mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-25 08:31:09 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #751 from hashicorp/issue-618

Browse Source 
Move environment variable reading logic to API.
This commit is contained in:
Jeff Mitchell 2015-11-05 19:42:16 -05:00
commit 816f204d35
6 changed files with 229 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -21,6 +21,8 @@ IMPROVEMENTS:
* api: API client now uses a 60 second timeout instead of indefinite [GH-681] * api: API client now uses a 60 second timeout instead of indefinite [GH-681]
* api: Implement LookupSelf, RenewSelf, and RevokeSelf functions for auth * api: Implement LookupSelf, RenewSelf, and RevokeSelf functions for auth
tokens [GH-739] tokens [GH-739]
* api: Standardize environment variable reading logic inside the API; the CLI
now uses this but can still override via command-line parameters [GH-618]
* audit: HMAC-SHA256'd client tokens are now stored with each request entry. * audit: HMAC-SHA256'd client tokens are now stored with each request entry.
Previously they were only displayed at creation time; this allows much Previously they were only displayed at creation time; this allows much
better traceability of client actions. [GH-713] better traceability of client actions. [GH-713]

174
api/client.go
View File

@ -1,11 +1,17 @@
package api package api
import ( import (
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors" "errors"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"os" "os"
"path/filepath"
"strconv"
"strings" "strings"
"sync" "sync"
"time" "time"
@ -13,6 +19,13 @@ import (
"github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-cleanhttp"
) )
const EnvVaultAddress = "VAULT_ADDR"
const EnvVaultCACert = "VAULT_CACERT"
const EnvVaultCAPath = "VAULT_CAPATH"
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
var ( var (
errRedirect = errors.New("redirect") errRedirect = errors.New("redirect")
) )
@ -44,14 +57,99 @@ func DefaultConfig() *Config {
HttpClient: cleanhttp.DefaultClient(), HttpClient: cleanhttp.DefaultClient(),
} }
config.HttpClient.Timeout = time.Second * 60 config.HttpClient.Timeout = time.Second * 60
transport := config.HttpClient.Transport.(*http.Transport)
transport.TLSHandshakeTimeout = 10 * time.Second
transport.TLSClientConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
}
if addr := os.Getenv("VAULT_ADDR"); addr != "" { if v := os.Getenv(EnvVaultAddress); v != "" {
config.Address = addr config.Address = v
} }
return config return config
} }
// ReadEnvironment reads configuration information from the
// environment. If there is an error, no configuration value
// is updated.
func (c *Config) ReadEnvironment() error {
var envAddress string
var envCACert string
var envCAPath string
var envClientCert string
var envClientKey string
var envInsecure bool
var foundInsecure bool
var newCertPool *x509.CertPool
var clientCert tls.Certificate
var foundClientCert bool
if v := os.Getenv(EnvVaultAddress); v != "" {
envAddress = v
}
if v := os.Getenv(EnvVaultCACert); v != "" {
envCACert = v
}
if v := os.Getenv(EnvVaultCAPath); v != "" {
envCAPath = v
}
if v := os.Getenv(EnvVaultClientCert); v != "" {
envClientCert = v
}
if v := os.Getenv(EnvVaultClientKey); v != "" {
envClientKey = v
}
if v := os.Getenv(EnvVaultInsecure); v != "" {
var err error
envInsecure, err = strconv.ParseBool(v)
if err != nil {
return fmt.Errorf("Could not parse VAULT_SKIP_VERIFY")
}
foundInsecure = true
}
// If we need custom TLS configuration, then set it
if envCACert != "" || envCAPath != "" || envClientCert != "" || envClientKey != "" || envInsecure {
var err error
if envCACert != "" {
newCertPool, err = LoadCACert(envCACert)
} else if envCAPath != "" {
newCertPool, err = LoadCAPath(envCAPath)
}
if err != nil {
return fmt.Errorf("Error setting up CA path: %s", err)
}
if envClientCert != "" && envClientKey != "" {
clientCert, err = tls.LoadX509KeyPair(envClientCert, envClientKey)
if err != nil {
return err
}
foundClientCert = true
} else if envClientCert != "" || envClientKey != "" {
return fmt.Errorf("Both client cert and client key must be provided")
}
}
if envAddress != "" {
c.Address = envAddress
}
clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
if foundInsecure {
clientTLSConfig.InsecureSkipVerify = envInsecure
}
if newCertPool != nil {
clientTLSConfig.RootCAs = newCertPool
}
if foundClientCert {
clientTLSConfig.Certificates = []tls.Certificate{clientCert}
}
return nil
}
// Client is the client to the Vault API. Create a client with // Client is the client to the Vault API. Create a client with
// NewClient. // NewClient.
type Client struct { type Client struct {
@ -66,6 +164,7 @@ type Client struct {
// automatically added to the client. Otherwise, you must manually call // automatically added to the client. Otherwise, you must manually call
// `SetToken()`. // `SetToken()`.
func NewClient(c *Config) (*Client, error) { func NewClient(c *Config) (*Client, error) {
u, err := url.Parse(c.Address) u, err := url.Parse(c.Address)
if err != nil { if err != nil {
return nil, err return nil, err
@ -203,3 +302,74 @@ START:
return result, nil return result, nil
} }
// Loads the certificate from given path and creates a certificate pool from it.
func LoadCACert(path string) (*x509.CertPool, error) {
certs, err := loadCertFromPEM(path)
if err != nil {
return nil, err
}
result := x509.NewCertPool()
for _, cert := range certs {
result.AddCert(cert)
}
return result, nil
}
// Loads the certificates present in the given directory and creates a
// certificate pool from it.
func LoadCAPath(path string) (*x509.CertPool, error) {
result := x509.NewCertPool()
fn := func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
}
if info.IsDir() {
return nil
}
certs, err := loadCertFromPEM(path)
if err != nil {
return err
}
for _, cert := range certs {
result.AddCert(cert)
}
return nil
}
return result, filepath.Walk(path, fn)
}
// Creates a certificate from the given path
func loadCertFromPEM(path string) ([]*x509.Certificate, error) {
pemCerts, err := ioutil.ReadFile(path)
if err != nil {
return nil, err
}
certs := make([]*x509.Certificate, 0, 5)
for len(pemCerts) > 0 {
var block *pem.Block
block, pemCerts = pem.Decode(pemCerts)
if block == nil {
break
}
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
continue
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, err
}
certs = append(certs, cert)
}
return certs, nil
}

35
api/client_test.go
View File

@ -99,3 +99,38 @@ func TestClientRedirect(t *testing.T) {
t.Fatalf("Bad: %s", buf.String()) t.Fatalf("Bad: %s", buf.String())
} }
} }
func TestClientEnvSettings(t *testing.T) {
cwd, _ := os.Getwd()
oldCACert := os.Getenv(EnvVaultCACert)
oldCAPath := os.Getenv(EnvVaultCAPath)
oldClientCert := os.Getenv(EnvVaultClientCert)
oldClientKey := os.Getenv(EnvVaultClientKey)
oldSkipVerify := os.Getenv(EnvVaultInsecure)
os.Setenv("VAULT_CACERT", cwd+"/../test/key/ourdomain.cer")
os.Setenv("VAULT_CAPATH", cwd+"/../test/key")
os.Setenv("VAULT_CLIENT_CERT", cwd+"/../test/key/ourdomain.cer")
os.Setenv("VAULT_CLIENT_KEY", cwd+"/../test/key/ourdomain.key")
os.Setenv("VAULT_SKIP_VERIFY", "true")
defer os.Setenv("VAULT_CACERT", oldCACert)
defer os.Setenv("VAULT_CAPATH", oldCAPath)
defer os.Setenv("VAULT_CLIENT_CERT", oldClientCert)
defer os.Setenv("VAULT_CLIENT_KEY", oldClientKey)
defer os.Setenv("VAULT_SKIP_VERIFY", oldSkipVerify)
config := DefaultConfig()
if err := config.ReadEnvironment(); err != nil {
t.Fatalf("error reading environment: %v", err)
}
tlsConfig := config.HttpClient.Transport.(*http.Transport).TLSClientConfig
if len(tlsConfig.RootCAs.Subjects()) == 0 {
t.Fatalf("bad: expected a cert pool with at least one subject")
}
if len(tlsConfig.Certificates) != 1 {
t.Fatalf("bad: expected client tls config to have a client certificate")
}
if tlsConfig.InsecureSkipVerify != true {
t.Fatalf("bad: %s", tlsConfig.InsecureSkipVerify)
}
}

77
api/ssh_agent.go
View File

@ -3,13 +3,11 @@ package api
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/pem"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net" "net"
"net/http" "net/http"
"os" "os"
"path/filepath"
"time" "time"
"github.com/hashicorp/hcl" "github.com/hashicorp/hcl"
@ -95,9 +93,9 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
var certPool *x509.CertPool var certPool *x509.CertPool
var err error var err error
if c.CACert != "" { if c.CACert != "" {
certPool, err = loadCACert(c.CACert) certPool, err = LoadCACert(c.CACert)
} else if c.CAPath != "" { } else if c.CAPath != "" {
certPool, err = loadCAPath(c.CAPath) certPool, err = LoadCAPath(c.CAPath)
} }
if err != nil { if err != nil {
return nil, err return nil, err
@ -199,74 +197,3 @@ func (c *SSHAgent) Verify(otp string) (*SSHVerifyResponse, error) {
} }
return &verifyResp, nil return &verifyResp, nil
} }
// Loads the certificate from given path and creates a certificate pool from it.
func loadCACert(path string) (*x509.CertPool, error) {
certs, err := loadCertFromPEM(path)
if err != nil {
return nil, err
}
result := x509.NewCertPool()
for _, cert := range certs {
result.AddCert(cert)
}
return result, nil
}
// Loads the certificates present in the given directory and creates a
// certificate pool from it.
func loadCAPath(path string) (*x509.CertPool, error) {
result := x509.NewCertPool()
fn := func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
}
if info.IsDir() {
return nil
}
certs, err := loadCertFromPEM(path)
if err != nil {
return err
}
for _, cert := range certs {
result.AddCert(cert)
}
return nil
}
return result, filepath.Walk(path, fn)
}
// Creates a certificate from the given path
func loadCertFromPEM(path string) ([]*x509.Certificate, error) {
pemCerts, err := ioutil.ReadFile(path)
if err != nil {
return nil, err
}
certs := make([]*x509.Certificate, 0, 5)
for len(pemCerts) > 0 {
var block *pem.Block
block, pemCerts = pem.Decode(pemCerts)
if block == nil {
break
}
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
continue
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, err
}
certs = append(certs, cert)
}
return certs, nil
}

71
command/meta.go
View File

@ -9,27 +9,17 @@ import (
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
"net"
"net/http" "net/http"
"os" "os"
"path/filepath" "path/filepath"
"strconv"
"strings" "strings"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/token" "github.com/hashicorp/vault/command/token"
"github.com/mitchellh/cli" "github.com/mitchellh/cli"
) )
// EnvVaultAddress can be used to set the address of Vault
const EnvVaultAddress = "VAULT_ADDR"
const EnvVaultCACert = "VAULT_CACERT"
const EnvVaultCAPath = "VAULT_CAPATH"
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
// FlagSetFlags is an enum to define what flags are present in the // FlagSetFlags is an enum to define what flags are present in the
// default FlagSet returned by Meta.FlagSet. // default FlagSet returned by Meta.FlagSet.
type FlagSetFlags uint type FlagSetFlags uint
@ -67,51 +57,40 @@ type Meta struct {
// flag settings for this command. // flag settings for this command.
func (m *Meta) Client() (*api.Client, error) { func (m *Meta) Client() (*api.Client, error) {
config := api.DefaultConfig() config := api.DefaultConfig()
if v := os.Getenv(EnvVaultAddress); v != "" {
config.Address = v err := config.ReadEnvironment()
if err != nil {
return nil, errwrap.Wrapf("error reading environment: {{err}}", err)
} }
if m.flagAddress != "" { if m.flagAddress != "" {
config.Address = m.flagAddress config.Address = m.flagAddress
} }
if m.ForceAddress != "" { if m.ForceAddress != "" {
config.Address = m.ForceAddress config.Address = m.ForceAddress
} }
if v := os.Getenv(EnvVaultCACert); v != "" {
m.flagCACert = v
}
if v := os.Getenv(EnvVaultCAPath); v != "" {
m.flagCAPath = v
}
if v := os.Getenv(EnvVaultClientCert); v != "" {
m.flagClientCert = v
}
if v := os.Getenv(EnvVaultClientKey); v != "" {
m.flagClientKey = v
}
if v := os.Getenv(EnvVaultInsecure); v != "" {
var err error
m.flagInsecure, err = strconv.ParseBool(v)
if err != nil {
return nil, fmt.Errorf("Invalid value passed in for -insecure flag: %s", err)
}
}
// If we need custom TLS configuration, then set it // If we need custom TLS configuration, then set it
if m.flagCACert != "" || m.flagCAPath != "" || m.flagClientCert != "" || m.flagClientKey != "" || m.flagInsecure { if m.flagCACert != "" || m.flagCAPath != "" || m.flagClientCert != "" || m.flagClientKey != "" || m.flagInsecure {
// We may have set items from the environment so start with the
// existing TLS config
tlsConfig := config.HttpClient.Transport.(*http.Transport).TLSClientConfig
var certPool *x509.CertPool var certPool *x509.CertPool
var err error var err error
if m.flagCACert != "" { if m.flagCACert != "" {
certPool, err = m.loadCACert(m.flagCACert) certPool, err = api.LoadCACert(m.flagCACert)
} else if m.flagCAPath != "" { } else if m.flagCAPath != "" {
certPool, err = m.loadCAPath(m.flagCAPath) certPool, err = api.LoadCAPath(m.flagCAPath)
} }
if err != nil { if err != nil {
return nil, fmt.Errorf("Error setting up CA path: %s", err) return nil, errwrap.Wrapf("Error setting up CA path: {{err}}", err)
} }
tlsConfig := &tls.Config{ if certPool != nil {
InsecureSkipVerify: m.flagInsecure, tlsConfig.RootCAs = certPool
MinVersion: tls.VersionTLS12, }
RootCAs: certPool, if m.flagInsecure {
tlsConfig.InsecureSkipVerify = true
} }
if m.flagClientCert != "" && m.flagClientKey != "" { if m.flagClientCert != "" && m.flagClientKey != "" {
@ -123,20 +102,6 @@ func (m *Meta) Client() (*api.Client, error) {
} else if m.flagClientCert != "" || m.flagClientKey != "" { } else if m.flagClientCert != "" || m.flagClientKey != "" {
return nil, fmt.Errorf("Both client cert and client key must be provided") return nil, fmt.Errorf("Both client cert and client key must be provided")
} }
client := &http.Client{
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSClientConfig: tlsConfig,
TLSHandshakeTimeout: 10 * time.Second,
},
}
config.HttpClient = client
} }
// Build the client // Build the client

35
command/meta_test.go
View File

@ -2,7 +2,6 @@ package command
import ( import (
"flag" "flag"
"os"
"reflect" "reflect"
"sort" "sort"
"testing" "testing"
@ -40,37 +39,3 @@ func TestFlagSet(t *testing.T) {
} }
} }
} }
func TestEnvSettings(t *testing.T) {
os.Setenv("VAULT_CACERT", "/path/to/fake/cert.crt")
os.Setenv("VAULT_CAPATH", "/path/to/fake/certs")
os.Setenv("VAULT_CLIENT_CERT", "/path/to/fake/client.crt")
os.Setenv("VAULT_CLIENT_KEY", "/path/to/fake/client.key")
os.Setenv("VAULT_SKIP_VERIFY", "true")
defer os.Setenv("VAULT_CACERT", "")
defer os.Setenv("VAULT_CAPATH", "")
defer os.Setenv("VAULT_CLIENT_CERT", "")
defer os.Setenv("VAULT_CLIENT_KEY", "")
defer os.Setenv("VAULT_SKIP_VERIFY", "")
var m Meta
// Err is ignored as it is expected that the test settings
// will cause errors; just check the flag settings
m.Client()
if m.flagCACert != "/path/to/fake/cert.crt" {
t.Fatalf("bad: %s", m.flagAddress)
}
if m.flagCAPath != "/path/to/fake/certs" {
t.Fatalf("bad: %s", m.flagAddress)
}
if m.flagClientCert != "/path/to/fake/client.crt" {
t.Fatalf("bad: %s", m.flagAddress)
}
if m.flagClientKey != "/path/to/fake/client.key" {
t.Fatalf("bad: %s", m.flagAddress)
}
if m.flagInsecure != true {
t.Fatalf("bad: %s", m.flagAddress)
}
}