scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Errwrap everywhere (#4252)

Browse Source 
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
This commit is contained in:
Vishal Nayak
2018-04-05 11:49:21 -04:00
committed by GitHub
parent f13a832a9f
commit e2bb2ec3b9
159 changed files with 811 additions and 741 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
api/client.go
View File

@@ -160,7 +160,7 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error {
} }
foundClientCert = true foundClientCert = true
case t.ClientCert != "" || t.ClientKey != "": case t.ClientCert != "" || t.ClientKey != "":
return fmt.Errorf("Both client cert and client key must be provided") return fmt.Errorf("both client cert and client key must be provided")
} }
if t.CACert != "" || t.CAPath != "" { if t.CACert != "" || t.CAPath != "" {
@@ -232,7 +232,7 @@ func (c *Config) ReadEnvironment() error {
if t := os.Getenv(EnvVaultClientTimeout); t != "" { if t := os.Getenv(EnvVaultClientTimeout); t != "" {
clientTimeout, err := parseutil.ParseDurationSecond(t) clientTimeout, err := parseutil.ParseDurationSecond(t)
if err != nil { if err != nil {
return fmt.Errorf("Could not parse %s", EnvVaultClientTimeout) return fmt.Errorf("could not parse %q", EnvVaultClientTimeout)
} }
envClientTimeout = clientTimeout envClientTimeout = clientTimeout
} }
@@ -240,7 +240,7 @@ func (c *Config) ReadEnvironment() error {
var err error var err error
envInsecure, err = strconv.ParseBool(v) envInsecure, err = strconv.ParseBool(v)
if err != nil { if err != nil {
return fmt.Errorf("Could not parse VAULT_SKIP_VERIFY") return fmt.Errorf("could not parse VAULT_SKIP_VERIFY")
} }
} }
if v := os.Getenv(EnvVaultTLSServerName); v != "" { if v := os.Getenv(EnvVaultTLSServerName); v != "" {
@@ -348,7 +348,7 @@ func (c *Client) SetAddress(addr string) error {
var err error var err error
if c.addr, err = url.Parse(addr); err != nil { if c.addr, err = url.Parse(addr); err != nil {
return fmt.Errorf("failed to set address: %v", err) return errwrap.Wrapf("failed to set address: {{err}}", err)
} }
return nil return nil
@@ -539,7 +539,7 @@ func (c *Client) RawRequest(r *Request) (*Response, error) {
return !unicode.IsPrint(c) return !unicode.IsPrint(c)
}) })
if idx != -1 { if idx != -1 {
return nil, fmt.Errorf("Configured Vault token contains non-printable characters and cannot be used.") return nil, fmt.Errorf("configured Vault token contains non-printable characters and cannot be used")
} }
redirectCount := 0 redirectCount := 0
@@ -560,8 +560,8 @@ START:
} }
if err != nil { if err != nil {
if strings.Contains(err.Error(), "tls: oversized") { if strings.Contains(err.Error(), "tls: oversized") {
err = fmt.Errorf( err = errwrap.Wrapf(
"%s\n\n"+ "{{err}}\n\n"+
"This error usually means that the server is running with TLS disabled\n"+ "This error usually means that the server is running with TLS disabled\n"+
"but the client is configured to use TLS. Please either enable TLS\n"+ "but the client is configured to use TLS. Please either enable TLS\n"+
"on the server or run the client with -address set to an address\n"+ "on the server or run the client with -address set to an address\n"+

7
api/logical.go
View File

@@ -7,6 +7,7 @@ import (
"net/http" "net/http"
"os" "os"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
) )
@@ -213,10 +214,10 @@ func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
secret, err := c.Read(wrappedResponseLocation) secret, err := c.Read(wrappedResponseLocation)
if err != nil { if err != nil {
return nil, fmt.Errorf("error reading %s: %s", wrappedResponseLocation, err) return nil, errwrap.Wrapf(fmt.Sprintf("error reading %q: {{err}}", wrappedResponseLocation), err)
} }
if secret == nil { if secret == nil {
return nil, fmt.Errorf("no value found at %s", wrappedResponseLocation) return nil, fmt.Errorf("no value found at %q", wrappedResponseLocation)
} }
if secret.Data == nil { if secret.Data == nil {
return nil, fmt.Errorf("\"data\" not found in wrapping response") return nil, fmt.Errorf("\"data\" not found in wrapping response")
@@ -228,7 +229,7 @@ func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
wrappedSecret := new(Secret) wrappedSecret := new(Secret)
buf := bytes.NewBufferString(secret.Data["response"].(string)) buf := bytes.NewBufferString(secret.Data["response"].(string))
if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil { if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil {
return nil, fmt.Errorf("error unmarshalling wrapped secret: %s", err) return nil, errwrap.Wrapf("error unmarshalling wrapped secret: {{err}}", err)
} }
return wrappedSecret, nil return wrappedSecret, nil

3
api/secret.go
View File

@@ -5,6 +5,7 @@ import (
"io" "io"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
"github.com/hashicorp/vault/helper/parseutil" "github.com/hashicorp/vault/helper/parseutil"
) )
@@ -190,7 +191,7 @@ func (s *Secret) TokenIsRenewable() (bool, error) {
renewable, err := parseutil.ParseBool(s.Data["renewable"]) renewable, err := parseutil.ParseBool(s.Data["renewable"])
if err != nil { if err != nil {
return false, fmt.Errorf("could not convert renewable value to a boolean: %v", err) return false, errwrap.Wrapf("could not convert renewable value to a boolean: {{err}}", err)
} }
return renewable, nil return renewable, nil

10
api/ssh_agent.go
View File

@@ -7,6 +7,7 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-rootcerts" "github.com/hashicorp/go-rootcerts"
@@ -141,12 +142,12 @@ func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error) {
func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) { func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {
root, err := hcl.Parse(string(contents)) root, err := hcl.Parse(string(contents))
if err != nil { if err != nil {
return nil, fmt.Errorf("ssh_helper: error parsing config: %s", err) return nil, errwrap.Wrapf("error parsing config: {{err}}", err)
} }
list, ok := root.Node.(*ast.ObjectList) list, ok := root.Node.(*ast.ObjectList)
if !ok { if !ok {
return nil, fmt.Errorf("ssh_helper: error parsing config: file doesn't contain a root object") return nil, fmt.Errorf("error parsing config: file doesn't contain a root object")
} }
valid := []string{ valid := []string{
@@ -170,7 +171,7 @@ func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {
} }
if c.VaultAddr == "" { if c.VaultAddr == "" {
return nil, fmt.Errorf("ssh_helper: missing config 'vault_addr'") return nil, fmt.Errorf("missing config 'vault_addr'")
} }
return &c, nil return &c, nil
} }
@@ -248,8 +249,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items { for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string) key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok { if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf( result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
"invalid key '%s' on line %d", key, item.Assign.Line))
} }
} }

5
builtin/audit/file/backend.go
View File

@@ -10,6 +10,7 @@ import (
"strings" "strings"
"sync" "sync"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/audit"
"github.com/hashicorp/vault/helper/salt" "github.com/hashicorp/vault/helper/salt"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -46,7 +47,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
switch format { switch format {
case "json", "jsonx": case "json", "jsonx":
default: default:
return nil, fmt.Errorf("unknown format type %s", format) return nil, fmt.Errorf("unknown format type %q", format)
} }
// Check if hashing of accessor is disabled // Check if hashing of accessor is disabled
@@ -113,7 +114,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
// otherwise it will be too late to catch later without problems // otherwise it will be too late to catch later without problems
// (ref: https://github.com/hashicorp/vault/issues/550) // (ref: https://github.com/hashicorp/vault/issues/550)
if err := b.open(); err != nil { if err := b.open(); err != nil {
return nil, fmt.Errorf("sanity check failed; unable to open %s for writing: %v", path, err) return nil, errwrap.Wrapf(fmt.Sprintf("sanity check failed; unable to open %q for writing: {{err}}", path), err)
} }
} }

2
builtin/audit/socket/backend.go
View File

@@ -50,7 +50,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
switch format { switch format {
case "json", "jsonx": case "json", "jsonx":
default: default:
return nil, fmt.Errorf("unknown format type %s", format) return nil, fmt.Errorf("unknown format type %q", format)
} }
// Check if hashing of accessor is disabled // Check if hashing of accessor is disabled

2
builtin/audit/syslog/backend.go
View File

@@ -40,7 +40,7 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
switch format { switch format {
case "json", "jsonx": case "json", "jsonx":
default: default:
return nil, fmt.Errorf("unknown format type %s", format) return nil, fmt.Errorf("unknown format type %q", format)
} }
// Check if hashing of accessor is disabled // Check if hashing of accessor is disabled

5
builtin/credential/app-id/path_login.go
View File

@@ -9,6 +9,7 @@ import (
"net" "net"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/policyutil" "github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -168,7 +169,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, a
if raw, ok := appsMap["cidr_block"]; ok { if raw, ok := appsMap["cidr_block"]; ok {
_, cidr, err := net.ParseCIDR(raw.(string)) _, cidr, err := net.ParseCIDR(raw.(string))
if err != nil { if err != nil {
return "", nil, fmt.Errorf("invalid restriction cidr: %s", err) return "", nil, errwrap.Wrapf("invalid restriction cidr: {{err}}", err)
} }
var addr string var addr string
@@ -187,7 +188,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, a
apps, ok := appsRaw.(string) apps, ok := appsRaw.(string)
if !ok { if !ok {
return "", nil, fmt.Errorf("internal error: mapping is not a string") return "", nil, fmt.Errorf("mapping is not a string")
} }
// Verify that the app is in the list // Verify that the app is in the list

4
builtin/credential/approle/path_login.go
View File

@@ -101,10 +101,10 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, data
// Ensure that the Role still exists. // Ensure that the Role still exists.
role, err := b.roleEntry(ctx, req.Storage, strings.ToLower(roleName)) role, err := b.roleEntry(ctx, req.Storage, strings.ToLower(roleName))
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to validate role %s during renewal:%s", roleName, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to validate role %q during renewal: {{err}}", roleName), err)
} }
if role == nil { if role == nil {
return nil, fmt.Errorf("role %s does not exist during renewal", roleName) return nil, fmt.Errorf("role %q does not exist during renewal", roleName)
} }
resp := &logical.Response{Auth: req.Auth} resp := &logical.Response{Auth: req.Auth}

49
builtin/credential/approle/path_role.go
View File

@@ -7,6 +7,7 @@ import (
"time" "time"
"github.com/fatih/structs" "github.com/fatih/structs"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/cidrutil" "github.com/hashicorp/vault/helper/cidrutil"
"github.com/hashicorp/vault/helper/consts" "github.com/hashicorp/vault/helper/consts"
@@ -579,7 +580,7 @@ func (b *backend) pathRoleSecretIDList(ctx context.Context, req *logical.Request
roleNameHMAC, err := createHMAC(role.HMACKey, roleName) roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
// Listing works one level at a time. Get the first level of data // Listing works one level at a time. Get the first level of data
@@ -673,7 +674,7 @@ func (b *backend) setRoleEntry(ctx context.Context, s logical.Storage, roleName
// Check if the index from the role_id to role already exists // Check if the index from the role_id to role already exists
roleIDIndex, err := b.roleIDEntry(ctx, s, role.RoleID) roleIDIndex, err := b.roleIDEntry(ctx, s, role.RoleID)
if err != nil { if err != nil {
return fmt.Errorf("failed to read role_id index: %v", err) return errwrap.Wrapf("failed to read role_id index: {{err}}", err)
} }
// If the entry exists, make sure that it belongs to the current role // If the entry exists, make sure that it belongs to the current role
@@ -768,7 +769,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
if role == nil && req.Operation == logical.CreateOperation { if role == nil && req.Operation == logical.CreateOperation {
hmacKey, err := uuid.GenerateUUID() hmacKey, err := uuid.GenerateUUID()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create role_id: %v\n", err) return nil, errwrap.Wrapf("failed to create role_id: {{err}}", err)
} }
role = &roleStorageEntry{ role = &roleStorageEntry{
HMACKey: hmacKey, HMACKey: hmacKey,
@@ -784,7 +785,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
} else if req.Operation == logical.CreateOperation { } else if req.Operation == logical.CreateOperation {
roleID, err := uuid.GenerateUUID() roleID, err := uuid.GenerateUUID()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to generate role_id: %v\n", err) return nil, errwrap.Wrapf("failed to generate role_id: {{err}}", err)
} }
role.RoleID = roleID role.RoleID = roleID
} }
@@ -807,7 +808,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
if len(role.BoundCIDRList) != 0 { if len(role.BoundCIDRList) != 0 {
valid, err := cidrutil.ValidateCIDRListSlice(role.BoundCIDRList) valid, err := cidrutil.ValidateCIDRListSlice(role.BoundCIDRList)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to validate CIDR blocks: %v", err) return nil, errwrap.Wrapf("failed to validate CIDR blocks: {{err}}", err)
} }
if !valid { if !valid {
return logical.ErrorResponse("invalid CIDR blocks"), nil return logical.ErrorResponse("invalid CIDR blocks"), nil
@@ -953,7 +954,7 @@ func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, data *
}) })
if err != nil { if err != nil {
lockRelease() lockRelease()
return nil, fmt.Errorf("failed to create secondary index for role_id %q: %v", role.RoleID, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to create secondary index for role_id %q: {{err}}", role.RoleID), err)
} }
resp.AddWarning("Role identifier was missing an index back to role name. A new index has been added. Please report this observation.") resp.AddWarning("Role identifier was missing an index back to role name. A new index has been added. Please report this observation.")
} }
@@ -985,12 +986,12 @@ func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, data
// Just before the role is deleted, remove all the SecretIDs issued as part of the role. // Just before the role is deleted, remove all the SecretIDs issued as part of the role.
if err = b.flushRoleSecrets(ctx, req.Storage, roleName, role.HMACKey); err != nil { if err = b.flushRoleSecrets(ctx, req.Storage, roleName, role.HMACKey); err != nil {
return nil, fmt.Errorf("failed to invalidate the secrets belonging to role %q: %v", roleName, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to invalidate the secrets belonging to role %q: {{err}}", roleName), err)
} }
// Delete the reverse mapping from RoleID to the role // Delete the reverse mapping from RoleID to the role
if err = b.roleIDEntryDelete(ctx, req.Storage, role.RoleID); err != nil { if err = b.roleIDEntryDelete(ctx, req.Storage, role.RoleID); err != nil {
return nil, fmt.Errorf("failed to delete the mapping from RoleID to role %q: %v", roleName, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to delete the mapping from RoleID to role %q: {{err}}", roleName), err)
} }
// After deleting the SecretIDs and the RoleID, delete the role itself // After deleting the SecretIDs and the RoleID, delete the role itself
@@ -1033,13 +1034,13 @@ func (b *backend) pathRoleSecretIDLookupUpdate(ctx context.Context, req *logical
// Create the HMAC of the secret ID using the per-role HMAC key // Create the HMAC of the secret ID using the per-role HMAC key
secretIDHMAC, err := createHMAC(role.HMACKey, secretID) secretIDHMAC, err := createHMAC(role.HMACKey, secretID)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of secret_id: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of secret_id: {{err}}", err)
} }
// Create the HMAC of the roleName using the per-role HMAC key // Create the HMAC of the roleName using the per-role HMAC key
roleNameHMAC, err := createHMAC(role.HMACKey, roleName) roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
// Create the index at which the secret_id would've been stored // Create the index at which the secret_id would've been stored
@@ -1110,12 +1111,12 @@ func (b *backend) pathRoleSecretIDDestroyUpdateDelete(ctx context.Context, req *
secretIDHMAC, err := createHMAC(role.HMACKey, secretID) secretIDHMAC, err := createHMAC(role.HMACKey, secretID)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of secret_id: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of secret_id: {{err}}", err)
} }
roleNameHMAC, err := createHMAC(role.HMACKey, roleName) roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC) entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC)
@@ -1140,7 +1141,7 @@ func (b *backend) pathRoleSecretIDDestroyUpdateDelete(ctx context.Context, req *
// Delete the storage entry that corresponds to the SecretID // Delete the storage entry that corresponds to the SecretID
if err := req.Storage.Delete(ctx, entryIndex); err != nil { if err := req.Storage.Delete(ctx, entryIndex); err != nil {
return nil, fmt.Errorf("failed to delete secret_id: %v", err) return nil, errwrap.Wrapf("failed to delete secret_id: {{err}}", err)
} }
return nil, nil return nil, nil
@@ -1180,12 +1181,12 @@ func (b *backend) pathRoleSecretIDAccessorLookupUpdate(ctx context.Context, req
return nil, err return nil, err
} }
if accessorEntry == nil { if accessorEntry == nil {
return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q\n", secretIDAccessor) return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor)
} }
roleNameHMAC, err := createHMAC(role.HMACKey, roleName) roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, accessorEntry.SecretIDHMAC) entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, accessorEntry.SecretIDHMAC)
@@ -1221,12 +1222,12 @@ func (b *backend) pathRoleSecretIDAccessorDestroyUpdateDelete(ctx context.Contex
return nil, err return nil, err
} }
if accessorEntry == nil { if accessorEntry == nil {
return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q\n", secretIDAccessor) return nil, fmt.Errorf("failed to find accessor entry for secret_id_accessor: %q", secretIDAccessor)
} }
roleNameHMAC, err := createHMAC(role.HMACKey, roleName) roleNameHMAC, err := createHMAC(role.HMACKey, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, accessorEntry.SecretIDHMAC) entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, accessorEntry.SecretIDHMAC)
@@ -1242,7 +1243,7 @@ func (b *backend) pathRoleSecretIDAccessorDestroyUpdateDelete(ctx context.Contex
// Delete the storage entry that corresponds to the SecretID // Delete the storage entry that corresponds to the SecretID
if err := req.Storage.Delete(ctx, entryIndex); err != nil { if err := req.Storage.Delete(ctx, entryIndex); err != nil {
return nil, fmt.Errorf("failed to delete secret_id: %v", err) return nil, errwrap.Wrapf("failed to delete secret_id: {{err}}", err)
} }
return nil, nil return nil, nil
@@ -1274,7 +1275,7 @@ func (b *backend) pathRoleBoundCIDRListUpdate(ctx context.Context, req *logical.
valid, err := cidrutil.ValidateCIDRListSlice(role.BoundCIDRList) valid, err := cidrutil.ValidateCIDRListSlice(role.BoundCIDRList)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to validate CIDR blocks: %v", err) return nil, errwrap.Wrapf("failed to validate CIDR blocks: {{err}}", err)
} }
if !valid { if !valid {
return logical.ErrorResponse("failed to validate CIDR blocks"), nil return logical.ErrorResponse("failed to validate CIDR blocks"), nil
@@ -1978,7 +1979,7 @@ func (b *backend) pathRoleTokenMaxTTLDelete(ctx context.Context, req *logical.Re
func (b *backend) pathRoleSecretIDUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { func (b *backend) pathRoleSecretIDUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
secretID, err := uuid.GenerateUUID() secretID, err := uuid.GenerateUUID()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to generate secret_id: %v", err) return nil, errwrap.Wrapf("failed to generate secret_id: {{err}}", err)
} }
return b.handleRoleSecretIDCommon(ctx, req, data, secretID) return b.handleRoleSecretIDCommon(ctx, req, data, secretID)
} }
@@ -2019,7 +2020,7 @@ func (b *backend) handleRoleSecretIDCommon(ctx context.Context, req *logical.Req
if len(secretIDCIDRs) != 0 { if len(secretIDCIDRs) != 0 {
valid, err := cidrutil.ValidateCIDRListSlice(secretIDCIDRs) valid, err := cidrutil.ValidateCIDRListSlice(secretIDCIDRs)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to validate CIDR blocks: %v", err) return nil, errwrap.Wrapf("failed to validate CIDR blocks: {{err}}", err)
} }
if !valid { if !valid {
return logical.ErrorResponse("failed to validate CIDR blocks"), nil return logical.ErrorResponse("failed to validate CIDR blocks"), nil
@@ -2047,7 +2048,7 @@ func (b *backend) handleRoleSecretIDCommon(ctx context.Context, req *logical.Req
} }
if secretIDStorage, err = b.registerSecretIDEntry(ctx, req.Storage, roleName, secretID, role.HMACKey, secretIDStorage); err != nil { if secretIDStorage, err = b.registerSecretIDEntry(ctx, req.Storage, roleName, secretID, role.HMACKey, secretIDStorage); err != nil {
return nil, fmt.Errorf("failed to store secret_id: %v", err) return nil, errwrap.Wrapf("failed to store secret_id: {{err}}", err)
} }
return &logical.Response{ return &logical.Response{
@@ -2091,7 +2092,7 @@ func (b *backend) setRoleIDEntry(ctx context.Context, s logical.Storage, roleID
// roleIDEntry is used to read the storage entry that maps RoleID to Role // roleIDEntry is used to read the storage entry that maps RoleID to Role
func (b *backend) roleIDEntry(ctx context.Context, s logical.Storage, roleID string) (*roleIDStorageEntry, error) { func (b *backend) roleIDEntry(ctx context.Context, s logical.Storage, roleID string) (*roleIDStorageEntry, error) {
if roleID == "" { if roleID == "" {
return nil, fmt.Errorf("missing roleID") return nil, fmt.Errorf("missing role id")
} }
lock := b.roleIDLock(roleID) lock := b.roleIDLock(roleID)
@@ -2121,7 +2122,7 @@ func (b *backend) roleIDEntry(ctx context.Context, s logical.Storage, roleID str
// RoleID to the Role itself. // RoleID to the Role itself.
func (b *backend) roleIDEntryDelete(ctx context.Context, s logical.Storage, roleID string) error { func (b *backend) roleIDEntryDelete(ctx context.Context, s logical.Storage, roleID string) error {
if roleID == "" { if roleID == "" {
return fmt.Errorf("missing roleID") return fmt.Errorf("missing role id")
} }
lock := b.roleIDLock(roleID) lock := b.roleIDLock(roleID)

9
builtin/credential/approle/path_tidy_user_id.go
View File

@@ -6,6 +6,7 @@ import (
"sync/atomic" "sync/atomic"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -65,18 +66,18 @@ func (b *backend) tidySecretID(ctx context.Context, s logical.Storage) error {
secretIDEntry, err := s.Get(ctx, entryIndex) secretIDEntry, err := s.Get(ctx, entryIndex)
if err != nil { if err != nil {
lock.Unlock() lock.Unlock()
return fmt.Errorf("error fetching SecretID %s: %s", secretIDHMAC, err) return errwrap.Wrapf(fmt.Sprintf("error fetching SecretID %q: {{err}}", secretIDHMAC), err)
} }
if secretIDEntry == nil { if secretIDEntry == nil {
result = multierror.Append(result, fmt.Errorf("entry for SecretID %s is nil", secretIDHMAC)) result = multierror.Append(result, fmt.Errorf("entry for SecretID %q is nil", secretIDHMAC))
lock.Unlock() lock.Unlock()
continue continue
} }
if secretIDEntry.Value == nil || len(secretIDEntry.Value) == 0 { if secretIDEntry.Value == nil || len(secretIDEntry.Value) == 0 {
lock.Unlock() lock.Unlock()
return fmt.Errorf("found entry for SecretID %s but actual SecretID is empty", secretIDHMAC) return fmt.Errorf("found entry for SecretID %q but actual SecretID is empty", secretIDHMAC)
} }
var result secretIDStorageEntry var result secretIDStorageEntry
@@ -96,7 +97,7 @@ func (b *backend) tidySecretID(ctx context.Context, s logical.Storage) error {
if err := s.Delete(ctx, entryIndex); err != nil { if err := s.Delete(ctx, entryIndex); err != nil {
lock.Unlock() lock.Unlock()
return fmt.Errorf("error deleting SecretID %s from storage: %s", secretIDHMAC, err) return errwrap.Wrapf(fmt.Sprintf("error deleting SecretID %q from storage: {{err}}", secretIDHMAC), err)
} }
} }

32
builtin/credential/approle/validation.go
View File

@@ -76,7 +76,7 @@ func (b *backend) validateRoleID(ctx context.Context, s logical.Storage, roleID
return nil, "", err return nil, "", err
} }
if roleIDIndex == nil { if roleIDIndex == nil {
return nil, "", fmt.Errorf("invalid role_id %q\n", roleID) return nil, "", fmt.Errorf("invalid role_id %q", roleID)
} }
lock := b.roleLock(roleIDIndex.Name) lock := b.roleLock(roleIDIndex.Name)
@@ -160,12 +160,12 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
hmacKey string, roleBoundCIDRList []string) (bool, map[string]string, error) { hmacKey string, roleBoundCIDRList []string) (bool, map[string]string, error) {
secretIDHMAC, err := createHMAC(hmacKey, secretID) secretIDHMAC, err := createHMAC(hmacKey, secretID)
if err != nil { if err != nil {
return false, nil, fmt.Errorf("failed to create HMAC of secret_id: %v", err) return false, nil, errwrap.Wrapf("failed to create HMAC of secret_id: {{err}}", err)
} }
roleNameHMAC, err := createHMAC(hmacKey, roleName) roleNameHMAC, err := createHMAC(hmacKey, roleName)
if err != nil { if err != nil {
return false, nil, fmt.Errorf("failed to create HMAC of role_name: %v", err) return false, nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC) entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC)
@@ -204,7 +204,7 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
} }
if belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, result.CIDRList); !belongs || err != nil { if belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, result.CIDRList); !belongs || err != nil {
return false, nil, fmt.Errorf("source address %q unauthorized through CIDR restrictions on the secret ID: %v", req.Connection.RemoteAddr, err) return false, nil, errwrap.Wrapf(fmt.Sprintf("source address %q unauthorized through CIDR restrictions on the secret ID: {{err}}", req.Connection.RemoteAddr), err)
} }
} }
@@ -238,16 +238,16 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
return false, nil, err return false, nil, err
} }
if err := req.Storage.Delete(ctx, entryIndex); err != nil { if err := req.Storage.Delete(ctx, entryIndex); err != nil {
return false, nil, fmt.Errorf("failed to delete secret ID: %v", err) return false, nil, errwrap.Wrapf("failed to delete secret ID: {{err}}", err)
} }
} else { } else {
// If the use count is greater than one, decrement it and update the last updated time. // If the use count is greater than one, decrement it and update the last updated time.
result.SecretIDNumUses -= 1 result.SecretIDNumUses -= 1
result.LastUpdatedTime = time.Now() result.LastUpdatedTime = time.Now()
if entry, err := logical.StorageEntryJSON(entryIndex, &result); err != nil { if entry, err := logical.StorageEntryJSON(entryIndex, &result); err != nil {
return false, nil, fmt.Errorf("failed to create storage entry while decrementing the secret ID use count: %v", err) return false, nil, errwrap.Wrapf("failed to create storage entry while decrementing the secret ID use count: {{err}}", err)
} else if err = req.Storage.Put(ctx, entry); err != nil { } else if err = req.Storage.Put(ctx, entry); err != nil {
return false, nil, fmt.Errorf("failed to decrement the secret ID use count: %v", err) return false, nil, errwrap.Wrapf("failed to decrement the secret ID use count: {{err}}", err)
} }
} }
@@ -266,7 +266,7 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
} }
if belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, result.CIDRList); !belongs || err != nil { if belongs, err := cidrutil.IPBelongsToCIDRBlocksSlice(req.Connection.RemoteAddr, result.CIDRList); !belongs || err != nil {
return false, nil, fmt.Errorf("source address %q unauthorized through CIDR restrictions on the secret ID: %v", req.Connection.RemoteAddr, err) return false, nil, errwrap.Wrapf(fmt.Sprintf("source address %q unauthorized through CIDR restrictions on the secret ID: {{err}}", req.Connection.RemoteAddr), err)
} }
} }
@@ -282,7 +282,7 @@ func verifyCIDRRoleSecretIDSubset(secretIDCIDRs []string, roleBoundCIDRList []st
if len(roleBoundCIDRList) != 0 { if len(roleBoundCIDRList) != 0 {
subset, err := cidrutil.SubsetBlocks(roleBoundCIDRList, secretIDCIDRs) subset, err := cidrutil.SubsetBlocks(roleBoundCIDRList, secretIDCIDRs)
if !subset || err != nil { if !subset || err != nil {
return fmt.Errorf("failed to verify subset relationship between CIDR blocks on the role %q and CIDR blocks on the secret ID %q: %v", roleBoundCIDRList, secretIDCIDRs, err) return errwrap.Wrapf(fmt.Sprintf("failed to verify subset relationship between CIDR blocks on the role %q and CIDR blocks on the secret ID %q: {{err}}", roleBoundCIDRList, secretIDCIDRs), err)
} }
} }
} }
@@ -354,7 +354,7 @@ func (b *backend) nonLockedSecretIDStorageEntry(ctx context.Context, s logical.S
if persistNeeded { if persistNeeded {
if err := b.nonLockedSetSecretIDStorageEntry(ctx, s, roleNameHMAC, secretIDHMAC, &result); err != nil { if err := b.nonLockedSetSecretIDStorageEntry(ctx, s, roleNameHMAC, secretIDHMAC, &result); err != nil {
return nil, fmt.Errorf("failed to upgrade role storage entry %s", err) return nil, errwrap.Wrapf("failed to upgrade role storage entry {{err}}", err)
} }
} }
@@ -394,11 +394,11 @@ func (b *backend) nonLockedSetSecretIDStorageEntry(ctx context.Context, s logica
func (b *backend) registerSecretIDEntry(ctx context.Context, s logical.Storage, roleName, secretID, hmacKey string, secretEntry *secretIDStorageEntry) (*secretIDStorageEntry, error) { func (b *backend) registerSecretIDEntry(ctx context.Context, s logical.Storage, roleName, secretID, hmacKey string, secretEntry *secretIDStorageEntry) (*secretIDStorageEntry, error) {
secretIDHMAC, err := createHMAC(hmacKey, secretID) secretIDHMAC, err := createHMAC(hmacKey, secretID)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of secret ID: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of secret ID: {{err}}", err)
} }
roleNameHMAC, err := createHMAC(hmacKey, roleName) roleNameHMAC, err := createHMAC(hmacKey, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create HMAC of role_name: %v", err) return nil, errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
lock := b.secretIDLock(secretIDHMAC) lock := b.secretIDLock(secretIDHMAC)
@@ -519,7 +519,7 @@ func (b *backend) createSecretIDAccessorEntry(ctx context.Context, s logical.Sto
}); err != nil { }); err != nil {
return err return err
} else if err = s.Put(ctx, entry); err != nil { } else if err = s.Put(ctx, entry); err != nil {
return fmt.Errorf("failed to persist accessor index entry: %v", err) return errwrap.Wrapf("failed to persist accessor index entry: {{err}}", err)
} }
return nil return nil
@@ -539,7 +539,7 @@ func (b *backend) deleteSecretIDAccessorEntry(ctx context.Context, s logical.Sto
// Delete the accessor of the SecretID first // Delete the accessor of the SecretID first
if err := s.Delete(ctx, accessorEntryIndex); err != nil { if err := s.Delete(ctx, accessorEntryIndex); err != nil {
return fmt.Errorf("failed to delete accessor storage entry: %v", err) return errwrap.Wrapf("failed to delete accessor storage entry: {{err}}", err)
} }
return nil return nil
@@ -550,7 +550,7 @@ func (b *backend) deleteSecretIDAccessorEntry(ctx context.Context, s logical.Sto
func (b *backend) flushRoleSecrets(ctx context.Context, s logical.Storage, roleName, hmacKey string) error { func (b *backend) flushRoleSecrets(ctx context.Context, s logical.Storage, roleName, hmacKey string) error {
roleNameHMAC, err := createHMAC(hmacKey, roleName) roleNameHMAC, err := createHMAC(hmacKey, roleName)
if err != nil { if err != nil {
return fmt.Errorf("failed to create HMAC of role_name: %v", err) return errwrap.Wrapf("failed to create HMAC of role_name: {{err}}", err)
} }
// Acquire the custom lock to perform listing of SecretIDs // Acquire the custom lock to perform listing of SecretIDs
@@ -568,7 +568,7 @@ func (b *backend) flushRoleSecrets(ctx context.Context, s logical.Storage, roleN
entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC) entryIndex := fmt.Sprintf("secret_id/%s/%s", roleNameHMAC, secretIDHMAC)
if err := s.Delete(ctx, entryIndex); err != nil { if err := s.Delete(ctx, entryIndex); err != nil {
lock.Unlock() lock.Unlock()
return fmt.Errorf("error deleting SecretID %q from storage: %v", secretIDHMAC, err) return errwrap.Wrapf(fmt.Sprintf("error deleting SecretID %q from storage: {{err}}", secretIDHMAC), err)
} }
lock.Unlock() lock.Unlock()
} }

2
builtin/credential/aws/backend.go
View File

@@ -227,7 +227,7 @@ func (b *backend) resolveArnToRealUniqueId(ctx context.Context, s logical.Storag
// Sigh // Sigh
region := getAnyRegionForAwsPartition(entity.Partition) region := getAnyRegionForAwsPartition(entity.Partition)
if region == nil { if region == nil {
return "", fmt.Errorf("Unable to resolve partition %q to a region", entity.Partition) return "", fmt.Errorf("unable to resolve partition %q to a region", entity.Partition)
} }
iamClient, err := b.clientIAM(ctx, s, region.ID(), entity.AccountNumber) iamClient, err := b.clientIAM(ctx, s, region.ID(), entity.AccountNumber)
if err != nil { if err != nil {

3
builtin/credential/aws/cli.go
View File

@@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts" "github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/awsutil" "github.com/hashicorp/vault/helper/awsutil"
) )
@@ -36,7 +37,7 @@ func GenerateLoginData(accessKey, secretKey, sessionToken, headerValue string) (
_, err = creds.Get() _, err = creds.Get()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to retrieve credentials from credential chain: %v", err) return nil, errwrap.Wrapf("failed to retrieve credentials from credential chain: {{err}}", err)
} }
// Use the credentials we've found to construct an STS session // Use the credentials we've found to construct an STS session

9
builtin/credential/aws/client.go
View File

@@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/service/ec2" "github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/sts" "github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/awsutil" "github.com/hashicorp/vault/helper/awsutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -103,12 +104,12 @@ func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region
if b.defaultAWSAccountID == "" { if b.defaultAWSAccountID == "" {
client := sts.New(session.New(stsConfig)) client := sts.New(session.New(stsConfig))
if client == nil { if client == nil {
return nil, fmt.Errorf("could not obtain sts client: %v", err) return nil, errwrap.Wrapf("could not obtain sts client: {{err}}", err)
} }
inputParams := &sts.GetCallerIdentityInput{} inputParams := &sts.GetCallerIdentityInput{}
identity, err := client.GetCallerIdentity(inputParams) identity, err := client.GetCallerIdentity(inputParams)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to fetch current caller: %v", err) return nil, errwrap.Wrapf("unable to fetch current caller: {{err}}", err)
} }
if identity == nil { if identity == nil {
return nil, fmt.Errorf("got nil result from GetCallerIdentity") return nil, fmt.Errorf("got nil result from GetCallerIdentity")
@@ -116,7 +117,7 @@ func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region
b.defaultAWSAccountID = *identity.Account b.defaultAWSAccountID = *identity.Account
} }
if b.defaultAWSAccountID != accountID { if b.defaultAWSAccountID != accountID {
return nil, fmt.Errorf("unable to fetch client for account ID %s -- default client is for account %s", accountID, b.defaultAWSAccountID) return nil, fmt.Errorf("unable to fetch client for account ID %q -- default client is for account %q", accountID, b.defaultAWSAccountID)
} }
} }
@@ -168,7 +169,7 @@ func (b *backend) stsRoleForAccount(ctx context.Context, s logical.Storage, acco
// Check if an STS configuration exists for the AWS account // Check if an STS configuration exists for the AWS account
sts, err := b.lockedAwsStsEntry(ctx, s, accountID) sts, err := b.lockedAwsStsEntry(ctx, s, accountID)
if err != nil { if err != nil {
return "", fmt.Errorf("error fetching STS config for account ID %q: %q\n", accountID, err) return "", errwrap.Wrapf(fmt.Sprintf("error fetching STS config for account ID %q: {{err}}", accountID), err)
} }
// An empty STS role signifies the master account // An empty STS role signifies the master account
if sts != nil { if sts != nil {

2
builtin/credential/aws/path_config_certificate.go
View File

@@ -206,7 +206,7 @@ func (b *backend) awsPublicCertificates(ctx context.Context, s logical.Storage,
return nil, err return nil, err
} }
if certEntry == nil { if certEntry == nil {
return nil, fmt.Errorf("certificate storage has a nil entry under the name:%s\n", cert) return nil, fmt.Errorf("certificate storage has a nil entry under the name: %q", cert)
} }
// Append relevant certificates only // Append relevant certificates only
if (isPkcs && certEntry.Type == "pkcs7") || if (isPkcs && certEntry.Type == "pkcs7") ||

35
builtin/credential/aws/path_login.go
View File

@@ -21,6 +21,7 @@ import (
"github.com/aws/aws-sdk-go/service/ec2" "github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam"
"github.com/fullsailor/pkcs7" "github.com/fullsailor/pkcs7"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
@@ -167,7 +168,7 @@ func (b *backend) validateInstance(ctx context.Context, s logical.Storage, insta
}, },
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("error fetching description for instance ID %q: %q\n", instanceID, err) return nil, errwrap.Wrapf(fmt.Sprintf("error fetching description for instance ID %q: {{err}}", instanceID), err)
} }
if status == nil { if status == nil {
return nil, fmt.Errorf("nil output from describe instances") return nil, fmt.Errorf("nil output from describe instances")
@@ -310,7 +311,7 @@ func (b *backend) parseIdentityDocument(ctx context.Context, s logical.Storage,
// Parse the signature from asn1 format into a struct // Parse the signature from asn1 format into a struct
pkcs7Data, err := pkcs7.Parse(pkcs7BER.Bytes) pkcs7Data, err := pkcs7.Parse(pkcs7BER.Bytes)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse the BER encoded PKCS#7 signature: %v\n", err) return nil, errwrap.Wrapf("failed to parse the BER encoded PKCS#7 signature: {{err}}", err)
} }
// Get the public certificates that are used to verify the signature. // Get the public certificates that are used to verify the signature.
@@ -494,19 +495,19 @@ func (b *backend) verifyInstanceMeetsRoleRequirements(ctx context.Context,
iamInstanceProfileEntity, err := parseIamArn(iamInstanceProfileARN) iamInstanceProfileEntity, err := parseIamArn(iamInstanceProfileARN)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse IAM instance profile ARN %q; error: %v", iamInstanceProfileARN, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to parse IAM instance profile ARN %q: {{err}}", iamInstanceProfileARN), err)
} }
// Use instance profile ARN to fetch the associated role ARN // Use instance profile ARN to fetch the associated role ARN
iamClient, err := b.clientIAM(ctx, s, identityDoc.Region, identityDoc.AccountID) iamClient, err := b.clientIAM(ctx, s, identityDoc.Region, identityDoc.AccountID)
if err != nil { if err != nil {
return nil, fmt.Errorf("could not fetch IAM client: %v", err) return nil, errwrap.Wrapf("could not fetch IAM client: {{err}}", err)
} else if iamClient == nil { } else if iamClient == nil {
return nil, fmt.Errorf("received a nil iamClient") return nil, fmt.Errorf("received a nil iamClient")
} }
iamRoleARN, err := b.instanceIamRoleARN(iamClient, iamInstanceProfileEntity.FriendlyName) iamRoleARN, err := b.instanceIamRoleARN(iamClient, iamInstanceProfileEntity.FriendlyName)
if err != nil { if err != nil {
return nil, fmt.Errorf("IAM role ARN could not be fetched: %v", err) return nil, errwrap.Wrapf("IAM role ARN could not be fetched: {{err}}", err)
} }
if iamRoleARN == "" { if iamRoleARN == "" {
return nil, fmt.Errorf("IAM role ARN could not be fetched") return nil, fmt.Errorf("IAM role ARN could not be fetched")
@@ -878,7 +879,7 @@ func (b *backend) handleRoleTagLogin(ctx context.Context, s logical.Storage, rol
// If instance_id was set on the role tag, check if the same instance is attempting to login // If instance_id was set on the role tag, check if the same instance is attempting to login
if rTag.InstanceID != "" && rTag.InstanceID != *instance.InstanceId { if rTag.InstanceID != "" && rTag.InstanceID != *instance.InstanceId {
return nil, fmt.Errorf("role tag is being used by an unauthorized instance.") return nil, fmt.Errorf("role tag is being used by an unauthorized instance")
} }
// Check if the role tag is blacklisted // Check if the role tag is blacklisted
@@ -959,7 +960,7 @@ func (b *backend) pathLoginRenewIam(ctx context.Context, req *logical.Request, d
} }
_, err := b.validateInstance(ctx, req.Storage, instanceID, instanceRegion, req.Auth.Metadata["account_id"]) _, err := b.validateInstance(ctx, req.Storage, instanceID, instanceRegion, req.Auth.Metadata["account_id"])
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to verify instance ID %q: %v", instanceID, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to verify instance ID %q: {{err}}", instanceID), err)
} }
} else { } else {
return nil, fmt.Errorf("unrecognized entity_type in metadata: %q", roleEntry.InferredEntityType) return nil, fmt.Errorf("unrecognized entity_type in metadata: %q", roleEntry.InferredEntityType)
@@ -990,11 +991,11 @@ func (b *backend) pathLoginRenewIam(ctx context.Context, req *logical.Request, d
if fullArn == "" { if fullArn == "" {
entity, err := parseIamArn(canonicalArn) entity, err := parseIamArn(canonicalArn)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing ARN %q: %v", canonicalArn, err) return nil, errwrap.Wrapf(fmt.Sprintf("error parsing ARN %q: {{err}}", canonicalArn), err)
} }
fullArn, err = b.fullArn(ctx, entity, req.Storage) fullArn, err = b.fullArn(ctx, entity, req.Storage)
if err != nil { if err != nil {
return nil, fmt.Errorf("error looking up full ARN of entity %v: %v", entity, err) return nil, errwrap.Wrapf(fmt.Sprintf("error looking up full ARN of entity %v: {{err}}", entity), err)
} }
if fullArn == "" { if fullArn == "" {
return nil, fmt.Errorf("got empty string back when looking up full ARN of entity %v", entity) return nil, fmt.Errorf("got empty string back when looking up full ARN of entity %v", entity)
@@ -1045,7 +1046,7 @@ func (b *backend) pathLoginRenewEc2(ctx context.Context, req *logical.Request, d
// Cross check that the instance is still in 'running' state // Cross check that the instance is still in 'running' state
_, err := b.validateInstance(ctx, req.Storage, instanceID, region, accountID) _, err := b.validateInstance(ctx, req.Storage, instanceID, region, accountID)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to verify instance ID %q: %q", instanceID, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to verify instance ID %q: {{err}}", instanceID), err)
} }
storedIdentity, err := whitelistIdentityEntry(ctx, req.Storage, instanceID) storedIdentity, err := whitelistIdentityEntry(ctx, req.Storage, instanceID)
@@ -1395,12 +1396,12 @@ func validateVaultHeaderValue(headers http.Header, requestUrl *url.URL, required
} }
} }
if providedValue == "" { if providedValue == "" {
return fmt.Errorf("didn't find %s", iamServerIdHeader) return fmt.Errorf("missing header %q", iamServerIdHeader)
} }
// NOT doing a constant time compare here since the value is NOT intended to be secret // NOT doing a constant time compare here since the value is NOT intended to be secret
if providedValue != requiredHeaderValue { if providedValue != requiredHeaderValue {
return fmt.Errorf("expected %s but got %s", requiredHeaderValue, providedValue) return fmt.Errorf("expected %q but got %q", requiredHeaderValue, providedValue)
} }
if authzHeaders, ok := headers["Authorization"]; ok { if authzHeaders, ok := headers["Authorization"]; ok {
@@ -1494,7 +1495,7 @@ func parseIamRequestHeaders(headersB64 string) (http.Header, error) {
var headersDecoded map[string]interface{} var headersDecoded map[string]interface{}
err = jsonutil.DecodeJSON(headersJson, &headersDecoded) err = jsonutil.DecodeJSON(headersJson, &headersDecoded)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to JSON decode iam_request_headers %q: %v", headersJson, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to JSON decode iam_request_headers %q: {{err}}", headersJson), err)
} }
headers := make(http.Header) headers := make(http.Header)
for k, v := range headersDecoded { for k, v := range headersDecoded {
@@ -1533,7 +1534,7 @@ func submitCallerIdentityRequest(method, endpoint string, parsedUrl *url.URL, bo
} }
response, err := client.Do(request) response, err := client.Do(request)
if err != nil { if err != nil {
return nil, fmt.Errorf("error making request: %v", err) return nil, errwrap.Wrapf("error making request: {{err}}", err)
} }
if response != nil { if response != nil {
defer response.Body.Close() defer response.Body.Close()
@@ -1617,7 +1618,7 @@ func (b *backend) fullArn(ctx context.Context, e *iamEntity, s logical.Storage)
// Not assuming path is reliable for any entity types // Not assuming path is reliable for any entity types
client, err := b.clientIAM(ctx, s, getAnyRegionForAwsPartition(e.Partition).ID(), e.AccountNumber) client, err := b.clientIAM(ctx, s, getAnyRegionForAwsPartition(e.Partition).ID(), e.AccountNumber)
if err != nil { if err != nil {
return "", fmt.Errorf("error creating IAM client: %v", err) return "", errwrap.Wrapf("error creating IAM client: {{err}}", err)
} }
switch e.Type { switch e.Type {
@@ -1627,7 +1628,7 @@ func (b *backend) fullArn(ctx context.Context, e *iamEntity, s logical.Storage)
} }
resp, err := client.GetUser(&input) resp, err := client.GetUser(&input)
if err != nil { if err != nil {
return "", fmt.Errorf("error fetching user %q: %v", e.FriendlyName, err) return "", errwrap.Wrapf(fmt.Sprintf("error fetching user %q: {{err}}", e.FriendlyName), err)
} }
if resp == nil { if resp == nil {
return "", fmt.Errorf("nil response from GetUser") return "", fmt.Errorf("nil response from GetUser")
@@ -1641,7 +1642,7 @@ func (b *backend) fullArn(ctx context.Context, e *iamEntity, s logical.Storage)
} }
resp, err := client.GetRole(&input) resp, err := client.GetRole(&input)
if err != nil { if err != nil {
return "", fmt.Errorf("error fetching role %q: %v", e.FriendlyName, err) return "", errwrap.Wrapf(fmt.Sprintf("error fetching role %q: {{err}}", e.FriendlyName), err)
} }
if resp == nil { if resp == nil {
return "", fmt.Errorf("nil response form GetRole") return "", fmt.Errorf("nil response form GetRole")

9
builtin/credential/aws/path_role.go
View File

@@ -6,6 +6,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/consts" "github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/policyutil" "github.com/hashicorp/vault/helper/policyutil"
@@ -244,7 +245,7 @@ func (b *backend) lockedAWSRole(ctx context.Context, s logical.Storage, roleName
} }
needUpgrade, err := b.upgradeRoleEntry(ctx, s, roleEntry) needUpgrade, err := b.upgradeRoleEntry(ctx, s, roleEntry)
if err != nil { if err != nil {
return nil, fmt.Errorf("error upgrading roleEntry: %v", err) return nil, errwrap.Wrapf("error upgrading roleEntry: {{err}}", err)
} }
if needUpgrade && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary)) { if needUpgrade && (b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary)) {
b.roleMutex.Lock() b.roleMutex.Lock()
@@ -261,11 +262,11 @@ func (b *backend) lockedAWSRole(ctx context.Context, s logical.Storage, roleName
} }
// now re-check to see if we need to upgrade // now re-check to see if we need to upgrade
if needUpgrade, err = b.upgradeRoleEntry(ctx, s, roleEntry); err != nil { if needUpgrade, err = b.upgradeRoleEntry(ctx, s, roleEntry); err != nil {
return nil, fmt.Errorf("error upgrading roleEntry: %v", err) return nil, errwrap.Wrapf("error upgrading roleEntry: {{err}}", err)
} }
if needUpgrade { if needUpgrade {
if err = b.nonLockedSetAWSRole(ctx, s, roleName, roleEntry); err != nil { if err = b.nonLockedSetAWSRole(ctx, s, roleName, roleEntry); err != nil {
return nil, fmt.Errorf("error saving upgraded roleEntry: %v", err) return nil, errwrap.Wrapf("error saving upgraded roleEntry: {{err}}", err)
} }
} }
} }
@@ -789,7 +790,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
if roleEntry.HMACKey == "" { if roleEntry.HMACKey == "" {
roleEntry.HMACKey, err = uuid.GenerateUUID() roleEntry.HMACKey, err = uuid.GenerateUUID()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to generate role HMAC key: %v", err) return nil, errwrap.Wrapf("failed to generate role HMAC key: {{err}}", err)
} }
} }

4
builtin/credential/aws/path_role_tag.go
View File

@@ -341,7 +341,7 @@ func (b *backend) parseAndVerifyRoleTagValue(ctx context.Context, s logical.Stor
return nil, err return nil, err
} }
default: default:
return nil, fmt.Errorf("unrecognized item %s in tag", tagItem) return nil, fmt.Errorf("unrecognized item %q in tag", tagItem)
} }
} }
@@ -354,7 +354,7 @@ func (b *backend) parseAndVerifyRoleTagValue(ctx context.Context, s logical.Stor
return nil, err return nil, err
} }
if roleEntry == nil { if roleEntry == nil {
return nil, fmt.Errorf("entry not found for %s", rTag.Role) return nil, fmt.Errorf("entry not found for %q", rTag.Role)
} }
// Create a HMAC of the plaintext value of role tag and compare it with the given value. // Create a HMAC of the plaintext value of role tag and compare it with the given value.

9
builtin/credential/aws/path_tidy_identity_whitelist.go
View File

@@ -6,6 +6,7 @@ import (
"sync/atomic" "sync/atomic"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -50,15 +51,15 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage,
for _, instanceID := range identities { for _, instanceID := range identities {
identityEntry, err := s.Get(ctx, "whitelist/identity/"+instanceID) identityEntry, err := s.Get(ctx, "whitelist/identity/"+instanceID)
if err != nil { if err != nil {
return fmt.Errorf("error fetching identity of instanceID %s: %s", instanceID, err) return errwrap.Wrapf(fmt.Sprintf("error fetching identity of instanceID %q: {{err}}", instanceID), err)
} }
if identityEntry == nil { if identityEntry == nil {
return fmt.Errorf("identity entry for instanceID %s is nil", instanceID) return fmt.Errorf("identity entry for instanceID %q is nil", instanceID)
} }
if identityEntry.Value == nil || len(identityEntry.Value) == 0 { if identityEntry.Value == nil || len(identityEntry.Value) == 0 {
return fmt.Errorf("found identity entry for instanceID %s but actual identity is empty", instanceID) return fmt.Errorf("found identity entry for instanceID %q but actual identity is empty", instanceID)
} }
var result whitelistIdentity var result whitelistIdentity
@@ -68,7 +69,7 @@ func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage,
if time.Now().After(result.ExpirationTime.Add(bufferDuration)) { if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
if err := s.Delete(ctx, "whitelist/identity"+instanceID); err != nil { if err := s.Delete(ctx, "whitelist/identity"+instanceID); err != nil {
return fmt.Errorf("error deleting identity of instanceID %s from storage: %s", instanceID, err) return errwrap.Wrapf(fmt.Sprintf("error deleting identity of instanceID %q from storage: {{err}}", instanceID), err)
} }
} }
} }

9
builtin/credential/aws/path_tidy_roletag_blacklist.go
View File

@@ -6,6 +6,7 @@ import (
"sync/atomic" "sync/atomic"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -49,15 +50,15 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s
for _, tag := range tags { for _, tag := range tags {
tagEntry, err := s.Get(ctx, "blacklist/roletag/"+tag) tagEntry, err := s.Get(ctx, "blacklist/roletag/"+tag)
if err != nil { if err != nil {
return fmt.Errorf("error fetching tag %s: %s", tag, err) return errwrap.Wrapf(fmt.Sprintf("error fetching tag %q: {{err}}", tag), err)
} }
if tagEntry == nil { if tagEntry == nil {
return fmt.Errorf("tag entry for tag %s is nil", tag) return fmt.Errorf("tag entry for tag %q is nil", tag)
} }
if tagEntry.Value == nil || len(tagEntry.Value) == 0 { if tagEntry.Value == nil || len(tagEntry.Value) == 0 {
return fmt.Errorf("found entry for tag %s but actual tag is empty", tag) return fmt.Errorf("found entry for tag %q but actual tag is empty", tag)
} }
var result roleTagBlacklistEntry var result roleTagBlacklistEntry
@@ -67,7 +68,7 @@ func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, s
if time.Now().After(result.ExpirationTime.Add(bufferDuration)) { if time.Now().After(result.ExpirationTime.Add(bufferDuration)) {
if err := s.Delete(ctx, "blacklist/roletag"+tag); err != nil { if err := s.Delete(ctx, "blacklist/roletag"+tag); err != nil {
return fmt.Errorf("error deleting tag %s from storage: %s", tag, err) return errwrap.Wrapf(fmt.Sprintf("error deleting tag %q from storage: {{err}}", tag), err)
} }
} }
} }

4
builtin/credential/cert/path_config.go
View File

@@ -2,8 +2,8 @@ package cert
import ( import (
"context" "context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -52,7 +52,7 @@ func (b *backend) Config(ctx context.Context, s logical.Storage) (*config, error
var result config var result config
if entry != nil { if entry != nil {
if err := entry.DecodeJSON(&result); err != nil { if err := entry.DecodeJSON(&result); err != nil {
return nil, fmt.Errorf("error reading configuration: %s", err) return nil, errwrap.Wrapf("error reading configuration: {{err}}", err)
} }
} }
return &result, nil return &result, nil

13
builtin/credential/cert/path_crls.go
View File

@@ -8,6 +8,7 @@ import (
"strings" "strings"
"github.com/fatih/structs" "github.com/fatih/structs"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -54,7 +55,7 @@ func (b *backend) populateCRLs(ctx context.Context, storage logical.Storage) err
keys, err := storage.List(ctx, "crls/") keys, err := storage.List(ctx, "crls/")
if err != nil { if err != nil {
return fmt.Errorf("error listing CRLs: %v", err) return errwrap.Wrapf("error listing CRLs: {{err}}", err)
} }
if keys == nil || len(keys) == 0 { if keys == nil || len(keys) == 0 {
return nil return nil
@@ -64,7 +65,7 @@ func (b *backend) populateCRLs(ctx context.Context, storage logical.Storage) err
entry, err := storage.Get(ctx, "crls/"+key) entry, err := storage.Get(ctx, "crls/"+key)
if err != nil { if err != nil {
b.crls = nil b.crls = nil
return fmt.Errorf("error loading CRL %s: %v", key, err) return errwrap.Wrapf(fmt.Sprintf("error loading CRL %q: {{err}}", key), err)
} }
if entry == nil { if entry == nil {
continue continue
@@ -73,7 +74,7 @@ func (b *backend) populateCRLs(ctx context.Context, storage logical.Storage) err
err = entry.DecodeJSON(&crlInfo) err = entry.DecodeJSON(&crlInfo)
if err != nil { if err != nil {
b.crls = nil b.crls = nil
return fmt.Errorf("error decoding CRL %s: %v", key, err) return errwrap.Wrapf(fmt.Sprintf("error decoding CRL %q: {{err}}", key), err)
} }
b.crls[key] = crlInfo b.crls[key] = crlInfo
} }
@@ -103,20 +104,20 @@ func parseSerialString(input string) (*big.Int, error) {
case strings.Count(input, ":") > 0: case strings.Count(input, ":") > 0:
serialBytes := certutil.ParseHexFormatted(input, ":") serialBytes := certutil.ParseHexFormatted(input, ":")
if serialBytes == nil { if serialBytes == nil {
return nil, fmt.Errorf("error parsing serial %s", input) return nil, fmt.Errorf("error parsing serial %q", input)
} }
ret.SetBytes(serialBytes) ret.SetBytes(serialBytes)
case strings.Count(input, "-") > 0: case strings.Count(input, "-") > 0:
serialBytes := certutil.ParseHexFormatted(input, "-") serialBytes := certutil.ParseHexFormatted(input, "-")
if serialBytes == nil { if serialBytes == nil {
return nil, fmt.Errorf("error parsing serial %s", input) return nil, fmt.Errorf("error parsing serial %q", input)
} }
ret.SetBytes(serialBytes) ret.SetBytes(serialBytes)
default: default:
var success bool var success bool
ret, success = ret.SetString(input, 0) ret, success = ret.SetString(input, 0)
if !success { if !success {
return nil, fmt.Errorf("error parsing serial %s", input) return nil, fmt.Errorf("error parsing serial %q", input)
} }
} }

5
builtin/credential/github/cli.go
View File

@@ -6,6 +6,7 @@ import (
"os" "os"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/password" "github.com/hashicorp/vault/helper/password"
) )
@@ -42,12 +43,12 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
return nil, fmt.Errorf("user interrupted") return nil, fmt.Errorf("user interrupted")
} }
return nil, fmt.Errorf("An error occurred attempting to "+ return nil, errwrap.Wrapf("An error occurred attempting to "+
"ask for a token. The raw error message is shown below, but usually "+ "ask for a token. The raw error message is shown below, but usually "+
"this is because you attempted to pipe a value into the command or "+ "this is because you attempted to pipe a value into the command or "+
"you are executing outside of a terminal (tty). If you want to pipe "+ "you are executing outside of a terminal (tty). If you want to pipe "+
"the value, pass \"-\" as the argument to read from stdin. The raw "+ "the value, pass \"-\" as the argument to read from stdin. The raw "+
"error was: %s", err) "error was: {{err}}", err)
} }
} }

3
builtin/credential/github/path_config.go
View File

@@ -6,6 +6,7 @@ import (
"net/url" "net/url"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -127,7 +128,7 @@ func (b *backend) Config(ctx context.Context, s logical.Storage) (*config, error
var result config var result config
if entry != nil { if entry != nil {
if err := entry.DecodeJSON(&result); err != nil { if err := entry.DecodeJSON(&result); err != nil {
return nil, fmt.Errorf("error reading configuration: %s", err) return nil, errwrap.Wrapf("error reading configuration: {{err}}", err)
} }
} }

3
builtin/credential/github/path_login.go
View File

@@ -7,6 +7,7 @@ import (
"strings" "strings"
"github.com/google/go-github/github" "github.com/google/go-github/github"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/policyutil" "github.com/hashicorp/vault/helper/policyutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -163,7 +164,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, t
if config.BaseURL != "" { if config.BaseURL != "" {
parsedURL, err := url.Parse(config.BaseURL) parsedURL, err := url.Parse(config.BaseURL)
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("Successfully parsed base_url when set but failing to parse now: %s", err) return nil, nil, errwrap.Wrapf("successfully parsed base_url when set but failing to parse now: {{err}}", err)
} }
client.BaseURL = parsedURL client.BaseURL = parsedURL
} }

11
builtin/credential/ldap/backend.go
View File

@@ -9,6 +9,7 @@ import (
"text/template" "text/template"
"github.com/go-ldap/ldap" "github.com/go-ldap/ldap"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/mfa" "github.com/hashicorp/vault/helper/mfa"
"github.com/hashicorp/vault/helper/strutil" "github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -270,7 +271,7 @@ func (b *backend) getUserBindDN(cfg *ConfigEntry, c *ldap.Conn, username string)
err = c.UnauthenticatedBind(cfg.BindDN) err = c.UnauthenticatedBind(cfg.BindDN)
} }
if err != nil { if err != nil {
return bindDN, fmt.Errorf("LDAP bind (service) failed: %v", err) return bindDN, errwrap.Wrapf("LDAP bind (service) failed: {{err}}", err)
} }
filter := fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username)) filter := fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username))
@@ -284,7 +285,7 @@ func (b *backend) getUserBindDN(cfg *ConfigEntry, c *ldap.Conn, username string)
SizeLimit: math.MaxInt32, SizeLimit: math.MaxInt32,
}) })
if err != nil { if err != nil {
return bindDN, fmt.Errorf("LDAP search for binddn failed: %v", err) return bindDN, errwrap.Wrapf("LDAP search for binddn failed: {{err}}", err)
} }
if len(result.Entries) != 1 { if len(result.Entries) != 1 {
return bindDN, fmt.Errorf("LDAP search for binddn 0 or not unique") return bindDN, fmt.Errorf("LDAP search for binddn 0 or not unique")
@@ -319,7 +320,7 @@ func (b *backend) getUserDN(cfg *ConfigEntry, c *ldap.Conn, bindDN string) (stri
SizeLimit: math.MaxInt32, SizeLimit: math.MaxInt32,
}) })
if err != nil { if err != nil {
return userDN, fmt.Errorf("LDAP search failed for detecting user: %v", err) return userDN, errwrap.Wrapf("LDAP search failed for detecting user: {{err}}", err)
} }
for _, e := range result.Entries { for _, e := range result.Entries {
userDN = e.DN userDN = e.DN
@@ -373,7 +374,7 @@ func (b *backend) getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userDN string, u
// Example template "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" // Example template "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
t, err := template.New("queryTemplate").Parse(cfg.GroupFilter) t, err := template.New("queryTemplate").Parse(cfg.GroupFilter)
if err != nil { if err != nil {
return nil, fmt.Errorf("LDAP search failed due to template compilation error: %v", err) return nil, errwrap.Wrapf("LDAP search failed due to template compilation error: {{err}}", err)
} }
// Build context to pass to template - we will be exposing UserDn and Username. // Build context to pass to template - we will be exposing UserDn and Username.
@@ -402,7 +403,7 @@ func (b *backend) getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userDN string, u
SizeLimit: math.MaxInt32, SizeLimit: math.MaxInt32,
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("LDAP search failed: %v", err) return nil, errwrap.Wrapf("LDAP search failed: {{err}}", err)
} }
for _, e := range result.Entries { for _, e := range result.Entries {

9
builtin/credential/ldap/path_config.go
View File

@@ -12,6 +12,7 @@ import (
"text/template" "text/template"
"github.com/go-ldap/ldap" "github.com/go-ldap/ldap"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog" log "github.com/hashicorp/go-hclog"
multierror "github.com/hashicorp/go-multierror" multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/helper/consts" "github.com/hashicorp/vault/helper/consts"
@@ -253,7 +254,7 @@ func (b *backend) newConfigEntry(d *framework.FieldData) (*ConfigEntry, error) {
// Validate the template before proceeding // Validate the template before proceeding
_, err := template.New("queryTemplate").Parse(groupfilter) _, err := template.New("queryTemplate").Parse(groupfilter)
if err != nil { if err != nil {
return nil, fmt.Errorf("invalid groupfilter (%v)", err) return nil, errwrap.Wrapf("invalid groupfilter: {{err}}", err)
} }
cfg.GroupFilter = groupfilter cfg.GroupFilter = groupfilter
@@ -275,7 +276,7 @@ func (b *backend) newConfigEntry(d *framework.FieldData) (*ConfigEntry, error) {
} }
_, err := x509.ParseCertificate(block.Bytes) _, err := x509.ParseCertificate(block.Bytes)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse certificate %s", err.Error()) return nil, errwrap.Wrapf("failed to parse certificate: {{err}}", err)
} }
cfg.Certificate = certificate cfg.Certificate = certificate
} }
@@ -429,7 +430,7 @@ func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
for _, uut := range urls { for _, uut := range urls {
u, err := url.Parse(uut) u, err := url.Parse(uut)
if err != nil { if err != nil {
retErr = multierror.Append(retErr, fmt.Errorf("error parsing url %q: %s", uut, err.Error())) retErr = multierror.Append(retErr, errwrap.Wrapf(fmt.Sprintf("error parsing url %q: {{err}}", uut), err))
continue continue
} }
host, port, err := net.SplitHostPort(u.Host) host, port, err := net.SplitHostPort(u.Host)
@@ -480,7 +481,7 @@ func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
retErr = nil retErr = nil
break break
} }
retErr = multierror.Append(retErr, fmt.Errorf("error connecting to host %q: %s", uut, err.Error())) retErr = multierror.Append(retErr, errwrap.Wrapf(fmt.Sprintf("error connecting to host %q: {{err}}", uut), err))
} }
return conn, retErr.ErrorOrNil() return conn, retErr.ErrorOrNil()

23
builtin/credential/token/cli.go
View File

@@ -7,6 +7,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/password" "github.com/hashicorp/vault/helper/password"
) )
@@ -26,7 +27,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
if x, ok := m["lookup"]; ok { if x, ok := m["lookup"]; ok {
parsed, err := strconv.ParseBool(x) parsed, err := strconv.ParseBool(x)
if err != nil { if err != nil {
return nil, fmt.Errorf("Failed to parse \"lookup\" as boolean: %s", err) return nil, errwrap.Wrapf("Failed to parse \"lookup\" as boolean: {{err}}", err)
} }
lookup = parsed lookup = parsed
} }
@@ -51,12 +52,12 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
return nil, fmt.Errorf("user interrupted") return nil, fmt.Errorf("user interrupted")
} }
return nil, fmt.Errorf("An error occurred attempting to "+ return nil, errwrap.Wrapf("An error occurred attempting to "+
"ask for a token. The raw error message is shown below, but usually "+ "ask for a token. The raw error message is shown below, but usually "+
"this is because you attempted to pipe a value into the command or "+ "this is because you attempted to pipe a value into the command or "+
"you are executing outside of a terminal (tty). If you want to pipe "+ "you are executing outside of a terminal (tty). If you want to pipe "+
"the value, pass \"-\" as the argument to read from stdin. The raw "+ "the value, pass \"-\" as the argument to read from stdin. The raw "+
"error was: %s", err) "error was: {{err}}", err)
} }
} }
@@ -86,10 +87,10 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
secret, err := c.Auth().Token().LookupSelf() secret, err := c.Auth().Token().LookupSelf()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error looking up token: %s", err) return nil, errwrap.Wrapf("error looking up token: {{err}}", err)
} }
if secret == nil { if secret == nil {
return nil, fmt.Errorf("Empty response from lookup-self") return nil, fmt.Errorf("empty response from lookup-self")
} }
// Return an auth struct that "looks" like the response from an auth method. // Return an auth struct that "looks" like the response from an auth method.
@@ -97,27 +98,27 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
// mirror that data here. // mirror that data here.
id, err := secret.TokenID() id, err := secret.TokenID()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error accessing token ID: %s", err) return nil, errwrap.Wrapf("error accessing token ID: {{err}}", err)
} }
accessor, err := secret.TokenAccessor() accessor, err := secret.TokenAccessor()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error accessing token accessor: %s", err) return nil, errwrap.Wrapf("error accessing token accessor: {{err}}", err)
} }
policies, err := secret.TokenPolicies() policies, err := secret.TokenPolicies()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error accessing token policies: %s", err) return nil, errwrap.Wrapf("error accessing token policies: {{err}}", err)
} }
metadata, err := secret.TokenMetadata() metadata, err := secret.TokenMetadata()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error accessing token metadata: %s", err) return nil, errwrap.Wrapf("error accessing token metadata: {{err}}", err)
} }
dur, err := secret.TokenTTL() dur, err := secret.TokenTTL()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error converting token TTL: %s", err) return nil, errwrap.Wrapf("error converting token TTL: {{err}}", err)
} }
renewable, err := secret.TokenIsRenewable() renewable, err := secret.TokenIsRenewable()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error checking if token is renewable: %s", err) return nil, errwrap.Wrapf("error checking if token is renewable: {{err}}", err)
} }
return &api.Secret{ return &api.Secret{
Auth: &api.SecretAuth{ Auth: &api.SecretAuth{

3
builtin/logical/aws/client.go
View File

@@ -9,6 +9,7 @@ import (
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/sts" "github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/awsutil" "github.com/hashicorp/vault/helper/awsutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -26,7 +27,7 @@ func getRootConfig(ctx context.Context, s logical.Storage, clientType string) (*
if entry != nil { if entry != nil {
var config rootConfig var config rootConfig
if err := entry.DecodeJSON(&config); err != nil { if err := entry.DecodeJSON(&config); err != nil {
return nil, fmt.Errorf("error reading root configuration: %s", err) return nil, errwrap.Wrapf("error reading root configuration: {{err}}", err)
} }
credsConfig.AccessKey = config.AccessKey credsConfig.AccessKey = config.AccessKey

3
builtin/logical/aws/path_sts.go
View File

@@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -47,7 +48,7 @@ func (b *backend) pathSTSRead(ctx context.Context, req *logical.Request, d *fram
// Read the policy // Read the policy
policy, err := req.Storage.Get(ctx, "policy/"+policyName) policy, err := req.Storage.Get(ctx, "policy/"+policyName)
if err != nil { if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err) return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
} }
if policy == nil { if policy == nil {
return logical.ErrorResponse(fmt.Sprintf( return logical.ErrorResponse(fmt.Sprintf(

3
builtin/logical/aws/path_user.go
View File

@@ -6,6 +6,7 @@ import (
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
"github.com/mitchellh/mapstructure" "github.com/mitchellh/mapstructure"
@@ -36,7 +37,7 @@ func (b *backend) pathUserRead(ctx context.Context, req *logical.Request, d *fra
// Read the policy // Read the policy
policy, err := req.Storage.Get(ctx, "policy/"+policyName) policy, err := req.Storage.Get(ctx, "policy/"+policyName)
if err != nil { if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err) return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
} }
if policy == nil { if policy == nil {
return logical.ErrorResponse(fmt.Sprintf( return logical.ErrorResponse(fmt.Sprintf(

5
builtin/logical/aws/secret_access_keys.go
View File

@@ -12,6 +12,7 @@ import (
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/sts" "github.com/aws/aws-sdk-go/service/sts"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -174,7 +175,7 @@ func (b *backend) secretAccessKeysCreate(
UserName: username, UserName: username,
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("Error writing WAL entry: %s", err) return nil, errwrap.Wrapf("error writing WAL entry: {{err}}", err)
} }
// Create the user // Create the user
@@ -223,7 +224,7 @@ func (b *backend) secretAccessKeysCreate(
// the secret because it'll get rolled back anyways, so we have to return // the secret because it'll get rolled back anyways, so we have to return
// an error here. // an error here.
if err := framework.DeleteWAL(ctx, s, walId); err != nil { if err := framework.DeleteWAL(ctx, s, walId); err != nil {
return nil, fmt.Errorf("Failed to commit WAL entry: %s", err) return nil, errwrap.Wrapf("failed to commit WAL entry: {{err}}", err)
} }
// Return the info! // Return the info!

3
builtin/logical/cassandra/backend.go
View File

@@ -92,8 +92,7 @@ func (b *backend) DB(ctx context.Context, s logical.Storage) (*gocql.Session, er
return nil, err return nil, err
} }
if entry == nil { if entry == nil {
return nil, return nil, fmt.Errorf("configure the DB connection with config/connection first")
fmt.Errorf("Configure the DB connection with config/connection first")
} }
config := &sessionConfig{} config := &sessionConfig{}

5
builtin/logical/cassandra/secret_creds.go
View File

@@ -4,6 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -44,7 +45,7 @@ func (b *backend) secretCredsRenew(ctx context.Context, req *logical.Request, d
role, err := getRole(ctx, req.Storage, roleName) role, err := getRole(ctx, req.Storage, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to load role: %s", err) return nil, errwrap.Wrapf("unable to load role: {{err}}", err)
} }
resp := &logical.Response{Secret: req.Secret} resp := &logical.Response{Secret: req.Secret}
@@ -70,7 +71,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
err = session.Query(fmt.Sprintf("DROP USER '%s'", username)).Exec() err = session.Query(fmt.Sprintf("DROP USER '%s'", username)).Exec()
if err != nil { if err != nil {
return nil, fmt.Errorf("error removing user %s", username) return nil, fmt.Errorf("error removing user %q", username)
} }
return nil, nil return nil, nil

11
builtin/logical/cassandra/util.go
View File

@@ -7,6 +7,7 @@ import (
"time" "time"
"github.com/gocql/gocql" "github.com/gocql/gocql"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/tlsutil" "github.com/hashicorp/vault/helper/tlsutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -39,7 +40,7 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
var tlsConfig *tls.Config var tlsConfig *tls.Config
if len(cfg.Certificate) > 0 || len(cfg.IssuingCA) > 0 { if len(cfg.Certificate) > 0 || len(cfg.IssuingCA) > 0 {
if len(cfg.Certificate) > 0 && len(cfg.PrivateKey) == 0 { if len(cfg.Certificate) > 0 && len(cfg.PrivateKey) == 0 {
return nil, fmt.Errorf("Found certificate for TLS authentication but no private key") return nil, fmt.Errorf("found certificate for TLS authentication but no private key")
} }
certBundle := &certutil.CertBundle{} certBundle := &certutil.CertBundle{}
@@ -53,12 +54,12 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
parsedCertBundle, err := certBundle.ToParsedCertBundle() parsedCertBundle, err := certBundle.ToParsedCertBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse certificate bundle: %s", err) return nil, errwrap.Wrapf("failed to parse certificate bundle: {{err}}", err)
} }
tlsConfig, err = parsedCertBundle.GetTLSConfig(certutil.TLSClient) tlsConfig, err = parsedCertBundle.GetTLSConfig(certutil.TLSClient)
if err != nil || tlsConfig == nil { if err != nil || tlsConfig == nil {
return nil, fmt.Errorf("failed to get TLS configuration: tlsConfig:%#v err:%v", tlsConfig, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to get TLS configuration: tlsConfig: %#v; {{err}}", tlsConfig), err)
} }
tlsConfig.InsecureSkipVerify = cfg.InsecureTLS tlsConfig.InsecureSkipVerify = cfg.InsecureTLS
@@ -82,13 +83,13 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
session, err := clusterConfig.CreateSession() session, err := clusterConfig.CreateSession()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error creating session: %s", err) return nil, errwrap.Wrapf("error creating session: {{err}}", err)
} }
// Verify the info // Verify the info
err = session.Query(`LIST USERS`).Exec() err = session.Query(`LIST USERS`).Exec()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error validating connection info: %s", err) return nil, errwrap.Wrapf("error validating connection info: {{err}}", err)
} }
return session, nil return session, nil

7
builtin/logical/consul/path_config.go
View File

@@ -4,6 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -46,14 +47,12 @@ func readConfigAccess(ctx context.Context, storage logical.Storage) (*accessConf
return nil, nil, err return nil, nil, err
} }
if entry == nil { if entry == nil {
return nil, fmt.Errorf( return nil, fmt.Errorf("access credentials for the backend itself haven't been configured; please configure them at the '/config/access' endpoint"), nil
"Access credentials for the backend itself haven't been configured. Please configure them at the '/config/access' endpoint"),
nil
} }
conf := &accessConfig{} conf := &accessConfig{}
if err := entry.DecodeJSON(conf); err != nil { if err := entry.DecodeJSON(conf); err != nil {
return nil, nil, fmt.Errorf("error reading consul access configuration: %s", err) return nil, nil, errwrap.Wrapf("error reading consul access configuration: {{err}}", err)
} }
return conf, nil, nil return conf, nil, nil

3
builtin/logical/consul/path_token.go
View File

@@ -6,6 +6,7 @@ import (
"time" "time"
"github.com/hashicorp/consul/api" "github.com/hashicorp/consul/api"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -31,7 +32,7 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
entry, err := req.Storage.Get(ctx, "policy/"+role) entry, err := req.Storage.Get(ctx, "policy/"+role)
if err != nil { if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err) return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
} }
if entry == nil { if entry == nil {
return logical.ErrorResponse(fmt.Sprintf("role %q not found", role)), nil return logical.ErrorResponse(fmt.Sprintf("role %q not found", role)), nil

3
builtin/logical/consul/secret_token.go
View File

@@ -4,6 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -41,7 +42,7 @@ func (b *backend) secretTokenRenew(ctx context.Context, req *logical.Request, d
entry, err := req.Storage.Get(ctx, "policy/"+role) entry, err := req.Storage.Get(ctx, "policy/"+role)
if err != nil { if err != nil {
return nil, fmt.Errorf("error retrieving role: %s", err) return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
} }
if entry == nil { if entry == nil {
return logical.ErrorResponse(fmt.Sprintf("issuing role %q not found", role)), nil return logical.ErrorResponse(fmt.Sprintf("issuing role %q not found", role)), nil

2
builtin/logical/database/backend.go
View File

@@ -96,7 +96,7 @@ func (b *databaseBackend) DatabaseConfig(ctx context.Context, s logical.Storage,
return nil, errwrap.Wrapf("failed to read connection configuration: {{err}}", err) return nil, errwrap.Wrapf("failed to read connection configuration: {{err}}", err)
} }
if entry == nil { if entry == nil {
return nil, fmt.Errorf("failed to find entry for connection with name: %s", name) return nil, fmt.Errorf("failed to find entry for connection with name: %q", name)
} }
var config DatabaseConfig var config DatabaseConfig

2
builtin/logical/database/dbplugin/plugin.go
View File

@@ -54,7 +54,7 @@ func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRu
var ok bool var ok bool
db, ok = dbRaw.(Database) db, ok = dbRaw.(Database)
if !ok { if !ok {
return nil, fmt.Errorf("unsupported database type: %s", pluginName) return nil, fmt.Errorf("unsupported database type: %q", pluginName)
} }
transport = "builtin" transport = "builtin"

6
builtin/logical/database/secret_creds.go
View File

@@ -32,7 +32,7 @@ func (b *databaseBackend) secretCredsRenew() framework.OperationFunc {
roleNameRaw, ok := req.Secret.InternalData["role"] roleNameRaw, ok := req.Secret.InternalData["role"]
if !ok { if !ok {
return nil, fmt.Errorf("could not find role with name: %s", req.Secret.InternalData["role"]) return nil, fmt.Errorf("could not find role with name: %q", req.Secret.InternalData["role"])
} }
role, err := b.Role(ctx, req.Storage, roleNameRaw.(string)) role, err := b.Role(ctx, req.Storage, roleNameRaw.(string))
@@ -40,7 +40,7 @@ func (b *databaseBackend) secretCredsRenew() framework.OperationFunc {
return nil, err return nil, err
} }
if role == nil { if role == nil {
return nil, fmt.Errorf("error during renew: could not find role with name %s", req.Secret.InternalData["role"]) return nil, fmt.Errorf("error during renew: could not find role with name %q", req.Secret.InternalData["role"])
} }
// Get the Database object // Get the Database object
@@ -96,7 +96,7 @@ func (b *databaseBackend) secretCredsRevoke() framework.OperationFunc {
return nil, err return nil, err
} }
if role == nil { if role == nil {
return nil, fmt.Errorf("error during revoke: could not find role with name %s", req.Secret.InternalData["role"]) return nil, fmt.Errorf("error during revoke: could not find role with name %q", req.Secret.InternalData["role"])
} }
// Get our connection // Get our connection

5
builtin/logical/mssql/secret_creds.go
View File

@@ -5,6 +5,7 @@ import (
"database/sql" "database/sql"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -143,10 +144,10 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
// can't drop if not all database users are dropped // can't drop if not all database users are dropped
if rows.Err() != nil { if rows.Err() != nil {
return nil, fmt.Errorf("could not generate sql statements for all rows: %s", rows.Err()) return nil, errwrap.Wrapf("could not generate sql statements for all rows: {{err}}", rows.Err())
} }
if lastStmtError != nil { if lastStmtError != nil {
return nil, fmt.Errorf("could not perform all sql statements: %s", lastStmtError) return nil, errwrap.Wrapf("could not perform all sql statements: {{err}}", lastStmtError)
} }
// Drop this login // Drop this login

5
builtin/logical/pki/crl_util.go
View File

@@ -8,6 +8,7 @@ import (
"fmt" "fmt"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
) )
@@ -66,7 +67,7 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
cert, err := x509.ParseCertificate(certEntry.Value) cert, err := x509.ParseCertificate(certEntry.Value)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing certificate: %s", err) return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
} }
if cert == nil { if cert == nil {
return nil, fmt.Errorf("got a nil certificate") return nil, fmt.Errorf("got a nil certificate")
@@ -104,7 +105,7 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
case errutil.UserError: case errutil.UserError:
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
case errutil.InternalError: case errutil.InternalError:
return nil, fmt.Errorf("error encountered during CRL building: %s", crlErr) return nil, errwrap.Wrapf("error encountered during CRL building: {{err}}", crlErr)
} }
resp := &logical.Response{ resp := &logical.Response{

4
builtin/logical/pki/path_config_ca.go
View File

@@ -2,8 +2,8 @@ package pki
import ( import (
"context" "context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -62,7 +62,7 @@ func (b *backend) pathCAWrite(ctx context.Context, req *logical.Request, data *f
cb, err := parsedBundle.ToCertBundle() cb, err := parsedBundle.ToCertBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("error converting raw values into cert bundle: %s", err) return nil, errwrap.Wrapf("error converting raw values into cert bundle: {{err}}", err)
} }
entry, err := logical.StorageEntryJSON("config/ca_bundle", cb) entry, err := logical.StorageEntryJSON("config/ca_bundle", cb)

2
builtin/logical/pki/path_config_urls.go
View File

@@ -76,7 +76,7 @@ func writeURLs(ctx context.Context, req *logical.Request, entries *urlEntries) e
return err return err
} }
if entry == nil { if entry == nil {
return fmt.Errorf("Unable to marshal entry into JSON") return fmt.Errorf("unable to marshal entry into JSON")
} }
err = req.Storage.Put(ctx, entry) err = req.Storage.Put(ctx, entry)

7
builtin/logical/pki/path_intermediate.go
View File

@@ -5,6 +5,7 @@ import (
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -87,7 +88,7 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
csrb, err := parsedBundle.ToCSRBundle() csrb, err := parsedBundle.ToCSRBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error converting raw CSR bundle to CSR bundle: %s", err) return nil, errwrap.Wrapf("error converting raw CSR bundle to CSR bundle: {{err}}", err)
} }
resp = &logical.Response{ resp = &logical.Response{
@@ -197,12 +198,12 @@ func (b *backend) pathSetSignedIntermediate(ctx context.Context, req *logical.Re
} }
if err := inputBundle.Verify(); err != nil { if err := inputBundle.Verify(); err != nil {
return nil, fmt.Errorf("verification of parsed bundle failed: %s", err) return nil, errwrap.Wrapf("verification of parsed bundle failed: {{err}}", err)
} }
cb, err = inputBundle.ToCertBundle() cb, err = inputBundle.ToCertBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("error converting raw values into cert bundle: %s", err) return nil, errwrap.Wrapf("error converting raw values into cert bundle: {{err}}", err)
} }
entry, err = logical.StorageEntryJSON("config/ca_bundle", cb) entry, err = logical.StorageEntryJSON("config/ca_bundle", cb)

2
builtin/logical/pki/path_issue_sign.go
View File

@@ -297,7 +297,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
Value: parsedBundle.CertificateBytes, Value: parsedBundle.CertificateBytes,
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to store certificate locally: %v", err) return nil, errwrap.Wrapf("unable to store certificate locally: {{err}}", err)
} }
} }

3
builtin/logical/pki/path_revoke.go
View File

@@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -68,7 +69,7 @@ func (b *backend) pathRotateCRLRead(ctx context.Context, req *logical.Request, d
case errutil.UserError: case errutil.UserError:
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
case errutil.InternalError: case errutil.InternalError:
return nil, fmt.Errorf("Error encountered during CRL building: %s", crlErr) return nil, errwrap.Wrapf("error encountered during CRL building: {{err}}", crlErr)
default: default:
return &logical.Response{ return &logical.Response{
Data: map[string]interface{}{ Data: map[string]interface{}{

10
builtin/logical/pki/path_root.go
View File

@@ -309,17 +309,17 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
} }
if err := parsedBundle.Verify(); err != nil { if err := parsedBundle.Verify(); err != nil {
return nil, fmt.Errorf("verification of parsed bundle failed: %s", err) return nil, errwrap.Wrapf("verification of parsed bundle failed: {{err}}", err)
} }
signingCB, err := signingBundle.ToCertBundle() signingCB, err := signingBundle.ToCertBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error converting raw signing bundle to cert bundle: %s", err) return nil, errwrap.Wrapf("error converting raw signing bundle to cert bundle: {{err}}", err)
} }
cb, err := parsedBundle.ToCertBundle() cb, err := parsedBundle.ToCertBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error converting raw cert bundle to cert bundle: %s", err) return nil, errwrap.Wrapf("error converting raw cert bundle to cert bundle: {{err}}", err)
} }
resp := &logical.Response{ resp := &logical.Response{
@@ -366,7 +366,7 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
Value: parsedBundle.CertificateBytes, Value: parsedBundle.CertificateBytes,
}) })
if err != nil { if err != nil {
return nil, fmt.Errorf("Unable to store certificate locally: %v", err) return nil, errwrap.Wrapf("unable to store certificate locally: {{err}}", err)
} }
if parsedBundle.Certificate.MaxPathLen == 0 { if parsedBundle.Certificate.MaxPathLen == 0 {
@@ -413,7 +413,7 @@ func (b *backend) pathCASignSelfIssued(ctx context.Context, req *logical.Request
signingCB, err := signingBundle.ToCertBundle() signingCB, err := signingBundle.ToCertBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error converting raw signing bundle to cert bundle: %s", err) return nil, errwrap.Wrapf("error converting raw signing bundle to cert bundle: {{err}}", err)
} }
urls := &urlEntries{} urls := &urlEntries{}

18
builtin/logical/pki/path_tidy.go
View File

@@ -60,13 +60,13 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
if tidyCertStore { if tidyCertStore {
serials, err := req.Storage.List(ctx, "certs/") serials, err := req.Storage.List(ctx, "certs/")
if err != nil { if err != nil {
return nil, fmt.Errorf("error fetching list of certs: %s", err) return nil, errwrap.Wrapf("error fetching list of certs: {{err}}", err)
} }
for _, serial := range serials { for _, serial := range serials {
certEntry, err := req.Storage.Get(ctx, "certs/"+serial) certEntry, err := req.Storage.Get(ctx, "certs/"+serial)
if err != nil { if err != nil {
return nil, fmt.Errorf("error fetching certificate %s: %s", serial, err) return nil, errwrap.Wrapf(fmt.Sprintf("error fetching certificate %q: {{err}}", serial), err)
} }
if certEntry == nil { if certEntry == nil {
@@ -91,12 +91,12 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
cert, err := x509.ParseCertificate(certEntry.Value) cert, err := x509.ParseCertificate(certEntry.Value)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to parse stored certificate with serial %s: %s", serial, err) return nil, errwrap.Wrapf(fmt.Sprintf("unable to parse stored certificate with serial %q: {{err}}", serial), err)
} }
if time.Now().After(cert.NotAfter.Add(bufferDuration)) { if time.Now().After(cert.NotAfter.Add(bufferDuration)) {
if err := req.Storage.Delete(ctx, "certs/"+serial); err != nil { if err := req.Storage.Delete(ctx, "certs/"+serial); err != nil {
return nil, fmt.Errorf("error deleting serial %s from storage: %s", serial, err) return nil, errwrap.Wrapf(fmt.Sprintf("error deleting serial %q from storage: {{err}}", serial), err)
} }
} }
} }
@@ -110,14 +110,14 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
revokedSerials, err := req.Storage.List(ctx, "revoked/") revokedSerials, err := req.Storage.List(ctx, "revoked/")
if err != nil { if err != nil {
return nil, fmt.Errorf("error fetching list of revoked certs: %s", err) return nil, errwrap.Wrapf("error fetching list of revoked certs: {{err}}", err)
} }
var revInfo revocationInfo var revInfo revocationInfo
for _, serial := range revokedSerials { for _, serial := range revokedSerials {
revokedEntry, err := req.Storage.Get(ctx, "revoked/"+serial) revokedEntry, err := req.Storage.Get(ctx, "revoked/"+serial)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to fetch revoked cert with serial %s: %s", serial, err) return nil, errwrap.Wrapf(fmt.Sprintf("unable to fetch revoked cert with serial %q: {{err}}", serial), err)
} }
if revokedEntry == nil { if revokedEntry == nil {
@@ -142,17 +142,17 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
err = revokedEntry.DecodeJSON(&revInfo) err = revokedEntry.DecodeJSON(&revInfo)
if err != nil { if err != nil {
return nil, fmt.Errorf("error decoding revocation entry for serial %s: %s", serial, err) return nil, errwrap.Wrapf(fmt.Sprintf("error decoding revocation entry for serial %q: {{err}}", serial), err)
} }
revokedCert, err := x509.ParseCertificate(revInfo.CertificateBytes) revokedCert, err := x509.ParseCertificate(revInfo.CertificateBytes)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to parse stored revoked certificate with serial %s: %s", serial, err) return nil, errwrap.Wrapf(fmt.Sprintf("unable to parse stored revoked certificate with serial %q: {{err}}", serial), err)
} }
if time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) { if time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
if err := req.Storage.Delete(ctx, "revoked/"+serial); err != nil { if err := req.Storage.Delete(ctx, "revoked/"+serial); err != nil {
return nil, fmt.Errorf("error deleting serial %s from revoked list: %s", serial, err) return nil, errwrap.Wrapf(fmt.Sprintf("error deleting serial %q from revoked list: {{err}}", serial), err)
} }
tidiedRevoked = true tidiedRevoked = true
} }

5
builtin/logical/postgresql/secret_creds.go
View File

@@ -7,6 +7,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/strutil" "github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -224,10 +225,10 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
// can't drop if not all privileges are revoked // can't drop if not all privileges are revoked
if rows.Err() != nil { if rows.Err() != nil {
return nil, fmt.Errorf("could not generate revocation statements for all rows: %s", rows.Err()) return nil, errwrap.Wrapf("could not generate revocation statements for all rows: {{err}}", rows.Err())
} }
if lastStmtError != nil { if lastStmtError != nil {
return nil, fmt.Errorf("could not perform all revocation statements: %s", lastStmtError) return nil, errwrap.Wrapf("could not perform all revocation statements: {{err}}", lastStmtError)
} }
// Drop this user // Drop this user

6
builtin/logical/rabbitmq/path_config_connection.go
View File

@@ -2,8 +2,8 @@ package rabbitmq
import ( import (
"context" "context"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
"github.com/michaelklishin/rabbit-hole" "github.com/michaelklishin/rabbit-hole"
@@ -63,12 +63,12 @@ func (b *backend) pathConnectionUpdate(ctx context.Context, req *logical.Request
// Create RabbitMQ management client // Create RabbitMQ management client
client, err := rabbithole.NewClient(uri, username, password) client, err := rabbithole.NewClient(uri, username, password)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create client: %s", err) return nil, errwrap.Wrapf("failed to create client: {{err}}", err)
} }
// Verify that configured credentials is capable of listing // Verify that configured credentials is capable of listing
if _, err = client.ListUsers(); err != nil { if _, err = client.ListUsers(); err != nil {
return nil, fmt.Errorf("failed to validate the connection: %s", err) return nil, errwrap.Wrapf("failed to validate the connection: {{err}}", err)
} }
} }

7
builtin/logical/rabbitmq/path_role_create.go
View File

@@ -4,6 +4,8 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -82,11 +84,12 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr
Write: permission.Write, Write: permission.Write,
Read: permission.Read, Read: permission.Read,
}); err != nil { }); err != nil {
outerErr := errwrap.Wrapf(fmt.Sprintf("failed to update permissions to the %q user: {{err}}", username), err)
// Delete the user because it's in an unknown state // Delete the user because it's in an unknown state
if _, rmErr := client.DeleteUser(username); rmErr != nil { if _, rmErr := client.DeleteUser(username); rmErr != nil {
return nil, fmt.Errorf("failed to delete user:%s, err: %s. %s", username, err, rmErr) return nil, multierror.Append(errwrap.Wrapf("failed to delete user: {{err}}", rmErr), outerErr)
} }
return nil, fmt.Errorf("failed to update permissions to the %s user. err:%s", username, err) return nil, outerErr
} }
} }

3
builtin/logical/rabbitmq/secret_creds.go
View File

@@ -4,6 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
) )
@@ -62,7 +63,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, d
} }
if _, err = client.DeleteUser(username); err != nil { if _, err = client.DeleteUser(username); err != nil {
return nil, fmt.Errorf("could not delete user: %s", err) return nil, errwrap.Wrapf("could not delete user: {{err}}", err)
} }
return nil, nil return nil, nil

11
builtin/logical/ssh/communicator.go
View File

@@ -11,6 +11,7 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog" log "github.com/hashicorp/go-hclog"
"golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh"
@@ -277,7 +278,7 @@ func checkSCPStatus(r *bufio.Reader) error {
// Treat any non-zero (really 1 and 2) as fatal errors // Treat any non-zero (really 1 and 2) as fatal errors
message, _, err := r.ReadLine() message, _, err := r.ReadLine()
if err != nil { if err != nil {
return fmt.Errorf("Error reading error message: %s", err) return errwrap.Wrapf("error reading error message: {{err}}", err)
} }
return errors.New(string(message)) return errors.New(string(message))
@@ -298,7 +299,7 @@ func scpUploadFile(dst string, src io.Reader, w io.Writer, r *bufio.Reader, fi *
// so that we can determine the length, since SCP is length-prefixed. // so that we can determine the length, since SCP is length-prefixed.
tf, err := ioutil.TempFile("", "vault-ssh-upload") tf, err := ioutil.TempFile("", "vault-ssh-upload")
if err != nil { if err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err) return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
} }
defer os.Remove(tf.Name()) defer os.Remove(tf.Name())
defer tf.Close() defer tf.Close()
@@ -312,17 +313,17 @@ func scpUploadFile(dst string, src io.Reader, w io.Writer, r *bufio.Reader, fi *
// Sync the file so that the contents are definitely on disk, then // Sync the file so that the contents are definitely on disk, then
// read the length of it. // read the length of it.
if err := tf.Sync(); err != nil { if err := tf.Sync(); err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err) return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
} }
// Seek the file to the beginning so we can re-read all of it // Seek the file to the beginning so we can re-read all of it
if _, err := tf.Seek(0, 0); err != nil { if _, err := tf.Seek(0, 0); err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err) return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
} }
tfi, err := tf.Stat() tfi, err := tf.Stat()
if err != nil { if err != nil {
return fmt.Errorf("Error creating temporary file for upload: %s", err) return errwrap.Wrapf("error creating temporary file for upload: {{err}}", err)
} }
size = tfi.Size() size = tfi.Size()

13
builtin/logical/ssh/path_config_ca.go
View File

@@ -8,6 +8,7 @@ import (
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
multierror "github.com/hashicorp/go-multierror" multierror "github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -65,7 +66,7 @@ Read operations will return the public key, if already stored/generated.`,
func (b *backend) pathConfigCARead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { func (b *backend) pathConfigCARead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
publicKeyEntry, err := caKey(ctx, req.Storage, caPublicKey) publicKeyEntry, err := caKey(ctx, req.Storage, caPublicKey)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read CA public key: %v", err) return nil, errwrap.Wrapf("failed to read CA public key: {{err}}", err)
} }
if publicKeyEntry == nil { if publicKeyEntry == nil {
@@ -106,7 +107,7 @@ func caKey(ctx context.Context, storage logical.Storage, keyType string) (*keySt
entry, err := storage.Get(ctx, path) entry, err := storage.Get(ctx, path)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read CA key of type %q: %v", keyType, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to read CA key of type %q: {{err}}", keyType), err)
} }
if entry == nil { if entry == nil {
@@ -202,12 +203,12 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request,
publicKeyEntry, err := caKey(ctx, req.Storage, caPublicKey) publicKeyEntry, err := caKey(ctx, req.Storage, caPublicKey)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read CA public key: %v", err) return nil, errwrap.Wrapf("failed to read CA public key: {{err}}", err)
} }
privateKeyEntry, err := caKey(ctx, req.Storage, caPrivateKey) privateKeyEntry, err := caKey(ctx, req.Storage, caPrivateKey)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read CA private key: %v", err) return nil, errwrap.Wrapf("failed to read CA private key: {{err}}", err)
} }
if (publicKeyEntry != nil && publicKeyEntry.Key != "") || (privateKeyEntry != nil && privateKeyEntry.Key != "") { if (publicKeyEntry != nil && publicKeyEntry.Key != "") || (privateKeyEntry != nil && privateKeyEntry.Key != "") {
@@ -239,12 +240,12 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request,
if err != nil { if err != nil {
var mErr *multierror.Error var mErr *multierror.Error
mErr = multierror.Append(mErr, fmt.Errorf("failed to store CA private key: %v", err)) mErr = multierror.Append(mErr, errwrap.Wrapf("failed to store CA private key: {{err}}", err))
// If storing private key fails, the corresponding public key should be // If storing private key fails, the corresponding public key should be
// removed // removed
if delErr := req.Storage.Delete(ctx, caPublicKeyStoragePath); delErr != nil { if delErr := req.Storage.Delete(ctx, caPublicKeyStoragePath); delErr != nil {
mErr = multierror.Append(mErr, fmt.Errorf("failed to cleanup CA public key: %v", delErr)) mErr = multierror.Append(mErr, errwrap.Wrapf("failed to cleanup CA public key: {{err}}", delErr))
return nil, mErr return nil, mErr
} }

2
builtin/logical/ssh/path_config_zeroaddress.go
View File

@@ -146,7 +146,7 @@ func (r *zeroAddressRoles) remove(roleName string) error {
} }
length := len(r.Roles) length := len(r.Roles)
if index >= length || index < 0 { if index >= length || index < 0 {
return fmt.Errorf("invalid index [%d]", index) return fmt.Errorf("invalid index %d", index)
} }
// If slice has zero or one item, remove the item by setting slice to nil. // If slice has zero or one item, remove the item by setting slice to nil.
if length < 2 { if length < 2 {

13
builtin/logical/ssh/path_creds_create.go
View File

@@ -6,6 +6,7 @@ import (
"net" "net"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -55,7 +56,7 @@ func (b *backend) pathCredsCreateWrite(ctx context.Context, req *logical.Request
role, err := b.getRole(ctx, req.Storage, roleName) role, err := b.getRole(ctx, req.Storage, roleName)
if err != nil { if err != nil {
return nil, fmt.Errorf("error retrieving role: %v", err) return nil, errwrap.Wrapf("error retrieving role: {{err}}", err)
} }
if role == nil { if role == nil {
return logical.ErrorResponse(fmt.Sprintf("Role %q not found", roleName)), nil return logical.ErrorResponse(fmt.Sprintf("Role %q not found", roleName)), nil
@@ -97,7 +98,7 @@ func (b *backend) pathCredsCreateWrite(ctx context.Context, req *logical.Request
zeroAddressEntry, err := b.getZeroAddressRoles(ctx, req.Storage) zeroAddressEntry, err := b.getZeroAddressRoles(ctx, req.Storage)
if err != nil { if err != nil {
return nil, fmt.Errorf("error retrieving zero-address roles: %v", err) return nil, errwrap.Wrapf("error retrieving zero-address roles: {{err}}", err)
} }
var zeroAddressRoles []string var zeroAddressRoles []string
if zeroAddressEntry != nil { if zeroAddressEntry != nil {
@@ -171,7 +172,7 @@ func (b *backend) GenerateDynamicCredential(ctx context.Context, req *logical.Re
// Fetch the host key to be used for dynamic key installation // Fetch the host key to be used for dynamic key installation
keyEntry, err := req.Storage.Get(ctx, fmt.Sprintf("keys/%s", role.KeyName)) keyEntry, err := req.Storage.Get(ctx, fmt.Sprintf("keys/%s", role.KeyName))
if err != nil { if err != nil {
return "", "", fmt.Errorf("key %q not found. err: %v", role.KeyName, err) return "", "", errwrap.Wrapf(fmt.Sprintf("key %q not found: {{err}}", role.KeyName), err)
} }
if keyEntry == nil { if keyEntry == nil {
@@ -180,13 +181,13 @@ func (b *backend) GenerateDynamicCredential(ctx context.Context, req *logical.Re
var hostKey sshHostKey var hostKey sshHostKey
if err := keyEntry.DecodeJSON(&hostKey); err != nil { if err := keyEntry.DecodeJSON(&hostKey); err != nil {
return "", "", fmt.Errorf("error reading the host key: %v", err) return "", "", errwrap.Wrapf("error reading the host key: {{err}}", err)
} }
// Generate a new RSA key pair with the given key length. // Generate a new RSA key pair with the given key length.
dynamicPublicKey, dynamicPrivateKey, err := generateRSAKeys(role.KeyBits) dynamicPublicKey, dynamicPrivateKey, err := generateRSAKeys(role.KeyBits)
if err != nil { if err != nil {
return "", "", fmt.Errorf("error generating key: %v", err) return "", "", errwrap.Wrapf("error generating key: {{err}}", err)
} }
if len(role.KeyOptionSpecs) != 0 { if len(role.KeyOptionSpecs) != 0 {
@@ -196,7 +197,7 @@ func (b *backend) GenerateDynamicCredential(ctx context.Context, req *logical.Re
// Add the public key to authorized_keys file in target machine // Add the public key to authorized_keys file in target machine
err = b.installPublicKeyInTarget(ctx, role.AdminUser, username, ip, role.Port, hostKey.Key, dynamicPublicKey, role.InstallScript, true) err = b.installPublicKeyInTarget(ctx, role.AdminUser, username, ip, role.Port, hostKey.Key, dynamicPublicKey, role.InstallScript, true)
if err != nil { if err != nil {
return "", "", fmt.Errorf("failed to add public key to authorized_keys file in target: %v", err) return "", "", errwrap.Wrapf("failed to add public key to authorized_keys file in target: {{err}}", err)
} }
return dynamicPublicKey, dynamicPrivateKey, nil return dynamicPublicKey, dynamicPrivateKey, nil
} }

5
builtin/logical/ssh/path_roles.go
View File

@@ -7,6 +7,7 @@ import (
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/cidrutil" "github.com/hashicorp/vault/helper/cidrutil"
"github.com/hashicorp/vault/helper/parseutil" "github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -305,7 +306,7 @@ func (b *backend) pathRoleWrite(ctx context.Context, req *logical.Request, d *fr
if cidrList != "" { if cidrList != "" {
valid, err := cidrutil.ValidateCIDRListString(cidrList, ",") valid, err := cidrutil.ValidateCIDRListString(cidrList, ",")
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to validate cidr_list: %v", err) return nil, errwrap.Wrapf("failed to validate cidr_list: {{err}}", err)
} }
if !valid { if !valid {
return logical.ErrorResponse("failed to validate cidr_list"), nil return logical.ErrorResponse("failed to validate cidr_list"), nil
@@ -317,7 +318,7 @@ func (b *backend) pathRoleWrite(ctx context.Context, req *logical.Request, d *fr
if excludeCidrList != "" { if excludeCidrList != "" {
valid, err := cidrutil.ValidateCIDRListString(excludeCidrList, ",") valid, err := cidrutil.ValidateCIDRListString(excludeCidrList, ",")
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to validate exclude_cidr_list entry: %v", err) return nil, errwrap.Wrapf("failed to validate exclude_cidr_list entry: {{err}}", err)
} }
if !valid { if !valid {
return logical.ErrorResponse(fmt.Sprintf("failed to validate exclude_cidr_list entry: %v", err)), nil return logical.ErrorResponse(fmt.Sprintf("failed to validate exclude_cidr_list entry: %v", err)), nil

9
builtin/logical/ssh/path_sign.go
View File

@@ -10,6 +10,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/helper/parseutil" "github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/strutil" "github.com/hashicorp/vault/helper/strutil"
@@ -151,7 +152,7 @@ func (b *backend) pathSignCertificate(ctx context.Context, req *logical.Request,
privateKeyEntry, err := caKey(ctx, req.Storage, caPrivateKey) privateKeyEntry, err := caKey(ctx, req.Storage, caPrivateKey)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read CA private key: %v", err) return nil, errwrap.Wrapf("failed to read CA private key: {{err}}", err)
} }
if privateKeyEntry == nil || privateKeyEntry.Key == "" { if privateKeyEntry == nil || privateKeyEntry.Key == "" {
return nil, fmt.Errorf("failed to read CA private key") return nil, fmt.Errorf("failed to read CA private key")
@@ -159,7 +160,7 @@ func (b *backend) pathSignCertificate(ctx context.Context, req *logical.Request,
signer, err := ssh.ParsePrivateKey([]byte(privateKeyEntry.Key)) signer, err := ssh.ParsePrivateKey([]byte(privateKeyEntry.Key))
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse stored CA private key: %v", err) return nil, errwrap.Wrapf("failed to parse stored CA private key: {{err}}", err)
} }
cBundle := creationBundle{ cBundle := creationBundle{
@@ -312,7 +313,7 @@ func (b *backend) calculateCriticalOptions(data *framework.FieldData, role *sshR
} }
if len(notAllowedOptions) != 0 { if len(notAllowedOptions) != 0 {
return nil, fmt.Errorf("Critical options not on allowed list: %v", notAllowedOptions) return nil, fmt.Errorf("critical options not on allowed list: %v", notAllowedOptions)
} }
} }
@@ -376,7 +377,7 @@ func (b *backend) calculateTTL(data *framework.FieldData, role *sshRole) (time.D
if !specifiedTTL { if !specifiedTTL {
ttl = maxTTL ttl = maxTTL
} else { } else {
return 0, fmt.Errorf("ttl is larger than maximum allowed (%d)", maxTTL/time.Second) return 0, fmt.Errorf("ttl is larger than maximum allowed %d", maxTTL/time.Second)
} }
} }

2
builtin/logical/ssh/secret_dynamic_key.go
View File

@@ -55,7 +55,7 @@ func (b *backend) secretDynamicKeyRevoke(ctx context.Context, req *logical.Reque
// Fetch the host key using the key name // Fetch the host key using the key name
hostKey, err := b.getKey(ctx, req.Storage, intSec.HostKeyName) hostKey, err := b.getKey(ctx, req.Storage, intSec.HostKeyName)
if err != nil { if err != nil {
return nil, fmt.Errorf("key %q not found error: %v", intSec.HostKeyName, err) return nil, errwrap.Wrapf(fmt.Sprintf("key %q not found error: {{err}}", intSec.HostKeyName), err)
} }
if hostKey == nil { if hostKey == nil {
return nil, fmt.Errorf("key %q not found", intSec.HostKeyName) return nil, fmt.Errorf("key %q not found", intSec.HostKeyName)

13
builtin/logical/ssh/util.go
View File

@@ -13,6 +13,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
log "github.com/hashicorp/go-hclog" log "github.com/hashicorp/go-hclog"
@@ -24,7 +25,7 @@ import (
func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) { func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) {
privateKey, err := rsa.GenerateKey(rand.Reader, keyBits) privateKey, err := rsa.GenerateKey(rand.Reader, keyBits)
if err != nil { if err != nil {
return "", "", fmt.Errorf("error generating RSA key-pair: %v", err) return "", "", errwrap.Wrapf("error generating RSA key-pair: {{err}}", err)
} }
privateKeyRsa = string(pem.EncodeToMemory(&pem.Block{ privateKeyRsa = string(pem.EncodeToMemory(&pem.Block{
@@ -34,7 +35,7 @@ func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, er
sshPublicKey, err := ssh.NewPublicKey(privateKey.Public()) sshPublicKey, err := ssh.NewPublicKey(privateKey.Public())
if err != nil { if err != nil {
return "", "", fmt.Errorf("error generating RSA key-pair: %v", err) return "", "", errwrap.Wrapf("error generating RSA key-pair: {{err}}", err)
} }
publicKeyRsa = "ssh-rsa " + base64.StdEncoding.EncodeToString(sshPublicKey.Marshal()) publicKeyRsa = "ssh-rsa " + base64.StdEncoding.EncodeToString(sshPublicKey.Marshal())
return return
@@ -62,7 +63,7 @@ func (b *backend) installPublicKeyInTarget(ctx context.Context, adminUser, usern
err = comm.Upload(publicKeyFileName, bytes.NewBufferString(dynamicPublicKey), nil) err = comm.Upload(publicKeyFileName, bytes.NewBufferString(dynamicPublicKey), nil)
if err != nil { if err != nil {
return fmt.Errorf("error uploading public key: %v", err) return errwrap.Wrapf("error uploading public key: {{err}}", err)
} }
// Transfer the script required to install or uninstall the key to the remote // Transfer the script required to install or uninstall the key to the remote
@@ -71,14 +72,14 @@ func (b *backend) installPublicKeyInTarget(ctx context.Context, adminUser, usern
scriptFileName := fmt.Sprintf("%s.sh", publicKeyFileName) scriptFileName := fmt.Sprintf("%s.sh", publicKeyFileName)
err = comm.Upload(scriptFileName, bytes.NewBufferString(installScript), nil) err = comm.Upload(scriptFileName, bytes.NewBufferString(installScript), nil)
if err != nil { if err != nil {
return fmt.Errorf("error uploading install script: %v", err) return errwrap.Wrapf("error uploading install script: {{err}}", err)
} }
// Create a session to run remote command that triggers the script to install // Create a session to run remote command that triggers the script to install
// or uninstall the key. // or uninstall the key.
session, err := comm.NewSession() session, err := comm.NewSession()
if err != nil { if err != nil {
return fmt.Errorf("unable to create SSH Session using public keys: %v", err) return errwrap.Wrapf("unable to create SSH Session using public keys: {{err}}", err)
} }
if session == nil { if session == nil {
return fmt.Errorf("invalid session object") return fmt.Errorf("invalid session object")
@@ -117,7 +118,7 @@ func roleContainsIP(ctx context.Context, s logical.Storage, roleName string, ip
roleEntry, err := s.Get(ctx, fmt.Sprintf("roles/%s", roleName)) roleEntry, err := s.Get(ctx, fmt.Sprintf("roles/%s", roleName))
if err != nil { if err != nil {
return false, fmt.Errorf("error retrieving role %v", err) return false, errwrap.Wrapf("error retrieving role {{err}}", err)
} }
if roleEntry == nil { if roleEntry == nil {
return false, fmt.Errorf("role %q not found", roleName) return false, fmt.Errorf("role %q not found", roleName)

3
builtin/logical/totp/path_keys.go
View File

@@ -11,6 +11,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
otplib "github.com/pquerna/otp" otplib "github.com/pquerna/otp"
@@ -355,7 +356,7 @@ func (b *backend) pathKeyCreate(ctx context.Context, req *logical.Request, data
} else { } else {
barcode, err := keyObject.Image(qrSize, qrSize) barcode, err := keyObject.Image(qrSize, qrSize)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to generate QR code image: %v", err) return nil, errwrap.Wrapf("failed to generate QR code image: {{err}}", err)
} }
var buff bytes.Buffer var buff bytes.Buffer

4
builtin/logical/transit/path_decrypt.go
View File

@@ -3,8 +3,8 @@ package transit
import ( import (
"context" "context"
"encoding/base64" "encoding/base64"
"fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -58,7 +58,7 @@ func (b *backend) pathDecryptWrite(ctx context.Context, req *logical.Request, d
if batchInputRaw != nil { if batchInputRaw != nil {
err = mapstructure.Decode(batchInputRaw, &batchInputItems) err = mapstructure.Decode(batchInputRaw, &batchInputItems)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse batch input: %v", err) return nil, errwrap.Wrapf("failed to parse batch input: {{err}}", err)
} }
if len(batchInputItems) == 0 { if len(batchInputItems) == 0 {

3
builtin/logical/transit/path_encrypt.go
View File

@@ -6,6 +6,7 @@ import (
"fmt" "fmt"
"sync" "sync"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/helper/keysutil" "github.com/hashicorp/vault/helper/keysutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@@ -146,7 +147,7 @@ func (b *backend) pathEncryptWrite(ctx context.Context, req *logical.Request, d
if batchInputRaw != nil { if batchInputRaw != nil {
err = mapstructure.Decode(batchInputRaw, &batchInputItems) err = mapstructure.Decode(batchInputRaw, &batchInputItems)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse batch input: %v", err) return nil, errwrap.Wrapf("failed to parse batch input: {{err}}", err)
} }
if len(batchInputItems) == 0 { if len(batchInputItems) == 0 {

5
builtin/logical/transit/path_keys.go
View File

@@ -13,6 +13,7 @@ import (
"golang.org/x/crypto/ed25519" "golang.org/x/crypto/ed25519"
"github.com/fatih/structs" "github.com/fatih/structs"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/keysutil" "github.com/hashicorp/vault/helper/keysutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -277,7 +278,7 @@ func (b *backend) pathPolicyRead(ctx context.Context, req *logical.Request, d *f
} else { } else {
ver, err := strconv.Atoi(k) ver, err := strconv.Atoi(k)
if err != nil { if err != nil {
return nil, fmt.Errorf("invalid version %q: %v", k, err) return nil, errwrap.Wrapf(fmt.Sprintf("invalid version %q: {{err}}", k), err)
} }
derived, err := p.DeriveKey(context, ver) derived, err := p.DeriveKey(context, ver)
if err != nil { if err != nil {
@@ -298,7 +299,7 @@ func (b *backend) pathPolicyRead(ctx context.Context, req *logical.Request, d *f
// API // API
derBytes, err := x509.MarshalPKIXPublicKey(v.RSAKey.Public()) derBytes, err := x509.MarshalPKIXPublicKey(v.RSAKey.Public())
if err != nil { if err != nil {
return nil, fmt.Errorf("error marshaling RSA public key: %v", err) return nil, errwrap.Wrapf("error marshaling RSA public key: {{err}}", err)
} }
pemBlock := &pem.Block{ pemBlock := &pem.Block{
Type: "PUBLIC KEY", Type: "PUBLIC KEY",

3
builtin/logical/transit/path_rewrap.go
View File

@@ -5,6 +5,7 @@ import (
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework" "github.com/hashicorp/vault/logical/framework"
@@ -59,7 +60,7 @@ func (b *backend) pathRewrapWrite(ctx context.Context, req *logical.Request, d *
if batchInputRaw != nil { if batchInputRaw != nil {
err = mapstructure.Decode(batchInputRaw, &batchInputItems) err = mapstructure.Decode(batchInputRaw, &batchInputItems)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse batch input: %v", err) return nil, errwrap.Wrapf("failed to parse batch input: {{err}}", err)
} }
if len(batchInputItems) == 0 { if len(batchInputItems) == 0 {

2
command/base_flags.go
View File

@@ -648,7 +648,7 @@ func newStringMapValue(def map[string]string, target *map[string]string, hidden
func (s *stringMapValue) Set(val string) error { func (s *stringMapValue) Set(val string) error {
idx := strings.Index(val, "=") idx := strings.Index(val, "=")
if idx == -1 { if idx == -1 {
return fmt.Errorf("Missing = in KV pair: %s", val) return fmt.Errorf("missing = in KV pair: %q", val)
} }
if *s.target == nil { if *s.target == nil {

3
command/config.go
View File

@@ -77,8 +77,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items { for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string) key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok { if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf( result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
"invalid key '%s' on line %d", key, item.Assign.Line))
} }
} }

10
command/config/config.go
View File

@@ -5,6 +5,7 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
"github.com/hashicorp/hcl" "github.com/hashicorp/hcl"
"github.com/hashicorp/hcl/hcl/ast" "github.com/hashicorp/hcl/hcl/ast"
@@ -56,7 +57,7 @@ func LoadConfig(path string) (*DefaultConfig, error) {
// NOTE: requires HOME env var to be set // NOTE: requires HOME env var to be set
path, err := homedir.Expand(path) path, err := homedir.Expand(path)
if err != nil { if err != nil {
return nil, fmt.Errorf("Error expanding config path %s: %s", path, err) return nil, errwrap.Wrapf(fmt.Sprintf("error expanding config path %q: {{err}}", path), err)
} }
contents, err := ioutil.ReadFile(path) contents, err := ioutil.ReadFile(path)
@@ -66,7 +67,7 @@ func LoadConfig(path string) (*DefaultConfig, error) {
conf, err := ParseConfig(string(contents)) conf, err := ParseConfig(string(contents))
if err != nil { if err != nil {
return nil, fmt.Errorf("Error parsing config file at %s: %q. Ensure that the file is valid; Ansible Vault is known to conflict with it.", path, err) return nil, errwrap.Wrapf(fmt.Sprintf("error parsing config file at %q: {{err}}; ensure that the file is valid; Ansible Vault is known to conflict with it.", path), err)
} }
return conf, nil return conf, nil
@@ -82,7 +83,7 @@ func ParseConfig(contents string) (*DefaultConfig, error) {
// Top-level item should be the object list // Top-level item should be the object list
list, ok := root.Node.(*ast.ObjectList) list, ok := root.Node.(*ast.ObjectList)
if !ok { if !ok {
return nil, fmt.Errorf("Failed to parse config: does not contain a root object") return nil, fmt.Errorf("failed to parse config; does not contain a root object")
} }
valid := []string{ valid := []string{
@@ -119,8 +120,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items { for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string) key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok { if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf( result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
"invalid key '%s' on line %d", key, item.Assign.Line))
} }
} }

2
command/format.go
View File

@@ -161,7 +161,7 @@ func (t TableFormatter) OutputList(ui cli.Ui, secret *api.Secret, data interface
for i, v := range list { for i, v := range list {
typed, ok := v.(string) typed, ok := v.(string)
if !ok { if !ok {
return fmt.Errorf("Error: %v is not a string", v) return fmt.Errorf("%v is not a string", v)
} }
keys[i] = typed keys[i] = typed
} }

7
command/operator_generate_root.go
View File

@@ -9,6 +9,7 @@ import (
"os" "os"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/password" "github.com/hashicorp/vault/helper/password"
@@ -252,14 +253,14 @@ func (c *OperatorGenerateRootCommand) Run(args []string) int {
// verifyOTP verifies the given OTP code is exactly 16 bytes. // verifyOTP verifies the given OTP code is exactly 16 bytes.
func (c *OperatorGenerateRootCommand) verifyOTP(otp string) error { func (c *OperatorGenerateRootCommand) verifyOTP(otp string) error {
if len(otp) == 0 { if len(otp) == 0 {
return fmt.Errorf("No OTP passed in") return fmt.Errorf("no OTP passed in")
} }
otpBytes, err := base64.StdEncoding.DecodeString(otp) otpBytes, err := base64.StdEncoding.DecodeString(otp)
if err != nil { if err != nil {
return fmt.Errorf("Error decoding base64 OTP value: %s", err) return errwrap.Wrapf("error decoding base64 OTP value: {{err}}", err)
} }
if otpBytes == nil || len(otpBytes) != 16 { if otpBytes == nil || len(otpBytes) != 16 {
return fmt.Errorf("Decoded OTP value is invalid or wrong length") return fmt.Errorf("decoded OTP value is invalid or wrong length")
} }
return nil return nil

24
command/server.go
View File

@@ -1037,7 +1037,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
isLeader, _, _, err := core.Leader() isLeader, _, _, err := core.Leader()
if err != nil && err != vault.ErrHANotEnabled { if err != nil && err != vault.ErrHANotEnabled {
return nil, fmt.Errorf("failed to check active status: %v", err) return nil, errwrap.Wrapf("failed to check active status: {{err}}", err)
} }
if err == nil { if err == nil {
leaderCount := 5 leaderCount := 5
@@ -1050,7 +1050,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
time.Sleep(1 * time.Second) time.Sleep(1 * time.Second)
isLeader, _, _, err = core.Leader() isLeader, _, _, err = core.Leader()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to check active status: %v", err) return nil, errwrap.Wrapf("failed to check active status: {{err}}", err)
} }
leaderCount-- leaderCount--
} }
@@ -1072,13 +1072,13 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
} }
resp, err := core.HandleRequest(req) resp, err := core.HandleRequest(req)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create root token with ID %s: %s", coreConfig.DevToken, err) return nil, errwrap.Wrapf(fmt.Sprintf("failed to create root token with ID %q: {{err}}", coreConfig.DevToken), err)
} }
if resp == nil { if resp == nil {
return nil, fmt.Errorf("nil response when creating root token with ID %s", coreConfig.DevToken) return nil, fmt.Errorf("nil response when creating root token with ID %q", coreConfig.DevToken)
} }
if resp.Auth == nil { if resp.Auth == nil {
return nil, fmt.Errorf("nil auth when creating root token with ID %s", coreConfig.DevToken) return nil, fmt.Errorf("nil auth when creating root token with ID %q", coreConfig.DevToken)
} }
init.RootToken = resp.Auth.ClientToken init.RootToken = resp.Auth.ClientToken
@@ -1088,7 +1088,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, coreConfig *vault.CoreConfig
req.Data = nil req.Data = nil
resp, err = core.HandleRequest(req) resp, err = core.HandleRequest(req)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to revoke initial root token: %s", err) return nil, errwrap.Wrapf("failed to revoke initial root token: {{err}}", err)
} }
} }
@@ -1355,7 +1355,7 @@ func (c *ServerCommand) detectRedirect(detect physical.RedirectDetect,
if val, ok := list.Config["tls_disable"]; ok { if val, ok := list.Config["tls_disable"]; ok {
disable, err := parseutil.ParseBool(val) disable, err := parseutil.ParseBool(val)
if err != nil { if err != nil {
return "", fmt.Errorf("tls_disable: %s", err) return "", errwrap.Wrapf("tls_disable: {{err}}", err)
} }
if disable { if disable {
@@ -1483,7 +1483,7 @@ func (c *ServerCommand) setupTelemetry(config *server.Config) error {
sink, err := datadog.NewDogStatsdSink(telConfig.DogStatsDAddr, metricsConf.HostName) sink, err := datadog.NewDogStatsdSink(telConfig.DogStatsDAddr, metricsConf.HostName)
if err != nil { if err != nil {
return fmt.Errorf("failed to start DogStatsD sink. Got: %s", err) return errwrap.Wrapf("failed to start DogStatsD sink: {{err}}", err)
} }
sink.SetTags(tags) sink.SetTags(tags)
fanout = append(fanout, sink) fanout = append(fanout, sink)
@@ -1512,7 +1512,7 @@ func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]rel
for _, relFunc := range relFuncs { for _, relFunc := range relFuncs {
if relFunc != nil { if relFunc != nil {
if err := relFunc(nil); err != nil { if err := relFunc(nil); err != nil {
reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("Error encountered reloading listener: %v", err)) reloadErrors = multierror.Append(reloadErrors, errwrap.Wrapf("error encountered reloading listener: {{err}}", err))
} }
} }
} }
@@ -1521,7 +1521,7 @@ func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]rel
for _, relFunc := range relFuncs { for _, relFunc := range relFuncs {
if relFunc != nil { if relFunc != nil {
if err := relFunc(nil); err != nil { if err := relFunc(nil); err != nil {
reloadErrors = multierror.Append(reloadErrors, fmt.Errorf("Error encountered reloading file audit device at path %s: %v", strings.TrimPrefix(k, "audit_file|"), err)) reloadErrors = multierror.Append(reloadErrors, errwrap.Wrapf(fmt.Sprintf("error encountered reloading file audit device at path %q: {{err}}", strings.TrimPrefix(k, "audit_file|")), err))
} }
} }
} }
@@ -1548,7 +1548,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error {
// Open the PID file // Open the PID file
pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644) pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
if err != nil { if err != nil {
return fmt.Errorf("could not open pid file: %v", err) return errwrap.Wrapf("could not open pid file: {{err}}", err)
} }
defer pidFile.Close() defer pidFile.Close()
@@ -1556,7 +1556,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error {
pid := os.Getpid() pid := os.Getpid()
_, err = pidFile.WriteString(fmt.Sprintf("%d", pid)) _, err = pidFile.WriteString(fmt.Sprintf("%d", pid))
if err != nil { if err != nil {
return fmt.Errorf("could not write to pid file: %v", err) return errwrap.Wrapf("could not write to pid file: {{err}}", err)
} }
return nil return nil
} }

26
command/server/config.go
View File

@@ -10,6 +10,7 @@ import (
"strings" "strings"
"time" "time"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog" log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
@@ -430,49 +431,49 @@ func ParseConfig(d string, logger log.Logger) (*Config, error) {
// Look for storage but still support old backend // Look for storage but still support old backend
if o := list.Filter("storage"); len(o.Items) > 0 { if o := list.Filter("storage"); len(o.Items) > 0 {
if err := parseStorage(&result, o, "storage"); err != nil { if err := parseStorage(&result, o, "storage"); err != nil {
return nil, fmt.Errorf("error parsing 'storage': %s", err) return nil, errwrap.Wrapf("error parsing 'storage': {{err}}", err)
} }
} else { } else {
if o := list.Filter("backend"); len(o.Items) > 0 { if o := list.Filter("backend"); len(o.Items) > 0 {
if err := parseStorage(&result, o, "backend"); err != nil { if err := parseStorage(&result, o, "backend"); err != nil {
return nil, fmt.Errorf("error parsing 'backend': %s", err) return nil, errwrap.Wrapf("error parsing 'backend': {{err}}", err)
} }
} }
} }
if o := list.Filter("ha_storage"); len(o.Items) > 0 { if o := list.Filter("ha_storage"); len(o.Items) > 0 {
if err := parseHAStorage(&result, o, "ha_storage"); err != nil { if err := parseHAStorage(&result, o, "ha_storage"); err != nil {
return nil, fmt.Errorf("error parsing 'ha_storage': %s", err) return nil, errwrap.Wrapf("error parsing 'ha_storage': {{err}}", err)
} }
} else { } else {
if o := list.Filter("ha_backend"); len(o.Items) > 0 { if o := list.Filter("ha_backend"); len(o.Items) > 0 {
if err := parseHAStorage(&result, o, "ha_backend"); err != nil { if err := parseHAStorage(&result, o, "ha_backend"); err != nil {
return nil, fmt.Errorf("error parsing 'ha_backend': %s", err) return nil, errwrap.Wrapf("error parsing 'ha_backend': {{err}}", err)
} }
} }
} }
if o := list.Filter("hsm"); len(o.Items) > 0 { if o := list.Filter("hsm"); len(o.Items) > 0 {
if err := parseSeal(&result, o, "hsm"); err != nil { if err := parseSeal(&result, o, "hsm"); err != nil {
return nil, fmt.Errorf("error parsing 'hsm': %s", err) return nil, errwrap.Wrapf("error parsing 'hsm': {{err}}", err)
} }
} }
if o := list.Filter("seal"); len(o.Items) > 0 { if o := list.Filter("seal"); len(o.Items) > 0 {
if err := parseSeal(&result, o, "seal"); err != nil { if err := parseSeal(&result, o, "seal"); err != nil {
return nil, fmt.Errorf("error parsing 'seal': %s", err) return nil, errwrap.Wrapf("error parsing 'seal': {{err}}", err)
} }
} }
if o := list.Filter("listener"); len(o.Items) > 0 { if o := list.Filter("listener"); len(o.Items) > 0 {
if err := parseListeners(&result, o); err != nil { if err := parseListeners(&result, o); err != nil {
return nil, fmt.Errorf("error parsing 'listener': %s", err) return nil, errwrap.Wrapf("error parsing 'listener': {{err}}", err)
} }
} }
if o := list.Filter("telemetry"); len(o.Items) > 0 { if o := list.Filter("telemetry"); len(o.Items) > 0 {
if err := parseTelemetry(&result, o); err != nil { if err := parseTelemetry(&result, o); err != nil {
return nil, fmt.Errorf("error parsing 'telemetry': %s", err) return nil, errwrap.Wrapf("error parsing 'telemetry': {{err}}", err)
} }
} }
@@ -493,9 +494,7 @@ func LoadConfigDir(dir string, logger log.Logger) (*Config, error) {
return nil, err return nil, err
} }
if !fi.IsDir() { if !fi.IsDir() {
return nil, fmt.Errorf( return nil, fmt.Errorf("configuration path must be a directory: %q", dir)
"configuration path must be a directory: %s",
dir)
} }
var files []string var files []string
@@ -534,7 +533,7 @@ func LoadConfigDir(dir string, logger log.Logger) (*Config, error) {
for _, f := range files { for _, f := range files {
config, err := LoadConfigFile(f, logger) config, err := LoadConfigFile(f, logger)
if err != nil { if err != nil {
return nil, fmt.Errorf("Error loading %s: %s", f, err) return nil, errwrap.Wrapf(fmt.Sprintf("error loading %q: {{err}}", f), err)
} }
if result == nil { if result == nil {
@@ -866,8 +865,7 @@ func checkHCLKeys(node ast.Node, valid []string) error {
for _, item := range list.Items { for _, item := range list.Items {
key := item.Keys[0].Token.Value().(string) key := item.Keys[0].Token.Value().(string)
if _, ok := validMap[key]; !ok { if _, ok := validMap[key]; !ok {
result = multierror.Append(result, fmt.Errorf( result = multierror.Append(result, fmt.Errorf("invalid key %q on line %d", key, item.Assign.Line))
"invalid key '%s' on line %d", key, item.Assign.Line))
} }
} }

20
command/server/listener.go
View File

@@ -32,7 +32,7 @@ var BuiltinListeners = map[string]ListenerFactory{
func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) { func NewListener(t string, config map[string]interface{}, logger io.Writer, ui cli.Ui) (net.Listener, map[string]string, reload.ReloadFunc, error) {
f, ok := BuiltinListeners[t] f, ok := BuiltinListeners[t]
if !ok { if !ok {
return nil, nil, nil, fmt.Errorf("unknown listener type: %s", t) return nil, nil, nil, fmt.Errorf("unknown listener type: %q", t)
} }
return f(config, logger, ui) return f(config, logger, ui)
@@ -58,12 +58,12 @@ func listenerWrapProxy(ln net.Listener, config map[string]interface{}) (net.List
Behavior: behavior, Behavior: behavior,
} }
if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil { if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {
return nil, fmt.Errorf("failed parsing proxy_protocol_authorized_addrs: %v", err) return nil, errwrap.Wrapf("failed parsing proxy_protocol_authorized_addrs: {{err}}", err)
} }
newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig) newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed configuring PROXY protocol wrapper: %s", err) return nil, errwrap.Wrapf("failed configuring PROXY protocol wrapper: {{err}}", err)
} }
return newLn, nil return newLn, nil
@@ -79,7 +79,7 @@ func listenerWrapTLS(
if v, ok := config["tls_disable"]; ok { if v, ok := config["tls_disable"]; ok {
disabled, err := parseutil.ParseBool(v) disabled, err := parseutil.ParseBool(v)
if err != nil { if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable': %v", err) return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable': {{err}}", err)
} }
if disabled { if disabled {
return ln, props, nil, nil return ln, props, nil, nil
@@ -128,21 +128,21 @@ PASSPHRASECORRECT:
tlsConf.NextProtos = []string{"h2", "http/1.1"} tlsConf.NextProtos = []string{"h2", "http/1.1"}
tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers] tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers]
if !ok { if !ok {
return nil, nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers) return nil, nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
} }
tlsConf.ClientAuth = tls.RequestClientCert tlsConf.ClientAuth = tls.RequestClientCert
if v, ok := config["tls_cipher_suites"]; ok { if v, ok := config["tls_cipher_suites"]; ok {
ciphers, err := tlsutil.ParseCiphers(v.(string)) ciphers, err := tlsutil.ParseCiphers(v.(string))
if err != nil { if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_cipher_suites': %v", err) return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_cipher_suites': {{err}}", err)
} }
tlsConf.CipherSuites = ciphers tlsConf.CipherSuites = ciphers
} }
if v, ok := config["tls_prefer_server_cipher_suites"]; ok { if v, ok := config["tls_prefer_server_cipher_suites"]; ok {
preferServer, err := parseutil.ParseBool(v) preferServer, err := parseutil.ParseBool(v)
if err != nil { if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_prefer_server_cipher_suites': %v", err) return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_prefer_server_cipher_suites': {{err}}", err)
} }
tlsConf.PreferServerCipherSuites = preferServer tlsConf.PreferServerCipherSuites = preferServer
} }
@@ -151,7 +151,7 @@ PASSPHRASECORRECT:
if v, ok := config["tls_require_and_verify_client_cert"]; ok { if v, ok := config["tls_require_and_verify_client_cert"]; ok {
requireVerifyCerts, err = parseutil.ParseBool(v) requireVerifyCerts, err = parseutil.ParseBool(v)
if err != nil { if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_require_and_verify_client_cert': %v", err) return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_require_and_verify_client_cert': {{err}}", err)
} }
if requireVerifyCerts { if requireVerifyCerts {
tlsConf.ClientAuth = tls.RequireAndVerifyClientCert tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
@@ -160,7 +160,7 @@ PASSPHRASECORRECT:
caPool := x509.NewCertPool() caPool := x509.NewCertPool()
data, err := ioutil.ReadFile(tlsClientCaFile.(string)) data, err := ioutil.ReadFile(tlsClientCaFile.(string))
if err != nil { if err != nil {
return nil, nil, nil, fmt.Errorf("failed to read tls_client_ca_file: %v", err) return nil, nil, nil, errwrap.Wrapf("failed to read tls_client_ca_file: {{err}}", err)
} }
if !caPool.AppendCertsFromPEM(data) { if !caPool.AppendCertsFromPEM(data) {
@@ -172,7 +172,7 @@ PASSPHRASECORRECT:
if v, ok := config["tls_disable_client_certs"]; ok { if v, ok := config["tls_disable_client_certs"]; ok {
disableClientCerts, err := parseutil.ParseBool(v) disableClientCerts, err := parseutil.ParseBool(v)
if err != nil { if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable_client_certs': %v", err) return nil, nil, nil, errwrap.Wrapf("invalid value for 'tls_disable_client_certs': {{err}}", err)
} }
if disableClientCerts && requireVerifyCerts { if disableClientCerts && requireVerifyCerts {
return nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive") return nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")

10
command/ssh.go
View File

@@ -11,6 +11,7 @@ import (
"strings" "strings"
"syscall" "syscall"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/builtin/logical/ssh" "github.com/hashicorp/vault/builtin/logical/ssh"
"github.com/mitchellh/cli" "github.com/mitchellh/cli"
@@ -697,15 +698,14 @@ func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) {
} }
secret, err := c.client.Logical().Write(mountPoint+"/lookup", data) secret, err := c.client.Logical().Write(mountPoint+"/lookup", data)
if err != nil { if err != nil {
return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err) return "", errwrap.Wrapf(fmt.Sprintf("error finding roles for IP %q: {{err}}", ip), err)
} }
if secret == nil || secret.Data == nil { if secret == nil || secret.Data == nil {
return "", fmt.Errorf("Error finding roles for IP %q: %q", ip, err) return "", errwrap.Wrapf(fmt.Sprintf("error finding roles for IP %q: {{err}}", ip), err)
} }
if secret.Data["roles"] == nil { if secret.Data["roles"] == nil {
return "", fmt.Errorf("No matching roles found for IP %q", ip) return "", fmt.Errorf("no matching roles found for IP %q", ip)
} }
if len(secret.Data["roles"].([]interface{})) == 1 { if len(secret.Data["roles"].([]interface{})) == 1 {
@@ -716,7 +716,7 @@ func (c *SSHCommand) defaultRole(mountPoint, ip string) (string, error) {
roleNames += item.(string) + ", " roleNames += item.(string) + ", "
} }
roleNames = strings.TrimRight(roleNames, ", ") roleNames = strings.TrimRight(roleNames, ", ")
return "", fmt.Errorf("Roles:%q. "+` return "", fmt.Errorf("Roles: %q. "+`
Multiple roles are registered for this IP. Multiple roles are registered for this IP.
Select a role using '-role' option. Select a role using '-role' option.
Note that all roles may not be permitted, based on ACLs.`, roleNames) Note that all roles may not be permitted, based on ACLs.`, roleNames)

17
command/token/helper_external.go
View File

@@ -8,6 +8,8 @@ import (
"path/filepath" "path/filepath"
"runtime" "runtime"
"strings" "strings"
"github.com/hashicorp/errwrap"
) )
// ExternalTokenHelperPath takes the configured path to a helper and expands it to // ExternalTokenHelperPath takes the configured path to a helper and expands it to
@@ -59,11 +61,10 @@ type ExternalTokenHelper struct {
func (h *ExternalTokenHelper) Erase() error { func (h *ExternalTokenHelper) Erase() error {
cmd, err := h.cmd("erase") cmd, err := h.cmd("erase")
if err != nil { if err != nil {
return fmt.Errorf("Error: %s", err) return err
} }
if output, err := cmd.CombinedOutput(); err != nil { if output, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf( return errwrap.Wrapf(fmt.Sprintf("%q: {{err}}", string(output)), err)
"Error: %s\n\n%s", err, string(output))
} }
return nil return nil
} }
@@ -73,13 +74,12 @@ func (h *ExternalTokenHelper) Get() (string, error) {
var buf, stderr bytes.Buffer var buf, stderr bytes.Buffer
cmd, err := h.cmd("get") cmd, err := h.cmd("get")
if err != nil { if err != nil {
return "", fmt.Errorf("Error: %s", err) return "", err
} }
cmd.Stdout = &buf cmd.Stdout = &buf
cmd.Stderr = &stderr cmd.Stderr = &stderr
if err := cmd.Run(); err != nil { if err := cmd.Run(); err != nil {
return "", fmt.Errorf( return "", errwrap.Wrapf(fmt.Sprintf("%q: {{err}}", stderr.String()), err)
"Error: %s\n\n%s", err, stderr.String())
} }
return buf.String(), nil return buf.String(), nil
@@ -90,12 +90,11 @@ func (h *ExternalTokenHelper) Store(v string) error {
buf := bytes.NewBufferString(v) buf := bytes.NewBufferString(v)
cmd, err := h.cmd("store") cmd, err := h.cmd("store")
if err != nil { if err != nil {
return fmt.Errorf("Error: %s", err) return err
} }
cmd.Stdin = buf cmd.Stdin = buf
if output, err := cmd.CombinedOutput(); err != nil { if output, err := cmd.CombinedOutput(); err != nil {
return fmt.Errorf( return errwrap.Wrapf(fmt.Sprintf("%q: {{err}}", string(output)), err)
"Error: %s\n\n%s", err, string(output))
} }
return nil return nil

2
command/token/helper_internal.go
View File

@@ -23,7 +23,7 @@ type InternalTokenHelper struct {
func (i *InternalTokenHelper) populateTokenPath() { func (i *InternalTokenHelper) populateTokenPath() {
homePath, err := homedir.Dir() homePath, err := homedir.Dir()
if err != nil { if err != nil {
panic(fmt.Errorf("error getting user's home directory: %v", err)) panic(fmt.Sprintf("error getting user's home directory: %v", err))
} }
i.tokenPath = homePath + "/.vault-token" i.tokenPath = homePath + "/.vault-token"
} }

11
helper/certutil/types.go
View File

@@ -20,6 +20,7 @@ import (
"math/big" "math/big"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
) )
@@ -293,10 +294,10 @@ func (p *ParsedCertBundle) Verify() error {
if p.PrivateKey != nil && p.Certificate != nil { if p.PrivateKey != nil && p.Certificate != nil {
equal, err := ComparePublicKeys(p.Certificate.PublicKey, p.PrivateKey.Public()) equal, err := ComparePublicKeys(p.Certificate.PublicKey, p.PrivateKey.Public())
if err != nil { if err != nil {
return fmt.Errorf("could not compare public and private keys: %s", err) return errwrap.Wrapf("could not compare public and private keys: {{err}}", err)
} }
if !equal { if !equal {
return fmt.Errorf("Public key of certificate does not match private key") return fmt.Errorf("public key of certificate does not match private key")
} }
} }
@@ -307,7 +308,7 @@ func (p *ParsedCertBundle) Verify() error {
return fmt.Errorf("certificate %d of certificate chain is not a certificate authority", i+1) return fmt.Errorf("certificate %d of certificate chain is not a certificate authority", i+1)
} }
if !bytes.Equal(certPath[i].Certificate.AuthorityKeyId, caCert.Certificate.SubjectKeyId) { if !bytes.Equal(certPath[i].Certificate.AuthorityKeyId, caCert.Certificate.SubjectKeyId) {
return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%s/%s)", return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%q/%q)",
i+1, certPath[i].Certificate.Subject.CommonName, caCert.Certificate.Subject.CommonName) i+1, certPath[i].Certificate.Subject.CommonName, caCert.Certificate.Subject.CommonName)
} }
} }
@@ -556,13 +557,13 @@ func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error) {
// Technically we only need one cert, but this doesn't duplicate code // Technically we only need one cert, but this doesn't duplicate code
certBundle, err := p.ToCertBundle() certBundle, err := p.ToCertBundle()
if err != nil { if err != nil {
return nil, fmt.Errorf("Error converting parsed bundle to string bundle when getting TLS config: %s", err) return nil, errwrap.Wrapf("error converting parsed bundle to string bundle when getting TLS config: {{err}}", err)
} }
caPool := x509.NewCertPool() caPool := x509.NewCertPool()
ok := caPool.AppendCertsFromPEM([]byte(certBundle.CAChain[0])) ok := caPool.AppendCertsFromPEM([]byte(certBundle.CAChain[0]))
if !ok { if !ok {
return nil, fmt.Errorf("Could not append CA certificate") return nil, fmt.Errorf("could not append CA certificate")
} }
if usage&TLSServer > 0 { if usage&TLSServer > 0 {

5
helper/cidrutil/cidr.go
View File

@@ -5,6 +5,7 @@ import (
"net" "net"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/strutil" "github.com/hashicorp/vault/helper/strutil"
) )
@@ -102,7 +103,7 @@ func Subset(cidr1, cidr2 string) (bool, error) {
ip1, net1, err := net.ParseCIDR(cidr1) ip1, net1, err := net.ParseCIDR(cidr1)
if err != nil { if err != nil {
return false, fmt.Errorf("failed to parse the CIDR to be checked against: %q", err) return false, errwrap.Wrapf("failed to parse the CIDR to be checked against: {{err}}", err)
} }
zeroAddr := false zeroAddr := false
@@ -120,7 +121,7 @@ func Subset(cidr1, cidr2 string) (bool, error) {
ip2, net2, err := net.ParseCIDR(cidr2) ip2, net2, err := net.ParseCIDR(cidr2)
if err != nil { if err != nil {
return false, fmt.Errorf("failed to parse the CIDR that needs to be checked: %q", err) return false, errwrap.Wrapf("failed to parse the CIDR that needs to be checked: {{err}}", err)
} }
zeroAddr = false zeroAddr = false

7
helper/compressutil/compress.go
View File

@@ -8,6 +8,7 @@ import (
"io" "io"
"github.com/golang/snappy" "github.com/golang/snappy"
"github.com/hashicorp/errwrap"
) )
const ( const (
@@ -107,7 +108,7 @@ func Compress(data []byte, config *CompressionConfig) ([]byte, error) {
} }
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create a compression writer; err: %v", err) return nil, errwrap.Wrapf("failed to create a compression writer: {{err}}", err)
} }
if writer == nil { if writer == nil {
@@ -117,7 +118,7 @@ func Compress(data []byte, config *CompressionConfig) ([]byte, error) {
// Compress the input and place it in the same buffer containing the // Compress the input and place it in the same buffer containing the
// canary byte. // canary byte.
if _, err = writer.Write(data); err != nil { if _, err = writer.Write(data); err != nil {
return nil, fmt.Errorf("failed to compress input data; err: %v", err) return nil, errwrap.Wrapf("failed to compress input data: err: {{err}}", err)
} }
// Close the io.WriteCloser // Close the io.WriteCloser
@@ -172,7 +173,7 @@ func Decompress(data []byte) ([]byte, bool, error) {
return nil, true, nil return nil, true, nil
} }
if err != nil { if err != nil {
return nil, false, fmt.Errorf("failed to create a compression reader; err: %v", err) return nil, false, errwrap.Wrapf("failed to create a compression reader: {{err}}", err)
} }
if reader == nil { if reader == nil {
return nil, false, fmt.Errorf("failed to create a compression reader") return nil, false, fmt.Errorf("failed to create a compression reader")

2
helper/flag-kv/flag.go
View File

@@ -16,7 +16,7 @@ func (v *Flag) String() string {
func (v *Flag) Set(raw string) error { func (v *Flag) Set(raw string) error {
idx := strings.Index(raw, "=") idx := strings.Index(raw, "=")
if idx == -1 { if idx == -1 {
return fmt.Errorf("No '=' value in arg: %s", raw) return fmt.Errorf("no '=' value in arg: %q", raw)
} }
if *v == nil { if *v == nil {

13
helper/identity/identity.go
View File

@@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"github.com/gogo/protobuf/proto" "github.com/gogo/protobuf/proto"
"github.com/hashicorp/errwrap"
) )
func (g *Group) Clone() (*Group, error) { func (g *Group) Clone() (*Group, error) {
@@ -13,13 +14,13 @@ func (g *Group) Clone() (*Group, error) {
marshaledGroup, err := proto.Marshal(g) marshaledGroup, err := proto.Marshal(g)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to marshal group: %v", err) return nil, errwrap.Wrapf("failed to marshal group: {{err}}", err)
} }
var clonedGroup Group var clonedGroup Group
err = proto.Unmarshal(marshaledGroup, &clonedGroup) err = proto.Unmarshal(marshaledGroup, &clonedGroup)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to unmarshal group: %v", err) return nil, errwrap.Wrapf("failed to unmarshal group: {{err}}", err)
} }
return &clonedGroup, nil return &clonedGroup, nil
@@ -32,13 +33,13 @@ func (e *Entity) Clone() (*Entity, error) {
marshaledEntity, err := proto.Marshal(e) marshaledEntity, err := proto.Marshal(e)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to marshal entity: %v", err) return nil, errwrap.Wrapf("failed to marshal entity: {{err}}", err)
} }
var clonedEntity Entity var clonedEntity Entity
err = proto.Unmarshal(marshaledEntity, &clonedEntity) err = proto.Unmarshal(marshaledEntity, &clonedEntity)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to unmarshal entity: %v", err) return nil, errwrap.Wrapf("failed to unmarshal entity: {{err}}", err)
} }
return &clonedEntity, nil return &clonedEntity, nil
@@ -51,13 +52,13 @@ func (p *Alias) Clone() (*Alias, error) {
marshaledAlias, err := proto.Marshal(p) marshaledAlias, err := proto.Marshal(p)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to marshal alias: %v", err) return nil, errwrap.Wrapf("failed to marshal alias: {{err}}", err)
} }
var clonedAlias Alias var clonedAlias Alias
err = proto.Unmarshal(marshaledAlias, &clonedAlias) err = proto.Unmarshal(marshaledAlias, &clonedAlias)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to unmarshal alias: %v", err) return nil, errwrap.Wrapf("failed to unmarshal alias: {{err}}", err)
} }
return &clonedAlias, nil return &clonedAlias, nil

3
helper/jsonutil/json.go
View File

@@ -7,6 +7,7 @@ import (
"fmt" "fmt"
"io" "io"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/compressutil" "github.com/hashicorp/vault/helper/compressutil"
) )
@@ -64,7 +65,7 @@ func DecodeJSON(data []byte, out interface{}) error {
// Decompress the data if it was compressed in the first place // Decompress the data if it was compressed in the first place
decompressedBytes, uncompressed, err := compressutil.Decompress(data) decompressedBytes, uncompressed, err := compressutil.Decompress(data)
if err != nil { if err != nil {
return fmt.Errorf("failed to decompress JSON: err: %v", err) return errwrap.Wrapf("failed to decompress JSON: {{err}}", err)
} }
if !uncompressed && (decompressedBytes == nil || len(decompressedBytes) == 0) { if !uncompressed && (decompressedBytes == nil || len(decompressedBytes) == 0) {
return fmt.Errorf("decompressed data being decoded is invalid") return fmt.Errorf("decompressed data being decoded is invalid")

9
helper/keysutil/lock_manager.go
View File

@@ -8,6 +8,7 @@ import (
"sync" "sync"
"time" "time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
) )
@@ -270,7 +271,7 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
if keyData.ArchivedKeys != nil { if keyData.ArchivedKeys != nil {
err = keyData.Policy.storeArchive(ctx, storage, keyData.ArchivedKeys) err = keyData.Policy.storeArchive(ctx, storage, keyData.ArchivedKeys)
if err != nil { if err != nil {
return fmt.Errorf("failed to restore archived keys for policy %q: %v", name, err) return errwrap.Wrapf(fmt.Sprintf("failed to restore archived keys for policy %q: {{err}}", name), err)
} }
} }
@@ -283,7 +284,7 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
// Restore the policy. This will also attempt to adjust the archive. // Restore the policy. This will also attempt to adjust the archive.
err = keyData.Policy.Persist(ctx, storage) err = keyData.Policy.Persist(ctx, storage)
if err != nil { if err != nil {
return fmt.Errorf("failed to restore the policy %q: %v", name, err) return errwrap.Wrapf(fmt.Sprintf("failed to restore the policy %q: {{err}}", name), err)
} }
// Update the cache to contain the restored policy // Update the cache to contain the restored policy
@@ -484,12 +485,12 @@ func (lm *LockManager) DeletePolicy(ctx context.Context, storage logical.Storage
err = storage.Delete(ctx, "policy/"+name) err = storage.Delete(ctx, "policy/"+name)
if err != nil { if err != nil {
return fmt.Errorf("error deleting policy %s: %s", name, err) return errwrap.Wrapf(fmt.Sprintf("error deleting policy %q: {{err}}", name), err)
} }
err = storage.Delete(ctx, "archive/"+name) err = storage.Delete(ctx, "archive/"+name)
if err != nil { if err != nil {
return fmt.Errorf("error deleting archive %s: %s", name, err) return errwrap.Wrapf(fmt.Sprintf("error deleting archive %q: {{err}}", name), err)
} }
if lm.CacheActive() { if lm.CacheActive() {

5
helper/keysutil/policy.go
View File

@@ -30,6 +30,7 @@ import (
"golang.org/x/crypto/ed25519" "golang.org/x/crypto/ed25519"
"golang.org/x/crypto/hkdf" "golang.org/x/crypto/hkdf"
"github.com/hashicorp/errwrap"
uuid "github.com/hashicorp/go-uuid" uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/helper/errutil"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
@@ -1227,7 +1228,7 @@ func (p *Policy) Rotate(ctx context.Context, storage logical.Storage) (retErr er
entry.EC_Y = privKey.Y entry.EC_Y = privKey.Y
derBytes, err := x509.MarshalPKIXPublicKey(privKey.Public()) derBytes, err := x509.MarshalPKIXPublicKey(privKey.Public())
if err != nil { if err != nil {
return fmt.Errorf("error marshaling public key: %s", err) return errwrap.Wrapf("error marshaling public key: {{err}}", err)
} }
pemBlock := &pem.Block{ pemBlock := &pem.Block{
Type: "PUBLIC KEY", Type: "PUBLIC KEY",
@@ -1308,7 +1309,7 @@ func (p *Policy) Backup(ctx context.Context, storage logical.Storage) (out strin
} }
err := p.Persist(ctx, storage) err := p.Persist(ctx, storage)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to persist policy with backup info: %v", err) return "", errwrap.Wrapf("failed to persist policy with backup info: {{err}}", err)
} }
// Load the archive only after persisting the policy as the archive can get // Load the archive only after persisting the policy as the archive can get

5
helper/kv-builder/builder.go
View File

@@ -8,6 +8,7 @@ import (
"os" "os"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
"github.com/mitchellh/mapstructure" "github.com/mitchellh/mapstructure"
) )
@@ -30,7 +31,7 @@ func (b *Builder) Map() map[string]interface{} {
func (b *Builder) Add(args ...string) error { func (b *Builder) Add(args ...string) error {
for _, a := range args { for _, a := range args {
if err := b.add(a); err != nil { if err := b.add(a); err != nil {
return fmt.Errorf("Invalid key/value pair '%s': %s", a, err) return errwrap.Wrapf(fmt.Sprintf("invalid key/value pair %q: {{err}}", a), err)
} }
} }
@@ -87,7 +88,7 @@ func (b *Builder) add(raw string) error {
if value[0] == '@' { if value[0] == '@' {
contents, err := ioutil.ReadFile(value[1:]) contents, err := ioutil.ReadFile(value[1:])
if err != nil { if err != nil {
return fmt.Errorf("error reading file: %s", err) return errwrap.Wrapf("error reading file: {{err}}", err)
} }
value = string(contents) value = string(contents)

4
helper/mfa/duo/path_duo_access.go
View File

@@ -70,7 +70,7 @@ func GetDuoAuthClient(ctx context.Context, req *logical.Request, config *DuoConf
return nil, err return nil, err
} }
if check == nil { if check == nil {
return nil, fmt.Errorf("Could not connect to Duo; got nil result back from API check call") return nil, fmt.Errorf("could not connect to Duo; got nil result back from API check call")
} }
var msg, detail string var msg, detail string
if check.StatResult.Message != nil { if check.StatResult.Message != nil {
@@ -80,7 +80,7 @@ func GetDuoAuthClient(ctx context.Context, req *logical.Request, config *DuoConf
detail = *check.StatResult.Message_Detail detail = *check.StatResult.Message_Detail
} }
if check.StatResult.Stat != "OK" { if check.StatResult.Stat != "OK" {
return nil, fmt.Errorf("Could not connect to Duo: %s (%s)", msg, detail) return nil, fmt.Errorf("could not connect to Duo: %q (%q)", msg, detail)
} }
return duoAuthClient, nil return duoAuthClient, nil
} }

2
helper/password/password_solaris.go
View File

@@ -13,7 +13,7 @@ import (
func read(f *os.File) (string, error) { func read(f *os.File) (string, error) {
fd := int(f.Fd()) fd := int(f.Fd())
if !isTerminal(fd) { if !isTerminal(fd) {
return "", fmt.Errorf("File descriptor %d is not a terminal", fd) return "", fmt.Errorf("file descriptor %d is not a terminal", fd)
} }
oldState, err := makeRaw(fd) oldState, err := makeRaw(fd)

2
helper/password/password_unix.go
View File

@@ -12,7 +12,7 @@ import (
func read(f *os.File) (string, error) { func read(f *os.File) (string, error) {
fd := int(f.Fd()) fd := int(f.Fd())
if !terminal.IsTerminal(fd) { if !terminal.IsTerminal(fd) {
return "", fmt.Errorf("File descriptor %d is not a terminal", fd) return "", fmt.Errorf("file descriptor %d is not a terminal", fd)
} }
oldState, err := terminal.MakeRaw(fd) oldState, err := terminal.MakeRaw(fd)

19
helper/pgpkeys/encrypt_decrypt.go
View File

@@ -5,6 +5,7 @@ import (
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
"github.com/keybase/go-crypto/openpgp" "github.com/keybase/go-crypto/openpgp"
"github.com/keybase/go-crypto/openpgp/packet" "github.com/keybase/go-crypto/openpgp/packet"
) )
@@ -17,7 +18,7 @@ import (
// thoroughly tested in the init and rekey command unit tests // thoroughly tested in the init and rekey command unit tests
func EncryptShares(input [][]byte, pgpKeys []string) ([]string, [][]byte, error) { func EncryptShares(input [][]byte, pgpKeys []string) ([]string, [][]byte, error) {
if len(input) != len(pgpKeys) { if len(input) != len(pgpKeys) {
return nil, nil, fmt.Errorf("Mismatch between number items to encrypt and number of PGP keys") return nil, nil, fmt.Errorf("mismatch between number items to encrypt and number of PGP keys")
} }
encryptedShares := make([][]byte, 0, len(pgpKeys)) encryptedShares := make([][]byte, 0, len(pgpKeys))
entities, err := GetEntities(pgpKeys) entities, err := GetEntities(pgpKeys)
@@ -28,11 +29,11 @@ func EncryptShares(input [][]byte, pgpKeys []string) ([]string, [][]byte, error)
ctBuf := bytes.NewBuffer(nil) ctBuf := bytes.NewBuffer(nil)
pt, err := openpgp.Encrypt(ctBuf, []*openpgp.Entity{entity}, nil, nil, nil) pt, err := openpgp.Encrypt(ctBuf, []*openpgp.Entity{entity}, nil, nil, nil)
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("Error setting up encryption for PGP message: %s", err) return nil, nil, errwrap.Wrapf("error setting up encryption for PGP message: {{err}}", err)
} }
_, err = pt.Write(input[i]) _, err = pt.Write(input[i])
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("Error encrypting PGP message: %s", err) return nil, nil, errwrap.Wrapf("error encrypting PGP message: {{err}}", err)
} }
pt.Close() pt.Close()
encryptedShares = append(encryptedShares, ctBuf.Bytes()) encryptedShares = append(encryptedShares, ctBuf.Bytes())
@@ -72,11 +73,11 @@ func GetEntities(pgpKeys []string) ([]*openpgp.Entity, error) {
for _, keystring := range pgpKeys { for _, keystring := range pgpKeys {
data, err := base64.StdEncoding.DecodeString(keystring) data, err := base64.StdEncoding.DecodeString(keystring)
if err != nil { if err != nil {
return nil, fmt.Errorf("Error decoding given PGP key: %s", err) return nil, errwrap.Wrapf("error decoding given PGP key: {{err}}", err)
} }
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(data))) entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(data)))
if err != nil { if err != nil {
return nil, fmt.Errorf("Error parsing given PGP key: %s", err) return nil, errwrap.Wrapf("error parsing given PGP key: {{err}}", err)
} }
ret = append(ret, entity) ret = append(ret, entity)
} }
@@ -91,23 +92,23 @@ func GetEntities(pgpKeys []string) ([]*openpgp.Entity, error) {
func DecryptBytes(encodedCrypt, privKey string) (*bytes.Buffer, error) { func DecryptBytes(encodedCrypt, privKey string) (*bytes.Buffer, error) {
privKeyBytes, err := base64.StdEncoding.DecodeString(privKey) privKeyBytes, err := base64.StdEncoding.DecodeString(privKey)
if err != nil { if err != nil {
return nil, fmt.Errorf("Error decoding base64 private key: %s", err) return nil, errwrap.Wrapf("error decoding base64 private key: {{err}}", err)
} }
cryptBytes, err := base64.StdEncoding.DecodeString(encodedCrypt) cryptBytes, err := base64.StdEncoding.DecodeString(encodedCrypt)
if err != nil { if err != nil {
return nil, fmt.Errorf("Error decoding base64 crypted bytes: %s", err) return nil, errwrap.Wrapf("error decoding base64 crypted bytes: {{err}}", err)
} }
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(privKeyBytes))) entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(privKeyBytes)))
if err != nil { if err != nil {
return nil, fmt.Errorf("Error parsing private key: %s", err) return nil, errwrap.Wrapf("error parsing private key: {{err}}", err)
} }
entityList := &openpgp.EntityList{entity} entityList := &openpgp.EntityList{entity}
md, err := openpgp.ReadMessage(bytes.NewBuffer(cryptBytes), entityList, nil, nil) md, err := openpgp.ReadMessage(bytes.NewBuffer(cryptBytes), entityList, nil, nil)
if err != nil { if err != nil {
return nil, fmt.Errorf("Error decrypting the messages: %s", err) return nil, errwrap.Wrapf("error decrypting the messages: {{err}}", err)
} }
ptBuf := bytes.NewBuffer(nil) ptBuf := bytes.NewBuffer(nil)

7
helper/pgpkeys/flag.go
View File

@@ -8,6 +8,7 @@ import (
"os" "os"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/keybase/go-crypto/openpgp" "github.com/keybase/go-crypto/openpgp"
) )
@@ -115,16 +116,16 @@ func ReadPGPFile(path string) (string, error) {
entityList, err := openpgp.ReadArmoredKeyRing(keyReader) entityList, err := openpgp.ReadArmoredKeyRing(keyReader)
if err == nil { if err == nil {
if len(entityList) != 1 { if len(entityList) != 1 {
return "", fmt.Errorf("more than one key found in file %s", path) return "", fmt.Errorf("more than one key found in file %q", path)
} }
if entityList[0] == nil { if entityList[0] == nil {
return "", fmt.Errorf("primary key was nil for file %s", path) return "", fmt.Errorf("primary key was nil for file %q", path)
} }
serializedEntity := bytes.NewBuffer(nil) serializedEntity := bytes.NewBuffer(nil)
err = entityList[0].Serialize(serializedEntity) err = entityList[0].Serialize(serializedEntity)
if err != nil { if err != nil {
return "", fmt.Errorf("error serializing entity for file %s: %s", path, err) return "", errwrap.Wrapf(fmt.Sprintf("error serializing entity for file %q: {{err}}", path), err)
} }
return base64.StdEncoding.EncodeToString(serializedEntity.Bytes()), nil return base64.StdEncoding.EncodeToString(serializedEntity.Bytes()), nil

11
helper/pgpkeys/keybase.go
View File

@@ -6,6 +6,7 @@ import (
"fmt" "fmt"
"strings" "strings"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
"github.com/keybase/go-crypto/openpgp" "github.com/keybase/go-crypto/openpgp"
@@ -75,7 +76,7 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) {
} }
if out.Status.Name != "OK" { if out.Status.Name != "OK" {
return nil, fmt.Errorf("got non-OK response: %s", out.Status.Name) return nil, fmt.Errorf("got non-OK response: %q", out.Status.Name)
} }
missingNames := make([]string, 0, len(usernames)) missingNames := make([]string, 0, len(usernames))
@@ -92,16 +93,16 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) {
return nil, err return nil, err
} }
if len(entityList) != 1 { if len(entityList) != 1 {
return nil, fmt.Errorf("primary key could not be parsed for user %s", usernames[i]) return nil, fmt.Errorf("primary key could not be parsed for user %q", usernames[i])
} }
if entityList[0] == nil { if entityList[0] == nil {
return nil, fmt.Errorf("primary key was nil for user %s", usernames[i]) return nil, fmt.Errorf("primary key was nil for user %q", usernames[i])
} }
serializedEntity.Reset() serializedEntity.Reset()
err = entityList[0].Serialize(serializedEntity) err = entityList[0].Serialize(serializedEntity)
if err != nil { if err != nil {
return nil, fmt.Errorf("error serializing entity for user %s: %s", usernames[i], err) return nil, errwrap.Wrapf(fmt.Sprintf("error serializing entity for user %q: {{err}}", usernames[i]), err)
} }
// The API returns values in the same ordering requested, so this should properly match // The API returns values in the same ordering requested, so this should properly match
@@ -109,7 +110,7 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) {
} }
if len(missingNames) > 0 { if len(missingNames) > 0 {
return nil, fmt.Errorf("unable to fetch keys for user(s) %s from keybase", strings.Join(missingNames, ",")) return nil, fmt.Errorf("unable to fetch keys for user(s) %q from keybase", strings.Join(missingNames, ","))
} }
return ret, nil return ret, nil

15
helper/pluginutil/tls.go
View File

@@ -10,7 +10,6 @@ import (
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/base64" "encoding/base64"
"errors" "errors"
"fmt"
"net/url" "net/url"
"os" "os"
"time" "time"
@@ -79,7 +78,7 @@ func generateCert() ([]byte, *ecdsa.PrivateKey, error) {
func createClientTLSConfig(certBytes []byte, key *ecdsa.PrivateKey) (*tls.Config, error) { func createClientTLSConfig(certBytes []byte, key *ecdsa.PrivateKey) (*tls.Config, error) {
clientCert, err := x509.ParseCertificate(certBytes) clientCert, err := x509.ParseCertificate(certBytes)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing generated plugin certificate: %v", err) return nil, errwrap.Wrapf("error parsing generated plugin certificate: {{err}}", err)
} }
cert := tls.Certificate{ cert := tls.Certificate{
@@ -137,7 +136,7 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
// Parse the JWT and retrieve the vault address // Parse the JWT and retrieve the vault address
wt, err := jws.ParseJWT([]byte(unwrapToken)) wt, err := jws.ParseJWT([]byte(unwrapToken))
if err != nil { if err != nil {
return nil, fmt.Errorf("error decoding token: %s", err) return nil, errwrap.Wrapf("error decoding token: {{err}}", err)
} }
if wt == nil { if wt == nil {
return nil, errors.New("nil decoded token") return nil, errors.New("nil decoded token")
@@ -157,7 +156,7 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
// Sanity check the value // Sanity check the value
if _, err := url.Parse(vaultAddr); err != nil { if _, err := url.Parse(vaultAddr); err != nil {
return nil, fmt.Errorf("error parsing the vault api_addr: %s", err) return nil, errwrap.Wrapf("error parsing the vault api_addr: {{err}}", err)
} }
// Unwrap the token // Unwrap the token
@@ -190,12 +189,12 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw) serverCertBytes, err := base64.StdEncoding.DecodeString(serverCertBytesRaw)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err) return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
} }
serverCert, err := x509.ParseCertificate(serverCertBytes) serverCert, err := x509.ParseCertificate(serverCertBytes)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err) return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
} }
// Retrieve and parse the server's private key // Retrieve and parse the server's private key
@@ -206,12 +205,12 @@ func VaultPluginTLSProvider(apiTLSConfig *api.TLSConfig) func() (*tls.Config, er
serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64) serverKeyRaw, err := base64.StdEncoding.DecodeString(serverKeyB64)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err) return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
} }
serverKey, err := x509.ParseECPrivateKey(serverKeyRaw) serverKey, err := x509.ParseECPrivateKey(serverKeyRaw)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing certificate: %v", err) return nil, errwrap.Wrapf("error parsing certificate: {{err}}", err)
} }
// Add CA cert to the cert pool // Add CA cert to the cert pool

7
helper/salt/salt.go
View File

@@ -9,6 +9,7 @@ import (
"fmt" "fmt"
"hash" "hash"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
) )
@@ -78,7 +79,7 @@ func NewSalt(ctx context.Context, view logical.Storage, config *Config) (*Salt,
if view != nil { if view != nil {
raw, err = view.Get(ctx, config.Location) raw, err = view.Get(ctx, config.Location)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read salt: %v", err) return nil, errwrap.Wrapf("failed to read salt: {{err}}", err)
} }
} }
@@ -91,7 +92,7 @@ func NewSalt(ctx context.Context, view logical.Storage, config *Config) (*Salt,
if s.salt == "" { if s.salt == "" {
s.salt, err = uuid.GenerateUUID() s.salt, err = uuid.GenerateUUID()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to generate uuid: %v", err) return nil, errwrap.Wrapf("failed to generate uuid: {{err}}", err)
} }
s.generated = true s.generated = true
if view != nil { if view != nil {
@@ -100,7 +101,7 @@ func NewSalt(ctx context.Context, view logical.Storage, config *Config) (*Salt,
Value: []byte(s.salt), Value: []byte(s.salt),
} }
if err := view.Put(ctx, raw); err != nil { if err := view.Put(ctx, raw); err != nil {
return nil, fmt.Errorf("failed to persist salt: %v", err) return nil, errwrap.Wrapf("failed to persist salt: {{err}}", err)
} }
} }
} }

7
helper/strutil/strutil.go
View File

@@ -7,6 +7,7 @@ import (
"sort" "sort"
"strings" "strings"
"github.com/hashicorp/errwrap"
glob "github.com/ryanuber/go-glob" glob "github.com/ryanuber/go-glob"
) )
@@ -89,7 +90,7 @@ func ParseKeyValues(input string, out map[string]string, sep string) error {
key := strings.TrimSpace(shards[0]) key := strings.TrimSpace(shards[0])
value := strings.TrimSpace(shards[1]) value := strings.TrimSpace(shards[1])
if key == "" || value == "" { if key == "" || value == "" {
return fmt.Errorf("invalid <key,value> pair: key:'%s' value:'%s'", key, value) return fmt.Errorf("invalid <key,value> pair: key: %q value: %q", key, value)
} }
out[key] = value out[key] = value
} }
@@ -129,14 +130,14 @@ func ParseArbitraryKeyValues(input string, out map[string]string, sep string) er
// If JSON unmarshalling fails, consider that the input was // If JSON unmarshalling fails, consider that the input was
// supplied as a comma separated string of 'key=value' pairs. // supplied as a comma separated string of 'key=value' pairs.
if err = ParseKeyValues(input, out, sep); err != nil { if err = ParseKeyValues(input, out, sep); err != nil {
return fmt.Errorf("failed to parse the input: %v", err) return errwrap.Wrapf("failed to parse the input: {{err}}", err)
} }
} }
// Validate the parsed input // Validate the parsed input
for key, value := range out { for key, value := range out {
if key != "" && value == "" { if key != "" && value == "" {
return fmt.Errorf("invalid value for key '%s'", key) return fmt.Errorf("invalid value for key %q", key)
} }
} }

6
helper/xor/xor.go
View File

@@ -3,6 +3,8 @@ package xor
import ( import (
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"github.com/hashicorp/errwrap"
) )
// XORBytes takes two byte slices and XORs them together, returning the final // XORBytes takes two byte slices and XORs them together, returning the final
@@ -28,7 +30,7 @@ func XORBytes(a, b []byte) ([]byte, error) {
func XORBase64(a, b string) ([]byte, error) { func XORBase64(a, b string) ([]byte, error) {
aBytes, err := base64.StdEncoding.DecodeString(a) aBytes, err := base64.StdEncoding.DecodeString(a)
if err != nil { if err != nil {
return nil, fmt.Errorf("error decoding first base64 value: %v", err) return nil, errwrap.Wrapf("error decoding first base64 value: {{err}}", err)
} }
if aBytes == nil || len(aBytes) == 0 { if aBytes == nil || len(aBytes) == 0 {
return nil, fmt.Errorf("decoded first base64 value is nil or empty") return nil, fmt.Errorf("decoded first base64 value is nil or empty")
@@ -36,7 +38,7 @@ func XORBase64(a, b string) ([]byte, error) {
bBytes, err := base64.StdEncoding.DecodeString(b) bBytes, err := base64.StdEncoding.DecodeString(b)
if err != nil { if err != nil {
return nil, fmt.Errorf("error decoding second base64 value: %v", err) return nil, errwrap.Wrapf("error decoding second base64 value: {{err}}", err)
} }
if bBytes == nil || len(bBytes) == 0 { if bBytes == nil || len(bBytes) == 0 {
return nil, fmt.Errorf("decoded second base64 value is nil or empty") return nil, fmt.Errorf("decoded second base64 value is nil or empty")

2
http/handler.go
View File

@@ -134,7 +134,7 @@ func wrappingVerificationFunc(core *vault.Core, req *logical.Request) error {
valid, err := core.ValidateWrappingToken(req) valid, err := core.ValidateWrappingToken(req)
if err != nil { if err != nil {
return fmt.Errorf("error validating wrapping token: %v", err) return errwrap.Wrapf("error validating wrapping token: {{err}}", err)
} }
if !valid { if !valid {
return fmt.Errorf("wrapping token is not valid or does not exist") return fmt.Errorf("wrapping token is not valid or does not exist")

3
http/sys_generate_root.go
View File

@@ -36,8 +36,7 @@ func handleSysGenerateRootAttemptGet(core *vault.Core, w http.ResponseWriter, r
return return
} }
if barrierConfig == nil { if barrierConfig == nil {
respondError(w, http.StatusBadRequest, fmt.Errorf( respondError(w, http.StatusBadRequest, fmt.Errorf("server is not yet initialized"))
"server is not yet initialized"))
return return
} }

Some files were not shown because too many files have changed in this diff Show More