Spelling (#4119)

CHANGELOG.md

@@ -417,7 +417,7 @@ BUG FIXES:
 DEPRECATIONS/CHANGES:
 
  * HSM config parameter requirements: When using Vault with an HSM, a new
-   paramter is required: `hmac_key_label`.  This performs a similar function to
+   parameter is required: `hmac_key_label`.  This performs a similar function to
    `key_label` but for the HMAC key Vault will use. Vault will generate a
    suitable key if this value is specified and `generate_key` is set true.
  * API HTTP client behavior: When calling `NewClient` the API no longer
@@ -694,7 +694,7 @@ FEATURES:
  * **GCP IAM Auth Backend**: There is now an authentication backend that allows
    using GCP IAM credentials to retrieve Vault tokens. This is available as
    both a plugin and built-in to Vault.
- * **PingID Push Support for Path-Baased MFA (Enterprise)**: PingID Push can
+ * **PingID Push Support for Path-Based MFA (Enterprise)**: PingID Push can
    now be used for MFA with the new path-based MFA introduced in Vault
    Enterprise 0.8.
  * **Permitted DNS Domains Support in PKI**: The `pki` backend now supports
@@ -820,7 +820,7 @@ IMPROVEMENTS:
    client certificate verification when `tls_require_and_verify_client_cert` is
    enabled [GH-3034]
  * storage/cockroachdb: Add CockroachDB storage backend [GH-2713]
- * storage/couchdb: Add CouchhDB storage backend [GH-2880]
+ * storage/couchdb: Add CouchDB storage backend [GH-2880]
  * storage/mssql: Add `max_parallel` [GH-3026]
  * storage/postgresql: Add `max_parallel` [GH-3026]
  * storage/postgresql: Improve listing speed [GH-2945]

Makefile

@@ -15,7 +15,7 @@ GO_VERSION_MIN=1.9
 
 default: dev
 
-# bin generates the releaseable binaries for Vault
+# bin generates the releasable binaries for Vault
 bin: prep
 	@CGO_ENABLED=0 BUILD_TAGS='$(BUILD_TAGS)' sh -c "'$(CURDIR)/scripts/build.sh'"
 

api/logical.go

@@ -178,7 +178,7 @@ func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
 	wrappedSecret := new(Secret)
 	buf := bytes.NewBufferString(secret.Data["response"].(string))
 	if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil {
-		return nil, fmt.Errorf("error unmarshaling wrapped secret: %s", err)
+		return nil, fmt.Errorf("error unmarshalling wrapped secret: %s", err)
 	}
 
 	return wrappedSecret, nil

api/secret_test.go

@@ -1190,7 +1190,7 @@ func TestSecret_TokenMetadata(t *testing.T) {
 			false,
 		},
 		{
-			"real_auth_metdata",
+			"real_auth_metadata",
 			&api.Secret{
 				Auth: &api.SecretAuth{
 					Metadata: map[string]string{"foo": "bar"},

api/sys_auth.go

@@ -78,7 +78,7 @@ func (c *Sys) DisableAuth(path string) error {
 }
 
 // Structures for the requests/resposne are all down here. They aren't
-// individually documentd because the map almost directly to the raw HTTP API
+// individually documented because the map almost directly to the raw HTTP API
 // documentation. Please refer to that documentation for more details.
 
 type EnableAuthOptions struct {

builtin/credential/approle/path_role.go

@@ -88,7 +88,7 @@ type roleIDStorageEntry struct {
 // role/<role_name>/bound-cidr-list - For updating the param
 // role/<role_name>/period - For updating the param
 // role/<role_name>/role-id - For fetching the role_id of an role
-// role/<role_name>/secret-id - For issuing a secret_id against an role, also to list the secret_id_accessorss
+// role/<role_name>/secret-id - For issuing a secret_id against an role, also to list the secret_id_accessors
 // role/<role_name>/custom-secret-id - For assigning a custom SecretID against an role
 // role/<role_name>/secret-id/lookup - For reading the properties of a secret_id
 // role/<role_name>/secret-id/destroy - For deleting a secret_id

builtin/credential/approle/validation.go

@@ -235,7 +235,7 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
 	}
 
 	// If there exists a single use left, delete the SecretID entry from
-	// the storage but do not fail the validation request. Subsequest
+	// the storage but do not fail the validation request. Subsequent
 	// requests to use the same SecretID will fail.
 	if result.SecretIDNumUses == 1 {
 		// Delete the secret IDs accessor first

builtin/credential/aws/backend.go

@@ -46,7 +46,7 @@ type backend struct {
 	// tidy the blacklist and whitelist entries.
 	tidyCooldownPeriod time.Duration
 
-	// nextTidyTime holds the time at which the periodic func should initiatite
+	// nextTidyTime holds the time at which the periodic func should initiate
 	// the tidy operations. This is set by the periodicFunc based on the value
 	// of tidyCooldownPeriod.
 	nextTidyTime time.Time

builtin/credential/aws/backend_test.go

@@ -1173,7 +1173,7 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 		t.Fatalf("bad: failed to login: resp:%#v\nerr:%v", resp, err)
 	}
 
-	// Attempt to re-login with the identity signture
+	// Attempt to re-login with the identity signature
 	delete(loginInput, "pkcs7")
 	loginInput["identity"] = identityDoc
 	loginInput["signature"] = identityDocSig

builtin/credential/aws/path_config_certificate.go

@@ -416,14 +416,14 @@ func (b *backend) pathConfigCertificateCreateUpdate(ctx context.Context, req *lo
 }
 
 // Struct awsPublicCert holds the AWS Public Key that is used to verify the PKCS#7 signature
-// of the instnace identity document.
+// of the instance identity document.
 type awsPublicCert struct {
 	AWSPublicCert string `json:"aws_public_cert"`
 	Type          string `json:"type"`
 }
 
 const pathConfigCertificateSyn = `
-Adds the AWS Public Key that is used to verify the PKCS#7 signature of the identidy document.
+Adds the AWS Public Key that is used to verify the PKCS#7 signature of the identity document.
 `
 
 const pathConfigCertificateDesc = `

builtin/credential/aws/path_login.go

@@ -841,7 +841,7 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 
 // handleRoleTagLogin is used to fetch the role tag of the instance and
 // verifies it to be correct.  Then the policies for the login request will be
-// set off of the role tag, if certain creteria satisfies.
+// set off of the role tag, if certain criteria satisfies.
 func (b *backend) handleRoleTagLogin(ctx context.Context, s logical.Storage, roleName string, roleEntry *awsRoleEntry, instance *ec2.Instance) (*roleTagLoginResponse, error) {
 	if roleEntry == nil {
 		return nil, fmt.Errorf("nil role entry")
@@ -1467,7 +1467,7 @@ func buildHttpRequest(method, endpoint string, parsedUrl *url.URL, body string,
 	// The use cases we want to support, in order of increasing complexity, are:
 	// 1. All defaults (client assumes sts.amazonaws.com and server has no override)
 	// 2. Alternate STS regions: client wants to go to a specific region, in which case
-	//    Vault must be confiugred with that endpoint as well. The client's signed request
+	//    Vault must be configured with that endpoint as well. The client's signed request
 	//    will include a signature over what the client expects the Host header to be,
 	//    so we cannot change that and must match.
 	// 3. Alternate STS regions with a proxy that is transparent to Vault's clients.
@@ -1477,14 +1477,14 @@ func buildHttpRequest(method, endpoint string, parsedUrl *url.URL, body string,
 	// It's also annoying because:
 	// 1. The AWS Sigv4 algorithm requires the Host header to be defined
 	// 2. Some of the official SDKs (at least botocore and aws-sdk-go) don't actually
-	//    incude an explicit Host header in the HTTP requests they generate, relying on
+	//    include an explicit Host header in the HTTP requests they generate, relying on
 	//    the underlying HTTP library to do that for them.
 	// 3. To get a validly signed request, the SDKs check if a Host header has been set
 	//    and, if not, add an inferred host header (based on the URI) to the internal
 	//    data structure used for calculating the signature, but never actually expose
 	//    that to clients. So then they just "hope" that the underlying library actually
 	//    adds the right Host header which was included in the signature calculation.
-	// We could either explicity require all Vault clients to explicitly add the Host header
+	// We could either explicitly require all Vault clients to explicitly add the Host header
 	// in the encoded request, or we could also implicitly infer it from the URI.
 	// We choose to support both -- allow you to explicitly set a Host header, but if not,
 	// infer one from the URI.
@@ -1706,7 +1706,7 @@ implemented based on that inferred type.
 
 An EC2 instance is authenticated using the PKCS#7 signature of the instance identity
 document and a client created nonce. This nonce should be unique and should be used by
-the instance for all future logins, unless 'disallow_reauthenitcation' option on the
+the instance for all future logins, unless 'disallow_reauthentication' option on the
 registered role is enabled, in which case client nonce is optional.
 
 First login attempt, creates a whitelist entry in Vault associating the instance to the nonce

builtin/credential/aws/path_role_tag.go

@@ -390,7 +390,7 @@ func createRoleTagNonce() (string, error) {
 	}
 }
 
-// Struct roleTag represents a role tag in a struc form.
+// Struct roleTag represents a role tag in a struct form.
 type roleTag struct {
 	Version                  string        `json:"version"`
 	InstanceID               string        `json:"instance_id"`

builtin/credential/cert/backend_test.go

@@ -1444,7 +1444,7 @@ func Test_Renew(t *testing.T) {
 		t.Fatal("expected error")
 	}
 
-	// Put the policies back, this shold be okay
+	// Put the policies back, this should be okay
 	fd.Raw["policies"] = "bar,foo"
 	resp, err = b.pathCertWrite(context.Background(), req, fd)
 	if err != nil {

builtin/credential/cert/cli.go

@@ -42,7 +42,7 @@ func (h *CLIHandler) Help() string {
 	help := `
 Usage: vault login -method=cert [CONFIG K=V...]
 
-  The certificate auth method allows uers to authenticate with a
+  The certificate auth method allows users to authenticate with a
   client certificate passed with the request. The -client-cert and -client-key
   flags are included with the "vault login" command, NOT as configuration to the
   auth method.

builtin/credential/cert/path_login.go

@@ -266,7 +266,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d
 func (b *backend) matchesConstraints(clientCert *x509.Certificate, trustedChain []*x509.Certificate, config *ParsedCert) bool {
 	return !b.checkForChainInCRLs(trustedChain) &&
 		b.matchesNames(clientCert, config) &&
-		b.matchesCertificateExtenions(clientCert, config)
+		b.matchesCertificateExtensions(clientCert, config)
 }
 
 // matchesNames verifies that the certificate matches at least one configured
@@ -297,9 +297,9 @@ func (b *backend) matchesNames(clientCert *x509.Certificate, config *ParsedCert)
 	return false
 }
 
-// matchesCertificateExtenions verifies that the certificate matches configured
+// matchesCertificateExtensions verifies that the certificate matches configured
 // required extensions
-func (b *backend) matchesCertificateExtenions(clientCert *x509.Certificate, config *ParsedCert) bool {
+func (b *backend) matchesCertificateExtensions(clientCert *x509.Certificate, config *ParsedCert) bool {
 	// If no required extensions, nothing to check here
 	if len(config.Entry.RequiredExtensions) == 0 {
 		return true

builtin/credential/ldap/backend.go

@@ -421,5 +421,5 @@ to set of policies.
 
 Configuration of the server is done through the "config" and "groups"
 endpoints by a user with root access. Authentication is then done
-by suppying the two fields for "login".
+by supplying the two fields for "login".
 `

builtin/credential/ldap/backend_test.go

@@ -449,7 +449,7 @@ func testAccStepLogin(t *testing.T, user string, pass string) logicaltest.TestSt
 		},
 		Unauthenticated: true,
 
-		// Verifies user tesla maps to groups via local group (engineers) as well as remote group (Scientiests)
+		// Verifies user tesla maps to groups via local group (engineers) as well as remote group (Scientists)
 		Check: logicaltest.TestCheckAuth([]string{"bar", "default", "foo"}),
 	}
 }
@@ -463,7 +463,7 @@ func testAccStepLoginNoGroupDN(t *testing.T, user string, pass string) logicalte
 		},
 		Unauthenticated: true,
 
-		// Verifies a search without defined GroupDN returns a warnting rather than failing
+		// Verifies a search without defined GroupDN returns a warning rather than failing
 		Check: func(resp *logical.Response) error {
 			if len(resp.Warnings) != 1 {
 				return fmt.Errorf("expected a warning due to no group dn, got: %#v", resp.Warnings)

builtin/credential/okta/backend.go

@@ -106,7 +106,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 		Data: map[string]interface{}{},
 	}
 
-	// More about Okta's Auth transation state here:
+	// More about Okta's Auth transaction state here:
 	// https://developer.okta.com/docs/api/resources/authn#transaction-state
 
 	// If lockout failures are not configured to be hidden, the status needs to
@@ -321,5 +321,5 @@ groups are pulled down from Okta.
 
 Configuration of the connection is done through the "config" and "policies"
 endpoints by a user with root access. Authentication is then done
-by suppying the two fields for "login".
+by supplying the two fields for "login".
 `

builtin/credential/okta/path_config.go

@@ -40,7 +40,7 @@ func pathConfig(b *backend) *framework.Path {
 			},
 			"base_url": &framework.FieldSchema{
 				Type:        framework.TypeString,
-				Description: `The base domain to use for the Okta API. When not specified in the configuraiton, "okta.com" is used.`,
+				Description: `The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.`,
 			},
 			"production": &framework.FieldSchema{
 				Type:        framework.TypeBool,

builtin/credential/radius/backend.go

@@ -59,8 +59,8 @@ a RADIUS server, checking username and associating users
 to set of policies.
 
 Configuration of the server is done through the "config" and "users"
-endpoints by a user with approriate access mandated by policy.
-Authentication is then done by suppying the two fields for "login".
+endpoints by a user with appropriate access mandated by policy.
+Authentication is then done by supplying the two fields for "login".
 
 The backend optionally allows to grant a set of policies to any 
 user that successfully authenticates against the RADIUS server, 

builtin/credential/userpass/backend.go

@@ -56,5 +56,5 @@ are supported.
 
 The username/password combination is configured using the "users/"
 endpoints by a user with root access. Authentication is then done
-by suppying the two fields for "login".
+by supplying the two fields for "login".
 `

builtin/logical/aws/path_config_root.go

@@ -91,6 +91,6 @@ Configure the root credentials that are used to manage IAM.
 const pathConfigRootHelpDesc = `
 Before doing anything, the AWS backend needs credentials that are able
 to manage IAM policies, users, access keys, etc. This endpoint is used
-to configure those credentials. They don't necessarilly need to be root
+to configure those credentials. They don't necessarily need to be root
 keys as long as they have permission to manage IAM.
 `

builtin/logical/cassandra/path_config_connection.go

@@ -213,7 +213,7 @@ Configure the connection information to talk to Cassandra.
 const pathConfigConnectionHelpDesc = `
 This path configures the connection information used to connect to Cassandra.
 
-"hosts" is a comma-deliniated list of hostnames in the Cassandra cluster.
+"hosts" is a comma-delimited list of hostnames in the Cassandra cluster.
 
 "username" and "password" are self-explanatory, although the given user
 must have superuser access within Cassandra. Note that since this backend

builtin/logical/cassandra/path_roles.go

@@ -186,7 +186,7 @@ If no "creation_cql" parameter is given, a default will be used:
 This default should be suitable for Cassandra installations using the password
 authenticator but not configured to use authorization.
 
-Similarly, the "rollback_cql" is used if user creation fails, in the absense of
+Similarly, the "rollback_cql" is used if user creation fails, in the absence of
 Cassandra transactions. The default should be suitable for almost any
 instance of Cassandra:
 

builtin/logical/cassandra/test-fixtures/cassandra.yaml

@@ -250,7 +250,7 @@ commit_failure_policy: stop
 #
 # Valid values are either "auto" (omitting the value) or a value greater 0.
 #
-# Note that specifying a too large value will result in long running GCs and possbily
+# Note that specifying a too large value will result in long running GCs and possibly
 # out-of-memory errors. Keep the value at a small fraction of the heap.
 #
 # If you constantly see "prepared statements discarded in the last minute because
@@ -259,7 +259,7 @@ commit_failure_policy: stop
 # i.e. use bind markers for variable parts.
 #
 # Do only change the default value, if you really have more prepared statements than
-# fit in the cache. In most cases it is not neccessary to change this value.
+# fit in the cache. In most cases it is not necessary to change this value.
 # Constantly re-preparing statements is a performance penalty.
 #
 # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater
@@ -1021,7 +1021,7 @@ client_encryption_options:
     keystore: conf/.keystore
     keystore_password: cassandra
     # require_client_auth: false
-    # Set trustore and truststore_password if require_client_auth is true
+    # Set truststore and truststore_password if require_client_auth is true
     # truststore: conf/.truststore
     # truststore_password: cassandra
     # More advanced defaults below:
@@ -1080,7 +1080,7 @@ windows_timer_interval: 1
 
 # Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from
 # a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by
-# the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys
+# the "key_alias" is the only key that will be used for encrypt operations; previously used keys
 # can still (and should!) be in the keystore and will be used on decrypt operations
 # (to handle the case of key rotation).
 #
@@ -1114,7 +1114,7 @@ transparent_data_encryption_options:
 # tombstones seen in memory so we can return them to the coordinator, which
 # will use them to make sure other replicas also know about the deleted rows.
 # With workloads that generate a lot of tombstones, this can cause performance
-# problems and even exaust the server heap.
+# problems and even exhaust the server heap.
 # (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)
 # Adjust the thresholds here if you understand the dangers and want to
 # scan more tombstones anyway.  These thresholds may also be adjusted at runtime

builtin/logical/database/backend_test.go

@@ -614,7 +614,7 @@ func TestBackend_roleCrud(t *testing.T) {
 	}
 
 	if !reflect.DeepEqual(expected, actual) {
-		t.Fatalf("Statements did not match, exepected %#v, got %#v", expected, actual)
+		t.Fatalf("Statements did not match, expected %#v, got %#v", expected, actual)
 	}
 
 	// Delete the role

builtin/logical/database/dbplugin/client.go

@@ -67,7 +67,7 @@ func newPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunne
 		return nil, errors.New("unsupported client type")
 	}
 
-	// Wrap RPC implimentation in DatabasePluginClient
+	// Wrap RPC implementation in DatabasePluginClient
 	return &DatabasePluginClient{
 		client:   client,
 		Database: db,

builtin/logical/database/dbplugin/plugin.go

@@ -46,7 +46,7 @@ func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRu
 		var ok bool
 		db, ok = dbRaw.(Database)
 		if !ok {
-			return nil, fmt.Errorf("unsuported database type: %s", pluginName)
+			return nil, fmt.Errorf("unsupported database type: %s", pluginName)
 		}
 
 		transport = "builtin"

builtin/logical/database/dbplugin/plugin_test.go

@@ -258,7 +258,7 @@ func TestPlugin_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	// Test default revoke statememts
+	// Test default revoke statements
 	err = db.RevokeUser(context.Background(), dbplugin.Statements{}, us)
 	if err != nil {
 		t.Fatalf("err: %s", err)
@@ -398,7 +398,7 @@ func TestPlugin_NetRPC_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	// Test default revoke statememts
+	// Test default revoke statements
 	err = db.RevokeUser(context.Background(), dbplugin.Statements{}, us)
 	if err != nil {
 		t.Fatalf("err: %s", err)

builtin/logical/database/path_creds_create.go

@@ -70,7 +70,7 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
 			db, err = b.createDBObj(ctx, req.Storage, role.DBName)
 			if err != nil {
 				unlockFunc()
-				return nil, fmt.Errorf("cound not retrieve db with name: %s, got error: %s", role.DBName, err)
+				return nil, fmt.Errorf("could not retrieve db with name: %s, got error: %s", role.DBName, err)
 			}
 		}
 

builtin/logical/database/secret_creds.go

@@ -64,7 +64,7 @@ func (b *databaseBackend) secretCredsRenew() framework.OperationFunc {
 			db, err = b.createDBObj(ctx, req.Storage, role.DBName)
 			if err != nil {
 				unlockFunc()
-				return nil, fmt.Errorf("cound not retrieve db with name: %s, got error: %s", role.DBName, err)
+				return nil, fmt.Errorf("could not retrieve db with name: %s, got error: %s", role.DBName, err)
 			}
 		}
 
@@ -123,7 +123,7 @@ func (b *databaseBackend) secretCredsRevoke() framework.OperationFunc {
 			db, err = b.createDBObj(ctx, req.Storage, role.DBName)
 			if err != nil {
 				unlockFunc()
-				return nil, fmt.Errorf("cound not retrieve db with name: %s, got error: %s", role.DBName, err)
+				return nil, fmt.Errorf("could not retrieve db with name: %s, got error: %s", role.DBName, err)
 			}
 		}
 

builtin/logical/mssql/secret_creds.go

@@ -141,7 +141,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
 
 	// can't drop if not all database users are dropped
 	if rows.Err() != nil {
-		return nil, fmt.Errorf("cound not generate sql statements for all rows: %s", rows.Err())
+		return nil, fmt.Errorf("could not generate sql statements for all rows: %s", rows.Err())
 	}
 	if lastStmtError != nil {
 		return nil, fmt.Errorf("could not perform all sql statements: %s", lastStmtError)

builtin/logical/mysql/path_role_create.go

@@ -59,8 +59,8 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
 	// - the token display name, truncated to role.displaynameLength (default 4)
 	// - a UUID
 	//
-	// the entire contactenated string is then truncated to role.usernameLength,
-	// which by default is 16 due to limitations in older but still-prevalant
+	// the entire concatenated string is then truncated to role.usernameLength,
+	// which by default is 16 due to limitations in older but still-prevalent
 	// versions of MySQL.
 	roleName := name
 	if len(roleName) > role.RolenameLength {

builtin/logical/nomad/backend_test.go

@@ -212,7 +212,7 @@ func TestBackend_renew_revoke(t *testing.T) {
 	if err := mapstructure.Decode(resp.Data, &d); err != nil {
 		t.Fatal(err)
 	}
-	t.Logf("[WARN] Generated token: %s with accesor %s", d.Token, d.Accessor)
+	t.Logf("[WARN] Generated token: %s with accessor %s", d.Token, d.Accessor)
 
 	// Build a client and verify that the credentials work
 	nomadapiConfig := nomadapi.DefaultConfig()

builtin/logical/nomad/path_creds_create.go

@@ -56,7 +56,7 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
 	// Generate a name for the token
 	tokenName := fmt.Sprintf("vault-%s-%s-%d", name, req.DisplayName, time.Now().UnixNano())
 
-	// Handling nomad maximum token lenght
+	// Handling nomad maximum token length
 	// https://github.com/hashicorp/nomad/blob/d9276e22b3b74674996fb548cdb6bc4c70d5b0e4/nomad/structs/structs.go#L115
 	if len(tokenName) > 64 {
 		tokenName = tokenName[0:63]

builtin/logical/pki/backend_test.go

@@ -592,7 +592,7 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s
 					return fmt.Errorf("expected an error response but did not get one")
 				}
 				if !strings.Contains(resp.Data["error"].(string), "2048") {
-					return fmt.Errorf("recieved an error but not about a 1024-bit key, error was: %s", resp.Data["error"].(string))
+					return fmt.Errorf("received an error but not about a 1024-bit key, error was: %s", resp.Data["error"].(string))
 				}
 
 				return nil
@@ -2445,7 +2445,7 @@ func TestBackend_SignVerbatim(t *testing.T) {
 	}
 }
 
-func TestBackend_Root_Idempotentcy(t *testing.T) {
+func TestBackend_Root_Idempotency(t *testing.T) {
 	coreConfig := &vault.CoreConfig{
 		LogicalBackends: map[string]logical.Factory{
 			"pki": Factory,

builtin/logical/pki/cert_util.go

@@ -385,7 +385,7 @@ func validateNames(data *dataBundle, names []string) string {
 						splitDisplay := strings.Split(data.req.DisplayName, "@")
 						if len(splitDisplay) == 2 {
 							// Compare the sanitized name against the hostname
-							// portion of the email address in the roken
+							// portion of the email address in the broken
 							// display name
 							if strings.HasSuffix(sanitizedName, "."+splitDisplay[1]) {
 								continue
@@ -515,7 +515,7 @@ func generateCert(ctx context.Context,
 		return nil, err
 	}
 	if data.params == nil {
-		return nil, errutil.InternalError{Err: "nil paramaters received from parameter bundle generation"}
+		return nil, errutil.InternalError{Err: "nil parameters received from parameter bundle generation"}
 	}
 
 	if isCA {
@@ -562,7 +562,7 @@ func generateIntermediateCSR(b *backend, data *dataBundle) (*certutil.ParsedCSRB
 		return nil, err
 	}
 	if data.params == nil {
-		return nil, errutil.InternalError{Err: "nil paramaters received from parameter bundle generation"}
+		return nil, errutil.InternalError{Err: "nil parameters received from parameter bundle generation"}
 	}
 
 	parsedBundle, err := createCSR(data)
@@ -668,7 +668,7 @@ func signCert(b *backend,
 		return nil, err
 	}
 	if data.params == nil {
-		return nil, errutil.InternalError{Err: "nil paramaters received from parameter bundle generation"}
+		return nil, errutil.InternalError{Err: "nil parameters received from parameter bundle generation"}
 	}
 
 	data.params.IsCA = isCA
@@ -966,7 +966,7 @@ func generateCreationBundle(b *backend, data *dataBundle) error {
 	return nil
 }
 
-// addKeyUsages adds approrpiate key usages to the template given the creation
+// addKeyUsages adds appropriate key usages to the template given the creation
 // information
 func addKeyUsages(data *dataBundle, certTemplate *x509.Certificate) {
 	if data.params.IsCA {

builtin/logical/pki/path_roles_test.go

@@ -246,7 +246,7 @@ func TestPki_RoleOUOrganizationUpgrade(t *testing.T) {
 	}
 	organization := resp.Data["organization"].([]string)
 	if len(organization) != 2 {
-		t.Fatalf("organziation should have 2 values")
+		t.Fatalf("organization should have 2 values")
 	}
 
 	// Check that old key usage value is nil

builtin/logical/pki/path_tidy.go

@@ -164,7 +164,7 @@ seconds or a string duration like "72h".
 All certificates and/or revocation information currently stored in the backend
 will be checked when this endpoint is hit. The expiration of the
 certificate/revocation information of each certificate being held in
-certificate storage or in revocation infomation will then be checked. If the
+certificate storage or in revocation information will then be checked. If the
 current time, minus the value of 'safety_buffer', is greater than the
 expiration, it will be removed.
 `

builtin/logical/postgresql/backend.go

@@ -100,7 +100,7 @@ func (b *backend) DB(ctx context.Context, s logical.Storage) (*sql.DB, error) {
 		conn = connConfig.ConnectionString
 	}
 
-	// Ensure timezone is set to UTC for all the conenctions
+	// Ensure timezone is set to UTC for all the connections
 	if strings.HasPrefix(conn, "postgres://") || strings.HasPrefix(conn, "postgresql://") {
 		if strings.Contains(conn, "?") {
 			conn += "&timezone=utc"

builtin/logical/rabbitmq/backend.go

@@ -89,7 +89,7 @@ func (b *backend) Client(ctx context.Context, s logical.Storage) (*rabbithole.Cl
 	b.lock.Lock()
 	defer b.lock.Unlock()
 
-	// If the client was creted during the lock switch, return it
+	// If the client was created during the lock switch, return it
 	if b.client != nil {
 		return b.client, nil
 	}

builtin/logical/ssh/path_roles.go

@@ -273,7 +273,7 @@ func pathRoles(b *backend) *framework.Path {
 				Description: `
 				[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
 				When supplied, this value specifies a custom format for the key id of a signed certificate.
-				The following variables are availble for use: '{{token_display_name}}' - The display name of
+				The following variables are available for use: '{{token_display_name}}' - The display name of
 				the token used to make the request. '{{role_name}}' - The name of the role signing the request.
 				'{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.
 				`,
@@ -490,7 +490,7 @@ func (b *backend) getRole(ctx context.Context, s logical.Storage, n string) (*ss
 }
 
 // parseRole converts a sshRole object into its map[string]interface representation,
-// with appropriate values for each KeyType. If the KeyType is invalid, it will retun
+// with appropriate values for each KeyType. If the KeyType is invalid, it will return
 // an error.
 func (b *backend) parseRole(role *sshRole) (map[string]interface{}, error) {
 	var result map[string]interface{}

builtin/logical/ssh/path_verify.go

@@ -95,7 +95,7 @@ Validate the OTP provided by Vault SSH Agent.
 `
 
 const pathVerifyHelpDesc = `
-This path will be used by Vault SSH Agent runnin in the remote hosts. The OTP
+This path will be used by Vault SSH Agent running in the remote hosts. The OTP
 provided by the client is sent to Vault for validation by the agent. If Vault
 finds an entry for the OTP, it responds with the username and IP it is associated
 with. Agent uses this information to authenticate the client. Vault deletes the

builtin/logical/transit/path_config.go

@@ -180,5 +180,5 @@ const pathConfigHelpSyn = `Configure a named encryption key`
 const pathConfigHelpDesc = `
 This path is used to configure the named key. Currently, this
 supports adjusting the minimum version of the key allowed to
-be used for decryption via the min_decryption_version paramter.
+be used for decryption via the min_decryption_version parameter.
 `

builtin/logical/transit/path_encrypt.go

@@ -43,7 +43,7 @@ type BatchResponseItem struct {
 	// request item
 	Ciphertext string `json:"ciphertext,omitempty" structs:"ciphertext" mapstructure:"ciphertext"`
 
-	// Plaintext for the ciphertext present in the corresponsding batch
+	// Plaintext for the ciphertext present in the corresponding batch
 	// request item
 	Plaintext string `json:"plaintext,omitempty" structs:"plaintext" mapstructure:"plaintext"`
 

builtin/logical/transit/path_export.go

@@ -114,7 +114,7 @@ func (b *backend) pathPolicyExportRead(ctx context.Context, req *logical.Request
 		}
 
 		if versionValue < p.MinDecryptionVersion {
-			return logical.ErrorResponse("version for export is below minimun decryption version"), logical.ErrInvalidRequest
+			return logical.ErrorResponse("version for export is below minimum decryption version"), logical.ErrInvalidRequest
 		}
 		key, ok := p.Keys[strconv.Itoa(versionValue)]
 		if !ok {

builtin/logical/transit/path_export_test.go

@@ -258,7 +258,7 @@ func TestTransit_Export_KeysNotMarkedExportable_ReturnsError(t *testing.T) {
 		t.Fatal(err)
 	}
 	if !rsp.IsError() {
-		t.Fatal("Key not marked as exportble but was exported.")
+		t.Fatal("Key not marked as exportable but was exported.")
 	}
 }
 
@@ -407,7 +407,7 @@ func TestTransit_Export_EncryptionKey_DoesNotExportHMACKey(t *testing.T) {
 		t.Error("could not cast to keys object")
 	}
 	if len(hmacKeys) != len(encryptionKeys) {
-		t.Errorf("hmac (%d) and encyryption (%d) key count don't match",
+		t.Errorf("hmac (%d) and encryption (%d) key count don't match",
 			len(hmacKeys), len(encryptionKeys))
 	}
 

builtin/logical/transit/path_random_test.go

@@ -73,7 +73,7 @@ func TestTransit_Random(t *testing.T) {
 		}
 		rand2 := getResponse()
 		if len(rand1) != numBytes || len(rand2) != numBytes {
-			t.Fatal("length of output random bytes not what is exepcted")
+			t.Fatal("length of output random bytes not what is expected")
 		}
 		if reflect.DeepEqual(rand1, rand2) {
 			t.Fatal("found identical ouputs")

builtin/plugin/backend_test.go

@@ -42,7 +42,7 @@ func TestBackend_Factory(t *testing.T) {
 
 func TestBackend_PluginMain(t *testing.T) {
 	args := []string{}
-	if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" && os.Getenv(pluginutil.PluginMetadaModeEnv) != "true" {
+	if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" && os.Getenv(pluginutil.PluginMetadataModeEnv) != "true" {
 		return
 	}
 

command/auth.go

@@ -81,7 +81,7 @@ func (c *AuthCommand) Run(args []string) int {
 				"WARNING! The -method-help flag is deprecated. Please use "+
 					"\"vault auth help\" instead. This flag will be removed in "+
 					"Vault 0.11 (or later).") + "\n")
-			// Parse the args to pull out the method, surpressing any errors because
+			// Parse the args to pull out the method, suppressing any errors because
 			// there could be other flags that we don't care about.
 			f := flag.NewFlagSet("", flag.ContinueOnError)
 			f.Usage = func() {}

command/base.go

@@ -192,7 +192,7 @@ func (c *BaseCommand) flagSet(bit FlagSetBit) *FlagSets {
 				Completion: complete.PredictFiles("*"),
 				Usage: "Path on the local disk to a single PEM-encoded CA " +
 					"certificate to verify the Vault server's SSL certificate. This " +
-					"takes precendence over -ca-path.",
+					"takes precedence over -ca-path.",
 			})
 
 			f.StringVar(&StringVar{

command/base_helpers.go

@@ -151,14 +151,14 @@ func parseArgsDataString(stdin io.Reader, args []string) (map[string]string, err
 	return result, nil
 }
 
-// truncateToSeconds truncates the given duaration to the number of seconds. If
+// truncateToSeconds truncates the given duration to the number of seconds. If
 // the duration is less than 1s, it is returned as 0. The integer represents
 // the whole number unit of seconds for the duration.
 func truncateToSeconds(d time.Duration) int {
 	d = d.Truncate(1 * time.Second)
 
 	// Handle the case where someone requested a ridiculously short increment -
-	// incremenents must be larger than a second.
+	// increments must be larger than a second.
 	if d < 1*time.Second {
 		return 0
 	}

command/base_predict.go

@@ -67,7 +67,7 @@ func PredictClient() *api.Client {
 }
 
 // PredictVaultAvailableMounts returns a predictor for the available mounts in
-// Vault. For now, there is no way to programatically get this list. If, in the
+// Vault. For now, there is no way to programmatically get this list. If, in the
 // future, such a list exists, we can adapt it here. Until then, it's
 // hard-coded.
 func (b *BaseCommand) PredictVaultAvailableMounts() complete.Predictor {
@@ -88,7 +88,7 @@ func (b *BaseCommand) PredictVaultAvailableMounts() complete.Predictor {
 }
 
 // PredictVaultAvailableAuths returns a predictor for the available auths in
-// Vault. For now, there is no way to programatically get this list. If, in the
+// Vault. For now, there is no way to programmatically get this list. If, in the
 // future, such a list exists, we can adapt it here. Until then, it's
 // hard-coded.
 func (b *BaseCommand) PredictVaultAvailableAuths() complete.Predictor {

command/login.go

@@ -222,7 +222,7 @@ func (c *LoginCommand) Run(args []string) int {
 		stdin = c.testStdin
 	}
 
-	// If the user provided a token, pass it along to the auth provier.
+	// If the user provided a token, pass it along to the auth provider.
 	if authMethod == "token" && len(args) > 0 && !strings.Contains(args[0], "=") {
 		args = append([]string{"token=" + args[0]}, args[1:]...)
 	}
@@ -349,7 +349,7 @@ func (c *LoginCommand) Run(args []string) int {
 
 // extractToken extracts the token from the given secret, automatically
 // unwrapping responses and handling error conditions if unwrap is true. The
-// result also returns whether it was a wrapped resonse that was not unwrapped.
+// result also returns whether it was a wrapped response that was not unwrapped.
 func (c *LoginCommand) extractToken(client *api.Client, secret *api.Secret, unwrap bool) (*api.Secret, bool, error) {
 	switch {
 	case secret == nil:

command/login_test.go

@@ -211,7 +211,7 @@ func TestLoginCommand_Run(t *testing.T) {
 
 		// Verify the token was not stored
 		if storedToken, err := tokenHelper.Get(); err != nil || storedToken != "" {
-			t.Fatalf("expted token to not be stored: %s: %q", err, storedToken)
+			t.Fatalf("expected token to not be stored: %s: %q", err, storedToken)
 		}
 	})
 

command/main.go

@@ -138,7 +138,7 @@ func RunCustom(args []string, runOpts *RunOptions) int {
 		return 1
 	}
 
-	// Only use colored UI if stdoout is a tty, and not disabled
+	// Only use colored UI if stdout is a tty, and not disabled
 	if isTerminal && color && format == "table" {
 		ui.Ui = &cli.ColoredUi{
 			ErrorColor: cli.UiColorRed,

command/operator_init.go

@@ -383,7 +383,7 @@ func (c *OperatorInitCommand) consulAuto(client *api.Client, req *api.InitReques
 		// Update the client to connect to this Vault server
 		client.SetAddress(vaultAddr)
 
-		// Let the client know that initialization is perfomed on the
+		// Let the client know that initialization is performed on the
 		// discovered node.
 		c.UI.Output(wrapAtLength(fmt.Sprintf(
 			"Discovered an initialized Vault node at %q with Consul service name "+

command/server.go

@@ -900,7 +900,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
 		case <-c.ShutdownCh:
 			c.UI.Output("==> Vault shutdown triggered")
 
-			// Stop the listners so that we don't process further client requests.
+			// Stop the listeners so that we don't process further client requests.
 			c.cleanupGuard.Do(listenerCloseFunc)
 
 			// Shutdown will wait until after Vault is sealed, which means the
@@ -1196,7 +1196,7 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m
 		case <-c.ShutdownCh:
 			c.UI.Output("==> Vault shutdown triggered")
 
-			// Stop the listners so that we don't process further client requests.
+			// Stop the listeners so that we don't process further client requests.
 			c.cleanupGuard.Do(testCluster.Cleanup)
 
 			// Shutdown will wait until after Vault is sealed, which means the

command/server/config.go

@@ -173,11 +173,11 @@ type Telemetry struct {
 	CirconusCheckID string `hcl:"circonus_check_id"`
 	// CirconusCheckForceMetricActivation will force enabling metrics, as they are encountered,
 	// if the metric already exists and is NOT active. If check management is enabled, the default
-	// behavior is to add new metrics as they are encoutered. If the metric already exists in the
+	// behavior is to add new metrics as they are encountered. If the metric already exists in the
 	// check, it will *NOT* be activated. This setting overrides that behavior.
 	// Default: "false"
 	CirconusCheckForceMetricActivation string `hcl:"circonus_check_force_metric_activation"`
-	// CirconusCheckInstanceID serves to uniquely identify the metrics comming from this "instance".
+	// CirconusCheckInstanceID serves to uniquely identify the metrics coming from this "instance".
 	// It can be used to maintain metric continuity with transient or ephemeral instances as
 	// they move around within an infrastructure.
 	// Default: hostname:app

command/unwrap_test.go

@@ -139,7 +139,7 @@ func TestUnwrapCommand_Run(t *testing.T) {
 		cmd.client = client
 		cmd.client.SetToken(wrappedToken)
 
-		// Intentionally don't pass the token here - it shoudl use the local token
+		// Intentionally don't pass the token here - it should use the local token
 		code := cmd.Run([]string{})
 		if exp := 0; code != exp {
 			t.Errorf("expected %d to be %d", code, exp)

helper/certutil/types.go

@@ -211,7 +211,7 @@ func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error) {
 			result.CAChain = append(result.CAChain, certBlock)
 		}
 
-	// For backwards compabitibility
+	// For backwards compatibility
 	case len(c.IssuingCA) > 0:
 		pemBlock, _ = pem.Decode([]byte(c.IssuingCA))
 		if pemBlock == nil {
@@ -523,7 +523,7 @@ func (p *ParsedCSRBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateK
 }
 
 // GetTLSConfig returns a TLS config generally suitable for client
-// authentiation. The returned TLS config can be modified slightly
+// authentication. The returned TLS config can be modified slightly
 // to be made suitable for a server requiring client authentication;
 // specifically, you should set the value of ClientAuth in the returned
 // config to match your needs.

helper/compressutil/compress.go

@@ -33,7 +33,7 @@ const (
 )
 
 // SnappyReadCloser embeds the snappy reader which implements the io.Reader
-// interface. The decompress procedure in this utility expectes an
+// interface. The decompress procedure in this utility expects an
 // io.ReadCloser. This type implements the io.Closer interface to retain the
 // generic way of decompression.
 type SnappyReadCloser struct {

helper/compressutil/compress_test.go

@@ -82,7 +82,7 @@ func TestCompressUtil_CompressDecompress(t *testing.T) {
 	if len(compressedJSONBytes) == 0 {
 		t.Fatal("failed to compress data in lzw format")
 	}
-	// Check the presense of the canary
+	// Check the presence of the canary
 	if compressedJSONBytes[0] != CompressionCanaryLzw {
 		t.Fatalf("bad: compression canary: expected: %d actual: %d", CompressionCanaryLzw, compressedJSONBytes[0])
 	}
@@ -113,7 +113,7 @@ func TestCompressUtil_CompressDecompress(t *testing.T) {
 	if len(compressedJSONBytes) == 0 {
 		t.Fatal("failed to compress data in lzw format")
 	}
-	// Check the presense of the canary
+	// Check the presence of the canary
 	if compressedJSONBytes[0] != CompressionCanaryGzip {
 		t.Fatalf("bad: compression canary: expected: %d actual: %d", CompressionCanaryGzip, compressedJSONBytes[0])
 	}
@@ -145,7 +145,7 @@ func TestCompressUtil_CompressDecompress(t *testing.T) {
 	if len(compressedJSONBytes) == 0 {
 		t.Fatal("failed to compress data in lzw format")
 	}
-	// Check the presense of the canary
+	// Check the presence of the canary
 	if compressedJSONBytes[0] != CompressionCanaryGzip {
 		t.Fatalf("bad: compression canary: expected: %d actual: %d", CompressionCanaryGzip, compressedJSONBytes[0])
 	}
@@ -177,7 +177,7 @@ func TestCompressUtil_CompressDecompress(t *testing.T) {
 	if len(compressedJSONBytes) == 0 {
 		t.Fatal("failed to compress data in lzw format")
 	}
-	// Check the presense of the canary
+	// Check the presence of the canary
 	if compressedJSONBytes[0] != CompressionCanaryGzip {
 		t.Fatalf("bad: compression canary: expected: %d actual: %d", CompressionCanaryGzip, compressedJSONBytes[0])
 	}
@@ -209,7 +209,7 @@ func TestCompressUtil_CompressDecompress(t *testing.T) {
 	if len(compressedJSONBytes) == 0 {
 		t.Fatal("failed to compress data in lzw format")
 	}
-	// Check the presense of the canary
+	// Check the presence of the canary
 	if compressedJSONBytes[0] != CompressionCanaryGzip {
 		t.Fatalf("bad: compression canary: expected: %d actual: %d",
 			CompressionCanaryGzip, compressedJSONBytes[0])

helper/consts/consts.go

@@ -1,7 +1,7 @@
 package consts
 
 const (
-	// ExpirationRestoreWorkerCount specifies the numer of workers to use while
+	// ExpirationRestoreWorkerCount specifies the number of workers to use while
 	// restoring leases into the expiration manager
 	ExpirationRestoreWorkerCount = 64
 )

helper/jsonutil/json.go

@@ -91,7 +91,7 @@ func DecodeJSONFromReader(r io.Reader, out interface{}) error {
 
 	dec := json.NewDecoder(r)
 
-	// While decoding JSON values, intepret the integer values as `json.Number`s instead of `float64`.
+	// While decoding JSON values, interpret the integer values as `json.Number`s instead of `float64`.
 	dec.UseNumber()
 
 	// Since 'out' is an interface representing a pointer, pass it to the decoder without an '&'

helper/keysutil/lock_manager.go

@@ -162,7 +162,7 @@ func (lm *LockManager) GetPolicyShared(ctx context.Context, storage logical.Stor
 		return p, lock, err
 	}
 
-	// Try again while asking for an exlusive lock
+	// Try again while asking for an exclusive lock
 	p, lock, _, err = lm.getPolicyCommon(ctx, PolicyRequest{
 		Storage: storage,
 		Name:    name,
@@ -201,7 +201,7 @@ func (lm *LockManager) GetPolicyUpsert(ctx context.Context, req PolicyRequest) (
 		return p, lock, false, err
 	}
 
-	// Try again while asking for an exlusive lock
+	// Try again while asking for an exclusive lock
 	p, lock, upserted, err := lm.getPolicyCommon(ctx, req, exclusive)
 	if err != nil || p == nil || lock == nil {
 		return p, lock, upserted, err

helper/keysutil/policy.go

@@ -185,7 +185,7 @@ func (kem deprecatedKeyEntryMap) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&intermediate)
 }
 
-// MarshalJSON implements JSON unmarshaling
+// MarshalJSON implements JSON unmarshalling
 func (kem deprecatedKeyEntryMap) UnmarshalJSON(data []byte) error {
 	intermediate := map[string]KeyEntry{}
 	if err := jsonutil.DecodeJSON(data, &intermediate); err != nil {

helper/kv-builder/builder_test.go

@@ -119,7 +119,7 @@ func TestBuilder_sameKeyMultipleTimes(t *testing.T) {
 	}
 }
 
-func TestBuilder_specialCharacteresInKey(t *testing.T) {
+func TestBuilder_specialCharactersInKey(t *testing.T) {
 	var b Builder
 	b.Stdin = bytes.NewBufferString("{\"foo\": \"bay\"}")
 	err := b.Add("@foo=bar", "-foo=baz", "-")

helper/locksutil/locks.go

@@ -13,11 +13,11 @@ type LockEntry struct {
 	sync.RWMutex
 }
 
-// CreateLocks returns an array so that the locks can be itterated over in
+// CreateLocks returns an array so that the locks can be iterated over in
 // order.
 //
 // This is only threadsafe if a process is using a single lock, or iterating
-// over the entire lock slice in order. Using a consistant order avoids
+// over the entire lock slice in order. Using a consistent order avoids
 // deadlocks because you can never have the following:
 //
 // Lock A, Lock B

helper/password/password_windows.go

@@ -12,7 +12,7 @@ var (
 	setConsoleModeProc = kernel32.MustFindProc("SetConsoleMode")
 )
 
-// Magic constant from MSDN to control whether charactesr read are
+// Magic constant from MSDN to control whether characters read are
 // repeated back on the console.
 //
 // http://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx

helper/pluginutil/runner.go

@@ -17,15 +17,15 @@ import (
 )
 
 // Looker defines the plugin Lookup function that looks into the plugin catalog
-// for availible plugins and returns a PluginRunner
+// for available plugins and returns a PluginRunner
 type Looker interface {
 	LookupPlugin(context.Context, string) (*PluginRunner, error)
 }
 
 // Wrapper interface defines the functions needed by the runner to wrap the
 // metadata needed to run a plugin process. This includes looking up Mlock
-// configuration and wrapping data in a respose wrapped token.
-// logical.SystemView implementataions satisfy this interface.
+// configuration and wrapping data in a response wrapped token.
+// logical.SystemView implementations satisfy this interface.
 type RunnerUtil interface {
 	ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)
 	MlockEnabled() bool
@@ -48,7 +48,7 @@ type PluginRunner struct {
 	BuiltinFactory func() (interface{}, error) `json:"-" structs:"-"`
 }
 
-// Run takes a wrapper RunnerUtil instance along with the go-plugin paramaters and
+// Run takes a wrapper RunnerUtil instance along with the go-plugin parameters and
 // returns a configured plugin.Client with TLS Configured and a wrapping token set
 // on PluginUnwrapTokenEnv for plugin process consumption.
 func (r *PluginRunner) Run(ctx context.Context, wrapper RunnerUtil, pluginMap map[string]plugin.Plugin, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
@@ -56,7 +56,7 @@ func (r *PluginRunner) Run(ctx context.Context, wrapper RunnerUtil, pluginMap ma
 }
 
 // RunMetadataMode returns a configured plugin.Client that will dispense a plugin
-// in metadata mode. The PluginMetadaModeEnv is passed in as part of the Cmd to
+// in metadata mode. The PluginMetadataModeEnv is passed in as part of the Cmd to
 // plugin.Client, and consumed by the plugin process on pluginutil.VaultPluginTLSProvider.
 func (r *PluginRunner) RunMetadataMode(ctx context.Context, wrapper RunnerUtil, pluginMap map[string]plugin.Plugin, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
 	return r.runCommon(ctx, wrapper, pluginMap, hs, env, logger, true)
@@ -82,7 +82,7 @@ func (r *PluginRunner) runCommon(ctx context.Context, wrapper RunnerUtil, plugin
 	var clientTLSConfig *tls.Config
 	if !isMetadataMode {
 		// Add the metadata mode ENV and set it to false
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMetadaModeEnv, "false"))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMetadataModeEnv, "false"))
 
 		// Get a CA TLS Certificate
 		certBytes, key, err := generateCert()
@@ -107,7 +107,7 @@ func (r *PluginRunner) runCommon(ctx context.Context, wrapper RunnerUtil, plugin
 		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginUnwrapTokenEnv, wrapToken))
 	} else {
 		namedLogger = clogger.ResetNamed("plugin.metadata")
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMetadaModeEnv, "true"))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMetadataModeEnv, "true"))
 	}
 
 	secureConfig := &plugin.SecureConfig{

helper/pluginutil/tls.go

@@ -31,9 +31,9 @@ var (
 	// string. Used for testing.
 	PluginCACertPEMEnv = "VAULT_TESTING_PLUGIN_CA_PEM"
 
-	// PluginMetadaModeEnv is an ENV name used to disable TLS communication
+	// PluginMetadataModeEnv is an ENV name used to disable TLS communication
 	// to bootstrap mounting plugins.
-	PluginMetadaModeEnv = "VAULT_PLUGIN_METADATA_MODE"
+	PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"
 )
 
 // generateCert is used internally to create certificates for the plugin
@@ -128,10 +128,10 @@ func wrapServerConfig(ctx context.Context, sys RunnerUtil, certBytes []byte, key
 	return wrapInfo.Token, nil
 }
 
-// VaultPluginTLSProvider is run inside a plugin and retrives the response
+// VaultPluginTLSProvider is run inside a plugin and retrieves the response
 // wrapped TLS certificate from vault. It returns a configured TLS Config.
 func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, error) {
-	if os.Getenv(PluginMetadaModeEnv) == "true" {
+	if os.Getenv(PluginMetadataModeEnv) == "true" {
 		return nil
 	}
 

helper/strutil/strutil.go

@@ -104,7 +104,7 @@ func ParseKeyValues(input string, out map[string]string, sep string) error {
 // * Base64 encoded string containing comma separated list of
 //   `<key>=<value>` pairs
 //
-// Input will be parsed into the output paramater, which should
+// Input will be parsed into the output parameter, which should
 // be a non-nil map[string]string.
 func ParseArbitraryKeyValues(input string, out map[string]string, sep string) error {
 	input = strings.TrimSpace(input)
@@ -167,7 +167,7 @@ func ParseStringSlice(input string, sep string) []string {
 // * JSON string
 // * Base64 encoded JSON string
 // * `sep` separated list of values
-// * Base64-encoded string containting a `sep` separated list of values
+// * Base64-encoded string containing a `sep` separated list of values
 //
 // Note that the separator is ignored if the input is found to already be in a
 // structured format (e.g., JSON)
@@ -282,7 +282,7 @@ func EquivalentSlices(a, b []string) bool {
 	return true
 }
 
-// StrListDelete removes the first occurance of the given item from the slice
+// StrListDelete removes the first occurrence of the given item from the slice
 // of strings if the item exists.
 func StrListDelete(s []string, d string) []string {
 	if s == nil {

http/sys_init_test.go

@@ -62,7 +62,7 @@ func TestSysInit_pgpKeysEntries(t *testing.T) {
 
 	resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
 		"secret_shares":   5,
-		"secret_threhold": 3,
+		"secret_threshold": 3,
 		"pgp_keys":        []string{"pgpkey1"},
 	})
 	testResponseStatus(t, resp, 400)

http/sys_wrapping_test.go

@@ -119,10 +119,10 @@ func TestHTTP_Wrapping(t *testing.T) {
 		}
 		creationTTL, _ := secret.Data["creation_ttl"].(json.Number).Int64()
 		if int(creationTTL) != wrapInfo.TTL {
-			t.Fatalf("mistmatched ttls: %d vs %d", creationTTL, wrapInfo.TTL)
+			t.Fatalf("mismatched ttls: %d vs %d", creationTTL, wrapInfo.TTL)
 		}
 		if secret.Data["creation_time"].(string) != wrapInfo.CreationTime.Format(time.RFC3339Nano) {
-			t.Fatalf("mistmatched creation times: %q vs %q", secret.Data["creation_time"].(string), wrapInfo.CreationTime.Format(time.RFC3339Nano))
+			t.Fatalf("mismatched creation times: %q vs %q", secret.Data["creation_time"].(string), wrapInfo.CreationTime.Format(time.RFC3339Nano))
 		}
 	}
 

logical/framework/backend.go

@@ -95,7 +95,7 @@ type periodicFunc func(context.Context, *logical.Request) error
 // OperationFunc is the callback called for an operation on a path.
 type OperationFunc func(context.Context, *logical.Request, *FieldData) (*logical.Response, error)
 
-// ExistenceFunc is the callback called for an existenc check on a path.
+// ExistenceFunc is the callback called for an existence check on a path.
 type ExistenceFunc func(context.Context, *logical.Request, *FieldData) (bool, error)
 
 // WALRollbackFunc is the callback for rollbacks.

logical/framework/field_data_test.go

@@ -224,7 +224,7 @@ func TestFieldDataGet(t *testing.T) {
 			[]string{},
 		},
 
-		"commma string slice type, string slice with one value": {
+		"comma string slice type, string slice with one value": {
 			map[string]*FieldSchema{
 				"foo": &FieldSchema{Type: TypeCommaStringSlice},
 			},
@@ -301,7 +301,7 @@ func TestFieldDataGet(t *testing.T) {
 			[]int{},
 		},
 
-		"commma int slice type, int slice with one value": {
+		"comma int slice type, int slice with one value": {
 			map[string]*FieldSchema{
 				"foo": &FieldSchema{Type: TypeCommaIntSlice},
 			},

logical/plugin/backend_server.go

@@ -28,7 +28,7 @@ type backendPluginServer struct {
 }
 
 func inMetadataMode() bool {
-	return os.Getenv(pluginutil.PluginMetadaModeEnv) == "true"
+	return os.Getenv(pluginutil.PluginMetadataModeEnv) == "true"
 }
 
 func (b *backendPluginServer) HandleRequest(args *HandleRequestArgs, reply *HandleRequestReply) error {

logical/plugin/pb/backend.proto

@@ -356,7 +356,7 @@ message InvalidateKeyArgs {
 
 // Backend is the interface that plugins must satisfy. The plugin should
 // implement the server for this service. Requests will first run the
-// HandleExistanceCheck rpc then run the HandleRequests rpc.
+// HandleExistenceCheck rpc then run the HandleRequests rpc.
 service Backend {
 	// HandleRequest is used to handle a request and generate a response.
 	// The plugins must check the operation type and handle appropriately.

logical/plugin/plugin.go

@@ -79,7 +79,7 @@ func NewBackend(ctx context.Context, pluginName string, sys pluginutil.LookRunne
 		var ok bool
 		backend, ok = backendRaw.(logical.Backend)
 		if !ok {
-			return nil, fmt.Errorf("unsuported backend type: %s", pluginName)
+			return nil, fmt.Errorf("unsupported backend type: %s", pluginName)
 		}
 
 	} else {

logical/plugin/serve.go

@@ -14,11 +14,11 @@ import (
 // dispensed rom the plugin server.
 const BackendPluginName = "backend"
 
-type TLSProdiverFunc func() (*tls.Config, error)
+type TLSProviderFunc func() (*tls.Config, error)
 
 type ServeOpts struct {
 	BackendFactoryFunc logical.Factory
-	TLSProviderFunc    TLSProdiverFunc
+	TLSProviderFunc    TLSProviderFunc
 	Logger             hclog.Logger
 }
 

logical/testing/testing.go

@@ -83,7 +83,7 @@ type TestStep struct {
 	// RemoteAddr, if set, will set the remote addr on the request.
 	RemoteAddr string
 
-	// ConnState, if set, will set the tls conneciton state
+	// ConnState, if set, will set the tls connection state
 	ConnState *tls.ConnectionState
 }
 

make.bat

@@ -13,7 +13,7 @@ REM Run target.
 for %%a in (%_TARGETS%) do (if x%1==x%%a goto %%a)
 goto usage
 
-REM bin generates the releaseable binaries for Vault
+REM bin generates the releasable binaries for Vault
 :bin
 	call :generate
 	call .\scripts\windows\build.bat "%CD%"

physical/etcd/etcd.go

@@ -22,7 +22,7 @@ var (
 	EtcdSemaphoreKeysEmptyError  = errors.New("lock queue is empty")
 	EtcdLockHeldError            = errors.New("lock already held")
 	EtcdLockNotHeldError         = errors.New("lock not held")
-	EtcdSemaphoreKeyRemovedError = errors.New("semaphore key removed before lock aquisition")
+	EtcdSemaphoreKeyRemovedError = errors.New("semaphore key removed before lock acquisition")
 	EtcdVersionUnknown           = errors.New("etcd: unknown API version")
 )
 

physical/etcd/etcd2.go

@@ -20,12 +20,12 @@ import (
 
 const (
 	// Ideally, this prefix would match the "_" used in the file backend, but
-	// that prefix has special meaining in etcd. Specifically, it excludes those
+	// that prefix has special meaning in etcd. Specifically, it excludes those
 	// entries from directory listings.
 	Etcd2NodeFilePrefix = "."
 
 	// The lock prefix can (and probably should) cause an entry to be excluded
-	// from diretory listings, so "_" works here.
+	// from directory listings, so "_" works here.
 	Etcd2NodeLockPrefix = "_"
 
 	// The delimiter is the same as the `-C` flag of etcdctl.
@@ -290,7 +290,7 @@ func (b *Etcd2Backend) nodePathDir(key string) string {
 }
 
 // nodePathLock returns an etcd directory path used specifically for semaphore
-// indicies based on the given key.
+// indices based on the given key.
 func (b *Etcd2Backend) nodePathLock(key string) string {
 	return filepath.Join(b.path, filepath.Dir(key), Etcd2NodeLockPrefix+filepath.Base(key)+"/")
 }
@@ -310,7 +310,7 @@ func (e *Etcd2Backend) HAEnabled() bool {
 	return e.haEnabled
 }
 
-// Etcd2Lock emplements a lock using and Etcd2 backend.
+// Etcd2Lock implements a lock using and Etcd2 backend.
 type Etcd2Lock struct {
 	kAPI                                 client.KeysAPI
 	value, semaphoreDirKey, semaphoreKey string
@@ -372,7 +372,7 @@ func (c *Etcd2Lock) isHeld() (bool, error) {
 		return false, nil
 	}
 
-	// Get the key of the curren holder of the lock.
+	// Get the key of the current holder of the lock.
 	currentSemaphoreKey, _, _, err := c.getSemaphoreKey()
 	if err != nil {
 		return false, err

physical/etcd/etcd3.go

@@ -242,7 +242,7 @@ func (e *EtcdBackend) HAEnabled() bool {
 	return e.haEnabled
 }
 
-// EtcdLock emplements a lock using and etcd backend.
+// EtcdLock implements a lock using and etcd backend.
 type EtcdLock struct {
 	lock sync.Mutex
 	held bool

physical/file/file.go

@@ -106,7 +106,7 @@ func (b *FileBackend) DeleteInternal(ctx context.Context, path string) error {
 	return err
 }
 
-// cleanupLogicalPath is used to remove all empty nodes, begining with deepest
+// cleanupLogicalPath is used to remove all empty nodes, beginning with deepest
 // one, aborting on first non-empty one, up to top-level node.
 func (b *FileBackend) cleanupLogicalPath(path string) error {
 	nodes := strings.Split(path, fmt.Sprintf("%c", os.PathSeparator))

physical/gcs/gcs.go

@@ -55,7 +55,7 @@ func NewGCSBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 	ctx := context.Background()
 	client, err := newGCSClient(ctx, conf, logger)
 	if err != nil {
-		return nil, errwrap.Wrapf("error establishing strorage client: {{err}}", err)
+		return nil, errwrap.Wrapf("error establishing storage client: {{err}}", err)
 	}
 
 	// check client connectivity by getting bucket attributes

physical/gcs/gcs_test.go

@@ -61,7 +61,7 @@ func TestGCSBackend(t *testing.T) {
 			}
 
 			// ignore errors in deleting a single object, we only care about deleting the bucket
-			// occassionally we get "storage: object doesn't exist" which is fine
+			// occasionally we get "storage: object doesn't exist" which is fine
 			bucket.Object(objAttrs.Name).Delete(context.Background())
 		}
 

physical/mysql/mysql.go

@@ -264,7 +264,7 @@ func (m *MySQLBackend) List(ctx context.Context, prefix string) ([]string, error
 }
 
 // Establish a TLS connection with a given CA certificate
-// Register a tsl.Config associted with the same key as the dns param from sql.Open
+// Register a tsl.Config associated with the same key as the dns param from sql.Open
 // foo:bar@tcp(127.0.0.1:3306)/dbname?tls=default
 func setupMySQLTLSConfig(tlsCaFile string) error {
 	rootCertPool := x509.NewCertPool()

physical/spanner/spanner_ha.go

@@ -313,7 +313,7 @@ func (l *Lock) watchLock() {
 	}
 }
 
-// writeLock writes the given lock using the following algorith:
+// writeLock writes the given lock using the following algorithm:
 //
 // - lock does not exist
 //   - write the lock

physical/zookeeper/zookeeper.go

@@ -96,7 +96,7 @@ func NewZooKeeperBackend(conf map[string]string, logger log.Logger) (physical.Ba
 		},
 	}
 
-	// Authnetication info
+	// Authentication info
 	var schemaAndUser string
 	var useAddAuth bool
 	schemaAndUser, useAddAuth = conf["auth_info"]
@@ -172,7 +172,7 @@ func (c *ZooKeeperBackend) ensurePath(path string, value []byte) error {
 	return nil
 }
 
-// cleanupLogicalPath is used to remove all empty nodes, begining with deepest one,
+// cleanupLogicalPath is used to remove all empty nodes, beginning with deepest one,
 // aborting on first non-empty one, up to top-level node.
 func (c *ZooKeeperBackend) cleanupLogicalPath(path string) error {
 	nodes := strings.Split(path, "/")
@@ -312,7 +312,7 @@ func (c *ZooKeeperBackend) List(ctx context.Context, prefix string) ([]string, e
 			}
 		} else if stat.DataLength == 0 {
 			// No, we cannot differentiate here on number of children as node
-			// can have all it leafs remoed, and it still is a node.
+			// can have all it leafs removed, and it still is a node.
 			children = append(children, key+"/")
 		} else {
 			children = append(children, key[1:])

plugins/database/cassandra/cassandra_test.go

@@ -246,7 +246,7 @@ func TestCassandra_RevokeUser(t *testing.T) {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
-	// Test default revoke statememts
+	// Test default revoke statements
 	err = db.RevokeUser(context.Background(), statements, username)
 	if err != nil {
 		t.Fatalf("err: %s", err)

plugins/database/cassandra/test-fixtures/cassandra.yaml

@@ -250,7 +250,7 @@ commit_failure_policy: stop
 #
 # Valid values are either "auto" (omitting the value) or a value greater 0.
 #
-# Note that specifying a too large value will result in long running GCs and possbily
+# Note that specifying a too large value will result in long running GCs and possibly
 # out-of-memory errors. Keep the value at a small fraction of the heap.
 #
 # If you constantly see "prepared statements discarded in the last minute because
@@ -259,7 +259,7 @@ commit_failure_policy: stop
 # i.e. use bind markers for variable parts.
 #
 # Do only change the default value, if you really have more prepared statements than
-# fit in the cache. In most cases it is not neccessary to change this value.
+# fit in the cache. In most cases it is not necessary to change this value.
 # Constantly re-preparing statements is a performance penalty.
 #
 # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater
@@ -1021,7 +1021,7 @@ client_encryption_options:
     keystore: conf/.keystore
     keystore_password: cassandra
     # require_client_auth: false
-    # Set trustore and truststore_password if require_client_auth is true
+    # Set truststore and truststore_password if require_client_auth is true
     # truststore: conf/.truststore
     # truststore_password: cassandra
     # More advanced defaults below:
@@ -1080,7 +1080,7 @@ windows_timer_interval: 1
 
 # Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from
 # a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by
-# the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys
+# the "key_alias" is the only key that will be used for encrypt operations; previously used keys
 # can still (and should!) be in the keystore and will be used on decrypt operations
 # (to handle the case of key rotation).
 #
@@ -1114,7 +1114,7 @@ transparent_data_encryption_options:
 # tombstones seen in memory so we can return them to the coordinator, which
 # will use them to make sure other replicas also know about the deleted rows.
 # With workloads that generate a lot of tombstones, this can cause performance
-# problems and even exaust the server heap.
+# problems and even exhaust the server heap.
 # (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)
 # Adjust the thresholds here if you understand the dangers and want to
 # scan more tombstones anyway.  These thresholds may also be adjusted at runtime

plugins/database/hana/hana_test.go

@@ -66,7 +66,7 @@ func TestHANA_CreateUser(t *testing.T) {
 		RoleName:    "test-test",
 	}
 
-	// Test with no configured Creation Statememt
+	// Test with no configured Creation Statement
 	_, _, err = db.CreateUser(context.Background(), dbplugin.Statements{}, usernameConfig, time.Now().Add(time.Hour))
 	if err == nil {
 		t.Fatal("Expected error when no creation statement is provided")
@@ -113,7 +113,7 @@ func TestHANA_RevokeUser(t *testing.T) {
 		RoleName:    "test-test",
 	}
 
-	// Test default revoke statememts
+	// Test default revoke statements
 	username, password, err := db.CreateUser(context.Background(), statements, usernameConfig, time.Now().Add(time.Hour))
 	if err != nil {
 		t.Fatalf("err: %s", err)
@@ -130,7 +130,7 @@ func TestHANA_RevokeUser(t *testing.T) {
 		t.Fatal("Credentials were not revoked")
 	}
 
-	// Test custom revoke statememt
+	// Test custom revoke statement
 	username, password, err = db.CreateUser(context.Background(), statements, usernameConfig, time.Now().Add(time.Hour))
 	if err != nil {
 		t.Fatalf("err: %s", err)

plugins/database/mongodb/connection_producer.go

@@ -88,7 +88,7 @@ func (c *mongoDBConnectionProducer) Initialize(ctx context.Context, conf map[str
 	return nil
 }
 
-// Connection creates or returns an exisitng a database connection. If the session fails
+// Connection creates or returns an existing a database connection. If the session fails
 // on a ping check, the session will be closed and then re-created.
 func (c *mongoDBConnectionProducer) Connection(_ context.Context) (interface{}, error) {
 	if !c.Initialized {

plugins/database/mongodb/mongodb.go

@@ -155,7 +155,7 @@ func (m *MongoDB) RenewUser(ctx context.Context, statements dbplugin.Statements,
 	return nil
 }
 
-// RevokeUser drops the specified user from the authentication databse. If none is provided
+// RevokeUser drops the specified user from the authentication database. If none is provided
 // in the revocation statement, the default "admin" authentication database will be assumed.
 func (m *MongoDB) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error {
 	session, err := m.getConnection(ctx)

plugins/database/mongodb/mongodb_test.go

@@ -206,7 +206,7 @@ func TestMongoDB_RevokeUser(t *testing.T) {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
-	// Test default revocation statememt
+	// Test default revocation statement
 	err = db.RevokeUser(context.Background(), statements, username)
 	if err != nil {
 		t.Fatalf("err: %s", err)

plugins/database/mssql/mssql.go

@@ -283,7 +283,7 @@ func (m *MSSQL) revokeUserDefault(ctx context.Context, username string) error {
 
 	// can't drop if not all database users are dropped
 	if rows.Err() != nil {
-		return fmt.Errorf("cound not generate sql statements for all rows: %s", rows.Err())
+		return fmt.Errorf("could not generate sql statements for all rows: %s", rows.Err())
 	}
 	if lastStmtError != nil {
 		return fmt.Errorf("could not perform all sql statements: %s", lastStmtError)

plugins/database/mssql/mssql_test.go

@@ -80,7 +80,7 @@ func TestMSSQL_CreateUser(t *testing.T) {
 		RoleName:    "test",
 	}
 
-	// Test with no configured Creation Statememt
+	// Test with no configured Creation Statement
 	_, _, err = db.CreateUser(context.Background(), dbplugin.Statements{}, usernameConfig, time.Now().Add(time.Minute))
 	if err == nil {
 		t.Fatal("Expected error when no creation statement is provided")
@@ -135,7 +135,7 @@ func TestMSSQL_RevokeUser(t *testing.T) {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
-	// Test default revoke statememts
+	// Test default revoke statements
 	err = db.RevokeUser(context.Background(), statements, username)
 	if err != nil {
 		t.Fatalf("err: %s", err)
@@ -154,7 +154,7 @@ func TestMSSQL_RevokeUser(t *testing.T) {
 		t.Fatalf("Could not connect with new credentials: %s", err)
 	}
 
-	// Test custom revoke statememt
+	// Test custom revoke statement
 	statements.RevocationStatements = testMSSQLDrop
 	err = db.RevokeUser(context.Background(), statements, username)
 	if err != nil {