From fb8ce19d90ae64b1a14bc7ee06df1a1caebf7610 Mon Sep 17 00:00:00 2001
From: Jonathan Sokolowski
Date: Thu, 25 Jul 2019 02:41:07 +1000
Subject: [PATCH] Add -dev-no-store-token to vault server command (#7104)

When starting a vault dev server the token helper is invoked to store the dev root token. This option gives the user the ability to not store the token. Storing the token can be undesirable in certain circumstances (e.g. running local tests) as the user's existing vault token is clobbered without warning. Fixes #1861
---
 command/server.go | 36 +++++++++++++--------
 website/source/docs/commands/server.html.md | 4 +++
 2 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/command/server.go b/command/server.go
index 06c3d98a67..c93e6a3007 100644
--- a/command/server.go
+++ b/command/server.go
@@ -87,13 +87,13 @@ type ServerCommand struct {
 reloadedCh chan (struct{}) // for tests

 // new stuff
- flagConfigs []string
- flagLogLevel string
- flagLogFormat string
- flagDev bool
- flagDevRootTokenID string
- flagDevListenAddr string
-
+ flagConfigs []string
+ flagLogLevel string
+ flagLogFormat string
+ flagDev bool
+ flagDevRootTokenID string
+ flagDevListenAddr string
+ flagDevNoStoreToken bool
 flagDevPluginDir string
 flagDevPluginInit bool
 flagDevHA bool
@@ -213,6 +213,14 @@ func (c *ServerCommand) Flags() *FlagSets {
 EnvVar: "VAULT_DEV_LISTEN_ADDRESS",
 Usage: "Address to bind to in \"dev\" mode.",
 })
+ f.BoolVar(&BoolVar{
+ Name: "dev-no-store-token",
+ Target: &c.flagDevNoStoreToken,
+ Default: false,
+ Usage: "Do not persist the dev root token to the token helper " +
+ "(usually the local filesystem) for use in future requests. " +
+ "The token will only be displayed in the command output.",
+ })

 // Internal-only flags to follow.
 //
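Review bot: The `dev-no-store-token` registration in Flags() declares a BoolVar with `Default: false`, but the entry this patch adds to server.html.md documents the flag as `(string: "")`; that docs line should read `(bool: false)`. The usage text also never says the flag is tied to dev mode, although it is only read in enableDev and the neighbouring `dev-listen-address` usage does say `in \"dev\" mode`. Because the root token is still printed in the command output, a closing sentence such as `Only applies in "dev" mode; the root token is still printed by the server.` would make clear that the flag prevents overwriting the stored token, not exposure of the root token in terminals or captured logs. Flags() continues outside the hunk.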
@@ -1515,12 +1523,14 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
 }

 // Set the token
- tokenHelper, err := c.TokenHelper()
- if err != nil {
- return nil, err
- }
- if err := tokenHelper.Store(init.RootToken); err != nil {
- return nil, err
+ if !c.flagDevNoStoreToken {
+ tokenHelper, err := c.TokenHelper()
+ if err != nil {
+ return nil, err
+ }
+ if err := tokenHelper.Store(init.RootToken); err != nil {
+ return nil, err
+ }
 }

 kvVer := "2"
diff --git a/website/source/docs/commands/server.html.md b/website/source/docs/commands/server.html.md
index 491483573d..3f43e9dfed 100644
--- a/website/source/docs/commands/server.html.md
+++ b/website/source/docs/commands/server.html.md
@@ -76,4 +76,8 @@ flags](/docs/commands/index.html) included on all commands.
 when running in "dev" mode. This can also be specified via the `VAULT_DEV_ROOT_TOKEN_ID` environment variable.
+- `-dev-no-store-token` `(string: "")` - Do not persist the dev root token to
+ the token helper (usually the local filesystem) for use in future requests.
+ The token will only be displayed in the command output.
+
 - `-dev-plugin-dir` `(string: "")` - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.
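Review bot: In the enableDev hunk, only this one call to `tokenHelper.Store` is gated on `c.flagDevNoStoreToken`. Any other dev start-up path in command/server.go that stores the root token (none is visible in this patch) would still overwrite the user's saved token with the flag set, so it is worth confirming this is the only one. The `// Set the token` comment above the new `if` no longer matches the conditional behaviour; `// Store the dev root token in the token helper unless -dev-no-store-token was given.` would be accurate. The diffstat lists only server.go and the docs page, so nothing in this patch tests that the helper is left untouched when the flag is set. enableDev's body starts and ends outside the hunk.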