open-vault/command/auth_move.go

127 lines
3.6 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package command
import (
"fmt"
"strings"
"time"
"github.com/mitchellh/cli"
"github.com/posener/complete"
)
var (
_ cli.Command = (*AuthMoveCommand)(nil)
_ cli.CommandAutocomplete = (*AuthMoveCommand)(nil)
)
type AuthMoveCommand struct {
*BaseCommand
}
func (c *AuthMoveCommand) Synopsis() string {
return "Move an auth method to a new path"
}
func (c *AuthMoveCommand) Help() string {
helpText := `
Usage: vault auth move [options] SOURCE DESTINATION
Moves an existing auth method to a new path. Any leases from the old
auth method are revoked, but all configuration associated with the method
is preserved. It initiates the migration and intermittently polls its status,
exiting if a final state is reached.
This command works within or across namespaces, both source and destination paths
can be prefixed with a namespace heirarchy relative to the current namespace.
WARNING! Moving an auth method will revoke any leases from the
old method.
Move the auth method at approle/ to generic/:
$ vault auth move approle/ generic/
Move the auth method at ns1/approle/ across namespaces to ns2/generic/,
where ns1 and ns2 are child namespaces of the current namespace:
$ vault auth move ns1/approle/ ns2/generic/
` + c.Flags().Help()
return strings.TrimSpace(helpText)
}
func (c *AuthMoveCommand) Flags() *FlagSets {
return c.flagSet(FlagSetHTTP)
}
func (c *AuthMoveCommand) AutocompleteArgs() complete.Predictor {
return c.PredictVaultMounts()
}
func (c *AuthMoveCommand) AutocompleteFlags() complete.Flags {
return c.Flags().Completions()
}
func (c *AuthMoveCommand) Run(args []string) int {
f := c.Flags()
if err := f.Parse(args); err != nil {
c.UI.Error(err.Error())
return 1
}
args = f.Args()
switch {
case len(args) < 2:
c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
return 1
case len(args) > 2:
c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
return 1
}
// Grab the source and destination
source := ensureTrailingSlash(args[0])
destination := ensureTrailingSlash(args[1])
client, err := c.Client()
if err != nil {
c.UI.Error(err.Error())
return 2
}
remountResp, err := client.Sys().StartRemount(source, destination)
if err != nil {
c.UI.Error(fmt.Sprintf("Error moving auth method %s to %s: %s", source, destination, err))
return 2
}
c.UI.Output(fmt.Sprintf("Started moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
// Poll the status endpoint with the returned migration ID
// Exit if a terminal status is reached, else wait and retry
for {
remountStatusResp, err := client.Sys().RemountStatus(remountResp.MigrationID)
if err != nil {
c.UI.Error(fmt.Sprintf("Error checking migration status of auth method %s to %s: %s", source, destination, err))
return 2
}
if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusSuccess {
c.UI.Output(fmt.Sprintf("Success! Finished moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
return 0
}
if remountStatusResp.MigrationInfo.MigrationStatus == MountMigrationStatusFailure {
c.UI.Error(fmt.Sprintf("Failure! Error encountered moving auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
return 0
}
c.UI.Output(fmt.Sprintf("Waiting for terminal status in migration of auth method %s to %s, with migration ID %s", source, destination, remountResp.MigrationID))
time.Sleep(10 * time.Second)
}
return 0
}