Bump API/SDK and adapt to move from SDK stuff

2020-02-15 14:58:05 -05:00 · 2020-02-15 14:58:05 -05:00 · 844b2c3a5d
parent 7779c077e6
commit 844b2c3a5d
18 changed files with 59 additions and 461 deletions
--- a/command/agent.go
+++ b/command/agent.go
@ -35,8 +35,8 @@ import (
 	"github.com/hashicorp/vault/command/agent/sink/file"
 	"github.com/hashicorp/vault/command/agent/sink/inmem"
 	"github.com/hashicorp/vault/command/agent/template"
+	"github.com/hashicorp/vault/internalshared/gatedwriter"
 	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/gatedwriter"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/version"
--- a/command/agent/cache/listener.go
+++ b/command/agent/cache/listener.go
@ -9,7 +9,7 @@ import (

 	"github.com/hashicorp/vault/command/agent/config"
 	"github.com/hashicorp/vault/command/server"
-	"github.com/hashicorp/vault/sdk/helper/listenerutil"
+	"github.com/hashicorp/vault/internalshared/listenerutil"
 )

 func StartListener(lnConfig *config.Listener) (net.Listener, *tls.Config, error) {
--- a/command/debug.go
+++ b/command/debug.go
@ -14,7 +14,7 @@ import (

 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
-	"github.com/hashicorp/vault/sdk/helper/gatedwriter"
+	"github.com/hashicorp/vault/internalshared/gatedwriter"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/version"
--- a/command/server.go
+++ b/command/server.go
@ -40,12 +40,12 @@ import (
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
 	vaulthttp "github.com/hashicorp/vault/http"
-	"github.com/hashicorp/vault/sdk/helper/gatedwriter"
+	"github.com/hashicorp/vault/internalshared/gatedwriter"
+	"github.com/hashicorp/vault/internalshared/reloadutil"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/helper/mlock"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
-	"github.com/hashicorp/vault/sdk/helper/reload"
 	"github.com/hashicorp/vault/sdk/helper/useragent"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/physical"
@ -97,36 +97,36 @@ type ServerCommand struct {
 	cleanupGuard sync.Once

 	reloadFuncsLock *sync.RWMutex
-	reloadFuncs     *map[string][]reload.ReloadFunc
+	reloadFuncs     *map[string][]reloadutil.ReloadFunc
 	startedCh       chan (struct{}) // for tests
 	reloadedCh      chan (struct{}) // for tests

 	// new stuff
-	flagConfigs          []string
-	flagLogLevel         string
-	flagLogFormat        string
-	flagRecovery         bool
-	flagDev              bool
-	flagDevRootTokenID   string
-	flagDevListenAddr    string
-	flagDevNoStoreToken  bool
-	flagDevPluginDir     string
-	flagDevPluginInit    bool
-	flagDevHA            bool
-	flagDevLatency       int
-	flagDevLatencyJitter int
-	flagDevLeasedKV      bool
-	flagDevKVV1          bool
-	flagDevSkipInit      bool
-	flagDevThreeNode     bool
-	flagDevFourCluster   bool
-	flagDevTransactional bool
-	flagDevAutoSeal      bool
-	flagTestVerifyOnly   bool
-	flagCombineLogs      bool
-	flagTestServerConfig bool
-	flagDevConsul        bool
-  flagExitOnCoreShutdown bool
+	flagConfigs            []string
+	flagLogLevel           string
+	flagLogFormat          string
+	flagRecovery           bool
+	flagDev                bool
+	flagDevRootTokenID     string
+	flagDevListenAddr      string
+	flagDevNoStoreToken    bool
+	flagDevPluginDir       string
+	flagDevPluginInit      bool
+	flagDevHA              bool
+	flagDevLatency         int
+	flagDevLatencyJitter   int
+	flagDevLeasedKV        bool
+	flagDevKVV1            bool
+	flagDevSkipInit        bool
+	flagDevThreeNode       bool
+	flagDevFourCluster     bool
+	flagDevTransactional   bool
+	flagDevAutoSeal        bool
+	flagTestVerifyOnly     bool
+	flagCombineLogs        bool
+	flagTestServerConfig   bool
+	flagDevConsul          bool
+	flagExitOnCoreShutdown bool
 }

 type ServerListener struct {
@ -2483,7 +2483,7 @@ func (c *ServerCommand) setupTelemetry(config *server.Config) (*metricsutil.Metr
 	return metricHelper, nil
 }

-func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reload.ReloadFunc, configPath []string) error {
+func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reloadutil.ReloadFunc, configPath []string) error {
 	lock.RLock()
 	defer lock.RUnlock()

--- a/command/server/listener.go
+++ b/command/server/listener.go
@ -10,12 +10,12 @@ import (
 	"net"

 	"github.com/hashicorp/vault/helper/proxyutil"
-	"github.com/hashicorp/vault/sdk/helper/reload"
+	"github.com/hashicorp/vault/internalshared/reloadutil"
 	"github.com/mitchellh/cli"
 )

 // ListenerFactory is the factory function to create a listener.
-type ListenerFactory func(map[string]interface{}, io.Writer, cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error)
+type ListenerFactory func(map[string]interface{}, io.Writer, cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error)

 // BuiltinListeners is the list of built-in listener types.
 var BuiltinListeners = map[string]ListenerFactory{
@ -24,7 +24,7 @@ var BuiltinListeners = map[string]ListenerFactory{

 // NewListener creates a new listener of the given type with the given
 // configuration. The type is looked up in the BuiltinListeners map.
-func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
+func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error) {
 	f, ok := BuiltinListeners[t]
 	if !ok {
 		return nil, nil, nil, fmt.Errorf("unknown listener type: %q", t)
--- a/command/server/listener_tcp.go
+++ b/command/server/listener_tcp.go
@ -9,13 +9,13 @@ import (
 	"time"

 	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/vault/sdk/helper/listenerutil"
+	"github.com/hashicorp/vault/internalshared/listenerutil"
+	"github.com/hashicorp/vault/internalshared/reloadutil"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
-	"github.com/hashicorp/vault/sdk/helper/reload"
 	"github.com/mitchellh/cli"
 )

-func tcpListenerFactory(config map[string]interface{}, _ io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
+func tcpListenerFactory(config map[string]interface{}, _ io.Writer, ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error) {
 	bindProto := "tcp"
 	var addr string
 	addrRaw, ok := config["address"]
--- a/go.mod
+++ b/go.mod
@ -88,12 +88,13 @@ require (
 	github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20191017213228-e8cf7060a4d0
 	github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.0.0-20200124190647-0026e6bed4fb
 	github.com/hashicorp/vault-plugin-secrets-openldap v0.0.0-20200215165936-237ad8919d2c
-	github.com/hashicorp/vault/api v1.0.5-0.20200214222743-c39f5634b39f
-	github.com/hashicorp/vault/sdk v0.1.14-0.20200214222719-7a3b716487a5
+	github.com/hashicorp/vault/api v1.0.5-0.20200215195706-26a747400a65
+	github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500
 	github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4
 	github.com/jackc/fake v0.0.0-20150926172116-812a484cc733 // indirect
 	github.com/jackc/pgx v3.3.0+incompatible // indirect
 	github.com/jcmturner/gokrb5/v8 v8.0.0
+	github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f
 	github.com/jefferai/jsonx v1.0.0
 	github.com/joyent/triton-go v0.0.0-20190112182421-51ffac552869
 	github.com/keybase/go-crypto v0.0.0-20190403132359-d65b6b94177f
--- a/internalshared/listenerutil/listener.go
+++ b/internalshared/listenerutil/listener.go
@ -11,8 +11,8 @@ import (
 	"strconv"

 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/internalshared/reloadutil"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
-	"github.com/hashicorp/vault/sdk/helper/reload"
 	"github.com/hashicorp/vault/sdk/helper/tlsutil"
 	"github.com/jefferai/isbadcipher"
 	"github.com/mitchellh/cli"
@ -71,7 +71,7 @@ func WrapTLS(
 	ln net.Listener,
 	props map[string]string,
 	config map[string]interface{},
-	ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, *tls.Config, error) {
+	ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, *tls.Config, error) {
 	props["tls"] = "disabled"

 	if v, ok := config["tls_disable"]; ok {
@ -95,7 +95,7 @@ func WrapTLS(
 	}
 	keyFile := keyFileRaw.(string)

-	cg := reload.NewCertificateGetter(certFile, keyFile, "")
+	cg := reloadutil.NewCertificateGetter(certFile, keyFile, "")
 	if err := cg.Reload(config); err != nil {
 		// We try the key without a passphrase first and if we get an incorrect
 		// passphrase response, try again after prompting for a passphrase
@ -103,7 +103,7 @@ func WrapTLS(
 			var passphrase string
 			passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", keyFile))
 			if err == nil {
-				cg = reload.NewCertificateGetter(certFile, keyFile, passphrase)
+				cg = reloadutil.NewCertificateGetter(certFile, keyFile, passphrase)
 				if err = cg.Reload(config); err == nil {
 					goto PASSPHRASECORRECT
 				}
--- a/internalshared/reloadutil/reload.go
+++ b/internalshared/reloadutil/reload.go
@ -1,4 +1,4 @@
-package reload
+package reloadutil

 import (
 	"crypto/tls"
--- a/internalshared/reloadutil/reload_test.go
+++ b/internalshared/reloadutil/reload_test.go
@ -1,4 +1,4 @@
-package reload
+package reloadutil

 import (
 	"crypto/x509"
--- a/vault/core.go
+++ b/vault/core.go
@ -30,13 +30,13 @@ import (
 	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/internalshared/reloadutil"
 	"github.com/hashicorp/vault/physical/raft"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/helper/mlock"
-	"github.com/hashicorp/vault/sdk/helper/reload"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/helper/tlsutil"
 	"github.com/hashicorp/vault/sdk/logical"
@ -365,7 +365,7 @@ type Core struct {
 	physicalCache physical.ToggleablePurgemonster

 	// reloadFuncs is a map containing reload functions
-	reloadFuncs map[string][]reload.ReloadFunc
+	reloadFuncs map[string][]reloadutil.ReloadFunc

 	// reloadFuncsLock controls access to the funcs
 	reloadFuncsLock sync.RWMutex
@ -582,7 +582,7 @@ type CoreConfig struct {

 	RawConfig *server.Config

-	ReloadFuncs     *map[string][]reload.ReloadFunc
+	ReloadFuncs     *map[string][]reloadutil.ReloadFunc
 	ReloadFuncsLock *sync.RWMutex

 	// Licensing
@ -855,7 +855,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 	// the caller can share state
 	conf.ReloadFuncsLock = &c.reloadFuncsLock
 	c.reloadFuncsLock.Lock()
-	c.reloadFuncs = make(map[string][]reload.ReloadFunc)
+	c.reloadFuncs = make(map[string][]reloadutil.ReloadFunc)
 	c.reloadFuncsLock.Unlock()
 	conf.ReloadFuncs = &c.reloadFuncs

--- a/vault/testing.go
+++ b/vault/testing.go
@ -44,12 +44,12 @@ import (
 	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/command/server"
 	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/internalshared/reloadutil"
 	dbMysql "github.com/hashicorp/vault/plugins/database/mysql"
 	dbPostgres "github.com/hashicorp/vault/plugins/database/postgresql"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/helper/reload"
 	"github.com/hashicorp/vault/sdk/helper/salt"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/physical"
@ -1023,7 +1023,7 @@ type TestClusterCore struct {
 	Client               *api.Client
 	Handler              http.Handler
 	Listeners            []*TestListener
-	ReloadFuncs          *map[string][]reload.ReloadFunc
+	ReloadFuncs          *map[string][]reloadutil.ReloadFunc
 	ReloadFuncsLock      *sync.RWMutex
 	Server               *http.Server
 	ServerCert           *x509.Certificate
@ -1295,7 +1295,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 	servers := []*http.Server{}
 	handlers := []http.Handler{}
 	tlsConfigs := []*tls.Config{}
-	certGetters := []*reload.CertificateGetter{}
+	certGetters := []*reloadutil.CertificateGetter{}
 	for i := 0; i < numCores; i++ {
 		baseAddr.Port = ports[i]
 		ln, err := net.ListenTCP("tcp", baseAddr)
@ -1316,7 +1316,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 		if err != nil {
 			t.Fatal(err)
 		}
-		certGetter := reload.NewCertificateGetter(certFile, keyFile, "")
+		certGetter := reloadutil.NewCertificateGetter(certFile, keyFile, "")
 		certGetters = append(certGetters, certGetter)
 		certGetter.Reload(nil)
 		tlsConfig := &tls.Config{
@ -1773,7 +1773,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 		tcc.ReloadFuncs = &cores[i].reloadFuncs
 		tcc.ReloadFuncsLock = &cores[i].reloadFuncsLock
 		tcc.ReloadFuncsLock.Lock()
-		(*tcc.ReloadFuncs)["listener|tcp"] = []reload.ReloadFunc{certGetters[i].Reload}
+		(*tcc.ReloadFuncs)["listener|tcp"] = []reloadutil.ReloadFunc{certGetters[i].Reload}
 		tcc.ReloadFuncsLock.Unlock()

 		testAdjustTestCore(base, tcc)
--- a/vendor/github.com/hashicorp/vault/api/go.mod
+++ b/vendor/github.com/hashicorp/vault/api/go.mod
@ -12,7 +12,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.6.2
 	github.com/hashicorp/go-rootcerts v1.0.1
 	github.com/hashicorp/hcl v1.0.0
-	github.com/hashicorp/vault/sdk v0.1.14-0.20200214222719-7a3b716487a5
+	github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500
 	github.com/mitchellh/mapstructure v1.1.2
 	golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
 	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
--- a/vendor/github.com/hashicorp/vault/api/go.sum
+++ b/vendor/github.com/hashicorp/vault/api/go.sum
@ -56,7 +56,6 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f/go.mod h1:3J2qVK16Lq8V+wfiL2lPeDZ7UWMxk5LemerHa1p6N00=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
--- a/vendor/github.com/hashicorp/vault/sdk/helper/gatedwriter/writer.go
+++ b/vendor/github.com/hashicorp/vault/sdk/helper/gatedwriter/writer.go
@ -1,43 +0,0 @@
-package gatedwriter
-
-import (
-	"bytes"
-	"io"
-	"sync"
-)
-
-// Writer is an io.Writer implementation that buffers all of its
-// data into an internal buffer until it is told to let data through.
-type Writer struct {
-	writer io.Writer
-
-	buf   bytes.Buffer
-	flush bool
-	lock  sync.Mutex
-}
-
-func NewWriter(underlying io.Writer) *Writer {
-	return &Writer{writer: underlying}
-}
-
-// Flush tells the Writer to flush any buffered data and to stop
-// buffering.
-func (w *Writer) Flush() error {
-	w.lock.Lock()
-	defer w.lock.Unlock()
-
-	w.flush = true
-	_, err := w.buf.WriteTo(w.writer)
-	return err
-}
-
-func (w *Writer) Write(p []byte) (n int, err error) {
-	w.lock.Lock()
-	defer w.lock.Unlock()
-
-	if w.flush {
-		return w.writer.Write(p)
-	}
-
-	return w.buf.Write(p)
-}
--- a/vendor/github.com/hashicorp/vault/sdk/helper/listenerutil/listener.go
+++ b/vendor/github.com/hashicorp/vault/sdk/helper/listenerutil/listener.go
@ -1,271 +0,0 @@
-package listenerutil
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"io/ioutil"
-	"net"
-	"os"
-	osuser "os/user"
-	"strconv"
-
-	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/vault/sdk/helper/parseutil"
-	"github.com/hashicorp/vault/sdk/helper/reload"
-	"github.com/hashicorp/vault/sdk/helper/tlsutil"
-	"github.com/jefferai/isbadcipher"
-	"github.com/mitchellh/cli"
-)
-
-type UnixSocketsConfig struct {
-	User  string `hcl:"user"`
-	Mode  string `hcl:"mode"`
-	Group string `hcl:"group"`
-}
-
-// rmListener is an implementation of net.Listener that forwards most
-// calls to the listener but also removes a file as part of the close. We
-// use this to cleanup the unix domain socket on close.
-type rmListener struct {
-	net.Listener
-	Path string
-}
-
-func (l *rmListener) Close() error {
-	// Close the listener itself
-	if err := l.Listener.Close(); err != nil {
-		return err
-	}
-
-	// Remove the file
-	return os.Remove(l.Path)
-}
-
-func UnixSocketListener(path string, unixSocketsConfig *UnixSocketsConfig) (net.Listener, error) {
-	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
-		return nil, fmt.Errorf("failed to remove socket file: %v", err)
-	}
-
-	ln, err := net.Listen("unix", path)
-	if err != nil {
-		return nil, err
-	}
-
-	if unixSocketsConfig != nil {
-		err = setFilePermissions(path, unixSocketsConfig.User, unixSocketsConfig.Group, unixSocketsConfig.Mode)
-		if err != nil {
-			return nil, fmt.Errorf("failed to set file system permissions on the socket file: %s", err)
-		}
-	}
-
-	// Wrap the listener in rmListener so that the Unix domain socket file is
-	// removed on close.
-	return &rmListener{
-		Listener: ln,
-		Path:     path,
-	}, nil
-}
-
-func WrapTLS(
-	ln net.Listener,
-	props map[string]string,
-	config map[string]interface{},
-	ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, *tls.Config, error) {
-	props["tls"] = "disabled"
-
-	if v, ok := config["tls_disable"]; ok {
-		disabled, err := parseutil.ParseBool(v)
-		if err != nil {
-			return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable': {{err}}", err)
-		}
-		if disabled {
-			return ln, props, nil, nil, nil
-		}
-	}
-
-	certFileRaw, ok := config["tls_cert_file"]
-	if !ok {
-		return nil, nil, nil, nil, fmt.Errorf("'tls_cert_file' must be set")
-	}
-	certFile := certFileRaw.(string)
-	keyFileRaw, ok := config["tls_key_file"]
-	if !ok {
-		return nil, nil, nil, nil, fmt.Errorf("'tls_key_file' must be set")
-	}
-	keyFile := keyFileRaw.(string)
-
-	cg := reload.NewCertificateGetter(certFile, keyFile, "")
-	if err := cg.Reload(config); err != nil {
-		// We try the key without a passphrase first and if we get an incorrect
-		// passphrase response, try again after prompting for a passphrase
-		if errwrap.Contains(err, x509.IncorrectPasswordError.Error()) {
-			var passphrase string
-			passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", keyFile))
-			if err == nil {
-				cg = reload.NewCertificateGetter(certFile, keyFile, passphrase)
-				if err = cg.Reload(config); err == nil {
-					goto PASSPHRASECORRECT
-				}
-			}
-		}
-		return nil, nil, nil, nil, errwrap.Wrapf("error loading TLS cert: {{err}}", err)
-	}
-
-PASSPHRASECORRECT:
-	var tlsvers string
-	tlsversRaw, ok := config["tls_min_version"]
-	if !ok {
-		tlsvers = "tls12"
-	} else {
-		tlsvers = tlsversRaw.(string)
-	}
-
-	tlsConf := &tls.Config{}
-	tlsConf.GetCertificate = cg.GetCertificate
-	tlsConf.NextProtos = []string{"h2", "http/1.1"}
-	tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers]
-	if !ok {
-		return nil, nil, nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", tlsvers)
-	}
-	tlsConf.ClientAuth = tls.RequestClientCert
-
-	if v, ok := config["tls_cipher_suites"]; ok {
-		ciphers, err := tlsutil.ParseCiphers(v.(string))
-		if err != nil {
-			return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_cipher_suites': {{err}}", err)
-		}
-
-		// HTTP/2 with TLS 1.2 blacklists several cipher suites.
-		// https://tools.ietf.org/html/rfc7540#appendix-A
-		//
-		// Since the CLI (net/http) automatically uses HTTP/2 with TLS 1.2,
-		// we check here if all or some specified cipher suites are blacklisted.
-		badCiphers := []string{}
-		for _, cipher := range ciphers {
-			if isbadcipher.IsBadCipher(cipher) {
-				// Get the name of the current cipher.
-				cipherStr, err := tlsutil.GetCipherName(cipher)
-				if err != nil {
-					return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_cipher_suites': {{err}}", err)
-				}
-				badCiphers = append(badCiphers, cipherStr)
-			}
-		}
-		if len(badCiphers) == len(ciphers) {
-			ui.Warn(`WARNING! All cipher suites defined by 'tls_cipher_suites' are blacklisted by the
-HTTP/2 specification. HTTP/2 communication with TLS 1.2 will not work as intended
-and Vault will be unavailable via the CLI.
-Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`)
-		} else if len(badCiphers) > 0 {
-			ui.Warn(fmt.Sprintf(`WARNING! The following cipher suites defined by 'tls_cipher_suites' are
-blacklisted by the HTTP/2 specification:
-%v
-Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`, badCiphers))
-		}
-		tlsConf.CipherSuites = ciphers
-	}
-	if v, ok := config["tls_prefer_server_cipher_suites"]; ok {
-		preferServer, err := parseutil.ParseBool(v)
-		if err != nil {
-			return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_prefer_server_cipher_suites': {{err}}", err)
-		}
-		tlsConf.PreferServerCipherSuites = preferServer
-	}
-	var requireVerifyCerts bool
-	var err error
-	if v, ok := config["tls_require_and_verify_client_cert"]; ok {
-		requireVerifyCerts, err = parseutil.ParseBool(v)
-		if err != nil {
-			return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_require_and_verify_client_cert': {{err}}", err)
-		}
-		if requireVerifyCerts {
-			tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
-		}
-		if tlsClientCaFile, ok := config["tls_client_ca_file"]; ok {
-			caPool := x509.NewCertPool()
-			data, err := ioutil.ReadFile(tlsClientCaFile.(string))
-			if err != nil {
-				return nil, nil, nil, nil, errwrap.Wrapf("failed to read tls_client_ca_file: {{err}}", err)
-			}
-
-			if !caPool.AppendCertsFromPEM(data) {
-				return nil, nil, nil, nil, fmt.Errorf("failed to parse CA certificate in tls_client_ca_file")
-			}
-			tlsConf.ClientCAs = caPool
-		}
-	}
-	if v, ok := config["tls_disable_client_certs"]; ok {
-		disableClientCerts, err := parseutil.ParseBool(v)
-		if err != nil {
-			return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable_client_certs': {{err}}", err)
-		}
-		if disableClientCerts && requireVerifyCerts {
-			return nil, nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")
-		}
-		if disableClientCerts {
-			tlsConf.ClientAuth = tls.NoClientCert
-		}
-	}
-
-	ln = tls.NewListener(ln, tlsConf)
-	props["tls"] = "enabled"
-	return ln, props, cg.Reload, tlsConf, nil
-}
-
-// setFilePermissions handles configuring ownership and permissions
-// settings on a given file. All permission/ownership settings are
-// optional. If no user or group is specified, the current user/group
-// will be used. Mode is optional, and has no default (the operation is
-// not performed if absent). User may be specified by name or ID, but
-// group may only be specified by ID.
-func setFilePermissions(path string, user, group, mode string) error {
-	var err error
-	uid, gid := os.Getuid(), os.Getgid()
-
-	if user != "" {
-		if uid, err = strconv.Atoi(user); err == nil {
-			goto GROUP
-		}
-
-		// Try looking up the user by name
-		u, err := osuser.Lookup(user)
-		if err != nil {
-			return fmt.Errorf("failed to look up user %q: %v", user, err)
-		}
-		uid, _ = strconv.Atoi(u.Uid)
-	}
-
-GROUP:
-	if group != "" {
-		if gid, err = strconv.Atoi(group); err == nil {
-			goto OWN
-		}
-
-		// Try looking up the user by name
-		g, err := osuser.LookupGroup(group)
-		if err != nil {
-			return fmt.Errorf("failed to look up group %q: %v", user, err)
-		}
-		gid, _ = strconv.Atoi(g.Gid)
-	}
-
-OWN:
-	if err := os.Chown(path, uid, gid); err != nil {
-		return fmt.Errorf("failed setting ownership to %d:%d on %q: %v",
-			uid, gid, path, err)
-	}
-
-	if mode != "" {
-		mode, err := strconv.ParseUint(mode, 8, 32)
-		if err != nil {
-			return fmt.Errorf("invalid mode specified: %v", mode)
-		}
-		if err := os.Chmod(path, os.FileMode(mode)); err != nil {
-			return fmt.Errorf("failed setting permissions to %d on %q: %v",
-				mode, path, err)
-		}
-	}
-
-	return nil
-}
--- a/vendor/github.com/hashicorp/vault/sdk/helper/reload/reload.go
+++ b/vendor/github.com/hashicorp/vault/sdk/helper/reload/reload.go
@ -1,85 +0,0 @@
-package reload
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"sync"
-
-	"github.com/hashicorp/errwrap"
-)
-
-// ReloadFunc are functions that are called when a reload is requested
-type ReloadFunc func(map[string]interface{}) error
-
-// CertificateGetter satisfies ReloadFunc and its GetCertificate method
-// satisfies the tls.GetCertificate function signature.  Currently it does not
-// allow changing paths after the fact.
-type CertificateGetter struct {
-	sync.RWMutex
-
-	cert *tls.Certificate
-
-	certFile   string
-	keyFile    string
-	passphrase string
-}
-
-func NewCertificateGetter(certFile, keyFile, passphrase string) *CertificateGetter {
-	return &CertificateGetter{
-		certFile:   certFile,
-		keyFile:    keyFile,
-		passphrase: passphrase,
-	}
-}
-
-func (cg *CertificateGetter) Reload(_ map[string]interface{}) error {
-	certPEMBlock, err := ioutil.ReadFile(cg.certFile)
-	if err != nil {
-		return err
-	}
-	keyPEMBlock, err := ioutil.ReadFile(cg.keyFile)
-	if err != nil {
-		return err
-	}
-
-	// Check for encrypted pem block
-	keyBlock, _ := pem.Decode(keyPEMBlock)
-	if keyBlock == nil {
-		return errors.New("decoded PEM is blank")
-	}
-
-	if x509.IsEncryptedPEMBlock(keyBlock) {
-		keyBlock.Bytes, err = x509.DecryptPEMBlock(keyBlock, []byte(cg.passphrase))
-		if err != nil {
-			return errwrap.Wrapf("Decrypting PEM block failed {{err}}", err)
-		}
-		keyPEMBlock = pem.EncodeToMemory(keyBlock)
-	}
-
-	cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
-	if err != nil {
-		return err
-	}
-
-	cg.Lock()
-	defer cg.Unlock()
-
-	cg.cert = &cert
-
-	return nil
-}
-
-func (cg *CertificateGetter) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	cg.RLock()
-	defer cg.RUnlock()
-
-	if cg.cert == nil {
-		return nil, fmt.Errorf("nil certificate")
-	}
-
-	return cg.cert, nil
-}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -428,9 +428,9 @@ github.com/hashicorp/vault-plugin-secrets-mongodbatlas
 # github.com/hashicorp/vault-plugin-secrets-openldap v0.0.0-20200215165936-237ad8919d2c
 github.com/hashicorp/vault-plugin-secrets-openldap
 github.com/hashicorp/vault-plugin-secrets-openldap/client
-# github.com/hashicorp/vault/api v1.0.5-0.20200214222743-c39f5634b39f => ./api
+# github.com/hashicorp/vault/api v1.0.5-0.20200215195706-26a747400a65 => ./api
 github.com/hashicorp/vault/api
-# github.com/hashicorp/vault/sdk v0.1.14-0.20200214222719-7a3b716487a5 => ./sdk
+# github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500 => ./sdk
 github.com/hashicorp/vault/sdk/database/dbplugin
 github.com/hashicorp/vault/sdk/database/helper/connutil
 github.com/hashicorp/vault/sdk/database/helper/credsutil
@ -445,7 +445,6 @@ github.com/hashicorp/vault/sdk/helper/consts
 github.com/hashicorp/vault/sdk/helper/cryptoutil
 github.com/hashicorp/vault/sdk/helper/dbtxn
 github.com/hashicorp/vault/sdk/helper/errutil
-github.com/hashicorp/vault/sdk/helper/gatedwriter
 github.com/hashicorp/vault/sdk/helper/hclutil
 github.com/hashicorp/vault/sdk/helper/identitytpl
 github.com/hashicorp/vault/sdk/helper/jsonutil
@ -453,7 +452,6 @@ github.com/hashicorp/vault/sdk/helper/kdf
 github.com/hashicorp/vault/sdk/helper/keysutil
 github.com/hashicorp/vault/sdk/helper/ldaputil
 github.com/hashicorp/vault/sdk/helper/license
-github.com/hashicorp/vault/sdk/helper/listenerutil
 github.com/hashicorp/vault/sdk/helper/locksutil
 github.com/hashicorp/vault/sdk/helper/logging
 github.com/hashicorp/vault/sdk/helper/mlock
@ -463,7 +461,6 @@ github.com/hashicorp/vault/sdk/helper/pathmanager
 github.com/hashicorp/vault/sdk/helper/pluginutil
 github.com/hashicorp/vault/sdk/helper/pointerutil
 github.com/hashicorp/vault/sdk/helper/policyutil
-github.com/hashicorp/vault/sdk/helper/reload
 github.com/hashicorp/vault/sdk/helper/salt
 github.com/hashicorp/vault/sdk/helper/strutil
 github.com/hashicorp/vault/sdk/helper/tlsutil