
command/init

This commit is contained in:
Mitchell Hashimoto 2015-03-13 10:32:39 -07:00
parent 722a3875cf
commit 6b83c937d4
4 changed files with 137 additions and 0 deletions

.gitignore vendored

@ -26,3 +26,6 @@ _testmain.go
# Other dirs
bin/
pkg/
# Vault-specific
example.hcl

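--- a/command/init.go
+++ b/command/init.go
@@ -0,0 +1,90 @@
+package command
+import (
+"fmt"
+"strings"
+"github.com/hashicorp/vault/api"
+)
+// InitCommand is a Command that initializes a new Vault server.
+type InitCommand struct {
+Meta
+}
+func (c *InitCommand) Run(args []string) int {
+var shares, threshold int
+flags := c.Meta.FlagSet("init", FlagSetDefault)
+flags.Usage = func() { c.Ui.Error(c.Help()) }
+flags.IntVar(&shares, "key-shares", 5, "")
+flags.IntVar(&threshold, "key-threshold", 3, "")
+if err := flags.Parse(args); err != nil {
+return 1
+}
+client, err := c.Client()
+if err != nil {
+c.Ui.Error(fmt.Sprintf(
+"Error initializing client: %s", err))
+return 1
+}
+resp, err := client.Sys().Init(&api.InitRequest{
+SecretShares: shares,
+SecretThreshold: threshold,
+})
+if err != nil {
+c.Ui.Error(fmt.Sprintf(
+"Error initializing Vault: %s", err))
+return 1
+}
+for _, key := range resp.Keys {
+c.Ui.Output(fmt.Sprintf("Key: %s", key))
+}
+return 0
+}
+func (c *InitCommand) Synopsis() string {
+return "Initialize a new Vault server"
+}
+func (c *InitCommand) Help() string {
+helpText := `
+Usage: vault init [options]
+Initialize a new Vault server.
+This command connects to a Vault server and initializes it for the
+first time. This sets up the initial set of master keys and sets up the
+backend data store structure.
+This command can't be called on an already-initialized Vault.
+General Options:
+-address=TODO The address of the Vault server.
+-ca-cert=path Path to a PEM encoded CA cert file to use to
+verify the Vault server SSL certificate.
+-ca-path=path Path to a directory of PEM encoded CA cert files
+to verify the Vault server SSL certificate. If both
+-ca-cert and -ca-path are specified, -ca-path is used.
+-insecure Do not verify TLS certificate. This is highly
+not recommended. This is especially not recommended
+for unsealing a vault.
+Init Options:
+-key-shares=5 The number of key shares to split the master key
+into.
+-key-threshold=3 The number of key shares required to reconstruct
+the master key.
+`
+return strings.TrimSpace(helpText)
+}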
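Review bot: Run passes shares and threshold straight to client.Sys().Init with no local sanity check, so a threshold larger than the share count (or a threshold of 0) travels to the server before any error is reported; a guard right after flags.Parse, `if threshold < 1 || threshold > shares { c.Ui.Error("-key-threshold must be between 1 and -key-shares"); return 1 }`, keeps that mistake on the client side with a clear message (the server presumably rejects it as well, but that cannot be confirmed from this hunk). The Help text also still carries the placeholder `-address=TODO`; it should read `-address=addr The address of the Vault server.` so it matches the form of the other options. Since the loop at the end prints each key share once and nothing else retains them, the help text would be the natural place to state that this output is the only copy of the unseal keys.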


@ -2,9 +2,14 @@ package command
import (
"bufio"
"crypto/tls"
"flag"
"io"
"net"
"net/http"
"time"
"github.com/hashicorp/vault/api"
"github.com/mitchellh/cli"
)
@ -30,6 +35,39 @@ type Meta struct {
flagInsecure bool
}
// Client returns the API client to a Vault server given the configured
// flag settings for this command.
func (m *Meta) Client() (*api.Client, error) {
config := api.DefaultConfig()
if m.flagAddress != "" {
config.Address = m.flagAddress
}
// If we need custom TLS configuration, then set it
if m.flagCACert != "" || m.flagCAPath != "" || m.flagInsecure {
tlsConfig := &tls.Config{
InsecureSkipVerify: m.flagInsecure,
}
// TODO: Root CAs
client := *http.DefaultClient
client.Transport = &http.Transport{
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSClientConfig: tlsConfig,
TLSHandshakeTimeout: 10 * time.Second,
}
config.HttpClient = &client
}
return api.NewClient(config)
}
// FlagSet returns a FlagSet with the common flags that every
// command implements. The exact behavior of FlagSet can be configured
// using the flags as the second parameter, for example to disable
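Review bot: Client() accepts -ca-cert and -ca-path but never applies them, since the custom-TLS branch builds tlsConfig with only InsecureSkipVerify and leaves RootCAs at the `// TODO: Root CAs` marker; a caller who pins a CA with those flags therefore gets a transport that silently verifies against the host's default root set instead, and the flag values are simply dropped. Until RootCAs is wired in, the flags should fail loudly rather than be ignored, e.g. after the tlsConfig literal: `if m.flagCACert != "" || m.flagCAPath != "" { return nil, errors.New("-ca-cert and -ca-path are not yet supported") }` (this needs an `errors` import, which the import hunk of this file does not currently have). The copy of `*http.DefaultClient` also has no overall Timeout, so a server that accepts the connection but never answers blocks the command indefinitely; setting `client.Timeout` or a ResponseHeaderTimeout on the Transport alongside the existing TLSHandshakeTimeout would bound that. The Meta struct this method belongs to is declared before this hunk.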


@ -48,6 +48,12 @@ func init() {
}, nil
},
"init": func() (cli.Command, error) {
return &command.InitCommand{
Meta: meta,
}, nil
},
"server": func() (cli.Command, error) {
return &command.ServerCommand{
Meta: meta,