Do some porting to make diffing easier

2017-02-24 10:45:29 -05:00 · 2017-02-24 10:45:29 -05:00 · b29861f7bb
parent 4e045d000c
commit b29861f7bb
12 changed files with 172 additions and 23 deletions
--- a/command/server.go
+++ b/command/server.go
@ -302,6 +302,9 @@ func (c *ServerCommand) Run(args []string) int {
 			coreConfig.RedirectAddr = redirect
 		}
 	}
+	if coreConfig.RedirectAddr == "" && dev {
+		coreConfig.RedirectAddr = fmt.Sprintf("http://%s", config.Listeners[0].Config["address"])
+	}

 	// After the redirect bits are sorted out, if no cluster address was
 	// explicitly given, derive one from the redirect addr
@ -309,10 +312,16 @@ func (c *ServerCommand) Run(args []string) int {
 		coreConfig.ClusterAddr = ""
 	} else if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
 		coreConfig.ClusterAddr = envCA
-	} else if coreConfig.ClusterAddr == "" && coreConfig.RedirectAddr != "" {
-		u, err := url.ParseRequestURI(coreConfig.RedirectAddr)
+	} else {
+		var addrToUse string
+		if coreConfig.ClusterAddr == "" && coreConfig.RedirectAddr != "" {
+			addrToUse = coreConfig.RedirectAddr
+		} else if dev {
+			addrToUse = fmt.Sprintf("http://%s", config.Listeners[0].Config["address"])
+		}
+		u, err := url.ParseRequestURI(addrToUse)
 		if err != nil {
-			c.Ui.Output(fmt.Sprintf("Error parsing redirect address %s: %v", coreConfig.RedirectAddr, err))
+			c.Ui.Output(fmt.Sprintf("Error parsing synthesized cluster address %s: %v", addrToUse, err))
 			return 1
 		}
 		host, port, err := net.SplitHostPort(u.Host)
@ -328,7 +337,7 @@ func (c *ServerCommand) Run(args []string) int {
 		}
 		nPort, err := strconv.Atoi(port)
 		if err != nil {
-			c.Ui.Output(fmt.Sprintf("Error parsing redirect address; failed to convert %q to a numeric: %v", port, err))
+			c.Ui.Output(fmt.Sprintf("Error parsing synthesized address; failed to convert %q to a numeric: %v", port, err))
 			return 1
 		}
 		u.Host = net.JoinHostPort(host, strconv.Itoa(nPort+1))
@ -368,25 +377,23 @@ func (c *ServerCommand) Run(args []string) int {
 		mlock.Supported(), !config.DisableMlock && mlock.Supported())
 	infoKeys = append(infoKeys, "log level", "mlock", "backend")

+	if coreConfig.ClusterAddr != "" {
+		info["cluster address"] = coreConfig.ClusterAddr
+		infoKeys = append(infoKeys, "cluster address")
+	}
+	if coreConfig.RedirectAddr != "" {
+		info["redirect address"] = coreConfig.RedirectAddr
+		infoKeys = append(infoKeys, "redirect address")
+	}
+
 	if config.HABackend != nil {
 		info["HA backend"] = config.HABackend.Type
-		info["redirect address"] = coreConfig.RedirectAddr
-		infoKeys = append(infoKeys, "HA backend", "redirect address")
-		if coreConfig.ClusterAddr != "" {
-			info["cluster address"] = coreConfig.ClusterAddr
-			infoKeys = append(infoKeys, "cluster address")
-		}
+		infoKeys = append(infoKeys, "HA backend")
 	} else {
 		// If the backend supports HA, then note it
 		if coreConfig.HAPhysical != nil {
 			if coreConfig.HAPhysical.HAEnabled() {
 				info["backend"] += " (HA available)"
-				info["redirect address"] = coreConfig.RedirectAddr
-				infoKeys = append(infoKeys, "redirect address")
-				if coreConfig.ClusterAddr != "" {
-					info["cluster address"] = coreConfig.ClusterAddr
-					infoKeys = append(infoKeys, "cluster address")
-				}
 			} else {
 				info["backend"] += " (HA disabled)"
 			}
@ -442,10 +449,12 @@ func (c *ServerCommand) Run(args []string) int {
 					c.Ui.Output("Failed to parse tcp listener")
 					return 1
 				}
-				clusterAddrs = append(clusterAddrs, &net.TCPAddr{
+				clusterAddr := &net.TCPAddr{
 					IP:   tcpAddr.IP,
 					Port: tcpAddr.Port + 1,
-				})
+				}
+				clusterAddrs = append(clusterAddrs, clusterAddr)
+				addr = clusterAddr.String()
 			}
 			props["cluster address"] = addr
 		}
--- a/command/server/config.go
+++ b/command/server/config.go
@ -23,10 +23,14 @@ type Config struct {
 	Backend   *Backend    `hcl:"-"`
 	HABackend *Backend    `hcl:"-"`

+	HSM *HSM `hcl:"-"`
+
 	CacheSize    int  `hcl:"cache_size"`
 	DisableCache bool `hcl:"disable_cache"`
 	DisableMlock bool `hcl:"disable_mlock"`

+	EnableUI bool `hcl:"ui"`
+
 	Telemetry *Telemetry `hcl:"telemetry"`

 	MaxLeaseTTL        time.Duration `hcl:"-"`
@ -57,6 +61,8 @@ func DevConfig(ha, transactional bool) *Config {
 			},
 		},

+		EnableUI: true,
+
 		Telemetry: &Telemetry{},

 		MaxLeaseTTL:     32 * 24 * time.Hour,
@ -98,6 +104,16 @@ func (b *Backend) GoString() string {
 	return fmt.Sprintf("*%#v", *b)
 }

+// HSM contains HSM configuration for the server
+type HSM struct {
+	Type   string
+	Config map[string]string
+}
+
+func (h *HSM) GoString() string {
+	return fmt.Sprintf("*%#v", *h)
+}
+
 // Telemetry is the telemetry configuration for the server
 type Telemetry struct {
 	StatsiteAddr string `hcl:"statsite_address"`
@ -205,6 +221,11 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.HABackend = c2.HABackend
 	}

+	result.HSM = c.HSM
+	if c2.HSM != nil {
+		result.HSM = c2.HSM
+	}
+
 	result.Telemetry = c.Telemetry
 	if c2.Telemetry != nil {
 		result.Telemetry = c2.Telemetry
@ -242,6 +263,11 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.ClusterName = c2.ClusterName
 	}

+	result.EnableUI = c.EnableUI
+	if c2.EnableUI {
+		result.EnableUI = c2.EnableUI
+	}
+
 	return result
 }

@ -303,10 +329,12 @@ func ParseConfig(d string, logger log.Logger) (*Config, error) {
 		"atlas",
 		"backend",
 		"ha_backend",
+		"hsm",
 		"listener",
 		"cache_size",
 		"disable_cache",
 		"disable_mlock",
+		"ui",
 		"telemetry",
 		"default_lease_ttl",
 		"max_lease_ttl",
@ -328,6 +356,12 @@ func ParseConfig(d string, logger log.Logger) (*Config, error) {
 		}
 	}

+	if o := list.Filter("hsm"); len(o.Items) > 0 {
+		if err := parseHSMs(&result, o); err != nil {
+			return nil, fmt.Errorf("error parsing 'hsm': %s", err)
+		}
+	}
+
 	if o := list.Filter("listener"); len(o.Items) > 0 {
 		if err := parseListeners(&result, o); err != nil {
 			return nil, fmt.Errorf("error parsing 'listener': %s", err)
@ -530,6 +564,45 @@ func parseHABackends(result *Config, list *ast.ObjectList) error {
 	return nil
 }

+func parseHSMs(result *Config, list *ast.ObjectList) error {
+	if len(list.Items) > 1 {
+		return fmt.Errorf("only one 'hsm' block is permitted")
+	}
+
+	// Get our item
+	item := list.Items[0]
+
+	key := "hsm"
+	if len(item.Keys) > 0 {
+		key = item.Keys[0].Token.Value().(string)
+	}
+
+	valid := []string{
+		"lib",
+		"slot",
+		"pin",
+		"mechanism",
+		"key_label",
+		"generate_key",
+		"regenerate_key",
+	}
+	if err := checkHCLKeys(item.Val, valid); err != nil {
+		return multierror.Prefix(err, fmt.Sprintf("hsm.%s:", key))
+	}
+
+	var m map[string]string
+	if err := hcl.DecodeObject(&m, item.Val); err != nil {
+		return multierror.Prefix(err, fmt.Sprintf("hsm.%s:", key))
+	}
+
+	result.HSM = &HSM{
+		Type:   strings.ToLower(key),
+		Config: m,
+	}
+
+	return nil
+}
+
 func parseListeners(result *Config, list *ast.ObjectList) error {
 	var foundAtlas bool

--- a/command/server/config_test.go
+++ b/command/server/config_test.go
@ -62,6 +62,7 @@ func TestLoadConfigFile(t *testing.T) {

 		DisableCache: true,
 		DisableMlock: true,
+		EnableUI:     true,

 		MaxLeaseTTL:        10 * time.Hour,
 		MaxLeaseTTLRaw:     "10h",
@ -133,6 +134,7 @@ func TestLoadConfigFile_json(t *testing.T) {
 		DefaultLeaseTTL:    10 * time.Hour,
 		DefaultLeaseTTLRaw: "10h",
 		ClusterName:        "testcluster",
+		EnableUI:           true,
 	}
 	if !reflect.DeepEqual(config, expected) {
 		t.Fatalf("expected \n\n%#v\n\n to be \n\n%#v\n\n", config, expected)
@ -180,6 +182,8 @@ func TestLoadConfigFile_json2(t *testing.T) {

 		CacheSize: 45678,

+		EnableUI: true,
+
 		Telemetry: &Telemetry{
 			StatsiteAddr:                       "foo",
 			StatsdAddr:                         "bar",
@ -232,6 +236,8 @@ func TestLoadConfigDir(t *testing.T) {
 			DisableClustering: true,
 		},

+		EnableUI: true,
+
 		Telemetry: &Telemetry{
 			StatsiteAddr:    "qux",
 			StatsdAddr:      "baz",
--- a/command/server/test-fixtures/config-dir/bar.json
+++ b/command/server/test-fixtures/config-dir/bar.json
@ -1,4 +1,6 @@
 {
+    "ui":false,
+
    "listener": {
        "tcp": {
            "address": "127.0.0.1:443"
--- a/command/server/test-fixtures/config-dir/baz.hcl
+++ b/command/server/test-fixtures/config-dir/baz.hcl
@ -3,6 +3,6 @@ telemetry {
    statsite_address = "qux"
    disable_hostname = true
 }
-
+ui=true
 default_lease_ttl = "10h"
 cluster_name = "testcluster"
--- a/command/server/test-fixtures/config.hcl
+++ b/command/server/test-fixtures/config.hcl
@ -1,6 +1,8 @@
 disable_cache = true
 disable_mlock = true

+ui = true
+
 listener "atlas" {
    token = "foobar"
    infrastructure = "foo/bar"
--- a/command/server/test-fixtures/config.hcl.json
+++ b/command/server/test-fixtures/config.hcl.json
@ -22,5 +22,6 @@
 	},
 	"max_lease_ttl": "10h",
 	"default_lease_ttl": "10h",
-	"cluster_name":"testcluster"
+	"cluster_name":"testcluster",
+	"ui":true
 }
--- a/command/server/test-fixtures/config2.hcl.json
+++ b/command/server/test-fixtures/config2.hcl.json
@ -1,4 +1,5 @@
 {
+  "ui":true,
  "listener":[
    {
      "tcp":{
--- a/vault/core.go
+++ b/vault/core.go
@ -320,6 +320,9 @@ type Core struct {
 	// replicationState keeps the current replication state cached for quick
 	// lookup
 	replicationState consts.ReplicationState
+
+	// uiEnabled indicates whether Vault Web UI is enabled or not
+	uiEnabled bool
 }

 // CoreConfig is used to parameterize a core
@ -362,6 +365,8 @@ type CoreConfig struct {

 	ClusterName string `json:"cluster_name" structs:"cluster_name" mapstructure:"cluster_name"`

+	EnableUI bool `json:"ui" structs:"ui" mapstructure:"ui"`
+
 	ReloadFuncs     *map[string][]ReloadFunc
 	ReloadFuncsLock *sync.RWMutex
 }
@ -403,9 +408,10 @@ func NewCore(conf *CoreConfig) (*Core, error) {

 	// Setup the core
 	c := &Core{
+		devToken:                         conf.DevToken,
+		physical:                         conf.Physical,
 		redirectAddr:                     conf.RedirectAddr,
 		clusterAddr:                      conf.ClusterAddr,
-		physical:                         conf.Physical,
 		seal:                             conf.Seal,
 		router:                           NewRouter(),
 		sealed:                           true,
--- a/vault/rekey.go
+++ b/vault/rekey.go
@ -411,6 +411,16 @@ func (c *Core) BarrierRekeyUpdate(key []byte, nonce string) (*RekeyResult, error
 		return nil, fmt.Errorf("failed to save rekey seal configuration: %v", err)
 	}

+	// Write to the canary path, which will force a synchronous truing during
+	// replication
+	if err := c.barrier.Put(&Entry{
+		Key:   coreKeyringCanaryPath,
+		Value: []byte(c.barrierRekeyConfig.Nonce),
+	}); err != nil {
+		c.logger.Error("core: error saving keyring canary", "error", err)
+		return nil, fmt.Errorf("failed to save keyring canary: %v", err)
+	}
+
 	// Done!
 	c.barrierRekeyProgress = nil
 	c.barrierRekeyConfig = nil
@ -579,6 +589,16 @@ func (c *Core) RecoveryRekeyUpdate(key []byte, nonce string) (*RekeyResult, erro
 		return nil, fmt.Errorf("failed to save rekey seal configuration: %v", err)
 	}

+	// Write to the canary path, which will force a synchronous truing during
+	// replication
+	if err := c.barrier.Put(&Entry{
+		Key:   coreKeyringCanaryPath,
+		Value: []byte(c.recoveryRekeyConfig.Nonce),
+	}); err != nil {
+		c.logger.Error("core: error saving keyring canary", "error", err)
+		return nil, fmt.Errorf("failed to save keyring canary: %v", err)
+	}
+
 	// Done!
 	c.recoveryRekeyProgress = nil
 	c.recoveryRekeyConfig = nil
--- a/vault/router_test.go
+++ b/vault/router_test.go
@ -58,8 +58,8 @@ func (n *NoopBackend) Cleanup() {
 	// noop
 }

-func (n *NoopBackend) InvalidateKey(string) {
-	// noop
+func (n *NoopBackend) InvalidateKey(k string) {
+	n.Invalidations = append(n.Invalidations, k)
 }

 func (n *NoopBackend) Initialize() error {
--- a/vault/testing.go
+++ b/vault/testing.go
@ -18,8 +18,11 @@ import (
 	"github.com/mitchellh/copystructure"

 	"golang.org/x/crypto/ssh"
+	"golang.org/x/net/http2"

+	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/helper/logformat"
 	"github.com/hashicorp/vault/helper/salt"
@ -508,6 +511,7 @@ type TestClusterCore struct {
 	CACertBytes []byte
 	CACert      *x509.Certificate
 	TLSConfig   *tls.Config
+	Client      *api.Client
 }

 func (t *TestClusterCore) CloseListeners() {
@ -796,6 +800,28 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 		}
 	}

+	getAPIClient := func(port int) *api.Client {
+		transport := cleanhttp.DefaultPooledTransport()
+		transport.TLSClientConfig = tlsConfig
+		http2.ConfigureTransport(transport)
+		client := &http.Client{
+			Transport: transport,
+			CheckRedirect: func(*http.Request, []*http.Request) error {
+				// This can of course be overridden per-test by using its own client
+				return fmt.Errorf("redirects not allowed in these tests")
+			},
+		}
+		config := api.DefaultConfig()
+		config.Address = fmt.Sprintf("https://127.0.0.1:%d", port)
+		config.HttpClient = client
+		apiClient, err := api.NewClient(config)
+		if err != nil {
+			t.Fatal(err)
+		}
+		apiClient.SetToken(root)
+		return apiClient
+	}
+
 	var ret []*TestClusterCore
 	keyCopies, _ := copystructure.Copy(keys)
 	ret = append(ret, &TestClusterCore{
@ -806,6 +832,7 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 		CACertBytes: caBytes,
 		CACert:      caCert,
 		TLSConfig:   tlsConfig,
+		Client:      getAPIClient(c1lns[0].Address.Port),
 	})

 	keyCopies, _ = copystructure.Copy(keys)
@ -817,6 +844,7 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 		CACertBytes: caBytes,
 		CACert:      caCert,
 		TLSConfig:   tlsConfig,
+		Client:      getAPIClient(c2lns[0].Address.Port),
 	})

 	keyCopies, _ = copystructure.Copy(keys)
@ -828,6 +856,7 @@ func TestCluster(t testing.TB, handlers []http.Handler, base *CoreConfig, unseal
 		CACertBytes: caBytes,
 		CACert:      caCert,
 		TLSConfig:   tlsConfig,
+		Client:      getAPIClient(c3lns[0].Address.Port),
 	})

 	return ret