mirror of
https://github.com/hashicorp/vault.git
synced 2025-11-28 22:21:30 +01:00
Add support for stored shares and skip-init in dev mode (#3364)
This commit is contained in:
Calvin Leung Huang
GitHub
parent
516cc8bd6b
commit
b7413325dd
@ -72,7 +72,7 @@ type ServerCommand struct {
|
||||
}
|
||||
|
||||
func (c *ServerCommand) Run(args []string) int {
|
||||
var dev, verifyOnly, devHA, devTransactional, devLeasedKV, devThreeNode bool
|
||||
var dev, verifyOnly, devHA, devTransactional, devLeasedKV, devThreeNode, devSkipInit bool
|
||||
var configPath []string
|
||||
var logLevel, devRootTokenID, devListenAddress, devPluginDir string
|
||||
var devLatency, devLatencyJitter int
|
||||
@ -89,6 +89,7 @@ func (c *ServerCommand) Run(args []string) int {
|
||||
flags.BoolVar(&devTransactional, "dev-transactional", false, "")
|
||||
flags.BoolVar(&devLeasedKV, "dev-leased-kv", false, "")
|
||||
flags.BoolVar(&devThreeNode, "dev-three-node", false, "")
|
||||
flags.BoolVar(&devSkipInit, "dev-skip-init", false, "")
|
||||
flags.Usage = func() { c.Ui.Output(c.Help()) }
|
||||
flags.Var((*sliceflag.StringFlag)(&configPath), "config", "config")
|
||||
if err := flags.Parse(args); err != nil {
|
||||
@ -606,7 +607,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
|
||||
core.SetClusterHandler(handler)
|
||||
|
||||
// If we're in Dev mode, then initialize the core
|
||||
if dev {
|
||||
if dev && !devSkipInit {
|
||||
init, err := c.enableDev(core, coreConfig)
|
||||
if err != nil {
|
||||
c.Ui.Output(fmt.Sprintf(
|
||||
@ -621,7 +622,7 @@ CLUSTER_SYNTHESIS_COMPLETE:
|
||||
quote = ""
|
||||
}
|
||||
|
||||
c.Ui.Output(fmt.Sprintf(
|
||||
c.Ui.Output(fmt.Sprint(
|
||||
"==> WARNING: Dev mode is enabled!\n\n" +
|
||||
"In this mode, Vault is completely in-memory and unsealed.\n" +
|
||||
"Vault is configured to only have a single unseal key. The root\n" +
|
||||
@ -631,9 +632,26 @@ CLUSTER_SYNTHESIS_COMPLETE:
|
||||
"environment variables:\n\n" +
|
||||
" " + export + " VAULT_ADDR=" + quote + "http://" + config.Listeners[0].Config["address"].(string) + quote + "\n\n" +
|
||||
"The unseal key and root token are reproduced below in case you\n" +
|
||||
"want to seal/unseal the Vault or play with authentication.\n\n"+
|
||||
"Unseal Key: %s\nRoot Token: %s\n",
|
||||
"want to seal/unseal the Vault or play with authentication.\n",
|
||||
))
|
||||
|
||||
// Unseal key is not returned if stored shares is supported
|
||||
if len(init.SecretShares) > 0 {
|
||||
c.Ui.Output(fmt.Sprintf(
|
||||
"Unseal Key: %s",
|
||||
base64.StdEncoding.EncodeToString(init.SecretShares[0]),
|
||||
))
|
||||
}
|
||||
|
||||
if len(init.RecoveryShares) > 0 {
|
||||
c.Ui.Output(fmt.Sprintf(
|
||||
"Recovery Key: %s",
|
||||
base64.StdEncoding.EncodeToString(init.RecoveryShares[0]),
|
||||
))
|
||||
}
|
||||
|
||||
c.Ui.Output(fmt.Sprintf(
|
||||
"Root Token: %s\n",
|
||||
init.RootToken,
|
||||
))
|
||||
}
|
||||
@ -706,18 +724,39 @@ CLUSTER_SYNTHESIS_COMPLETE:
|
||||
}
|
||||
|
||||
func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig) (*vault.InitResult, error) {
|
||||
// Initialize it with a basic single key
|
||||
init, err := core.Initialize(&vault.InitParams{
|
||||
BarrierConfig: &vault.SealConfig{
|
||||
var recoveryConfig *vault.SealConfig
|
||||
barrierConfig := &vault.SealConfig{
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
},
|
||||
RecoveryConfig: nil,
|
||||
}
|
||||
|
||||
if core.SealAccess().RecoveryKeySupported() {
|
||||
recoveryConfig = &vault.SealConfig{
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
}
|
||||
}
|
||||
|
||||
if core.SealAccess().StoredKeysSupported() {
|
||||
barrierConfig.StoredShares = 1
|
||||
}
|
||||
|
||||
// Initialize it with a basic single key
|
||||
init, err := core.Initialize(&vault.InitParams{
|
||||
BarrierConfig: barrierConfig,
|
||||
RecoveryConfig: recoveryConfig,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Handle unseal with stored keys
|
||||
if core.SealAccess().StoredKeysSupported() {
|
||||
err := core.UnsealWithStoredKeys()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
} else {
|
||||
// Copy the key so that it can be zeroed
|
||||
key := make([]byte, len(init.SecretShares[0]))
|
||||
copy(key, init.SecretShares[0])
|
||||
@ -730,6 +769,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
|
||||
if !unsealed {
|
||||
return nil, fmt.Errorf("failed to unseal Vault for dev mode")
|
||||
}
|
||||
}
|
||||
|
||||
isLeader, _, _, err := core.Leader()
|
||||
if err != nil && err != vault.ErrHANotEnabled {
|
||||
@ -752,6 +792,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
|
||||
}
|
||||
}
|
||||
|
||||
// Generate a dev root token if one is provided in the flag
|
||||
if coreConfig.DevToken != "" {
|
||||
req := &logical.Request{
|
||||
ID: "dev-gen-root",
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user