Minor client refactoring (#3539)

api/client.go

@@ -13,6 +13,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/go-rootcerts"
 	"github.com/hashicorp/vault/helper/parseutil"
@@ -63,6 +64,10 @@ type Config struct {
 
 	// Timeout is for setting custom timeout parameter in the HttpClient
 	Timeout time.Duration
+
+	// If there is an error when creating the configuration, this will be the
+	// error
+	Error error
 }
 
 // TLSConfig contains the parameters needed to configure TLS on the HTTP client
@@ -110,17 +115,15 @@ func DefaultConfig() *Config {
 		MinVersion: tls.VersionTLS12,
 	}
 	if err := http2.ConfigureTransport(transport); err != nil {
+		config.Error = err
 		return nil
 	}
 
 	if err := config.ReadEnvironment(); err != nil {
+		config.Error = err
 		return nil
 	}
 
-	if v := os.Getenv(EnvVaultAddress); v != "" {
-		config.Address = v
-	}
-
 	// Ensure redirects are not automatically followed
 	// Note that this is sane for the API client as it has its own
 	// redirect handling logic (and thus also for command/meta),
@@ -142,36 +145,41 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error {
 	if c.HttpClient == nil {
 		c.HttpClient = DefaultConfig().HttpClient
 	}
+	clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
 
 	var clientCert tls.Certificate
 	foundClientCert := false
-	if t.CACert != "" || t.CAPath != "" || t.ClientCert != "" || t.ClientKey != "" || t.Insecure {
-		if t.ClientCert != "" && t.ClientKey != "" {
-			var err error
-			clientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey)
-			if err != nil {
-				return err
-			}
-			foundClientCert = true
-		} else if t.ClientCert != "" || t.ClientKey != "" {
-			return fmt.Errorf("Both client cert and client key must be provided")
+
+	switch {
+	case t.ClientCert != "" && t.ClientKey != "":
+		var err error
+		clientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey)
+		if err != nil {
+			return err
+		}
+		foundClientCert = true
+	case t.ClientCert != "" || t.ClientKey != "":
+		return fmt.Errorf("Both client cert and client key must be provided")
+	}
+
+	if t.CACert != "" || t.CAPath != "" {
+		rootConfig := &rootcerts.Config{
+			CAFile: t.CACert,
+			CAPath: t.CAPath,
+		}
+		if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
+			return err
 		}
 	}
 
-	clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
-	rootConfig := &rootcerts.Config{
-		CAFile: t.CACert,
-		CAPath: t.CAPath,
+	if t.Insecure {
+		clientTLSConfig.InsecureSkipVerify = true
 	}
-	if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
-		return err
-	}
-
-	clientTLSConfig.InsecureSkipVerify = t.Insecure
 
 	if foundClientCert {
 		clientTLSConfig.Certificates = []tls.Certificate{clientCert}
 	}
+
 	if t.TLSServerName != "" {
 		clientTLSConfig.ServerName = t.TLSServerName
 	}
@@ -290,6 +298,9 @@ func NewClient(c *Config) (*Client, error) {
 	if def == nil {
 		return nil, fmt.Errorf("could not create/read default configuration")
 	}
+	if def.Error != nil {
+		return nil, errwrap.Wrapf("error encountered setting up default configuration: {{err}}", def.Error)
+	}
 
 	if c == nil {
 		c = def