From 5350e670d2be830497d464b175665f2ea7306916 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Sat, 15 Feb 2020 14:58:05 -0500
Subject: [PATCH] Bump API/SDK and adapt to move from SDK stuff
---
 command/agent.go | 2 +-
 command/agent/cache/listener.go | 2 +-
 command/debug.go | 2 +-
 command/server.go | 58 ++--
 command/server/listener.go | 6 +-
 command/server/listener_tcp.go | 6 +-
 go.mod | 5 +-
 internalshared/listenerutil/listener.go | 8 +-
 internalshared/reloadutil/reload.go | 2 +-
 internalshared/reloadutil/reload_test.go | 2 +-
 vault/core.go | 8 +-
 vault/testing.go | 10 +-
 vendor/github.com/hashicorp/vault/api/go.mod | 2 +-
 vendor/github.com/hashicorp/vault/api/go.sum | 1 -
 .../vault/sdk/helper/gatedwriter/writer.go | 43 ---
 .../vault/sdk/helper/listenerutil/listener.go | 271 ------------------
 .../vault/sdk/helper/reload/reload.go | 85 ------
 vendor/modules.txt | 7 +-
 18 files changed, 59 insertions(+), 461 deletions(-)
 delete mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/gatedwriter/writer.go
 delete mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/listenerutil/listener.go
 delete mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/reload/reload.go
diff --git a/command/agent.go b/command/agent.go
index 11d2da4d5d..18f89ced77 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -35,8 +35,8 @@ import (
 "github.com/hashicorp/vault/command/agent/sink/file"
 "github.com/hashicorp/vault/command/agent/sink/inmem"
 "github.com/hashicorp/vault/command/agent/template"
+ "github.com/hashicorp/vault/internalshared/gatedwriter"
 "github.com/hashicorp/vault/sdk/helper/consts"
- "github.com/hashicorp/vault/sdk/helper/gatedwriter"
 "github.com/hashicorp/vault/sdk/helper/logging"
 "github.com/hashicorp/vault/sdk/logical"
 "github.com/hashicorp/vault/sdk/version"
diff --git a/command/agent/cache/listener.go b/command/agent/cache/listener.go
index 769bc4669a..508b3d292b 100644
--- a/command/agent/cache/listener.go
+++ b/command/agent/cache/listener.go
@@ -9,7 +9,7 @@ import (
 "github.com/hashicorp/vault/command/agent/config"
 "github.com/hashicorp/vault/command/server"
- "github.com/hashicorp/vault/sdk/helper/listenerutil"
+ "github.com/hashicorp/vault/internalshared/listenerutil"
 )
 func StartListener(lnConfig *config.Listener) (net.Listener, *tls.Config, error) {
diff --git a/command/debug.go b/command/debug.go
index 9d6ac74be5..655583957f 100644
--- a/command/debug.go
+++ b/command/debug.go
@@ -14,7 +14,7 @@ import (
 "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/vault/api"
- "github.com/hashicorp/vault/sdk/helper/gatedwriter"
+ "github.com/hashicorp/vault/internalshared/gatedwriter"
 "github.com/hashicorp/vault/sdk/helper/logging"
 "github.com/hashicorp/vault/sdk/helper/strutil"
 "github.com/hashicorp/vault/sdk/version"
diff --git a/command/server.go b/command/server.go
index c28a230d16..214d0b8580 100644
--- a/command/server.go
+++ b/command/server.go
@@ -40,12 +40,12 @@ import (
 "github.com/hashicorp/vault/helper/metricsutil"
 "github.com/hashicorp/vault/helper/namespace"
 vaulthttp "github.com/hashicorp/vault/http"
- "github.com/hashicorp/vault/sdk/helper/gatedwriter"
+ "github.com/hashicorp/vault/internalshared/gatedwriter"
+ "github.com/hashicorp/vault/internalshared/reloadutil"
 "github.com/hashicorp/vault/sdk/helper/jsonutil"
 "github.com/hashicorp/vault/sdk/helper/logging"
 "github.com/hashicorp/vault/sdk/helper/mlock"
 "github.com/hashicorp/vault/sdk/helper/parseutil"
- "github.com/hashicorp/vault/sdk/helper/reload"
 "github.com/hashicorp/vault/sdk/helper/useragent"
 "github.com/hashicorp/vault/sdk/logical"
 "github.com/hashicorp/vault/sdk/physical"
@@ -97,36 +97,36 @@ type ServerCommand struct {
 cleanupGuard sync.Once
 reloadFuncsLock *sync.RWMutex
- reloadFuncs *map[string][]reload.ReloadFunc
+ reloadFuncs *map[string][]reloadutil.ReloadFunc
 startedCh chan (struct{}) // for tests
 reloadedCh chan (struct{}) // for tests
 // new stuff
- flagConfigs []string
- flagLogLevel string
- flagLogFormat string
- flagRecovery bool
- flagDev bool
- flagDevRootTokenID string
- flagDevListenAddr string
- flagDevNoStoreToken bool
- flagDevPluginDir string
- flagDevPluginInit bool
- flagDevHA bool
- flagDevLatency int
- flagDevLatencyJitter int
- flagDevLeasedKV bool
- flagDevKVV1 bool
- flagDevSkipInit bool
- flagDevThreeNode bool
- flagDevFourCluster bool
- flagDevTransactional bool
- flagDevAutoSeal bool
- flagTestVerifyOnly bool
- flagCombineLogs bool
- flagTestServerConfig bool
- flagDevConsul bool
- flagExitOnCoreShutdown bool
+ flagConfigs []string
+ flagLogLevel string
+ flagLogFormat string
+ flagRecovery bool
+ flagDev bool
+ flagDevRootTokenID string
+ flagDevListenAddr string
+ flagDevNoStoreToken bool
+ flagDevPluginDir string
+ flagDevPluginInit bool
+ flagDevHA bool
+ flagDevLatency int
+ flagDevLatencyJitter int
+ flagDevLeasedKV bool
+ flagDevKVV1 bool
+ flagDevSkipInit bool
+ flagDevThreeNode bool
+ flagDevFourCluster bool
+ flagDevTransactional bool
+ flagDevAutoSeal bool
+ flagTestVerifyOnly bool
+ flagCombineLogs bool
+ flagTestServerConfig bool
+ flagDevConsul bool
+ flagExitOnCoreShutdown bool
 }
 type ServerListener struct {
@@ -2483,7 +2483,7 @@ func (c *ServerCommand) setupTelemetry(config *server.Config) (*metricsutil.Metr
 return metricHelper, nil
 }
-func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reload.ReloadFunc, configPath []string) error {
+func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reloadutil.ReloadFunc, configPath []string) error {
 lock.RLock()
 defer lock.RUnlock()
diff --git a/command/server/listener.go b/command/server/listener.go
index 821fb17a95..3df2bfaedd 100644
--- a/command/server/listener.go
+++ b/command/server/listener.go
@@ -10,12 +10,12 @@ import (
 "net"
 "github.com/hashicorp/vault/helper/proxyutil"
- "github.com/hashicorp/vault/sdk/helper/reload"
+ "github.com/hashicorp/vault/internalshared/reloadutil"
 "github.com/mitchellh/cli"
 )
 // ListenerFactory is the factory function to create a listener.
-type ListenerFactory func(map[string]interface{}, io.Writer, cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error)
+type ListenerFactory func(map[string]interface{}, io.Writer, cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error)
 // BuiltinListeners is the list of built-in listener types.
 var BuiltinListeners = map[string]ListenerFactory{
@@ -24,7 +24,7 @@ var BuiltinListeners = map[string]ListenerFactory{
 // NewListener creates a new listener of the given type with the given
 // configuration. The type is looked up in the BuiltinListeners map.
-func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
+func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error) {
 f, ok := BuiltinListeners[t]
 if !ok {
 return nil, nil, nil, fmt.Errorf("unknown listener type: %q", t)
diff --git a/command/server/listener_tcp.go b/command/server/listener_tcp.go
index a72752321f..bb0be86abf 100644
--- a/command/server/listener_tcp.go
+++ b/command/server/listener_tcp.go
@@ -9,13 +9,13 @@ import (
 "time"
 "github.com/hashicorp/errwrap"
- "github.com/hashicorp/vault/sdk/helper/listenerutil"
+ "github.com/hashicorp/vault/internalshared/listenerutil"
+ "github.com/hashicorp/vault/internalshared/reloadutil"
 "github.com/hashicorp/vault/sdk/helper/parseutil"
- "github.com/hashicorp/vault/sdk/helper/reload"
 "github.com/mitchellh/cli"
 )
-func tcpListenerFactory(config map[string]interface{}, _ io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
+func tcpListenerFactory(config map[string]interface{}, _ io.Writer, ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error) {
 bindProto := "tcp"
 var addr string
 addrRaw, ok := config["address"]
diff --git a/go.mod b/go.mod
index 51b0ffb555..2cd0115a01 100644
--- a/go.mod
+++ b/go.mod
@@ -88,12 +88,13 @@ require (
 github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20191017213228-e8cf7060a4d0
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.0.0-20200124190647-0026e6bed4fb
 github.com/hashicorp/vault-plugin-secrets-openldap v0.0.0-20200215165936-237ad8919d2c
- github.com/hashicorp/vault/api v1.0.5-0.20200214222743-c39f5634b39f
- github.com/hashicorp/vault/sdk v0.1.14-0.20200214222719-7a3b716487a5
+ github.com/hashicorp/vault/api v1.0.5-0.20200215195706-26a747400a65
+ github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500
 github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4
 github.com/jackc/fake v0.0.0-20150926172116-812a484cc733 // indirect
 github.com/jackc/pgx v3.3.0+incompatible // indirect
 github.com/jcmturner/gokrb5/v8 v8.0.0
+ github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f
 github.com/jefferai/jsonx v1.0.0
 github.com/joyent/triton-go v0.0.0-20190112182421-51ffac552869
 github.com/keybase/go-crypto v0.0.0-20190403132359-d65b6b94177f
diff --git a/internalshared/listenerutil/listener.go b/internalshared/listenerutil/listener.go
index 38c130c146..93e5b26b88 100644
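Review bot: `github.com/jefferai/isbadcipher` is promoted to a direct requirement in the go.mod hunk, yet the diffstat touches neither the top-level go.sum nor a vendor/modules.txt entry for it, so the module is presumably already present transitively via vault/sdk and its hashes are assumed to be in go.sum. That should be confirmed with `go mod verify` and a clean `go mod vendor` before merge, because the only other record of it in this patch is the removal of its line from vendor/github.com/hashicorp/vault/api/go.sum. If the build runs on a Go toolchain that enforces vendor consistency (1.14 and later), vendor/modules.txt also needs the `## explicit` marker for this module or `-mod=vendor` builds will fail.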
--- a/internalshared/listenerutil/listener.go
+++ b/internalshared/listenerutil/listener.go
@@ -11,8 +11,8 @@ import (
 "strconv"
 "github.com/hashicorp/errwrap"
+ "github.com/hashicorp/vault/internalshared/reloadutil"
 "github.com/hashicorp/vault/sdk/helper/parseutil"
- "github.com/hashicorp/vault/sdk/helper/reload"
 "github.com/hashicorp/vault/sdk/helper/tlsutil"
 "github.com/jefferai/isbadcipher"
 "github.com/mitchellh/cli"
@@ -71,7 +71,7 @@ func WrapTLS(
 ln net.Listener,
 props map[string]string,
 config map[string]interface{},
- ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, *tls.Config, error) {
+ ui cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, *tls.Config, error) {
 props["tls"] = "disabled"
 if v, ok := config["tls_disable"]; ok {
@@ -95,7 +95,7 @@ func WrapTLS(
 }
 keyFile := keyFileRaw.(string)
- cg := reload.NewCertificateGetter(certFile, keyFile, "")
+ cg := reloadutil.NewCertificateGetter(certFile, keyFile, "")
 if err := cg.Reload(config); err != nil {
 // We try the key without a passphrase first and if we get an incorrect
 // passphrase response, try again after prompting for a passphrase
@@ -103,7 +103,7 @@ func WrapTLS(
 var passphrase string
 passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", keyFile))
 if err == nil {
- cg = reload.NewCertificateGetter(certFile, keyFile, passphrase)
+ cg = reloadutil.NewCertificateGetter(certFile, keyFile, passphrase)
 if err = cg.Reload(config); err == nil {
 goto PASSPHRASECORRECT
 }
diff --git a/internalshared/reloadutil/reload.go b/internalshared/reloadutil/reload.go
index 44526c08eb..4938b9cce3 100644
--- a/internalshared/reloadutil/reload.go
+++ b/internalshared/reloadutil/reload.go
@@ -1,4 +1,4 @@
-package reload
+package reloadutil
 import (
 "crypto/tls"
diff --git a/internalshared/reloadutil/reload_test.go b/internalshared/reloadutil/reload_test.go
index 811056da89..ed4cc0c02f 100644
--- a/internalshared/reloadutil/reload_test.go
+++ b/internalshared/reloadutil/reload_test.go
@@ -1,4 +1,4 @@
-package reload
+package reloadutil
 import (
 "crypto/x509"
diff --git a/vault/core.go b/vault/core.go
index baec85c541..263ef00305 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -30,13 +30,13 @@ import (
 "github.com/hashicorp/vault/command/server"
 "github.com/hashicorp/vault/helper/metricsutil"
 "github.com/hashicorp/vault/helper/namespace"
+ "github.com/hashicorp/vault/internalshared/reloadutil"
 "github.com/hashicorp/vault/physical/raft"
 "github.com/hashicorp/vault/sdk/helper/certutil"
 "github.com/hashicorp/vault/sdk/helper/consts"
 "github.com/hashicorp/vault/sdk/helper/jsonutil"
 "github.com/hashicorp/vault/sdk/helper/logging"
 "github.com/hashicorp/vault/sdk/helper/mlock"
- "github.com/hashicorp/vault/sdk/helper/reload"
 "github.com/hashicorp/vault/sdk/helper/strutil"
 "github.com/hashicorp/vault/sdk/helper/tlsutil"
 "github.com/hashicorp/vault/sdk/logical"
@@ -365,7 +365,7 @@ type Core struct {
 physicalCache physical.ToggleablePurgemonster
 // reloadFuncs is a map containing reload functions
- reloadFuncs map[string][]reload.ReloadFunc
+ reloadFuncs map[string][]reloadutil.ReloadFunc
 // reloadFuncsLock controls access to the funcs
 reloadFuncsLock sync.RWMutex
@@ -582,7 +582,7 @@ type CoreConfig struct {
 RawConfig *server.Config
- ReloadFuncs *map[string][]reload.ReloadFunc
+ ReloadFuncs *map[string][]reloadutil.ReloadFunc
 ReloadFuncsLock *sync.RWMutex
 // Licensing
@@ -855,7 +855,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 // the caller can share state
 conf.ReloadFuncsLock = &c.reloadFuncsLock
 c.reloadFuncsLock.Lock()
- c.reloadFuncs = make(map[string][]reload.ReloadFunc)
+ c.reloadFuncs = make(map[string][]reloadutil.ReloadFunc)
 c.reloadFuncsLock.Unlock()
 conf.ReloadFuncs = &c.reloadFuncs
diff --git a/vault/testing.go b/vault/testing.go
index ae3d6250bc..eec7de861d 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -44,12 +44,12 @@ import (
 "github.com/hashicorp/vault/audit"
 "github.com/hashicorp/vault/command/server"
 "github.com/hashicorp/vault/helper/namespace"
+ "github.com/hashicorp/vault/internalshared/reloadutil"
 dbMysql "github.com/hashicorp/vault/plugins/database/mysql"
 dbPostgres "github.com/hashicorp/vault/plugins/database/postgresql"
 "github.com/hashicorp/vault/sdk/framework"
 "github.com/hashicorp/vault/sdk/helper/consts"
 "github.com/hashicorp/vault/sdk/helper/logging"
- "github.com/hashicorp/vault/sdk/helper/reload"
 "github.com/hashicorp/vault/sdk/helper/salt"
 "github.com/hashicorp/vault/sdk/logical"
 "github.com/hashicorp/vault/sdk/physical"
@@ -1023,7 +1023,7 @@ type TestClusterCore struct {
 Client *api.Client
 Handler http.Handler
 Listeners []*TestListener
- ReloadFuncs *map[string][]reload.ReloadFunc
+ ReloadFuncs *map[string][]reloadutil.ReloadFunc
 ReloadFuncsLock *sync.RWMutex
 Server *http.Server
 ServerCert *x509.Certificate
@@ -1295,7 +1295,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 servers := []*http.Server{}
 handlers := []http.Handler{}
 tlsConfigs := []*tls.Config{}
- certGetters := []*reload.CertificateGetter{}
+ certGetters := []*reloadutil.CertificateGetter{}
 for i := 0; i < numCores; i++ {
 baseAddr.Port = ports[i]
 ln, err := net.ListenTCP("tcp", baseAddr)
@@ -1316,7 +1316,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 if err != nil {
 t.Fatal(err)
 }
- certGetter := reload.NewCertificateGetter(certFile, keyFile, "")
+ certGetter := reloadutil.NewCertificateGetter(certFile, keyFile, "")
 certGetters = append(certGetters, certGetter)
 certGetter.Reload(nil)
 tlsConfig := &tls.Config{
@@ -1773,7 +1773,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 tcc.ReloadFuncs = &cores[i].reloadFuncs
 tcc.ReloadFuncsLock = &cores[i].reloadFuncsLock
 tcc.ReloadFuncsLock.Lock()
- (*tcc.ReloadFuncs)["listener|tcp"] = []reload.ReloadFunc{certGetters[i].Reload}
+ (*tcc.ReloadFuncs)["listener|tcp"] = []reloadutil.ReloadFunc{certGetters[i].Reload}
 tcc.ReloadFuncsLock.Unlock()
 testAdjustTestCore(base, tcc)
diff --git a/vendor/github.com/hashicorp/vault/api/go.mod b/vendor/github.com/hashicorp/vault/api/go.mod
index e153ca8d93..29810c6ca9 100644
--- a/vendor/github.com/hashicorp/vault/api/go.mod
+++ b/vendor/github.com/hashicorp/vault/api/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/hashicorp/go-retryablehttp v0.6.2
 github.com/hashicorp/go-rootcerts v1.0.1
 github.com/hashicorp/hcl v1.0.0
- github.com/hashicorp/vault/sdk v0.1.14-0.20200214222719-7a3b716487a5
+ github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500
 github.com/mitchellh/mapstructure v1.1.2
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
diff --git a/vendor/github.com/hashicorp/vault/api/go.sum b/vendor/github.com/hashicorp/vault/api/go.sum
index ddaadc8d03..56fb281105 100644
--- a/vendor/github.com/hashicorp/vault/api/go.sum
+++ b/vendor/github.com/hashicorp/vault/api/go.sum
@@ -56,7 +56,6 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f/go.mod h1:3J2qVK16Lq8V+wfiL2lPeDZ7UWMxk5LemerHa1p6N00=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/gatedwriter/writer.go b/vendor/github.com/hashicorp/vault/sdk/helper/gatedwriter/writer.go
deleted file mode 100644
index 9c4596e389..0000000000
--- a/vendor/github.com/hashicorp/vault/sdk/helper/gatedwriter/writer.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package gatedwriter
-
-import (
- "bytes"
- "io"
- "sync"
-)
-
-// Writer is an io.Writer implementation that buffers all of its
-// data into an internal buffer until it is told to let data through.
-type Writer struct {
- writer io.Writer
-
- buf bytes.Buffer
- flush bool
- lock sync.Mutex
-}
-
-func NewWriter(underlying io.Writer) *Writer {
- return &Writer{writer: underlying}
-}
-
-// Flush tells the Writer to flush any buffered data and to stop
-// buffering.
-func (w *Writer) Flush() error {
- w.lock.Lock()
- defer w.lock.Unlock()
-
- w.flush = true
- _, err := w.buf.WriteTo(w.writer)
- return err
-}
-
-func (w *Writer) Write(p []byte) (n int, err error) {
- w.lock.Lock()
- defer w.lock.Unlock()
-
- if w.flush {
- return w.writer.Write(p)
- }
-
- return w.buf.Write(p)
-}
diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/listenerutil/listener.go b/vendor/github.com/hashicorp/vault/sdk/helper/listenerutil/listener.go
deleted file mode 100644
index 38c130c146..0000000000
--- a/vendor/github.com/hashicorp/vault/sdk/helper/listenerutil/listener.go
+++ /dev/null
@@ -1,271 +0,0 @@ -package listenerutil - -import ( - "crypto/tls" - "crypto/x509" - "fmt" - "io/ioutil" - "net" - "os" - osuser "os/user" - "strconv" - - "github.com/hashicorp/errwrap" - "github.com/hashicorp/vault/sdk/helper/parseutil" - "github.com/hashicorp/vault/sdk/helper/reload" - "github.com/hashicorp/vault/sdk/helper/tlsutil" - "github.com/jefferai/isbadcipher" - "github.com/mitchellh/cli" -) - -type UnixSocketsConfig struct { - User string `hcl:"user"` - Mode string `hcl:"mode"` - Group string `hcl:"group"` -} - -// rmListener is an implementation of net.Listener that forwards most -// calls to the listener but also removes a file as part of the close. We -// use this to cleanup the unix domain socket on close. -type rmListener struct { - net.Listener - Path string -} - -func (l *rmListener) Close() error { - // Close the listener itself - if err := l.Listener.Close(); err != nil { - return err - } - - // Remove the file - return os.Remove(l.Path) -} - -func UnixSocketListener(path string, unixSocketsConfig *UnixSocketsConfig) (net.Listener, error) { - if err := os.Remove(path); err != nil && !os.IsNotExist(err) { - return nil, fmt.Errorf("failed to remove socket file: %v", err) - } - - ln, err := net.Listen("unix", path) - if err != nil { - return nil, err - } - - if unixSocketsConfig != nil { - err = setFilePermissions(path, unixSocketsConfig.User, unixSocketsConfig.Group, unixSocketsConfig.Mode) - if err != nil { - return nil, fmt.Errorf("failed to set file system permissions on the socket file: %s", err) - } - } - - // Wrap the listener in rmListener so that the Unix domain socket file is - // removed on close. 
- return &rmListener{ - Listener: ln, - Path: path, - }, nil -} - -func WrapTLS( - ln net.Listener, - props map[string]string, - config map[string]interface{}, - ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, *tls.Config, error) { - props["tls"] = "disabled" - - if v, ok := config["tls_disable"]; ok { - disabled, err := parseutil.ParseBool(v) - if err != nil { - return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable': {{err}}", err) - } - if disabled { - return ln, props, nil, nil, nil - } - } - - certFileRaw, ok := config["tls_cert_file"] - if !ok { - return nil, nil, nil, nil, fmt.Errorf("'tls_cert_file' must be set") - } - certFile := certFileRaw.(string) - keyFileRaw, ok := config["tls_key_file"] - if !ok { - return nil, nil, nil, nil, fmt.Errorf("'tls_key_file' must be set") - } - keyFile := keyFileRaw.(string) - - cg := reload.NewCertificateGetter(certFile, keyFile, "") - if err := cg.Reload(config); err != nil { - // We try the key without a passphrase first and if we get an incorrect - // passphrase response, try again after prompting for a passphrase - if errwrap.Contains(err, x509.IncorrectPasswordError.Error()) { - var passphrase string - passphrase, err = ui.AskSecret(fmt.Sprintf("Enter passphrase for %s:", keyFile)) - if err == nil { - cg = reload.NewCertificateGetter(certFile, keyFile, passphrase) - if err = cg.Reload(config); err == nil { - goto PASSPHRASECORRECT - } - } - } - return nil, nil, nil, nil, errwrap.Wrapf("error loading TLS cert: {{err}}", err) - } - -PASSPHRASECORRECT: - var tlsvers string - tlsversRaw, ok := config["tls_min_version"] - if !ok { - tlsvers = "tls12" - } else { - tlsvers = tlsversRaw.(string) - } - - tlsConf := &tls.Config{} - tlsConf.GetCertificate = cg.GetCertificate - tlsConf.NextProtos = []string{"h2", "http/1.1"} - tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers] - if !ok { - return nil, nil, nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of 
[tls10,tls11,tls12,tls13]", tlsvers) - } - tlsConf.ClientAuth = tls.RequestClientCert - - if v, ok := config["tls_cipher_suites"]; ok { - ciphers, err := tlsutil.ParseCiphers(v.(string)) - if err != nil { - return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_cipher_suites': {{err}}", err) - } - - // HTTP/2 with TLS 1.2 blacklists several cipher suites. - // https://tools.ietf.org/html/rfc7540#appendix-A - // - // Since the CLI (net/http) automatically uses HTTP/2 with TLS 1.2, - // we check here if all or some specified cipher suites are blacklisted. - badCiphers := []string{} - for _, cipher := range ciphers { - if isbadcipher.IsBadCipher(cipher) { - // Get the name of the current cipher. - cipherStr, err := tlsutil.GetCipherName(cipher) - if err != nil { - return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_cipher_suites': {{err}}", err) - } - badCiphers = append(badCiphers, cipherStr) - } - } - if len(badCiphers) == len(ciphers) { - ui.Warn(`WARNING! All cipher suites defined by 'tls_cipher_suites' are blacklisted by the -HTTP/2 specification. HTTP/2 communication with TLS 1.2 will not work as intended -and Vault will be unavailable via the CLI. -Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`) - } else if len(badCiphers) > 0 { - ui.Warn(fmt.Sprintf(`WARNING! 
The following cipher suites defined by 'tls_cipher_suites' are -blacklisted by the HTTP/2 specification: -%v -Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.`, badCiphers)) - } - tlsConf.CipherSuites = ciphers - } - if v, ok := config["tls_prefer_server_cipher_suites"]; ok { - preferServer, err := parseutil.ParseBool(v) - if err != nil { - return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_prefer_server_cipher_suites': {{err}}", err) - } - tlsConf.PreferServerCipherSuites = preferServer - } - var requireVerifyCerts bool - var err error - if v, ok := config["tls_require_and_verify_client_cert"]; ok { - requireVerifyCerts, err = parseutil.ParseBool(v) - if err != nil { - return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_require_and_verify_client_cert': {{err}}", err) - } - if requireVerifyCerts { - tlsConf.ClientAuth = tls.RequireAndVerifyClientCert - } - if tlsClientCaFile, ok := config["tls_client_ca_file"]; ok { - caPool := x509.NewCertPool() - data, err := ioutil.ReadFile(tlsClientCaFile.(string)) - if err != nil { - return nil, nil, nil, nil, errwrap.Wrapf("failed to read tls_client_ca_file: {{err}}", err) - } - - if !caPool.AppendCertsFromPEM(data) { - return nil, nil, nil, nil, fmt.Errorf("failed to parse CA certificate in tls_client_ca_file") - } - tlsConf.ClientCAs = caPool - } - } - if v, ok := config["tls_disable_client_certs"]; ok { - disableClientCerts, err := parseutil.ParseBool(v) - if err != nil { - return nil, nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable_client_certs': {{err}}", err) - } - if disableClientCerts && requireVerifyCerts { - return nil, nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive") - } - if disableClientCerts { - tlsConf.ClientAuth = tls.NoClientCert - } - } - - ln = tls.NewListener(ln, tlsConf) - props["tls"] = "enabled" - return ln, props, cg.Reload, tlsConf, nil -} - -// 
setFilePermissions handles configuring ownership and permissions -// settings on a given file. All permission/ownership settings are -// optional. If no user or group is specified, the current user/group -// will be used. Mode is optional, and has no default (the operation is -// not performed if absent). User may be specified by name or ID, but -// group may only be specified by ID. -func setFilePermissions(path string, user, group, mode string) error { - var err error - uid, gid := os.Getuid(), os.Getgid() - - if user != "" { - if uid, err = strconv.Atoi(user); err == nil { - goto GROUP - } - - // Try looking up the user by name - u, err := osuser.Lookup(user) - if err != nil { - return fmt.Errorf("failed to look up user %q: %v", user, err) - } - uid, _ = strconv.Atoi(u.Uid) - } - -GROUP: - if group != "" { - if gid, err = strconv.Atoi(group); err == nil { - goto OWN - } - - // Try looking up the user by name - g, err := osuser.LookupGroup(group) - if err != nil { - return fmt.Errorf("failed to look up group %q: %v", user, err) - } - gid, _ = strconv.Atoi(g.Gid) - } - -OWN: - if err := os.Chown(path, uid, gid); err != nil { - return fmt.Errorf("failed setting ownership to %d:%d on %q: %v", - uid, gid, path, err) - } - - if mode != "" { - mode, err := strconv.ParseUint(mode, 8, 32) - if err != nil { - return fmt.Errorf("invalid mode specified: %v", mode) - } - if err := os.Chmod(path, os.FileMode(mode)); err != nil { - return fmt.Errorf("failed setting permissions to %d on %q: %v", - mode, path, err) - } - } - - return nil -} diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/reload/reload.go b/vendor/github.com/hashicorp/vault/sdk/helper/reload/reload.go deleted file mode 100644 index 44526c08eb..0000000000 --- a/vendor/github.com/hashicorp/vault/sdk/helper/reload/reload.go +++ /dev/null 
@@ -1,85 +0,0 @@
-package reload
-
-import (
- "crypto/tls"
- "crypto/x509"
- "encoding/pem"
- "errors"
- "fmt"
- "io/ioutil"
- "sync"
-
- "github.com/hashicorp/errwrap"
-)
-
-// ReloadFunc are functions that are called when a reload is requested
-type ReloadFunc func(map[string]interface{}) error
-
-// CertificateGetter satisfies ReloadFunc and its GetCertificate method
-// satisfies the tls.GetCertificate function signature. Currently it does not
-// allow changing paths after the fact.
-type CertificateGetter struct {
- sync.RWMutex
-
- cert *tls.Certificate
-
- certFile string
- keyFile string
- passphrase string
-}
-
-func NewCertificateGetter(certFile, keyFile, passphrase string) *CertificateGetter {
- return &CertificateGetter{
- certFile: certFile,
- keyFile: keyFile,
- passphrase: passphrase,
- }
-}
-
-func (cg *CertificateGetter) Reload(_ map[string]interface{}) error {
- certPEMBlock, err := ioutil.ReadFile(cg.certFile)
- if err != nil {
- return err
- }
- keyPEMBlock, err := ioutil.ReadFile(cg.keyFile)
- if err != nil {
- return err
- }
-
- // Check for encrypted pem block
- keyBlock, _ := pem.Decode(keyPEMBlock)
- if keyBlock == nil {
- return errors.New("decoded PEM is blank")
- }
-
- if x509.IsEncryptedPEMBlock(keyBlock) {
- keyBlock.Bytes, err = x509.DecryptPEMBlock(keyBlock, []byte(cg.passphrase))
- if err != nil {
- return errwrap.Wrapf("Decrypting PEM block failed {{err}}", err)
- }
- keyPEMBlock = pem.EncodeToMemory(keyBlock)
- }
-
- cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
- if err != nil {
- return err
- }
-
- cg.Lock()
- defer cg.Unlock()
-
- cg.cert = &cert
-
- return nil
-}
-
-func (cg *CertificateGetter) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- cg.RLock()
- defer cg.RUnlock()
-
- if cg.cert == nil {
- return nil, fmt.Errorf("nil certificate")
- }
-
- return cg.cert, nil
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a20933e148..993e5c8560 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -428,9 +428,9 @@ github.com/hashicorp/vault-plugin-secrets-mongodbatlas
 # github.com/hashicorp/vault-plugin-secrets-openldap v0.0.0-20200215165936-237ad8919d2c
 github.com/hashicorp/vault-plugin-secrets-openldap
 github.com/hashicorp/vault-plugin-secrets-openldap/client
-# github.com/hashicorp/vault/api v1.0.5-0.20200214222743-c39f5634b39f => ./api
+# github.com/hashicorp/vault/api v1.0.5-0.20200215195706-26a747400a65 => ./api
 github.com/hashicorp/vault/api
-# github.com/hashicorp/vault/sdk v0.1.14-0.20200214222719-7a3b716487a5 => ./sdk
+# github.com/hashicorp/vault/sdk v0.1.14-0.20200215195600-2ca765f0a500 => ./sdk
 github.com/hashicorp/vault/sdk/database/dbplugin
 github.com/hashicorp/vault/sdk/database/helper/connutil
 github.com/hashicorp/vault/sdk/database/helper/credsutil
@@ -445,7 +445,6 @@ github.com/hashicorp/vault/sdk/helper/consts
 github.com/hashicorp/vault/sdk/helper/cryptoutil
 github.com/hashicorp/vault/sdk/helper/dbtxn
 github.com/hashicorp/vault/sdk/helper/errutil
-github.com/hashicorp/vault/sdk/helper/gatedwriter
 github.com/hashicorp/vault/sdk/helper/hclutil
 github.com/hashicorp/vault/sdk/helper/identitytpl
 github.com/hashicorp/vault/sdk/helper/jsonutil
@@ -453,7 +452,6 @@ github.com/hashicorp/vault/sdk/helper/kdf
 github.com/hashicorp/vault/sdk/helper/keysutil
 github.com/hashicorp/vault/sdk/helper/ldaputil
 github.com/hashicorp/vault/sdk/helper/license
-github.com/hashicorp/vault/sdk/helper/listenerutil
 github.com/hashicorp/vault/sdk/helper/locksutil
 github.com/hashicorp/vault/sdk/helper/logging
 github.com/hashicorp/vault/sdk/helper/mlock
@@ -463,7 +461,6 @@ github.com/hashicorp/vault/sdk/helper/pathmanager
 github.com/hashicorp/vault/sdk/helper/pluginutil
 github.com/hashicorp/vault/sdk/helper/pointerutil
 github.com/hashicorp/vault/sdk/helper/policyutil
-github.com/hashicorp/vault/sdk/helper/reload
 github.com/hashicorp/vault/sdk/helper/salt
 github.com/hashicorp/vault/sdk/helper/strutil
 github.com/hashicorp/vault/sdk/helper/tlsutil