName)
}
transport = "builtin"

6
builtin/logical/database/secret_creds.go
View File

@ -32,7 +32,7 @@ func (b *databaseBackend) secretCredsRenew() framework.OperationFunc {
roleNameRaw, ok := req.Secret.InternalData["role"]
if !ok {
return nil, fmt.Errorf("could not find role with name: %s", req.Secret.InternalData["role"])
return nil, fmt.Errorf("could not find role with name: %q", req.Secret.InternalData["role"])
}
role, err := b.Role(ctx, req.Storage, roleNameRaw.(string))
@ -40,7 +40,7 @@ func (b *databaseBackend) secretCredsRenew() framework.OperationFunc {
return nil, err
}
if role == nil {
return nil, fmt.Errorf("error during renew: could not find role with name %s", req.Secret.InternalData["role"])
return nil, fmt.Errorf("error during renew: could not find role with name %q", req.Secret.InternalData["role"])
}
// Get the Database object
@ -96,7 +96,7 @@ func (b *databaseBackend) secretCredsRevoke() framework.OperationFunc {
return nil, err
}
if role == nil {
return nil, fmt.Errorf("error during revoke: could not find role with name %s", req.Secret.InternalData["role"])
return nil, fmt.Errorf("error during revoke: could not find role with name %q", req.Secret.InternalData["role"])
}
// Get our connection

5
builtin/logical/mssql/secret_creds.go
View File

@ -5,6 +5,7 @@ import (
"database/sql"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -143,10 +144,10 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
// can't drop if not all database users are dropped
if rows.Err() != nil {
return nil, fmt.Errorf("could not generate sql statements for all rows: %s", rows.Err())
return nil, errwrap.Wrapf("could not generate sql statements for all rows: {{err}}", rows.Err())
}
if lastStmtError != nil {
return nil, fmt.Errorf("could not perform all sql statements: %s", lastStmtError)
return nil, errwrap.Wrapf("could not perform all sql statements: {{err}}", lastStmtError)
}
// Drop this login

5
builtin/logical/pki/crl_util.go
View File

@ -8,6 +8,7 @@ import (
"fmt"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical"
)
@ -66,7 +67,7 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
cert, err := x509.ParseCertificate(certEntry.Value)
if err != nil {
return nil, fmt.Errorf("error parsing certificate: %s", err)
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
}
if cert == nil {
return nil, fmt.Errorf("got a nil certificate")
@ -104,7 +105,7 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
case errutil.UserError:
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
case errutil.InternalError:
return nil, fmt.Errorf("error encountered during CRL building: %s", crlErr)
return nil, errwrap.Wrapf("error encountered during CRL building: {{err}}", crlErr)
}
resp := &logical.Response{

4
builtin/logical/pki/path_config_ca.go
View File

@ -2,8 +2,8 @@ package pki
import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical"
@ -62,7 +62,7 @@ func (b *backend) pathCAWrite(ctx context.Context, req *logical.Request, data *f
cb, err := parsedBundle.ToCertBundle()
if err != nil {
return nil, fmt.Errorf("error converting raw values into cert bundle: %s", err)
return nil, errwrap.Wrapf("error converting raw values into cert bundle: {{err}}", err)
}
entry, err := logical.StorageEntryJSON("config/ca_bundle", cb)

2
builtin/logical/pki/path_config_urls.go
View File

@ -76,7 +76,7 @@ func writeURLs(ctx context.Context, req *logical.Request, entries *urlEntries) e
return err
}
if entry == nil {
return fmt.Errorf("Unable to marshal entry into JSON")
return fmt.Errorf("unable to marshal entry into JSON")
}
err = req.Storage.Put(ctx, entry)

7
builtin/logical/pki/path_intermediate.go
View File

@ -5,6 +5,7 @@ import (
"encoding/base64"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical"
@ -87,7 +88,7 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
csrb, err := parsedBundle.ToCSRBundle()
if err != nil {
return nil, fmt.Errorf("Error converting raw CSR bundle to CSR bundle: %s", err)
return nil, errwrap.Wrapf("error converting raw CSR bundle to CSR bundle: {{err}}", err)
}
resp = &logical.Response{
@ -197,12 +198,12 @@ func (b *backend) pathSetSignedIntermediate(ctx context.Context, req *logical.Re
}
if err := inputBundle.Verify(); err != nil {
return nil, fmt.Errorf("verification of parsed bundle failed: %s", err)
return nil, errwrap.Wrapf("verification of parsed bundle failed: {{err}}", err)
}
cb, err = inputBundle.ToCertBundle()
if err != nil {
return nil, fmt.Errorf("error converting raw values into cert bundle: %s", err)
return nil, errwrap.Wrapf("error converting raw values into cert bundle: {{err}}", err)
}
entry, err = logical.StorageEntryJSON("config/ca_bundle", cb)

2
builtin/logical/pki/path_issue_sign.go
View File

@ -297,7 +297,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
Value: parsedBundle.CertificateBytes,
})
if err != nil {
return nil, fmt.Errorf("unable to store certificate locally: %v", err)
return nil, errwrap.Wrapf("unable to store certificate locally: {{err}}", err)
}
}

3
builtin/logical/pki/path_revoke.go
View File

@ -5,6 +5,7 @@ import (
"fmt"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -68,7 +69,7 @@ func (b *backend) pathRotateCRLRead(ctx context.Context, req *logical.Request, d
case errutil.UserError:
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
case errutil.InternalError:
return nil, fmt.Errorf("Error encountered during CRL building: %s", crlErr)
return nil, errwrap.Wrapf("error encountered during CRL building: {{err}}", crlErr)
default:
return &logical.Response{
Data: map[string]interface{}{

10
builtin/logical/pki/path_root.go
View File

@ -309,17 +309,17 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
}
if err := parsedBundle.Verify(); err != nil {
return nil, fmt.Errorf("verification of parsed bundle failed: %s", err)
return nil, errwrap.Wrapf("verification of parsed bundle failed: {{err}}", err)
}
signingCB, err := signingBundle.ToCertBundle()
if err != nil {
return nil, fmt.Errorf("Error converting raw signing bundle to cert bundle: %s", err)
return nil, errwrap.Wrapf("error converting raw signing bundle to cert bundle: {{err}}", err)
}
cb, err := parsedBundle.ToCertBundle()
if err != nil {
return nil, fmt.Errorf("Error converting raw cert bundle to cert bundle: %s", err)
return nil, errwrap.Wrapf("error converting raw cert bundle to cert bundle: {{err}}", err)
}
resp := &logical.Response{
@ -366,7 +366,7 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
Value: parsedBundle.CertificateBytes,
})
if err != nil {
return nil, fmt.Errorf("Unable to store certificate locally: %v", err)
return nil, errwrap.Wrapf("unable to store certificate locally: {{err}}", err)
}
if parsedBundle.Certificate.MaxPathLen == 0 {
@ -413,7 +413,7 @@ func (b *backend) pathCASignSelfIssued(ctx context.Context, req *logical.Request
signingCB, err := signingBundle.ToCertBundle()
if err != nil {
return nil, fmt.Errorf("Error converting raw signing bundle to cert bundle: %s", err)
return nil, errwrap.Wrapf("error converting raw signing bundle to cert bundle: {{err}}", err)
}
urls := &urlEntries{}

18
builtin/logical/pki/path_tidy.go
View File

@ -60,13 +60,13 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
if tidyCertStore {
serials, err := req.Storage.List(ctx, "certs/")
if err != nil {
return nil, fmt.Errorf("error fetching list of certs: %s", err)
return nil, errwrap.Wrapf("error fetching list of certs: {{err}}", err)
}
for _, serial := range serials {
certEntry, err := req.Storage.Get(ctx, "certs/"+serial)
if err != nil {
return nil, fmt.Errorf("error fetching certificate %s: %s", serial, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error fetching certificate %q: {{err}}", serial), err)
}
if certEntry == nil {
@ -91,12 +91,12 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
cert, err := x509.ParseCertificate(certEntry.Value)
if err != nil {
return nil, fmt.Errorf("unable to parse stored certificate with serial %s: %s", serial, err)
return nil, errwrap.Wrapf(fmt.Sprintf("unable to parse stored certificate with serial %q: {{err}}", serial), err)
}
if time.Now().After(cert.NotAfter.Add(bufferDuration)) {
if err := req.Storage.Delete(ctx, "certs/"+serial); err != nil {
return nil, fmt.Errorf("error deleting serial %s from storage: %s", serial, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error deleting serial %q from storage: {{err}}", serial), err)
}
}
}
@ -110,14 +110,14 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
revokedSerials, err := req.Storage.List(ctx, "revoked/")
if err != nil {
return nil, fmt.Errorf("error fetching list of revoked certs: %s", err)
return nil, errwrap.Wrapf("error fetching list of revoked certs: {{err}}", err)
}
var revInfo revocationInfo
for _, serial := range revokedSerials {
revokedEntry, err := req.Storage.Get(ctx, "revoked/"+serial)
if err != nil {
return nil, fmt.Errorf("unable to fetch revoked cert with serial %s: %s", serial, err)
return nil, errwrap.Wrapf(fmt.Sprintf("unable to fetch revoked cert with serial %q: {{err}}", serial), err)
}
if revokedEntry == nil {
@ -142,17 +142,17 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
err = revokedEntry.DecodeJSON(&revInfo)
if err != nil {
return nil, fmt.Errorf("error decoding revocation entry for serial %s: %s", serial, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error decoding revocation entry for serial %q: {{err}}", serial), err)
}
revokedCert, err := x509.ParseCertificate(revInfo.CertificateBytes)
if err != nil {
return nil, fmt.Errorf("unable to parse stored revoked certificate with serial %s: %s", serial, err)
return nil, errwrap.Wrapf(fmt.Sprintf("unable to parse stored revoked certificate with serial %q: {{err}}", serial), err)
}
if time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
if err := req.Storage.Delete(ctx, "revoked/"+serial); err != nil {
return nil, fmt.Errorf("error deleting serial %s from revoked list: %s", serial, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error deleting serial %q from revoked list: {{err}}", serial), err)
}
tidiedRevoked = true
}

5
builtin/logical/postgresql/secret_creds.go
View File

@ -7,6 +7,7 @@ import (
"strings"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -224,10 +225,10 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
// can't drop if not all privileges are revoked
if rows.Err() != nil {
return nil, fmt.Errorf("could not generate revocation statements for all rows: %s", rows.Err())
return nil, errwrap.Wrapf("could not generate revocation statements for all rows: {{err}}", rows.Err())
}
if lastStmtError != nil {
return nil, fmt.Errorf("could not perform all revocation statements: %s", lastStmtError)
return nil, errwrap.Wrapf("could not perform all revocation statements: {{err}}", lastStmtError)
}
// Drop this user

6
builtin/logical/rabbitmq/path_config_connection.go
View File

@ -2,8 +2,8 @@ package rabbitmq
import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
"github.com/michaelklishin/rabbit-hole"
@ -63,12 +63,12 @@ func (b *backend) pathConnectionUpdate(ctx context.Context, req *logical.Request
// Create RabbitMQ management client
client, err := rabbithole.NewClient(uri, username, password)
if err != nil {
return nil, fmt.Errorf("failed to create client: %s", err)
return nil, errwrap.Wrapf("failed to create client: {{err}}", err)
}
// Verify that configured credentials is capable of listing
if _, err = client.ListUsers(); err != nil {
return nil, fmt.Errorf("failed to validate the connection: %s", err)
return nil, errwrap.Wrapf("failed to validate the connection: {{err}}", err)
}
}

7
builtin/logical/rabbitmq/path_role_create.go
View File

@ -4,6 +4,8 @@ import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -82,11 +84,12 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr
Write: permission.Write,
Read: permission.Read,
}); err != nil {
outerErr := errwrap.Wrapf(fmt.Sprintf("failed to update permissions to the %q user: {{err}}", username), err)
// Delete the user because it's in an unknown state
if _, rmErr := client.DeleteUser(username); rmErr != nil {
return nil, fmt.Errorf("failed to delete user:%s, err: %s. %s", username, err, rmErr)
return nil, multierror.Append(errwrap.Wrapf("failed to delete user: {{err}}", rmErr), outerErr)
}
return nil, fmt.Errorf("failed to update permissions to the %s user. err:%s", username, err)
return nil, outerErr
}
}

3
builtin/logical/rabbitmq/secret_creds.go
View File

@ -4,6 +4,7 @@ import (
"context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
@ -62,7 +63,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
}
if _, err = client.DeleteUser(username); err != nil {
return nil, fmt.Errorf("could not delete user: %s", err)
return nil, errwrap.Wrapf("could not delete user: {{err}}", err)
}
return nil, nil

11
builtin/logical/ssh/communicator.go
View File

@ -11,6 +11,7 @@ import (
"os"
"path/filepath"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
"golang.org/x/crypto/ssh"
@ -277,7 +278,7 @@ func checkSCPStatus(r *bufio.Reader) error {
// Treat any non-zero (really 1 and 2) as fatal errors
message, _, err := r.ReadLine()
if err != nil {
return fmt.Errorf("Error reading error message: %s", err)
return errwrap.Wrapf("error reading error message: {{err}}", err)
}
return errors.New(string(message))
@ -298,7 +299,7 @@ func scpUploadFile(dst string, src io.Reader, w io.Writer, r *bufio.Reader, fi *
// so that we can determine the length, since SCP is length-prefixed.
tf, err := ioutil.TempFile("", "vault-ssh-upload")
if err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err)
return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
}
defer os.Remove(tf.Name())
defer tf.Close()
@ -312,17 +313,17 @@ func scpUploadFile(dst string, src io.Reader, w io.Writer, r *bufio.Reader, fi *
// Sync the file so that the contents are definitely on disk, then
// read the length of it.
if err := tf.Sync(); err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err)
return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
}
// Seek the file to the beginning so we can re-read all of it
if _, err := tf.Seek(0, 0); err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err)
return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
}
tfi, err := tf.Stat()
if err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err)
return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
}
size = tfi.Size()

13
builtin/logical/ssh/path_config_ca.go
View File

@ -8,6 +8,7 @@ import (
"encoding/pem"
"fmt"
"github.com/hashicorp/errwrap"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -65,7 +66,7 @@ Read operations will return the public key, if already stored/generated.`,
func (b *backend) pathConfigCARead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
publicKeyEntry, err := caKey(ctx, req.Storage, caPublicKey)
if err != nil {
return nil, fmt.Errorf("failed to read CA public key: %v", err)
return nil, errwrap.Wrapf("failed to read CA public key: {{err}}", err)
}
if publicKeyEntry == nil {
@ -106,7 +107,7 @@ func caKey(ctx context.Context, storage logical.Storage, keyType string) (*keySt
entry, err := storage.Get(ctx, path)
if err != nil {
return nil, fmt.Errorf("failed to read CA key of type %q: %v", keyType, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to read CA key of type %q: {{err}}", keyType), err)
}
if entry == nil {
@ -202,12 +203,12 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request,
publicKeyEntry, err := caKey(ctx, req.Storage, caPublicKey)
if err != nil {
return nil, fmt.Errorf("failed to read CA public key: %v", err)
return nil, errwrap.Wrapf("failed to read CA public key: {{err}}", err)
}
privateKeyEntry, err := caKey(ctx, req.Storage, caPrivateKey)
if err != nil {
return nil, fmt.Errorf("failed to read CA private key: %v", err)
return nil, errwrap.Wrapf("failed to read CA private key: {{err}}", err)
}
if (publicKeyEntry != nil && publicKeyEntry.Key != "") || (privateKeyEntry != nil && privateKeyEntry.Key != "") {
@ -239,12 +240,12 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request,
if err != nil {
var mErr *multierror.Error
mErr = multierror.Append(mErr, fmt.Errorf("failed to store CA private key: %v", err))
mErr = multierror.Append(mErr, errwrap.Wrapf("failed to store CA private key: {{err}}", err))
// If storing private key fails, the corresponding public key should be
// removed
if delErr := req.Storage.Delete(ctx, caPublicKeyStoragePath); delErr != nil {
mErr = multierror.Append(mErr, fmt.Errorf("failed to cleanup CA public key: %v", delErr))
mErr = multierror.Append(mErr, errwrap.Wrapf("failed to cleanup CA public key: {{err}}", delErr))
return nil, mErr
}

2
builtin/logical/ssh/path_config_zeroaddress.go
View File

@ -146,7 +146,7 @@ func (r *zeroAddressRoles) remove(roleName string) error {
}
length := len(r.Roles)
if index >= length || index < 0 {
return fmt.Errorf("invalid index [%d]", index)
return fmt.Errorf("invalid index %d", index)
}
// If slice has zero or one item, remove the item by setting slice to nil.
if length < 2 {

13
builtin/logical/ssh/path_creds_create.go
View File

@ -6,6 +6,7 @@ import (
"net"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -55,7 +56,7 @@ func (b *backend) pathCredsCreateWrite(ctx context.Context, req *logical.Request
role, err := b.getRole(ctx, req.Storage, roleName)
if err != nil {
return nil, fmt.Errorf("error retrieving role: %v", err)
return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
}
if role == nil {
return logical.ErrorResponse(fmt.Sprintf("Role %q not found", roleName)), nil
@ -97,7 +98,7 @@ func (b *backend) pathCredsCreateWrite(ctx context.Context, req *logical.Request
zeroAddressEntry, err := b.getZeroAddressRoles(ctx, req.Storage)
if err != nil {
return nil, fmt.Errorf("error retrieving zero-address roles: %v", err)
return nil, errwrap.Wrapf("error retrieving zero-address roles: {{err}}", err)
}
var zeroAddressRoles []string
if zeroAddressEntry != nil {
@ -171,7 +172,7 @@ func (b *backend) GenerateDynamicCredential(ctx context.Context, req *logical.Re
// Fetch the host key to be used for dynamic key installation
keyEntry, err := req.Storage.Get(ctx, fmt.Sprintf("keys/%s", role.KeyName))
if err != nil {
return "", "", fmt.Errorf("key %q not found. err: %v", role.KeyName, err)
return "", "", errwrap.Wrapf(fmt.Sprintf("key %q not found: {{err}}", role.KeyName), err)
}
if keyEntry == nil {
@ -180,13 +181,13 @@ func (b *backend) GenerateDynamicCredential(ctx context.Context, req *logical.Re
var hostKey sshHostKey
if err := keyEntry.DecodeJSON(&hostKey); err != nil {
return "", "", fmt.Errorf("error reading the host key: %v", err)
return "", "", errwrap.Wrapf("error reading the host key: {{err}}", err)
}
// Generate a new RSA key pair with the given key length.
dynamicPublicKey, dynamicPrivateKey, err := generateRSAKeys(role.KeyBits)
if err != nil {
return "", "", fmt.Errorf("error generating key: %v", err)
return "", "", errwrap.Wrapf("error generating key: {{err}}", err)
}
if len(role.KeyOptionSpecs) != 0 {
@ -196,7 +197,7 @@ func (b *backend) GenerateDynamicCredential(ctx context.Context, req *logical.Re
// Add the public key to authorized_keys file in target machine
err = b.installPublicKeyInTarget(ctx, role.AdminUser, username, ip, role.Port, hostKey.Key, dynamicPublicKey, role.InstallScript, true)
if err != nil {
return "", "", fmt.Errorf("failed to add public key to authorized_keys file in target: %v", err)
return "", "", errwrap.Wrapf("failed to add public key to authorized_keys file in target: {{err}}", err)
}
return dynamicPublicKey, dynamicPrivateKey, nil
}

5
builtin/logical/ssh/path_roles.go
View File

@ -7,6 +7,7 @@ import (
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/cidrutil"
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/logical"
@ -305,7 +306,7 @@ func (b *backend) pathRoleWrite(ctx context.Context, req *logical.Request, d *fr
if cidrList != "" {
valid, err := cidrutil.ValidateCIDRListString(cidrList, ",")
if err != nil {
return nil, fmt.Errorf("failed to validate cidr_list: %v", err)
return nil, errwrap.Wrapf("failed to validate cidr_list: {{err}}", err)
}
if !valid {
return logical.ErrorResponse("failed to validate cidr_list"), nil
@ -317,7 +318,7 @@ func (b *backend) pathRoleWrite(ctx context.Context, req *logical.Request, d *fr
if excludeCidrList != "" {
valid, err := cidrutil.ValidateCIDRListString(excludeCidrList, ",")
if err != nil {
return nil, fmt.Errorf("failed to validate exclude_cidr_list entry: %v", err)
return nil, errwrap.Wrapf("failed to validate exclude_cidr_list entry: {{err}}", err)
}
if !valid {
return logical.ErrorResponse(fmt.Sprintf("failed to validate exclude_cidr_list entry: %v", err)), nil

9
builtin/logical/ssh/path_sign.go
View File

@ -10,6 +10,7 @@ import (
"strings"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/strutil"
@ -151,7 +152,7 @@ func (b *backend) pathSignCertificate(ctx context.Context, req *logical.Request,
privateKeyEntry, err := caKey(ctx, req.Storage, caPrivateKey)
if err != nil {
return nil, fmt.Errorf("failed to read CA private key: %v", err)
return nil, errwrap.Wrapf("failed to read CA private key: {{err}}", err)
}
if privateKeyEntry == nil || privateKeyEntry.Key == "" {
return nil, fmt.Errorf("failed to read CA private key")
@ -159,7 +160,7 @@ func (b *backend) pathSignCertificate(ctx context.Context, req *logical.Request,
signer, err := ssh.ParsePrivateKey([]byte(privateKeyEntry.Key))
if err != nil {
return nil, fmt.Errorf("failed to parse stored CA private key: %v", err)
return nil, errwrap.Wrapf("failed to parse stored CA private key: {{err}}", err)
}
cBundle := creationBundle{
@ -312,7 +313,7 @@ func (b *backend) calculateCriticalOptions(data *framework.FieldData, role *sshR
}
if len(notAllowedOptions) != 0 {
return nil, fmt.Errorf("Critical options not on allowed list: %v", notAllowedOptions)
return nil, fmt.Errorf("critical options not on allowed list: %v", notAllowedOptions)
}
}
@ -376,7 +377,7 @@ func (b *backend) calculateTTL(data *framework.FieldData, role *sshRole) (time.D
if !specifiedTTL {
ttl = maxTTL
} else {
return 0, fmt.Errorf("ttl is larger than maximum allowed (%d)", maxTTL/time.Second)
return 0, fmt.Errorf("ttl is larger than maximum allowed %d", maxTTL/time.Second)
}
}

2
builtin/logical/ssh/secret_dynamic_key.go
View File

@ -55,7 +55,7 @@ func (b *backend) secretDynamicKeyRevoke(ctx context.Context, req *logical.Reque
// Fetch the host key using the key name
hostKey, err := b.getKey(ctx, req.Storage, intSec.HostKeyName)
if err != nil {
return nil, fmt.Errorf("key %q not found error: %v", intSec.HostKeyName, err)
return nil, errwrap.Wrapf(fmt.Sprintf("key %q not found error: {{err}}", intSec.HostKeyName), err)
}
if hostKey == nil {
return nil, fmt.Errorf("key %q not found", intSec.HostKeyName)

13
builtin/logical/ssh/util.go
View File

@ -13,6 +13,7 @@ import (
"strings"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
log "github.com/hashicorp/go-hclog"
@ -24,7 +25,7 @@ import (
func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) {
privateKey, err := rsa.GenerateKey(rand.Reader, keyBits)
if err != nil {
return "", "", fmt.Errorf("error generating RSA key-pair: %v", err)
return "", "", errwrap.Wrapf("error generating RSA key-pair: {{err}}", err)
}
privateKeyRsa = string(pem.EncodeToMemory(&pem.Block{
@ -34,7 +35,7 @@ func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, er
sshPublicKey, err := ssh.NewPublicKey(privateKey.Public())
if err != nil {
return "", "", fmt.Errorf("error generating RSA key-pair: %v", err)
return "", "", errwrap.Wrapf("error generating RSA key-pair: {{err}}", err)
}
publicKeyRsa = "ssh-rsa " + base64.StdEncoding.EncodeToString(sshPublicKey.Marshal())
return
@ -62,7 +63,7 @@ func (b *backend) installPublicKeyInTarget(ctx context.Context, adminUser, usern
err = comm.Upload(publicKeyFileName, bytes.NewBufferString(dynamicPublicKey), nil)
if err != nil {
return fmt.Errorf("error uploading public key: %v", err)
return errwrap.Wrapf("error uploading public key: {{err}}", err)
}
// Transfer the script required to install or uninstall the key to the remote
@ -71,14 +72,14 @@ func (b *backend) installPublicKeyInTarget(ctx context.Context, adminUser, usern
scriptFileName := fmt.Sprintf("%s.sh", publicKeyFileName)
err = comm.Upload(scriptFileName, bytes.NewBufferString(installScript), nil)
if err != nil {
return fmt.Errorf("error uploading install script: %v", err)
return errwrap.Wrapf("error uploading install script: {{err}}", err)
}
// Create a session to run remote command that triggers the script to install
// or uninstall the key.
session, err := comm.NewSession()
if err != nil {
return fmt.Errorf("unable to create SSH Session using public keys: %v", err)
return errwrap.Wrapf("unable to create SSH Session using public keys: {{err}}", err)
}
if session == nil {
return fmt.Errorf("invalid session object")
@ -117,7 +118,7 @@ func roleContainsIP(ctx context.Context, s logical.Storage, roleName string, ip
roleEntry, err := s.Get(ctx, fmt.Sprintf("roles/%s", roleName))
if err != nil {
return false, fmt.Errorf("error retrieving role %v", err)
return false, errwrap.Wrapf("error retrieving role {{err}}", err)
}
if roleEntry == nil {
return false, fmt.Errorf("role %q not found", roleName)

3
builtin/logical/totp/path_keys.go
View File

@ -11,6 +11,7 @@ import (
"strconv"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
otplib "github.com/pquerna/otp"
@ -355,7 +356,7 @@ func (b *backend) pathKeyCreate(ctx context.Context, req *logical.Request, data
} else {
barcode, err := keyObject.Image(qrSize, qrSize)
if err != nil {
return nil, fmt.Errorf("failed to generate QR code image: %v", err)
return nil, errwrap.Wrapf("failed to generate QR code image: {{err}}", err)
}
var buff bytes.Buffer

4
builtin/logical/transit/path_decrypt.go
View File

@ -3,8 +3,8 @@ package transit
import (
"context"
"encoding/base64"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -58,7 +58,7 @@ func (b *backend) pathDecryptWrite(ctx context.Context, req *logical.Request, d
if batchInputRaw != nil {
err = mapstructure.Decode(batchInputRaw, &batchInputItems)
if err != nil {
return nil, fmt.Errorf("failed to parse batch input: %v", err)
return nil, errwrap.Wrapf("failed to parse batch input: {{err}}", err)
}
if len(batchInputItems) == 0 {

3
builtin/logical/transit/path_encrypt.go
View File

@ -6,6 +6,7 @@ import (
"fmt"
"sync"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/helper/keysutil"
"github.com/hashicorp/vault/logical"
@ -146,7 +147,7 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
if batchInputRaw != nil {
err = mapstructure.Decode(batchInputRaw, &batchInputItems)
if err != nil {
return nil, fmt.Errorf("failed to parse batch input: %v", err)
return nil, errwrap.Wrapf("failed to parse batch input: {{err}}", err)
}
if len(batchInputItems) == 0 {

5
builtin/logical/transit/path_keys.go
View File

@ -13,6 +13,7 @@ import (
"golang.org/x/crypto/ed25519"
"github.com/fatih/structs"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/keysutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -277,7 +278,7 @@ func (b *backend) pathPolicyRead(ctx context.Context, req *logical.Request, d *f
} else {
ver, err := strconv.Atoi(k)
if err != nil {
return nil, fmt.Errorf("invalid version %q: %v", k, err)
return nil, errwrap.Wrapf(fmt.Sprintf("invalid version %q: {{err}}", k), err)
}
derived, err := p.DeriveKey(context, ver)
if err != nil {
@ -298,7 +299,7 @@ func (b *backend) pathPolicyRead(ctx context.Context, req *logical.Request, d *f
// API
derBytes, err := x509.MarshalPKIXPublicKey(v.RSAKey.Public())
if err != nil {
return nil, fmt.Errorf("error marshaling RSA public key: %v", err)
return nil, errwrap.Wrapf("error marshaling RSA public key: {{err}}", err)
}
pemBlock := &pem.Block{
Type: "PUBLIC KEY",

3
builtin/logical/transit/path_rewrap.go
View File

@ -5,6 +5,7 @@ import (
"encoding/base64"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@ -59,7 +60,7 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *
if batchInputRaw != nil {
err = mapstructure.Decode(batchInputRaw, &batchInputItems)
if err != nil {
return nil, fmt.Errorf("failed to parse batch input: %v", err)
return nil, errwrap.Wrapf("failed to parse batch input: {{err}}", err)
}
if len(batchInputItems) == 0 {

2
command/base_flags.go
View File

@ -648,7 +648,7 @@ func newStringMapValue(def map[string]string, target *map[string]string, hidden
func (s *stringMapValue) Set(val string) error {
idx := strings.Index(val, "=")
if idx == -1 {
return fmt.Errorf("Missing = in KV pair: %s", val)
return fmt.Errorf("missing = in KV pair: %q", val)
}
if *s.target == nil {

3
command/config.go
View File

@ -77,8 +77,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf(
"invalid key '%s' on line %d", key, item.Assign.Line))
result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
}
}

10
command/config/config.go
View File

@ -5,6 +5,7 @@ import (
"io/ioutil"
"os"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/hcl"
"github.com/hashicorp/hcl/hcl/ast"
@ -56,7 +57,7 @@ func LoadConfig(path string) (*DefaultConfig, error) {
// NOTE: requires HOME env var to be set
path, err := homedir.Expand(path)
if err != nil {
return nil, fmt.Errorf("Error expanding config path %s: %s", path, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error expanding config path %q: {{err}}", path), err)
}
contents, err := ioutil.ReadFile(path)
@ -66,7 +67,7 @@ func LoadConfig(path string) (*DefaultConfig, error) {
conf, err := ParseConfig(string(contents))
if err != nil {
return nil, fmt.Errorf("Error parsing config file at %s: %q. Ensure that the file is valid; Ansible Vault is known to conflict with it.", path, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error parsing config file at %q: {{err}}; ensure that the file is valid; Ansible Vault is known to conflict with it.", path), err)
}
return conf, nil
@ -82,7 +83,7 @@ func ParseConfig(contents string) (*DefaultConfig, error) {
// Top-level item should be the object list
list, ok := root.Node.(*ast.ObjectList)
if !ok {
return nil, fmt.Errorf("Failed to parse config: does not contain a root object")
return nil, fmt.Errorf("failed to parse config; does not contain a root object")
}
valid := []string{
@ -119,8 +120,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf(
"invalid key '%s' on line %d", key, item.Assign.Line))
result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
}
}

2
command/format.go
View File

@ -161,7 +161,7 @@ func (t TableFormatter) OutputList(ui cli.Ui, secret *api.Secret, data interface
for i, v := range list {
typed, ok := v.(string)
if !ok {
return fmt.Errorf("Error: %v is not a string", v)
return fmt.Errorf("%v is not a string", v)
}
keys[i] = typed
}

7
command/operator_generate_root.go
View File

@ -9,6 +9,7 @@ import (
"os"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/password"
@ -252,14 +253,14 @@ func (c *OperatorGenerateRootCommand) Run(args []string) int {
// verifyOTP verifies the given OTP code is exactly 16 bytes.
func (c *OperatorGenerateRootCommand) verifyOTP(otp string) error {
if len(otp) == 0 {
return fmt.Errorf("No OTP passed in")
return fmt.Errorf("no OTP passed in")
}
otpBytes, err := base64.StdEncoding.DecodeString(otp)
if err != nil {
return fmt.Errorf("Error decoding base64 OTP value: %s", err)
return errwrap.Wrapf("error decoding base64 OTP value: {{err}}", err)
}
if otpBytes == nil || len(otpBytes) != 16 {
return fmt.Errorf("Decoded OTP value is invalid or wrong length")
return fmt.Errorf("decoded OTP value is invalid or wrong length")
}
return nil

24
command/server.go
View File

@ -1037,7 +1037,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
isLeader, _, _, err := core.Leader()
if err != nil && err != vault.ErrHANotEnabled {
return nil, fmt.Errorf("failed to check active status: %v", err)
return nil, errwrap.Wrapf("failed to check active status: {{err}}", err)
}
if err == nil {
leaderCount := 5
@ -1050,7 +1050,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
time.Sleep(1 * time.Second)
isLeader, _, _, err = core.Leader()
if err != nil {
return nil, fmt.Errorf("failed to check active status: %v", err)
return nil, errwrap.Wrapf("failed to check active status: {{err}}", err)
}
leaderCount--
}
@ -1072,13 +1072,13 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
}
resp, err := core.HandleRequest(req)
if err != nil {
return nil, fmt.Errorf("failed to create root token with ID %s: %s", coreConfig.DevToken, err)
return nil, errwrap.Wrapf(fmt.Sprintf("failed to create root token with ID %q: {{err}}", coreConfig.DevToken), err)
}
if resp == nil {
return nil, fmt.Errorf("nil response when creating root token with ID %s", coreConfig.DevToken)
return nil, fmt.Errorf("nil response when creating root token with ID %q", coreConfig.DevToken)
}
if resp.Auth == nil {
return nil, fmt.Errorf("nil auth when creating root token with ID %s", coreConfig.DevToken)
return nil, fmt.Errorf("nil auth when creating root token with ID %q", coreConfig.DevToken)
}
init.RootToken = resp.Auth.ClientToken
@ -1088,7 +1088,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
req.Data = nil
resp, err = core.HandleRequest(req)
if err != nil {
return nil, fmt.Errorf("failed to revoke initial root token: %s", err)
return nil, errwrap.Wrapf("failed to revoke initial root token: {{err}}", err)
}
}
@ -1355,7 +1355,7 @@ func (c *ServerCommand) detectRedirect(detect physical.RedirectDetect,
if val, ok := list.Config["tls_disable"]; ok {
disable, err := parseutil.ParseBool(val)
if err != nil {
return "", fmt.Errorf("tls_disable: %s", err)
return "", errwrap.Wrapf("tls_disable: {{err}}", err)
}
if disable {
@ -1483,7 +1483,7 @@ func (c *ServerCommand) setupTelemetry(config *server.Config) error {
sink, err := datadog.NewDogStatsdSink(telConfig.DogStatsDAddr, metricsConf.HostName)
if err != nil {
return fmt.Errorf("failed to start DogStatsD sink. Got: %s", err)
return errwrap.Wrapf("failed to start DogStatsD sink: {{err}}", err)
}
sink.SetTags(tags)
fanout = append(fanout, sink)
@ -1512,7 +1512,7 @@ func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]rel
for _, relFunc := range relFuncs {
if relFunc != nil {
if err := relFunc(nil); err != nil {
reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("Error encountered reloading listener: %v", err))
reloadErrors = multierror.Append(reloadErrors, errwrap.Wrapf("error encountered reloading listener: {{err}}", err))
}
}
}
@ -1521,7 +1521,7 @@ func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]rel
for _, relFunc := range relFuncs {
if relFunc != nil {
if err := relFunc(nil); err != nil {
reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("Error encountered reloading file audit device at path %s: %v", strings.TrimPrefix(k, "audit_file|"), err))
reloadErrors = multierror.Append(reloadErrors, errwrap.Wrapf(fmt.Sprintf("error encountered reloading file audit device at path %q: {{err}}", strings.TrimPrefix(k, "audit_file|")), err))
}
}
}
@ -1548,7 +1548,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error {
// Open the PID file
pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
if err != nil {
return fmt.Errorf("could not open pid file: %v", err)
return errwrap.Wrapf("could not open pid file: {{err}}", err)
}
defer pidFile.Close()
@ -1556,7 +1556,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error {
pid := os.Getpid()
_, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
if err != nil {
return fmt.Errorf("could not write to pid file: %v", err)
return errwrap.Wrapf("could not write to pid file: {{err}}", err)
}
return nil
}

26
command/server/config.go
View File

@ -10,6 +10,7 @@ import (
"strings"
"time"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-multierror"
@ -430,49 +431,49 @@ func ParseConfig(d string, logger log.Logger) (*Config, error) {
// Look for storage but still support old backend
if o := list.Filter("storage"); len(o.Items) > 0 {
if err := parseStorage(&result, o, "storage"); err != nil {
return nil, fmt.Errorf("error parsing 'storage': %s", err)
return nil, errwrap.Wrapf("error parsing 'storage': {{err}}", err)
}
} else {
if o := list.Filter("backend"); len(o.Items) > 0 {
if err := parseStorage(&result, o, "backend"); err != nil {
return nil, fmt.Errorf("error parsing 'backend': %s", err)
return nil, errwrap.Wrapf("error parsing 'backend': {{err}}", err)
}
}
}
if o := list.Filter("ha_storage"); len(o.Items) > 0 {
if err := parseHAStorage(&result, o, "ha_storage"); err != nil {
return nil, fmt.Errorf("error parsing 'ha_storage': %s", err)
return nil, errwrap.Wrapf("error parsing 'ha_storage': {{err}}", err)
}
} else {
if o := list.Filter("ha_backend"); len(o.Items) > 0 {
if err := parseHAStorage(&result, o, "ha_backend"); err != nil {
return nil, fmt.Errorf("error parsing 'ha_backend': %s", err)
return nil, errwrap.Wrapf("error parsing 'ha_backend': {{err}}", err)
}
}
}
if o := list.Filter("hsm"); len(o.Items) > 0 {
if err := parseSeal(&result, o, "hsm"); err != nil {
return nil, fmt.Errorf("error parsing 'hsm': %s", err)
return nil, errwrap.Wrapf("error parsing 'hsm': {{err}}", err)
}
}
if o := list.Filter("seal"); len(o.Items) > 0 {
if err := parseSeal(&result, o, "seal"); err != nil {
return nil, fmt.Errorf("error parsing 'seal': %s", err)
return nil, errwrap.Wrapf("error parsing 'seal': {{err}}", err)
}
}
if o := list.Filter("listener"); len(o.Items) > 0 {
if err := parseListeners(&result, o); err != nil {
return nil, fmt.Errorf("error parsing 'listener': %s", err)
return nil, errwrap.Wrapf("error parsing 'listener': {{err}}", err)
}
}
if o := list.Filter("telemetry"); len(o.Items) > 0 {
if err := parseTelemetry(&result, o); err != nil {
return nil, fmt.Errorf("error parsing 'telemetry': %s", err)
return nil, errwrap.Wrapf("error parsing 'telemetry': {{err}}", err)
}
}
@ -493,9 +494,7 @@ func LoadConfigDir(dir string, logger log.Logger) (*Config, error) {
return nil, err
}
if !fi.IsDir() {
return nil, fmt.Errorf(
"configuration path must be a directory: %s",
dir)
return nil, fmt.Errorf("configuration path must be a directory: %q", dir)
}
var files []string
@ -534,7 +533,7 @@ func LoadConfigDir(dir string, logger log.Logger) (*Config, error) {
for _, f := range files {
config, err := LoadConfigFile(f, logger)
if err != nil {
return nil, fmt.Errorf("Error loading %s: %s", f, err)
return nil, errwrap.Wrapf(fmt.Sprintf("error loading %q: {{err}}", f), err)
}
if result == nil {
@ -866,8 +865,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf(
"invalid key '%s' on line %d", key, item.Assign.Line))
result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
}
}

20
command/server/listener.go
View File

@ -32,7 +32,7 @@ var BuiltinListeners = map[string]ListenerFactory{
func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
f, ok := BuiltinListeners[t]
if !ok {
return nil, nil, nil, fmt.Errorf("unknown listener type: %s", t)
return nil, nil, nil, fmt.Errorf("unknown listener type: %q", t)
}
return f(config, logger, ui)
@ -58,12 +58,12 @@ func listenerWrapProxy(ln net.Listener, config map[string]interface{}) (net.List
Behavior: behavior,
}
if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {
return nil, fmt.Errorf("failed parsing proxy_protocol_authorized_addrs: %v", err)
return nil, errwrap.Wrapf("failed parsing proxy_protocol_authorized_addrs: {{err}}", err)
}
newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
if err != nil {
return nil, fmt.Errorf("failed configuring PROXY protocol wrapper: %s", err)
return nil, errwrap.Wrapf("failed configuring PROXY protocol wrapper: {{err}}", err)
}
return newLn, nil
@ -79,7 +79,7 @@ func listenerWrapTLS(
if v, ok := config["tls_disable"]; ok {
disabled, err := parseutil.ParseBool(v)
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable': %v", err)
return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable': {{err}}", err)
}
if disabled {
return ln, props, nil, nil
@ -128,21 +128,21 @@ PASSPHRASECORRECT:
tlsConf.NextProtos = []string{"h2", "http/1.1"}
tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers]
if !ok {
return nil, nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
return nil, nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
}
tlsConf.ClientAuth = tls.RequestClientCert
if v, ok := config["tls_cipher_suites"]; ok {
ciphers, err := tlsutil.ParseCiphers(v.(string))
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_cipher_suites': %v", err)
return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_cipher_suites': {{err}}", err)
}
tlsConf.CipherSuites = ciphers
}
if v, ok := config["tls_prefer_server_cipher_suites"]; ok {
preferServer, err := parseutil.ParseBool(v)
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_prefer_server_cipher_suites': %v", err)
return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_prefer_server_cipher_suites': {{err}}", err)
}
tlsConf.PreferServerCipherSuites = preferServer
}
@ -151,7 +151,7 @@ PASSPHRASECORRECT:
if v, ok := config["tls_require_and_verify_client_cert"]; ok {
requireVerifyCerts, err = parseutil.ParseBool(v)
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_require_and_verify_client_cert': %v", err)
return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_require_and_verify_client_cert': {{err}}", err)
}
if requireVerifyCerts {
tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
@ -160,7 +160,7 @@ PASSPHRASECORRECT:
caPool := x509.NewCertPool()
data, err := ioutil.ReadFile(tlsClientCaFile.(string))
if err != nil {
return nil, nil, nil, fmt.Errorf("failed to read tls_client_ca_file: %v", err)
return nil, nil, nil, errwrap.Wrapf("failed to read tls_client_ca_file: {{err}}", err)
}
if !caPool.AppendCertsFromPEM(data) {
@ -172,7 +172,7 @@ PASSPHRASECORRECT:
if v, ok := config["tls_disable_client_certs"]; ok {
disableClientCerts, err := parseutil.ParseBool(v)
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable_client_certs': %v", err)
return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable_client_certs': {{err}}", err)
}
if disableClientCerts && requireVerifyCerts {
return nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")

10
command/ssh.go
View File

@ -11,6 +11,7 @@ import (
"strings"
"syscall"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/builtin/logical/ssh"
"github.com/mitchellh/cli"
@ -697,15 +698,14 @@ func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) {
}
secret, err := c.client.Logical().Write(mountPoint+"/lookup", data)
if err != nil {
return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err)
return "", errwrap.Wrapf(fmt.Sprintf("error finding roles for IP %q: {{err}}", ip), err)
}
if secret == nil || secret.Data == nil {
return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err)
return "", errwrap.Wrapf(fmt.Sprintf("error finding roles for IP %q: {{err}}", ip), err)
}
if secret.Data["roles"] == nil {
return "", fmt.Errorf("No matching roles found for IP %q", ip)
return "", fmt.Errorf("no matching roles found for IP %q", ip)
}
if len(secret.Data["roles"].([]interface{})) == 1 {
@ -716,7 +716,7 @@ func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) {
roleNames += item.(string) + ", "
}
roleNames = strings.TrimRight(roleNames, ", ")
return "", fmt.Errorf("Roles:%q. "+`
return "", fmt.Errorf("Roles: %q. "+`
Multiple roles are registered for this IP.
Select a role using '-role' option.
Note that all roles may not be permitted, based on ACLs.`, roleNames)

17
command/token/helper_external.go
View File

@ -8,6 +8,8 @@ import (
"path/filepath"
"runtime"
"strings"
"github.com/hashicorp/errwrap"
)
// ExternalTokenHelperPath takes the configured path to a helper and expands it to
@ -59,11 +61,10 @@ type ExternalTokenHelper struct {
func (h *ExternalTokenHelper) Erase() error {
cmd, err := h.cmd("erase")
if err != nil {
return fmt.Errorf("Error: %s", err)
return err
}
if output, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf(
"Error: %s\n\n%s", err, string(output))
return errwrap.Wrapf(fmt.Sprintf("%q: {{err}}", string(output)), err)
}
return nil
}
@ -73,13 +74,12 @@ func (h *ExternalTokenHelper) Get() (string, error) {
var buf, stderr bytes.Buffer
cmd, err := h.cmd("get")
if err != nil {
return "", fmt.Errorf("Error: %s", err)
return "", err
}
cmd.Stdout = &buf
cmd.Stderr = &stderr
if err := cmd.Run(); err != nil {
return "", fmt.Errorf(
"Error: %s\n\n%s", err, stderr.String())
return "", errwrap.Wrapf(fmt.Sprintf("%q: {{err}}", stderr.String()), err)
}
return buf.String(), nil
@ -90,12 +90,11 @@ func (h *ExternalTokenHelper) Store(v string) error {
buf := bytes.NewBufferString(v)
cmd, err := h.cmd("store")
if err != nil {
return fmt.Errorf("Error: %s", err)
return err
}
cmd.Stdin = buf
if output, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf(
"Error: %s\n\n%s", err, string(output))
return errwrap.Wrapf(fmt.Sprintf("%q: {{err}}", string(output)), err)
}
return nil

2
command/token/helper_internal.go
View File

@ -23,7 +23,7 @@ type InternalTokenHelper struct {
func (i *InternalTokenHelper) populateTokenPath() {
homePath, err := homedir.Dir()
if err != nil {
panic(fmt.Errorf("error getting user's home directory: %v", err))
panic(fmt.Sprintf("error getting user's home directory: %v", err))
}
i.tokenPath = homePath + "/.vault-token"
}

11
helper/certutil/types.go
View File

@ -20,6 +20,7 @@ import (
"math/big"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil"
)
@ -293,10 +294,10 @@ func (p *ParsedCertBundle) Verify() error {
if p.PrivateKey != nil && p.Certificate != nil {
equal, err := ComparePublicKeys(p.Certificate.PublicKey, p.PrivateKey.Public())
if err != nil {
return fmt.Errorf("could not compare public and private keys: %s", err)
return errwrap.Wrapf("could not compare public and private keys: {{err}}", err)
}
if !equal {
return fmt.Errorf("Public key of certificate does not match private key")
return fmt.Errorf("public key of certificate does not match private key")
}
}
@ -307,7 +308,7 @@ func (p *ParsedCertBundle) Verify() error {
return fmt.Errorf("certificate %d of certificate chain is not a certificate authority", i+1)
}
if !bytes.Equal(certPath[i].Certificate.AuthorityKeyId, caCert.Certificate.SubjectKeyId) {
return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%s/%s)",
return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%q/%q)",
i+1, certPath[i].Certificate.Subject.CommonName, caCert.Certificate.Subject.CommonName)
}
}
@ -556,13 +557,13 @@ func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error) {
// Technically we only need one cert, but this doesn't duplicate code
certBundle, err := p.ToCertBundle()
if err != nil {
return nil, fmt.Errorf("Error converting parsed bundle to string bundle when getting TLS config: %s", err)
return nil, errwrap.Wrapf("error converting parsed bundle to string bundle when getting TLS config: {{err}}", err)
}
caPool := x509.NewCertPool()
ok := caPool.AppendCertsFromPEM([]byte(certBundle.CAChain[0]))
if !ok {
return nil, fmt.Errorf("Could not append CA certificate")
return nil, fmt.Errorf("could not append CA certificate")
}
if usage&TLSServer > 0 {

5
helper/cidrutil/cidr.go
View File

@ -5,6 +5,7 @@ import (
"net"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/strutil"
)
@ -102,7 +103,7 @@ func Subset(cidr1, cidr2 string) (bool, error) {
ip1, net1, err := net.ParseCIDR(cidr1)
if err != nil {
return false, fmt.Errorf("failed to parse the CIDR to be checked against: %q", err)
return false, errwrap.Wrapf("failed to parse the CIDR to be checked against: {{err}}", err)
}
zeroAddr := false
@ -120,7 +121,7 @@ func Subset(cidr1, cidr2 string) (bool, error) {
ip2, net2, err := net.ParseCIDR(cidr2)
if err != nil {
return false, fmt.Errorf("failed to parse the CIDR that needs to be checked: %q", err)
return false, errwrap.Wrapf("failed to parse the CIDR that needs to be checked: {{err}}", err)
}
zeroAddr = false

7
helper/compressutil/compress.go
View File

@ -8,6 +8,7 @@ import (
"io"
"github.com/golang/snappy"
"github.com/hashicorp/errwrap"
)
const (
@ -107,7 +108,7 @@ func Compress(data []byte, config *CompressionConfig) ([]byte, error) {
}
if err != nil {
return nil, fmt.Errorf("failed to create a compression writer; err: %v", err)
return nil, errwrap.Wrapf("failed to create a compression writer: {{err}}", err)
}
if writer == nil {
@ -117,7 +118,7 @@ func Compress(data []byte, config *CompressionConfig) ([]byte, error) {
// Compress the input and place it in the same buffer containing the
// canary byte.
if _, err = writer.Write(data); err != nil {
return nil, fmt.Errorf("failed to compress input data; err: %v", err)
return nil, errwrap.Wrapf("failed to compress input data: err: {{err}}", err)
}
// Close the io.WriteCloser
@ -172,7 +173,7 @@ func Decompress(data []byte) ([]byte, bool, error) {
return nil, true, nil
}
if err != nil {
return nil, false, fmt.Errorf("failed to create a compression reader; err: %v", err)
return nil, false, errwrap.Wrapf("failed to create a compression reader: {{err}}", err)
}
if reader == nil {
return nil, false, fmt.Errorf("failed to create a compression reader")

2
helper/flag-kv/flag.go
View File

@ -16,7 +16,7 @@ func (v *Flag) String() string {
func (v *Flag) Set(raw string) error {
idx := strings.Index(raw, "=")
if idx == -1 {
return fmt.Errorf("No '=' value in arg: %s", raw)
return fmt.Errorf("no '=' value in arg: %q", raw)
}
if *v == nil {

13
helper/identity/identity.go
View File

@ -4,6 +4,7 @@ import (
"fmt"
"github.com/gogo/protobuf/proto"
"github.com/hashicorp/errwrap"
)
func (g *Group) Clone() (*Group, error) {
@ -13,13 +14,13 @@ func (g *Group) Clone() (*Group, error) {
marshaledGroup, err := proto.Marshal(g)
if err != nil {
return nil, fmt.Errorf("failed to marshal group: %v", err)
return nil, errwrap.Wrapf("failed to marshal group: {{err}}", err)
}
var clonedGroup Group
err = proto.Unmarshal(marshaledGroup, &clonedGroup)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal group: %v", err)
return nil, errwrap.Wrapf("failed to unmarshal group: {{err}}", err)
}
return &clonedGroup, nil
@ -32,13 +33,13 @@ func (e *Entity) Clone() (*Entity, error) {
marshaledEntity, err := proto.Marshal(e)
if err != nil {
return nil, fmt.Errorf("failed to marshal entity: %v", err)
return nil, errwrap.Wrapf("failed to marshal entity: {{err}}", err)
}
var clonedEntity Entity
err = proto.Unmarshal(marshaledEntity, &clonedEntity)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal entity: %v", err)
return nil, errwrap.Wrapf("failed to unmarshal entity: {{err}}", err)
}
return &clonedEntity, nil
@ -51,13 +52,13 @@ func (p *Alias) Clone() (*Alias, error) {
marshaledAlias, err := proto.Marshal(p)
if err != nil {
return nil, fmt.Errorf("failed to marshal alias: %v", err)
return nil, errwrap.Wrapf("failed to marshal alias: {{err}}", err)
}
var clonedAlias Alias
err = proto.Unmarshal(marshaledAlias, &clonedAlias)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal alias: %v", err)
return nil, errwrap.Wrapf("failed to unmarshal alias: {{err}}", err)
}
return &clonedAlias, nil

3
helper/jsonutil/json.go
View File

@ -7,6 +7,7 @@ import (
"fmt"
"io"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/compressutil"
)
@ -64,7 +65,7 @@ func DecodeJSON(data []byte, out interface{}) error {
// Decompress the data if it was compressed in the first place
decompressedBytes, uncompressed, err := compressutil.Decompress(data)
if err != nil {
return fmt.Errorf("failed to decompress JSON: err: %v", err)
return errwrap.Wrapf("failed to decompress JSON: {{err}}", err)
}
if !uncompressed && (decompressedBytes == nil || len(decompressedBytes) == 0) {
return fmt.Errorf("decompressed data being decoded is invalid")

9
helper/keysutil/lock_manager.go
View File

@ -8,6 +8,7 @@ import (
"sync"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil"
"github.com/hashicorp/vault/logical"
)
@ -270,7 +271,7 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
if keyData.ArchivedKeys != nil {
err = keyData.Policy.storeArchive(ctx, storage, keyData.ArchivedKeys)
if err != nil {
return fmt.Errorf("failed to restore archived keys for policy %q: %v", name, err)
return errwrap.Wrapf(fmt.Sprintf("failed to restore archived keys for policy %q: {{err}}", name), err)
}
}
@ -283,7 +284,7 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
// Restore the policy. This will also attempt to adjust the archive.
err = keyData.Policy.Persist(ctx, storage)
if err != nil {
return fmt.Errorf("failed to restore the policy %q: %v", name, err)
return errwrap.Wrapf(fmt.Sprintf("failed to restore the policy %q: {{err}}", name), err)
}
// Update the cache to contain the restored policy
@ -484,12 +485,12 @@ func (lm *LockManager) DeletePolicy(ctx context.Context, storage logical.Storage
err = storage.Delete(ctx, "policy/"+name)
if err != nil {
return fmt.Errorf("error deleting policy %s: %s", name, err)
return errwrap.Wrapf(fmt.Sprintf("error deleting policy %q: {{err}}", name), err)
}
err = storage.Delete(ctx, "archive/"+name)
if err != nil {
return fmt.Errorf("error deleting archive %s: %s", name, err)
return errwrap.Wrapf(fmt.Sprintf("error deleting archive %q: {{err}}", name), err)
}
if lm.CacheActive() {

5
helper/keysutil/policy.go
View File

@ -30,6 +30,7 @@ import (
"golang.org/x/crypto/ed25519"
"golang.org/x/crypto/hkdf"
"github.com/hashicorp/errwrap"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/helper/jsonutil"
@ -1227,7 +1228,7 @@ func (p *Policy) Rotate(ctx context.Context, storage logical.Storage) (retErr er
entry.EC_Y = privKey.Y
derBytes, err := x509.MarshalPKIXPublicKey(privKey.Public())
if err != nil {
return fmt.Errorf("error marshaling public key: %s", err)
return errwrap.Wrapf("error marshaling public key: {{err}}", err)
}
pemBlock := &pem.Block{
Type: "PUBLIC KEY",
@ -1308,7 +1309,7 @@ func (p *Policy) Backup(ctx context.Context, storage logical.Storage) (out strin
}
err := p.Persist(ctx, storage)
if err != nil {
return "", fmt.Errorf("failed to persist policy with backup info: %v", err)
return "", errwrap.Wrapf("failed to persist policy with backup info: {{err}}", err)
}
// Load the archive only after persisting the policy as the archive can get

5
helper/kv-builder/builder.go
View File

@ -8,6 +8,7 @@ import (
"os"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil"
"github.com/mitchellh/mapstructure"
)
@ -30,7 +31,7 @@ func (b *Builder) Map() map[string]interface{} {
func (b *Builder) Add(args ...string) error {
for _, a := range args {
if err := b.add(a); err != nil {
return fmt.Errorf("Invalid key/value pair '%s': %s", a, err)
return errwrap.Wrapf(fmt.Sprintf("invalid key/value pair %q: {{err}}", a), err)
}
}
@ -87,7 +88,7 @@ func (b *Builder) add(raw string) error {
if value[0] == '@' {
contents, err := ioutil.ReadFile(value[1:])
if err != nil {
return fmt.Errorf("error reading file: %s", err)
return errwrap.Wrapf("error reading file: {{err}}", err)
}
value = string(contents)

4
helper/mfa/duo/path_duo_access.go
View File

@ -70,7 +70,7 @@ func GetDuoAuthClient(ctx context.Context, req *logical.Request, config *DuoConf
return nil, err
}
if check == nil {
return nil, fmt.Errorf("Could not connect to Duo; got nil result back from API check call")
return nil, fmt.Errorf("could not connect to Duo; got nil result back from API check call")
}
var msg, detail string
if check.StatResult.Message != nil {
@ -80,7 +80,7 @@ func GetDuoAuthClient(ctx context.Context, req *logical.Request, config *DuoConf
detail = *check.StatResult.Message_Detail
}
if check.StatResult.Stat != "OK" {
return nil, fmt.Errorf("Could not connect to Duo: %s (%s)", msg, detail)
return nil, fmt.Errorf("could not connect to Duo: %q (%q)", msg, detail)
}
return duoAuthClient, nil
}

2
helper/password/password_solaris.go
View File

@ -13,7 +13,7 @@ import (
func read(f *os.File) (string, error) {
fd := int(f.Fd())
if !isTerminal(fd) {
return "", fmt.Errorf("File descriptor %d is not a terminal", fd)
return "", fmt.Errorf("file descriptor %d is not a terminal", fd)
}
oldState, err := makeRaw(fd)

2
helper/password/password_unix.go
View File

@ -12,7 +12,7 @@ import (
func read(f *os.File) (string, error) {
fd := int(f.Fd())
if !terminal.IsTerminal(fd) {
return "", fmt.Errorf("File descriptor %d is not a terminal", fd)
return "", fmt.Errorf("file descriptor %d is not a terminal", fd)
}
oldState, err := terminal.MakeRaw(fd)

19
helper/pgpkeys/encrypt_decrypt.go
View File

@ -5,6 +5,7 @@ import (
"encoding/base64"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/keybase/go-crypto/openpgp"
"github.com/keybase/go-crypto/openpgp/packet"
)
@ -17,7 +18,7 @@ import (
// thoroughly tested in the init and rekey command unit tests
func EncryptShares(input [][]byte, pgpKeys []string) ([]string, [][]byte, error) {
if len(input) != len(pgpKeys) {
return nil, nil, fmt.Errorf("Mismatch between number items to encrypt and number of PGP keys")
return nil, nil, fmt.Errorf("mismatch between number items to encrypt and number of PGP keys")
}
encryptedShares := make([][]byte, 0, len(pgpKeys))
entities, err := GetEntities(pgpKeys)
@ -28,11 +29,11 @@ func EncryptShares(input [][]byte, pgpKeys []string) ([]string, [][]byte, error)
ctBuf := bytes.NewBuffer(nil)
pt, err := openpgp.Encrypt(ctBuf, []*openpgp.Entity{entity}, nil, nil, nil)
if err != nil {
return nil, nil, fmt.Errorf("Error setting up encryption for PGP message: %s", err)
return nil, nil, errwrap.Wrapf("error setting up encryption for PGP message: {{err}}", err)
}
_, err = pt.Write(input[i])
if err != nil {
return nil, nil, fmt.Errorf("Error encrypting PGP message: %s", err)
return nil, nil, errwrap.Wrapf("error encrypting PGP message: {{err}}", err)
}
pt.Close()
encryptedShares = append(encryptedShares, ctBuf.Bytes())
@ -72,11 +73,11 @@ func GetEntities(pgpKeys []string) ([]*openpgp.Entity, error) {
for _, keystring := range pgpKeys {
data, err := base64.StdEncoding.DecodeString(keystring)
if err != nil {
return nil, fmt.Errorf("Error decoding given PGP key: %s", err)
return nil, errwrap.Wrapf("error decoding given PGP key: {{err}}", err)
}
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(data)))
if err != nil {
return nil, fmt.Errorf("Error parsing given PGP key: %s", err)
return nil, errwrap.Wrapf("error parsing given PGP key: {{err}}", err)
}
ret = append(ret, entity)
}
@ -91,23 +92,23 @@ func GetEntities(pgpKeys []string) ([]*openpgp.Entity, error) {
func DecryptBytes(encodedCrypt, privKey string) (*bytes.Buffer, error) {
privKeyBytes, err := base64.StdEncoding.DecodeString(privKey)
if err != nil {
return nil, fmt.Errorf("Error decoding base64 private key: %s", err)
return nil, errwrap.Wrapf("error decoding base64 private key: {{err}}", err)
}
cryptBytes, err := base64.StdEncoding.DecodeString(encodedCrypt)
if err != nil {
return nil, fmt.Errorf("Error decoding base64 crypted bytes: %s", err)
return nil, errwrap.Wrapf("error decoding base64 crypted bytes: {{err}}", err)
}
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(privKeyBytes)))
if err != nil {
return nil, fmt.Errorf("Error parsing private key: %s", err)
return nil, errwrap.Wrapf("error parsing private key: {{err}}", err)
}
entityList := &openpgp.EntityList{entity}
md, err := openpgp.ReadMessage(bytes.NewBuffer(cryptBytes), entityList, nil, nil)
if err != nil {
return nil, fmt.Errorf("Error decrypting the messages: %s", err)
return nil, errwrap.Wrapf("error decrypting the messages: {{err}}", err)
}
ptBuf := bytes.NewBuffer(nil)

7
helper/pgpkeys/flag.go
View File

@ -8,6 +8,7 @@ import (
"os"
"strings"
"github.com/hashicorp/errwrap"
"github.com/keybase/go-crypto/openpgp"
)
@ -115,16 +116,16 @@ func ReadPGPFile(path string) (string, error) {
entityList, err := openpgp.ReadArmoredKeyRing(keyReader)
if err == nil {
if len(entityList) != 1 {
return "", fmt.Errorf("more than one key found in file %s", path)
return "", fmt.Errorf("more than one key found in file %q", path)
}
if entityList[0] == nil {
return "", fmt.Errorf("primary key was nil for file %s", path)
return "", fmt.Errorf("primary key was nil for file %q", path)
}
serializedEntity := bytes.NewBuffer(nil)
err = entityList[0].Serialize(serializedEntity)
if err != nil {
return "", fmt.Errorf("error serializing entity for file %s: %s", path, err)
return "", errwrap.Wrapf(fmt.Sprintf("error serializing entity for file %q: {{err}}", path), err)
}
return base64.StdEncoding.EncodeToString(serializedEntity.Bytes()), nil

11
helper/pgpkeys/keybase.go
View File

@ -6,6 +6,7 @@ import (
"fmt"
"strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/jsonutil"
"github.com/keybase/go-crypto/openpgp"
@ -75,7 +76,7 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) {
}
if out.Status.Name != "OK" {
return nil, fmt.Errorf("got non-OK response: %s", out.Status.Name)
return nil, fmt.Errorf("got non-OK response: %q", out.Status.Name)
}
missingNames := make([]string, 0, len(usernames))
@ -92,16 +93,16 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) {
return nil, err
}
if len(entityList) != 1 {
return nil, fmt.Errorf("primary key could not be parsed for user %s", usernames[i])
return nil, fmt.Errorf("primary key could not be parsed for user %q", usernames[i])
}
if entityList[0] == nil {
return nil, fmt.Errorf("primary key was nil for user %s", usernames[i])
return nil, fmt.Errorf("primary key was nil for user %q", usernames[i])
}
serializedEntity.Reset()
err = entityList[0].Serialize(serializedEntity)
if err != nil {
return nil, fmt.Errorf("error serializing entity for user %s: %s", usernames[i], err)
return nil, errwrap.Wrapf(fmt.Sprintf("error serializing entity for user %q: {{err}}", usernames[i]), err)
}
// The API returns values in the same ordering requested, so this should properly match
@ -109,7 +110,7 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) {
}
if len(missingNames) > 0 {
return nil, fmt.Errorf("unable to fetch keys for user(s) %s from keybase", strings.Join(missingNames, ","))
return nil, fmt.Errorf("unable to fetch keys for user(s) %q from keybase", strings.Join(missingNames, ","))
}
return ret, nil

15
helper/pluginutil/tls.go
View File

@ -10,7 +10,6 @@ import (
"crypto/x509/pkix"
"encoding/base64"
"errors"
"fmt"
"net/url"
"os"
"time"
@ -79,7 +78,7 @@ func generateCert() ([]byte, *ecdsa.PrivateKey, error) {
func createClientTLSConfig(certBytes []byte, key *ecdsa.PrivateKey) (*tls.Config, error) {
clientCert, err := x509.ParseCertificate(certBytes)
if err != nil {
return nil, fmt.Errorf("error parsing generated plugin certificate: %v", err)
return nil, errwrap.Wrapf("error parsing generated plugin certificate: {{err}}", err)
}
cert := tls.Certificate{
@ -137,7 +136,7 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
// Parse the JWT and retrieve the vault address
wt, err := jws.ParseJWT([]byte(unwrapToken))
if err != nil {
return nil, fmt.Errorf("error decoding token: %s", err)
return nil, errwrap.Wrapf("error decoding token: {{err}}", err)
}
if wt == nil {
return nil, errors.New("nil decoded token")
@ -157,7 +156,7 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
// Sanity check the value
if _, err := url.Parse(vaultAddr); err != nil {
return nil, fmt.Errorf("error parsing the vault api_addr: %s", err)
return nil, errwrap.Wrapf("error parsing the vault api_addr: {{err}}", err)
}
// Unwrap the token
@ -190,12 +189,12 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)
if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err)
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
}
serverCert, err := x509.ParseCertificate(serverCertBytes)
if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err)
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
}
// Retrieve and parse the server's private key
@ -206,12 +205,12 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)
if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err)
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
}
serverKey, err := x509.ParseECPrivateKey(serverKeyRaw)
if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err)
return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
}
// Add CA cert to the cert pool

7
helper/salt/salt.go
View File

@ -9,6 +9,7 @@ import (
"fmt"
"hash"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/logical"
)
@ -78,7 +79,7 @@ func NewSalt(ctx context.Context, view logical.Storage, config *Config) (*Salt,
if view != nil {
raw, err = view.Get(ctx, config.Location)
if err != nil {
return nil, fmt.Errorf("failed to read salt: %v", err)
return nil, errwrap.Wrapf("failed to read salt: {{err}}", err)
}
}
@ -91,7 +92,7 @@ func NewSalt(ctx context.Context, view logical.Storage, config *Config) (*Salt,
if s.salt == "" {
s.salt, err = uuid.GenerateUUID()
if err != nil {
return nil, fmt.Errorf("failed to generate uuid: %v", err)
return nil, errwrap.Wrapf("failed to generate uuid: {{err}}", err)
}
s.generated = true
if view != nil {
@ -100,7 +101,7 @@ func NewSalt(ctx context.Context, view logical.Storage, config *Config) (*Salt,
Value: []byte(s.salt),
}
if err := view.Put(ctx, raw); err != nil {
return nil, fmt.Errorf("failed to persist salt: %v", err)
return nil, errwrap.Wrapf("failed to persist salt: {{err}}", err)
}
}
}

7
helper/strutil/strutil.go
View File

@ -7,6 +7,7 @@ import (
"sort"
"strings"
"github.com/hashicorp/errwrap"
glob "github.com/ryanuber/go-glob"
)
@ -89,7 +90,7 @@ func ParseKeyValues(input string, out map[string]string, sep string) error {
key := strings.TrimSpace(shards[0])
value := strings.TrimSpace(shards[1])
if key == "" || value == "" {
return fmt.Errorf("invalid <key,value> pair: key:'%s' value:'%s'", key, value)
return fmt.Errorf("invalid <key,value> pair: key: %q value: %q", key, value)
}
out[key] = value
}
@ -129,14 +130,14 @@ func ParseArbitraryKeyValues(input string, out map[string]string, sep string) er
// If JSON unmarshalling fails, consider that the input was
// supplied as a comma separated string of 'key=value' pairs.
if err = ParseKeyValues(input, out, sep); err != nil {
return fmt.Errorf("failed to parse the input: %v", err)
return errwrap.Wrapf("failed to parse the input: {{err}}", err)
}
}
// Validate the parsed input
for key, value := range out {
if key != "" && value == "" {
return fmt.Errorf("invalid value for key '%s'", key)
return fmt.Errorf("invalid value for key %q", key)
}
}

6
helper/xor/xor.go
View File

@ -3,6 +3,8 @@ package xor
import (
"encoding/base64"
"fmt"
"github.com/hashicorp/errwrap"
)
// XORBytes takes two byte slices and XORs them together, returning the final
@ -28,7 +30,7 @@ func XORBytes(a, b []byte) ([]byte, error) {
func XORBase64(a, b string) ([]byte, error) {
aBytes, err := base64.StdEncoding.DecodeString(a)
if err != nil {
return nil, fmt.Errorf("error decoding first base64 value: %v", err)
return nil, errwrap.Wrapf("error decoding first base64 value: {{err}}", err)
}
if aBytes == nil || len(aBytes) == 0 {
return nil, fmt.Errorf("decoded first base64 value is nil or empty")
@ -36,7 +38,7 @@ func XORBase64(a, b string) ([]byte, error) {
bBytes, err := base64.StdEncoding.DecodeString(b)
if err != nil {
return nil, fmt.Errorf("error decoding second base64 value: %v", err)
return nil, errwrap.Wrapf("error decoding second base64 value: {{err}}", err)
}
if bBytes == nil || len(bBytes) == 0 {
return nil, fmt.Errorf("decoded second base64 value is nil or empty")

2
http/handler.go
View File

@ -134,7 +134,7 @@ func wrappingVerificationFunc(core *vault.Core, req *logical.Request) error {
valid, err := core.ValidateWrappingToken(req)
if err != nil {
return fmt.Errorf("error validating wrapping token: %v", err)
return errwrap.Wrapf("error validating wrapping token: {{err}}", err)
}
if !valid {
return fmt.Errorf("wrapping token is not valid or does not exist")

3
http/sys_generate_root.go
View File

@ -36,8 +36,7 @@ func handleSysGenerateRootAttemptGet(core *vault.Core, w http.ResponseWriter, r
return
}
if barrierConfig == nil {
respondError(w, http.StatusBadRequest, fmt.Errorf(
"server is not yet initialized"))
respondError(w, http.StatusBadRequest, fmt.Errorf("server is not yet initialized"))
return
}

Some files were not shown because too many files have changed in this diff Show More