mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-01 11:08:10 +00:00
Update unwrap command
This commit is contained in:
Seth Vargo
@@ -1,104 +1,107 @@
|
||||
package command
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/vault/api"
|
||||
"github.com/hashicorp/vault/meta"
|
||||
"github.com/mitchellh/cli"
|
||||
"github.com/posener/complete"
|
||||
)
|
||||
|
||||
// UnwrapCommand is a Command that behaves like ReadCommand but specifically
|
||||
// for unwrapping cubbyhole-wrapped secrets
|
||||
// Ensure we are implementing the right interfaces.
|
||||
var _ cli.Command = (*UnwrapCommand)(nil)
|
||||
var _ cli.CommandAutocomplete = (*UnwrapCommand)(nil)
|
||||
|
||||
// UnwrapCommand is a Command that behaves like ReadCommand but specifically for
|
||||
// unwrapping cubbyhole-wrapped secrets
|
||||
type UnwrapCommand struct {
|
||||
meta.Meta
|
||||
*BaseCommand
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) Synopsis() string {
|
||||
return "Unwraps a wrapped secret"
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) Help() string {
|
||||
helpText := `
|
||||
Usage: vault unwrap [options] [TOKEN]
|
||||
|
||||
Unwraps a wrapped secret from Vault by the given token. The result is the
|
||||
same as the "vault read" operation on the non-wrapped secret. If no token
|
||||
is given, the data in the currently authenticated token is unwrapped.
|
||||
|
||||
Unwrap the data in the cubbyhole backend for a token:
|
||||
|
||||
$ vault unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd
|
||||
|
||||
Unwrap the data in the active token:
|
||||
|
||||
$ vault auth 848f9ccf-7176-098c-5e2b-75a0689d41cd
|
||||
$ vault unwrap # unwraps 848f9ccf...
|
||||
|
||||
For a full list of examples and paths, please see the online documentation.
|
||||
|
||||
` + c.Flags().Help()
|
||||
|
||||
return strings.TrimSpace(helpText)
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) Flags() *FlagSets {
|
||||
return c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) AutocompleteArgs() complete.Predictor {
|
||||
return c.PredictVaultFiles()
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) AutocompleteFlags() complete.Flags {
|
||||
return c.Flags().Completions()
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) Run(args []string) int {
|
||||
var format string
|
||||
var field string
|
||||
var err error
|
||||
var secret *api.Secret
|
||||
var flags *flag.FlagSet
|
||||
flags = c.Meta.FlagSet("unwrap", meta.FlagSetDefault)
|
||||
flags.StringVar(&format, "format", "table", "")
|
||||
flags.StringVar(&field, "field", "", "")
|
||||
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
||||
if err := flags.Parse(args); err != nil {
|
||||
f := c.Flags()
|
||||
|
||||
if err := f.Parse(args); err != nil {
|
||||
c.UI.Error(err.Error())
|
||||
return 1
|
||||
}
|
||||
|
||||
var tokenID string
|
||||
|
||||
args = flags.Args()
|
||||
args = f.Args()
|
||||
token := ""
|
||||
switch len(args) {
|
||||
case 0:
|
||||
// Leave token as "", that will use the local token
|
||||
case 1:
|
||||
tokenID = args[0]
|
||||
token = strings.TrimSpace(args[0])
|
||||
default:
|
||||
c.Ui.Error("unwrap expects zero or one argument (the ID of the wrapping token)")
|
||||
flags.Usage()
|
||||
c.UI.Error(fmt.Sprintf("Too many arguments (expected 0-1, got %d)", len(args)))
|
||||
return 1
|
||||
}
|
||||
|
||||
client, err := c.Client()
|
||||
if err != nil {
|
||||
c.Ui.Error(fmt.Sprintf(
|
||||
"Error initializing client: %s", err))
|
||||
c.UI.Error(err.Error())
|
||||
return 2
|
||||
}
|
||||
|
||||
secret, err = client.Logical().Unwrap(tokenID)
|
||||
secret, err := client.Logical().Unwrap(token)
|
||||
if err != nil {
|
||||
c.Ui.Error(err.Error())
|
||||
return 1
|
||||
c.UI.Error(fmt.Sprintf("Error unwrapping: %s", err))
|
||||
return 2
|
||||
}
|
||||
if secret == nil {
|
||||
c.Ui.Error("Server gave empty response or secret returned was empty")
|
||||
return 1
|
||||
c.UI.Error("Could not find wrapped response")
|
||||
return 2
|
||||
}
|
||||
|
||||
// Handle single field output
|
||||
if field != "" {
|
||||
return PrintRawField(c.Ui, secret, field)
|
||||
if c.flagField != "" {
|
||||
return PrintRawField(c.UI, secret, c.flagField)
|
||||
}
|
||||
|
||||
// Check if the original was a list response and format as a list if so
|
||||
if secret.Data != nil &&
|
||||
len(secret.Data) == 1 &&
|
||||
secret.Data["keys"] != nil {
|
||||
_, ok := secret.Data["keys"].([]interface{})
|
||||
if ok {
|
||||
return OutputList(c.Ui, format, secret)
|
||||
}
|
||||
// Check if the original was a list response and format as a list
|
||||
if _, ok := extractListData(secret); ok {
|
||||
return OutputList(c.UI, c.flagFormat, secret)
|
||||
}
|
||||
return OutputSecret(c.Ui, format, secret)
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) Synopsis() string {
|
||||
return "Unwrap a wrapped secret"
|
||||
}
|
||||
|
||||
func (c *UnwrapCommand) Help() string {
|
||||
helpText := `
|
||||
Usage: vault unwrap [options] <wrapping token ID>
|
||||
|
||||
Unwrap a wrapped secret.
|
||||
|
||||
Unwraps the data wrapped by the given token ID. The returned result is the
|
||||
same as a 'read' operation on a non-wrapped secret.
|
||||
|
||||
General Options:
|
||||
` + meta.GeneralOptionsUsage() + `
|
||||
Read Options:
|
||||
|
||||
-format=table The format for output. By default it is a whitespace-
|
||||
delimited table. This can also be json or yaml.
|
||||
|
||||
-field=field If included, the raw value of the specified field
|
||||
will be output raw to stdout.
|
||||
|
||||
`
|
||||
return strings.TrimSpace(helpText)
|
||||
return OutputSecret(c.UI, c.flagFormat, secret)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user