scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove hex output from keys; standardize on B64 for CLI output. This (#1831)

Browse Source 
aligns with all other interactions which use B64 encoding for bytes.
This commit is contained in:
Jeff Mitchell
2016-09-01 12:59:15 -04:00
committed by GitHub
parent ffb5fd1858
commit 392565fe01
4 changed files with 63 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
command/init.go
View File

@@ -193,16 +193,14 @@ func (c *InitCommand) runInit(check bool, initRequest *api.InitRequest) int {
for i, key := range resp.Keys { for i, key := range resp.Keys {
if resp.KeysB64 != nil && len(resp.KeysB64) == len(resp.Keys) { if resp.KeysB64 != nil && len(resp.KeysB64) == len(resp.Keys) {
c.Ui.Output(fmt.Sprintf("Unseal Key %d (hex) : %s", i+1, key)) c.Ui.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, resp.KeysB64[i]))
c.Ui.Output(fmt.Sprintf("Unseal Key %d (base64): %s", i+1, resp.KeysB64[i]))
} else { } else {
c.Ui.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, key)) c.Ui.Output(fmt.Sprintf("Unseal Key %d: %s", i+1, key))
} }
} }
for i, key := range resp.RecoveryKeys { for i, key := range resp.RecoveryKeys {
if resp.RecoveryKeysB64 != nil && len(resp.RecoveryKeysB64) == len(resp.RecoveryKeys) { if resp.RecoveryKeysB64 != nil && len(resp.RecoveryKeysB64) == len(resp.RecoveryKeys) {
c.Ui.Output(fmt.Sprintf("Recovery Key %d (hex) : %s", i+1, key)) c.Ui.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, resp.RecoveryKeysB64[i]))
c.Ui.Output(fmt.Sprintf("Recovery Key %d (base64): %s", i+1, resp.RecoveryKeysB64[i]))
} else { } else {
c.Ui.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, key)) c.Ui.Output(fmt.Sprintf("Recovery Key %d: %s", i+1, key))
} }
@@ -279,62 +277,66 @@ General Options:
` + meta.GeneralOptionsUsage() + ` ` + meta.GeneralOptionsUsage() + `
Init Options: Init Options:
-check Don't actually initialize, just check if Vault is -check Don't actually initialize, just check if Vault is
already initialized. A return code of 0 means Vault already initialized. A return code of 0 means Vault
is initialized; a return code of 2 means Vault is not is initialized; a return code of 2 means Vault is not
initialized; a return code of 1 means an error was initialized; a return code of 1 means an error was
encountered. encountered.
-key-shares=5 The number of key shares to split the master key -key-shares=5 The number of key shares to split the master key
into. into.
-key-threshold=3 The number of key shares required to reconstruct -key-threshold=3 The number of key shares required to reconstruct
the master key. the master key.
-stored-shares=0 The number of unseal keys to store. This is not -stored-shares=0 The number of unseal keys to store. This is not
normally available. normally available.
-pgp-keys If provided, must be a comma-separated list of -pgp-keys If provided, must be a comma-separated list of
files on disk containing binary- or base64-format files on disk containing binary- or base64-format
public PGP keys, or Keybase usernames specified as public PGP keys, or Keybase usernames specified as
"keybase:<username>". The number of given entries "keybase:<username>". The number of given entries
must match 'key-shares'. The output unseal keys will must match 'key-shares'. The output unseal keys will
be encrypted and hex-encoded, in order, with the be encrypted and base64-encoded, in order, with the
given public keys. If you want to use them with the given public keys. If you want to use them with the
'vault unseal' command, you will need to hex decode 'vault unseal' command, you will need to base64-
and decrypt; this will be the plaintext unseal key. decode and decrypt; this will be the plaintext
unseal key.
-recovery-shares=5 The number of key shares to split the recovery key -recovery-shares=5 The number of key shares to split the recovery key
into. This is not normally available. into. This is not normally available.
-recovery-threshold=3 The number of key shares required to reconstruct -recovery-threshold=3 The number of key shares required to reconstruct
the recovery key. This is not normally available. the recovery key. This is not normally available.
-recovery-pgp-keys If provided, behaves like "pgp-keys" but for the -recovery-pgp-keys If provided, behaves like "pgp-keys" but for the
recovery key shares. This is not normally available. recovery key shares. This is not normally available.
-auto If set, performs service discovery using Consul. When -auto If set, performs service discovery using Consul.
all the nodes of a Vault cluster are registered with When all the nodes of a Vault cluster are
Consul, setting this flag will trigger service discovery registered with Consul, setting this flag will
using the service name with which Vault nodes are trigger service discovery using the service name
registered. This option works well when each Vault with which Vault nodes are registered. This option
cluster is registered under a unique service name. works well when each Vault cluster is registered
Note that, when Consul is serving as Vault's HA backend, under a unique service name. Note that, when Consul
Vault nodes are registered with Consul by default. The is serving as Vault's HA backend, Vault nodes are
service name can be changed using 'consul-service' flag. registered with Consul by default. The service name
Ensure that environment variables required to communicate can be changed using 'consul-service' flag. Ensure
with Consul, like (CONSUL_HTTP_ADDR, CONSUL_HTTP_TOKEN, that environment variables required to communicate
CONSUL_HTTP_SSL, et al) are properly set. When only one with Consul, like (CONSUL_HTTP_ADDR,
Vault node is discovered, it will be initialized and CONSUL_HTTP_TOKEN, CONSUL_HTTP_SSL, et al) are
when more than one Vault node is discovered, they will properly set. When only one Vault node is
be output for easy selection. discovered, it will be initialized and when more
than one Vault node is discovered, they will be
output for easy selection.
-consul-service Service name under which all the nodes of a Vault cluster -consul-service Service name under which all the nodes of a Vault
are registered with Consul. Note that, when Vault uses cluster are registered with Consul. Note that, when
Consul as its HA backend, by default, Vault will register Vault uses Consul as its HA backend, by default,
itself as a service with Consul with the service name "vault". Vault will register itself as a service with Consul
This name can be modified in Vault's configuration file, with the service name "vault". This name can be
using the "service" option for the Consul backend. modified in Vault's configuration file, using the
"service" option for the Consul backend.
` `
return strings.TrimSpace(helpText) return strings.TrimSpace(helpText)
} }

23
command/pgp_test.go
View File

@@ -89,20 +89,12 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
priv3Bytes, priv3Bytes,
} }
testFunc := func(b64 bool, bkeys map[string][]string) { testFunc := func(bkeys map[string][]string) {
var re *regexp.Regexp var re *regexp.Regexp
if fingerprints { if fingerprints {
if b64 { re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value:\\s+(.*)")
re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value\\s+\\(base64\\):\\s+(.*)")
} else {
re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value\\s+\\(hex\\)\\s+:\\s+(.*)")
}
} else { } else {
if b64 { re, err = regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
re, err = regexp.Compile("\\s*Key\\s+\\d+\\s\\(base64\\):\\s+(.*)")
} else {
re, err = regexp.Compile("\\s*Key\\s+\\d+\\s\\(hex\\)\\s+:\\s+(.*)")
}
} }
if err != nil { if err != nil {
t.Fatalf("Error compiling regex: %s", err) t.Fatalf("Error compiling regex: %s", err)
@@ -152,11 +144,7 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
t.Fatalf("Error parsing private key %d: %s", i, err) t.Fatalf("Error parsing private key %d: %s", i, err)
} }
var keyBytes []byte var keyBytes []byte
if b64 { keyBytes, err = base64.StdEncoding.DecodeString(encodedKeys[i])
keyBytes, err = base64.StdEncoding.DecodeString(encodedKeys[i])
} else {
keyBytes, err = hex.DecodeString(encodedKeys[i])
}
if err != nil { if err != nil {
t.Fatalf("Error decoding key %d: %s", i, err) t.Fatalf("Error decoding key %d: %s", i, err)
} }
@@ -189,6 +177,5 @@ func parseDecryptAndTestUnsealKeys(t *testing.T,
} }
} }
testFunc(false, backupKeys) testFunc(backupKeysB64)
testFunc(true, backupKeysB64)
} }

10
command/rekey.go
View File

@@ -167,15 +167,13 @@ func (c *RekeyCommand) Run(args []string) int {
for i, key := range result.Keys { for i, key := range result.Keys {
if len(result.PGPFingerprints) > 0 { if len(result.PGPFingerprints) > 0 {
if haveB64 { if haveB64 {
c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value (hex) : %s", i+1, result.PGPFingerprints[i], key)) c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, result.PGPFingerprints[i], result.KeysB64[i]))
c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value (base64): %s", i+1, result.PGPFingerprints[i], result.KeysB64[i]))
} else { } else {
c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, result.PGPFingerprints[i], key)) c.Ui.Output(fmt.Sprintf("Key %d fingerprint: %s; value: %s", i+1, result.PGPFingerprints[i], key))
} }
} else { } else {
if haveB64 { if haveB64 {
c.Ui.Output(fmt.Sprintf("Key %d (hex) : %s", i+1, key)) c.Ui.Output(fmt.Sprintf("Key %d: %s", i+1, result.KeysB64[i]))
c.Ui.Output(fmt.Sprintf("Key %d (base64): %s", i+1, result.KeysB64[i]))
} else { } else {
c.Ui.Output(fmt.Sprintf("Key %d: %s", i+1, key)) c.Ui.Output(fmt.Sprintf("Key %d: %s", i+1, key))
} }
@@ -404,9 +402,9 @@ Rekey Options:
public PGP keys, or Keybase usernames specified as public PGP keys, or Keybase usernames specified as
"keybase:<username>". The number of given entries "keybase:<username>". The number of given entries
must match 'key-shares'. The output unseal keys will must match 'key-shares'. The output unseal keys will
be encrypted and hex-encoded, in order, with the be encrypted and base64-encoded, in order, with the
given public keys. If you want to use them with the given public keys. If you want to use them with the
'vault unseal' command, you will need to hex decode 'vault unseal' command, you will need to base64-decode
and decrypt; this will be the plaintext unseal key. and decrypt; this will be the plaintext unseal key.
-backup=false If true, and if the key shares are PGP-encrypted, a -backup=false If true, and if the key shares are PGP-encrypted, a

4
command/server.go
View File

@@ -2,7 +2,6 @@ package command
import ( import (
"encoding/base64" "encoding/base64"
"encoding/hex"
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
@@ -525,8 +524,7 @@ func (c *ServerCommand) Run(args []string) int {
" "+export+" VAULT_ADDR="+quote+"http://"+config.Listeners[0].Config["address"]+quote+"\n\n"+ " "+export+" VAULT_ADDR="+quote+"http://"+config.Listeners[0].Config["address"]+quote+"\n\n"+
"The unseal key and root token are reproduced below in case you\n"+ "The unseal key and root token are reproduced below in case you\n"+
"want to seal/unseal the Vault or play with authentication.\n\n"+ "want to seal/unseal the Vault or play with authentication.\n\n"+
"Unseal Key (hex) : %s\nUnseal Key (base64): %s\nRoot Token: %s\n", "Unseal Key: %s\nRoot Token: %s\n",
hex.EncodeToString(init.SecretShares[0]),
base64.StdEncoding.EncodeToString(init.SecretShares[0]), base64.StdEncoding.EncodeToString(init.SecretShares[0]),
init.RootToken, init.RootToken,
)) ))