From c41d6ba434ce7d62b84ec43cbfe2717a77cab1e2 Mon Sep 17 00:00:00 2001 
From: Tim Gross Date: Fri, 2 Aug 2019 15:35:51 -0400 Subject: [PATCH 1/2] update consul-template to latest version pulls in configuration option for blacklisting template functions from: https://github.com/hashicorp/consul-template/pull/1243 https://github.com/hashicorp/consul-template/pull/1246 pulls in configuration option for file sandboxing from: https://github.com/hashicorp/consul-template/pull/1249 https://github.com/hashicorp/consul-template/pull/1254 pulls in vault KVv2 read fixes from: https://github.com/hashicorp/consul-template/pull/1253 --- vendor/github.com/BurntSushi/toml/COMPATIBLE | 3 + vendor/github.com/BurntSushi/toml/COPYING | 21 + .../{burntsushi => BurntSushi}/toml/Makefile | 0 .../{burntsushi => BurntSushi}/toml/README.md | 18 +- .../{burntsushi => BurntSushi}/toml/decode.go | 0 .../toml/decode_meta.go | 0 .../{burntsushi => BurntSushi}/toml/doc.go | 2 +- .../{burntsushi => BurntSushi}/toml/encode.go | 2 +- .../toml/encoding_types.go | 0 .../toml/encoding_types_1.1.go | 0 .../{burntsushi => BurntSushi}/toml/lex.go | 263 ++++--- .../{burntsushi => BurntSushi}/toml/parse.go | 35 + .../toml/session.vim | 0 .../toml/type_check.go | 0 .../toml/type_fields.go | 0 vendor/github.com/burntsushi/toml/COMPATIBLE | 3 - vendor/github.com/burntsushi/toml/COPYING | 14 - .../hashicorp/consul-template/CHANGELOG.md | 19 +- .../hashicorp/consul-template/Gopkg.lock | 696 ------------------ .../hashicorp/consul-template/Gopkg.toml | 64 -- .../hashicorp/consul-template/Makefile | 37 +- .../hashicorp/consul-template/README.md | 24 +- .../consul-template/config/template.go | 29 + .../hashicorp/consul-template/config/vault.go | 24 +- .../consul-template/dependency/vault_read.go | 8 +- .../consul-template/dependency/vault_write.go | 4 +- .../hashicorp/consul-template/go.mod | 42 ++ .../hashicorp/consul-template/go.sum | 228 ++++++ .../consul-template/manager/dedup.go | 32 +- .../consul-template/manager/runner.go | 77 +- .../consul-template/template/funcs.go | 34 +- 
.../consul-template/template/template.go | 57 +- .../consul-template/version/version.go | 2 +- vendor/vendor.json | 24 +- 34 files changed, 771 insertions(+), 991 deletions(-) create mode 100644 vendor/github.com/BurntSushi/toml/COMPATIBLE create mode 100644 vendor/github.com/BurntSushi/toml/COPYING rename vendor/github.com/{burntsushi => BurntSushi}/toml/Makefile (100%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/README.md (88%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/decode.go (100%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/decode_meta.go (100%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/doc.go (94%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/encode.go (99%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/encoding_types.go (100%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/encoding_types_1.1.go (100%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/lex.go (73%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/parse.go (94%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/session.vim (100%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/type_check.go (100%) rename vendor/github.com/{burntsushi => BurntSushi}/toml/type_fields.go (100%) delete mode 100644 vendor/github.com/burntsushi/toml/COMPATIBLE delete mode 100644 vendor/github.com/burntsushi/toml/COPYING delete mode 100644 vendor/github.com/hashicorp/consul-template/Gopkg.lock delete mode 100644 vendor/github.com/hashicorp/consul-template/Gopkg.toml create mode 100644 vendor/github.com/hashicorp/consul-template/go.mod create mode 100644 vendor/github.com/hashicorp/consul-template/go.sum diff --git a/vendor/github.com/BurntSushi/toml/COMPATIBLE b/vendor/github.com/BurntSushi/toml/COMPATIBLE new file mode 100644 index 000000000000..6efcfd0ce55e --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/COMPATIBLE 
@@ -0,0 +1,3 @@
+Compatible with TOML version
+[v0.4.0](https://github.com/toml-lang/toml/blob/v0.4.0/versions/en/toml-v0.4.0.md)
+
diff --git a/vendor/github.com/BurntSushi/toml/COPYING b/vendor/github.com/BurntSushi/toml/COPYING
new file mode 100644
index 000000000000..01b5743200b8
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/COPYING
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 TOML authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/burntsushi/toml/Makefile b/vendor/github.com/BurntSushi/toml/Makefile
similarity index 100%
rename from vendor/github.com/burntsushi/toml/Makefile
rename to vendor/github.com/BurntSushi/toml/Makefile
diff --git a/vendor/github.com/burntsushi/toml/README.md b/vendor/github.com/BurntSushi/toml/README.md
similarity index 88%
rename from vendor/github.com/burntsushi/toml/README.md
rename to vendor/github.com/BurntSushi/toml/README.md
index 5a5df6370946..7c1b37ecc7a0 100644
--- a/vendor/github.com/burntsushi/toml/README.md +++ b/vendor/github.com/BurntSushi/toml/README.md @@ -1,17 +1,17 @@ ## TOML parser and encoder for Go with reflection TOML stands for Tom's Obvious, Minimal Language. This Go package provides a -reflection interface similar to Go's standard library `json` and `xml` +reflection interface similar to Go's standard library `json` and `xml` packages. This package also supports the `encoding.TextUnmarshaler` and -`encoding.TextMarshaler` interfaces so that you can define custom data +`encoding.TextMarshaler` interfaces so that you can define custom data representations. (There is an example of this below.) -Spec: https://github.com/mojombo/toml +Spec: https://github.com/toml-lang/toml Compatible with TOML version -[v0.2.0](https://github.com/toml-lang/toml/blob/master/versions/en/toml-v0.2.0.md) +[v0.4.0](https://github.com/toml-lang/toml/blob/master/versions/en/toml-v0.4.0.md) -Documentation: http://godoc.org/github.com/BurntSushi/toml +Documentation: https://godoc.org/github.com/BurntSushi/toml Installation: @@ -26,8 +26,7 @@ go get github.com/BurntSushi/toml/cmd/tomlv tomlv some-toml-file.toml ``` -[![Build status](https://api.travis-ci.org/BurntSushi/toml.png)](https://travis-ci.org/BurntSushi/toml) - +[![Build Status](https://travis-ci.org/BurntSushi/toml.svg?branch=master)](https://travis-ci.org/BurntSushi/toml) [![GoDoc](https://godoc.org/github.com/BurntSushi/toml?status.svg)](https://godoc.org/github.com/BurntSushi/toml) ### Testing @@ -87,7 +86,7 @@ type TOML struct { ### Using the `encoding.TextUnmarshaler` interface -Here's an example that automatically parses duration strings into +Here's an example that automatically parses duration strings into `time.Duration` values: ```toml @@ -120,7 +119,7 @@ for _, s := range favorites.Song { } ``` -And you'll also need a `duration` type that satisfies the +And you'll also need a `duration` type that satisfies the `encoding.TextUnmarshaler` interface: ```go 
@@ -217,4 +216,3 @@ Note that a case insensitive match will be tried if an exact match can't be found. A working example of the above can be found in `_examples/example.{go,toml}`. - diff --git a/vendor/github.com/burntsushi/toml/decode.go b/vendor/github.com/BurntSushi/toml/decode.go similarity index 100% rename from vendor/github.com/burntsushi/toml/decode.go rename to vendor/github.com/BurntSushi/toml/decode.go diff --git a/vendor/github.com/burntsushi/toml/decode_meta.go b/vendor/github.com/BurntSushi/toml/decode_meta.go similarity index 100% rename from vendor/github.com/burntsushi/toml/decode_meta.go rename to vendor/github.com/BurntSushi/toml/decode_meta.go diff --git a/vendor/github.com/burntsushi/toml/doc.go b/vendor/github.com/BurntSushi/toml/doc.go similarity index 94% rename from vendor/github.com/burntsushi/toml/doc.go rename to vendor/github.com/BurntSushi/toml/doc.go index fe26800041bd..b371f396edca 100644 --- a/vendor/github.com/burntsushi/toml/doc.go +++ b/vendor/github.com/BurntSushi/toml/doc.go @@ -4,7 +4,7 @@ files via reflection. There is also support for delaying decoding with the Primitive type, and querying the set of keys in a TOML document with the MetaData type. -The specification implemented: https://github.com/mojombo/toml +The specification implemented: https://github.com/toml-lang/toml The sub-command github.com/BurntSushi/toml/cmd/tomlv can be used to verify whether a file is a valid TOML document. It can also be used to print the diff --git a/vendor/github.com/burntsushi/toml/encode.go b/vendor/github.com/BurntSushi/toml/encode.go similarity index 99% rename from vendor/github.com/burntsushi/toml/encode.go rename to vendor/github.com/BurntSushi/toml/encode.go index 0f2558b2eafa..d905c21a2466 100644 --- a/vendor/github.com/burntsushi/toml/encode.go +++ b/vendor/github.com/BurntSushi/toml/encode.go 
@@ -241,7 +241,7 @@ func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) { func (enc *Encoder) eTable(key Key, rv reflect.Value) { panicIfInvalidKey(key) if len(key) == 1 { - // Output an extra new line between top-level tables. + // Output an extra newline between top-level tables. // (The newline isn't written if nothing else has been written though.) enc.newline() } diff --git a/vendor/github.com/burntsushi/toml/encoding_types.go b/vendor/github.com/BurntSushi/toml/encoding_types.go similarity index 100% rename from vendor/github.com/burntsushi/toml/encoding_types.go rename to vendor/github.com/BurntSushi/toml/encoding_types.go diff --git a/vendor/github.com/burntsushi/toml/encoding_types_1.1.go b/vendor/github.com/BurntSushi/toml/encoding_types_1.1.go similarity index 100% rename from vendor/github.com/burntsushi/toml/encoding_types_1.1.go rename to vendor/github.com/BurntSushi/toml/encoding_types_1.1.go diff --git a/vendor/github.com/burntsushi/toml/lex.go b/vendor/github.com/BurntSushi/toml/lex.go similarity index 73% rename from vendor/github.com/burntsushi/toml/lex.go rename to vendor/github.com/BurntSushi/toml/lex.go index 104ebda2127e..e0a742a8870f 100644 --- a/vendor/github.com/burntsushi/toml/lex.go +++ b/vendor/github.com/BurntSushi/toml/lex.go 
@@ -30,24 +30,28 @@ const ( itemArrayTableEnd itemKeyStart itemCommentStart + itemInlineTableStart + itemInlineTableEnd ) const ( - eof = 0 - tableStart = '[' - tableEnd = ']' - arrayTableStart = '[' - arrayTableEnd = ']' - tableSep = '.' - keySep = '=' - arrayStart = '[' - arrayEnd = ']' - arrayValTerm = ',' - commentStart = '#' - stringStart = '"' - stringEnd = '"' - rawStringStart = '\'' - rawStringEnd = '\'' + eof = 0 + comma = ',' + tableStart = '[' + tableEnd = ']' + arrayTableStart = '[' + arrayTableEnd = ']' + tableSep = '.' + keySep = '=' + arrayStart = '[' + arrayEnd = ']' + commentStart = '#' + stringStart = '"' + stringEnd = '"' + rawStringStart = '\'' + rawStringEnd = '\'' + inlineTableStart = '{' + inlineTableEnd = '}' ) type stateFn func(lx *lexer) stateFn @@ -56,11 +60,18 @@ type lexer struct { input string start int pos int - width int line int state stateFn items chan item + // Allow for backing up up to three runes. + // This is necessary because TOML contains 3-rune tokens (""" and '''). + prevWidths [3]int + nprev int // how many of prevWidths are in use + // If we emit an eof, we can still back up, but it is not OK to call + // next again. + atEOF bool + // A stack of state functions used to maintain context. // The idea is to reuse parts of the state machine in various places. // For example, values can appear at the top level or within arbitrarily @@ -88,7 +99,7 @@ func (lx *lexer) nextItem() item { func lex(input string) *lexer { lx := &lexer{ - input: input + "\n", + input: input, state: lexTop, line: 1, items: make(chan item, 10), @@ -103,7 +114,7 @@ func (lx *lexer) push(state stateFn) { func (lx *lexer) pop() stateFn { if len(lx.stack) == 0 { - return lx.errorf("BUG in lexer: no states to pop.") + return lx.errorf("BUG in lexer: no states to pop") } last := lx.stack[len(lx.stack)-1] lx.stack = lx.stack[0 : len(lx.stack)-1] 
@@ -125,16 +136,25 @@ func (lx *lexer) emitTrim(typ itemType) { } func (lx *lexer) next() (r rune) { + if lx.atEOF { + panic("next called after EOF") + } if lx.pos >= len(lx.input) { - lx.width = 0 + lx.atEOF = true return eof } if lx.input[lx.pos] == '\n' { lx.line++ } - r, lx.width = utf8.DecodeRuneInString(lx.input[lx.pos:]) - lx.pos += lx.width + lx.prevWidths[2] = lx.prevWidths[1] + lx.prevWidths[1] = lx.prevWidths[0] + if lx.nprev < 3 { + lx.nprev++ + } + r, w := utf8.DecodeRuneInString(lx.input[lx.pos:]) + lx.prevWidths[0] = w + lx.pos += w return r } @@ -143,9 +163,20 @@ func (lx *lexer) ignore() { lx.start = lx.pos } -// backup steps back one rune. Can be called only once per call of next. +// backup steps back one rune. Can be called only twice between calls to next. func (lx *lexer) backup() { - lx.pos -= lx.width + if lx.atEOF { + lx.atEOF = false + return + } + if lx.nprev < 1 { + panic("backed up too far") + } + w := lx.prevWidths[0] + lx.prevWidths[0] = lx.prevWidths[1] + lx.prevWidths[1] = lx.prevWidths[2] + lx.nprev-- + lx.pos -= w if lx.pos < len(lx.input) && lx.input[lx.pos] == '\n' { lx.line-- } @@ -182,7 +213,7 @@ func (lx *lexer) skip(pred func(rune) bool) { // errorf stops all lexing by emitting an error and returning `nil`. // Note that any value that is a character is escaped if it's a special -// character (new lines, tabs, etc.). +// character (newlines, tabs, etc.). func (lx *lexer) errorf(format string, values ...interface{}) stateFn { lx.items <- item{ itemError, @@ -198,7 +229,6 @@ func lexTop(lx *lexer) stateFn { if isWhitespace(r) || isNL(r) { return lexSkip(lx, lexTop) } - switch r { case commentStart: lx.push(lexTop) @@ -207,7 +237,7 @@ func lexTop(lx *lexer) stateFn { return lexTableStart case eof: if lx.pos > lx.start { - return lx.errorf("Unexpected EOF.") + return lx.errorf("unexpected EOF") } lx.emit(itemEOF) return nil 
@@ -222,12 +252,12 @@ func lexTop(lx *lexer) stateFn { // lexTopEnd is entered whenever a top-level item has been consumed. (A value // or a table.) It must see only whitespace, and will turn back to lexTop -// upon a new line. If it sees EOF, it will quit the lexer successfully. +// upon a newline. If it sees EOF, it will quit the lexer successfully. func lexTopEnd(lx *lexer) stateFn { r := lx.next() switch { case r == commentStart: - // a comment will read to a new line for us. + // a comment will read to a newline for us. lx.push(lexTop) return lexCommentStart case isWhitespace(r): @@ -236,11 +266,11 @@ func lexTopEnd(lx *lexer) stateFn { lx.ignore() return lexTop case r == eof: - lx.ignore() - return lexTop + lx.emit(itemEOF) + return nil } - return lx.errorf("Expected a top-level item to end with a new line, "+ - "comment or EOF, but got %q instead.", r) + return lx.errorf("expected a top-level item to end with a newline, "+ + "comment, or EOF, but got %q instead", r) } // lexTable lexes the beginning of a table. Namely, it makes sure that @@ -267,8 +297,8 @@ func lexTableEnd(lx *lexer) stateFn { func lexArrayTableEnd(lx *lexer) stateFn { if r := lx.next(); r != arrayTableEnd { - return lx.errorf("Expected end of table array name delimiter %q, "+ - "but got %q instead.", arrayTableEnd, r) + return lx.errorf("expected end of table array name delimiter %q, "+ + "but got %q instead", arrayTableEnd, r) } lx.emit(itemArrayTableEnd) return lexTopEnd 
@@ -278,11 +308,11 @@ func lexTableNameStart(lx *lexer) stateFn { lx.skip(isWhitespace) switch r := lx.peek(); { case r == tableEnd || r == eof: - return lx.errorf("Unexpected end of table name. (Table names cannot " + - "be empty.)") + return lx.errorf("unexpected end of table name " + + "(table names cannot be empty)") case r == tableSep: - return lx.errorf("Unexpected table separator. (Table names cannot " + - "be empty.)") + return lx.errorf("unexpected table separator " + + "(table names cannot be empty)") case r == stringStart || r == rawStringStart: lx.ignore() lx.push(lexTableNameEnd) @@ -317,8 +347,8 @@ func lexTableNameEnd(lx *lexer) stateFn { case r == tableEnd: return lx.pop() default: - return lx.errorf("Expected '.' or ']' to end table name, but got %q "+ - "instead.", r) + return lx.errorf("expected '.' or ']' to end table name, "+ + "but got %q instead", r) } } @@ -328,7 +358,7 @@ func lexKeyStart(lx *lexer) stateFn { r := lx.peek() switch { case r == keySep: - return lx.errorf("Unexpected key separator %q.", keySep) + return lx.errorf("unexpected key separator %q", keySep) case isWhitespace(r) || isNL(r): lx.next() return lexSkip(lx, lexKeyStart) @@ -359,7 +389,7 @@ func lexBareKey(lx *lexer) stateFn { lx.emit(itemText) return lexKeyEnd default: - return lx.errorf("Bare keys cannot contain %q.", r) + return lx.errorf("bare keys cannot contain %q", r) } } @@ -372,7 +402,7 @@ func lexKeyEnd(lx *lexer) stateFn { case isWhitespace(r): return lexSkip(lx, lexKeyEnd) default: - return lx.errorf("Expected key separator %q, but got %q instead.", + return lx.errorf("expected key separator %q, but got %q instead", keySep, r) } } 
@@ -381,9 +411,8 @@ func lexKeyEnd(lx *lexer) stateFn { // lexValue will ignore whitespace. // After a value is lexed, the last state on the next is popped and returned. func lexValue(lx *lexer) stateFn { - // We allow whitespace to precede a value, but NOT new lines. - // In array syntax, the array states are responsible for ignoring new - // lines. + // We allow whitespace to precede a value, but NOT newlines. + // In array syntax, the array states are responsible for ignoring newlines. r := lx.next() switch { case isWhitespace(r): @@ -397,6 +426,10 @@ func lexValue(lx *lexer) stateFn { lx.ignore() lx.emit(itemArray) return lexArrayValue + case inlineTableStart: + lx.ignore() + lx.emit(itemInlineTableStart) + return lexInlineTableValue case stringStart: if lx.accept(stringStart) { if lx.accept(stringStart) { @@ -420,7 +453,7 @@ func lexValue(lx *lexer) stateFn { case '+', '-': return lexNumberStart case '.': // special error case, be kind to users - return lx.errorf("Floats must start with a digit, not '.'.") + return lx.errorf("floats must start with a digit, not '.'") } if unicode.IsLetter(r) { // Be permissive here; lexBool will give a nice error if the @@ -430,11 +463,11 @@ func lexValue(lx *lexer) stateFn { lx.backup() return lexBool } - return lx.errorf("Expected value but found %q instead.", r) + return lx.errorf("expected value but found %q instead", r) } // lexArrayValue consumes one value in an array. It assumes that '[' or ',' -// have already been consumed. All whitespace and new lines are ignored. +// have already been consumed. All whitespace and newlines are ignored. func lexArrayValue(lx *lexer) stateFn { r := lx.next() switch { 
@@ -443,10 +476,11 @@ func lexArrayValue(lx *lexer) stateFn { case r == commentStart: lx.push(lexArrayValue) return lexCommentStart - case r == arrayValTerm: - return lx.errorf("Unexpected array value terminator %q.", - arrayValTerm) + case r == comma: + return lx.errorf("unexpected comma") case r == arrayEnd: + // NOTE(caleb): The spec isn't clear about whether you can have + // a trailing comma or not, so we'll allow it. return lexArrayEnd } @@ -455,8 +489,9 @@ func lexArrayValue(lx *lexer) stateFn { return lexValue } -// lexArrayValueEnd consumes the cruft between values of an array. Namely, -// it ignores whitespace and expects either a ',' or a ']'. +// lexArrayValueEnd consumes everything between the end of an array value and +// the next value (or the end of the array): it ignores whitespace and newlines +// and expects either a ',' or a ']'. func lexArrayValueEnd(lx *lexer) stateFn { r := lx.next() switch { 
@@ -465,31 +500,88 @@ func lexArrayValueEnd(lx *lexer) stateFn { case r == commentStart: lx.push(lexArrayValueEnd) return lexCommentStart - case r == arrayValTerm: + case r == comma: lx.ignore() return lexArrayValue // move on to the next value case r == arrayEnd: return lexArrayEnd } - return lx.errorf("Expected an array value terminator %q or an array "+ - "terminator %q, but got %q instead.", arrayValTerm, arrayEnd, r) + return lx.errorf( + "expected a comma or array terminator %q, but got %q instead", + arrayEnd, r, + ) } -// lexArrayEnd finishes the lexing of an array. It assumes that a ']' has -// just been consumed. +// lexArrayEnd finishes the lexing of an array. +// It assumes that a ']' has just been consumed. func lexArrayEnd(lx *lexer) stateFn { lx.ignore() lx.emit(itemArrayEnd) return lx.pop() } +// lexInlineTableValue consumes one key/value pair in an inline table. +// It assumes that '{' or ',' have already been consumed. Whitespace is ignored. +func lexInlineTableValue(lx *lexer) stateFn { + r := lx.next() + switch { + case isWhitespace(r): + return lexSkip(lx, lexInlineTableValue) + case isNL(r): + return lx.errorf("newlines not allowed within inline tables") + case r == commentStart: + lx.push(lexInlineTableValue) + return lexCommentStart + case r == comma: + return lx.errorf("unexpected comma") + case r == inlineTableEnd: + return lexInlineTableEnd + } + lx.backup() + lx.push(lexInlineTableValueEnd) + return lexKeyStart +} + +// lexInlineTableValueEnd consumes everything between the end of an inline table +// key/value pair and the next pair (or the end of the table): +// it ignores whitespace and expects either a ',' or a '}'. 
+func lexInlineTableValueEnd(lx *lexer) stateFn { + r := lx.next() + switch { + case isWhitespace(r): + return lexSkip(lx, lexInlineTableValueEnd) + case isNL(r): + return lx.errorf("newlines not allowed within inline tables") + case r == commentStart: + lx.push(lexInlineTableValueEnd) + return lexCommentStart + case r == comma: + lx.ignore() + return lexInlineTableValue + case r == inlineTableEnd: + return lexInlineTableEnd + } + return lx.errorf("expected a comma or an inline table terminator %q, "+ + "but got %q instead", inlineTableEnd, r) +} + +// lexInlineTableEnd finishes the lexing of an inline table. +// It assumes that a '}' has just been consumed. +func lexInlineTableEnd(lx *lexer) stateFn { + lx.ignore() + lx.emit(itemInlineTableEnd) + return lx.pop() +} + // lexString consumes the inner contents of a string. It assumes that the // beginning '"' has already been consumed and ignored. func lexString(lx *lexer) stateFn { r := lx.next() switch { + case r == eof: + return lx.errorf("unexpected EOF") case isNL(r): - return lx.errorf("Strings cannot contain new lines.") + return lx.errorf("strings cannot contain newlines") case r == '\\': lx.push(lexString) return lexStringEscape @@ -506,11 +598,12 @@ func lexString(lx *lexer) stateFn { // lexMultilineString consumes the inner contents of a string. It assumes that // the beginning '"""' has already been consumed and ignored. func lexMultilineString(lx *lexer) stateFn { - r := lx.next() - switch { - case r == '\\': + switch lx.next() { + case eof: + return lx.errorf("unexpected EOF") + case '\\': return lexMultilineStringEscape - case r == stringEnd: + case stringEnd: if lx.accept(stringEnd) { if lx.accept(stringEnd) { lx.backup() 
@@ -534,8 +627,10 @@ func lexMultilineString(lx *lexer) stateFn { func lexRawString(lx *lexer) stateFn { r := lx.next() switch { + case r == eof: + return lx.errorf("unexpected EOF") case isNL(r): - return lx.errorf("Strings cannot contain new lines.") + return lx.errorf("strings cannot contain newlines") case r == rawStringEnd: lx.backup() lx.emit(itemRawString) @@ -547,12 +642,13 @@ func lexRawString(lx *lexer) stateFn { } // lexMultilineRawString consumes a raw string. Nothing can be escaped in such -// a string. It assumes that the beginning "'" has already been consumed and +// a string. It assumes that the beginning "'''" has already been consumed and // ignored. func lexMultilineRawString(lx *lexer) stateFn { - r := lx.next() - switch { - case r == rawStringEnd: + switch lx.next() { + case eof: + return lx.errorf("unexpected EOF") + case rawStringEnd: if lx.accept(rawStringEnd) { if lx.accept(rawStringEnd) { lx.backup() @@ -605,10 +701,9 @@ func lexStringEscape(lx *lexer) stateFn { case 'U': return lexLongUnicodeEscape } - return lx.errorf("Invalid escape character %q. Only the following "+ + return lx.errorf("invalid escape character %q; only the following "+ "escape characters are allowed: "+ - "\\b, \\t, \\n, \\f, \\r, \\\", \\/, \\\\, "+ - "\\uXXXX and \\UXXXXXXXX.", r) + `\b, \t, \n, \f, \r, \", \\, \uXXXX, and \UXXXXXXXX`, r) } func lexShortUnicodeEscape(lx *lexer) stateFn { @@ -616,8 +711,8 @@ func lexShortUnicodeEscape(lx *lexer) stateFn { for i := 0; i < 4; i++ { r = lx.next() if !isHexadecimal(r) { - return lx.errorf("Expected four hexadecimal digits after '\\u', "+ - "but got '%s' instead.", lx.current()) + return lx.errorf(`expected four hexadecimal digits after '\u', `+ + "but got %q instead", lx.current()) } } return lx.pop() 
@@ -628,8 +723,8 @@ func lexLongUnicodeEscape(lx *lexer) stateFn { for i := 0; i < 8; i++ { r = lx.next() if !isHexadecimal(r) { - return lx.errorf("Expected eight hexadecimal digits after '\\U', "+ - "but got '%s' instead.", lx.current()) + return lx.errorf(`expected eight hexadecimal digits after '\U', `+ + "but got %q instead", lx.current()) } } return lx.pop() @@ -647,9 +742,9 @@ func lexNumberOrDateStart(lx *lexer) stateFn { case 'e', 'E': return lexFloat case '.': - return lx.errorf("Floats must start with a digit, not '.'.") + return lx.errorf("floats must start with a digit, not '.'") } - return lx.errorf("Expected a digit but got %q.", r) + return lx.errorf("expected a digit but got %q", r) } // lexNumberOrDate consumes either an integer, float or datetime. @@ -680,7 +775,7 @@ func lexDatetime(lx *lexer) stateFn { return lexDatetime } switch r { - case '-', 'T', ':', '.', 'Z': + case '-', 'T', ':', '.', 'Z', '+': return lexDatetime } @@ -697,9 +792,9 @@ func lexNumberStart(lx *lexer) stateFn { r := lx.next() if !isDigit(r) { if r == '.' { - return lx.errorf("Floats must start with a digit, not '.'.") + return lx.errorf("floats must start with a digit, not '.'") } - return lx.errorf("Expected a digit but got %q.", r) + return lx.errorf("expected a digit but got %q", r) } return lexNumber } @@ -745,7 +840,7 @@ func lexBool(lx *lexer) stateFn { var rs []rune for { r := lx.next() - if r == eof || isWhitespace(r) || isNL(r) { + if !unicode.IsLetter(r) { lx.backup() break } @@ -757,7 +852,7 @@ func lexBool(lx *lexer) stateFn { lx.emit(itemBool) return lx.pop() } - return lx.errorf("Expected value but found %q instead.", s) + return lx.errorf("expected value but found %q instead", s) } // lexCommentStart begins the lexing of a comment. It will emit 
@@ -769,7 +864,7 @@ func lexCommentStart(lx *lexer) stateFn { } // lexComment lexes an entire comment. It assumes that '#' has been consumed. -// It will consume *up to* the first new line character, and pass control +// It will consume *up to* the first newline character, and pass control // back to the last state on the stack. func lexComment(lx *lexer) stateFn { r := lx.peek() diff --git a/vendor/github.com/burntsushi/toml/parse.go b/vendor/github.com/BurntSushi/toml/parse.go similarity index 94% rename from vendor/github.com/burntsushi/toml/parse.go rename to vendor/github.com/BurntSushi/toml/parse.go index a5625555c5e1..50869ef9266e 100644 --- a/vendor/github.com/burntsushi/toml/parse.go +++ b/vendor/github.com/BurntSushi/toml/parse.go @@ -269,6 +269,41 @@ func (p *parser) value(it item) (interface{}, tomlType) { types = append(types, typ) } return array, p.typeOfArray(types) + case itemInlineTableStart: + var ( + hash = make(map[string]interface{}) + outerContext = p.context + outerKey = p.currentKey + ) + + p.context = append(p.context, p.currentKey) + p.currentKey = "" + for it := p.next(); it.typ != itemInlineTableEnd; it = p.next() { + if it.typ != itemKeyStart { + p.bug("Expected key start but instead found %q, around line %d", + it.val, p.approxLine) + } + if it.typ == itemCommentStart { + p.expect(itemText) + continue + } + + // retrieve key + k := p.next() + p.approxLine = k.line + kname := p.keyString(k) + + // retrieve value + p.currentKey = kname + val, typ := p.value(p.next()) + // make sure we keep metadata up to date + p.setType(kname, typ) + p.ordered = append(p.ordered, p.context.add(p.currentKey)) + hash[kname] = val + } + p.context = outerContext + p.currentKey = outerKey + return hash, tomlHash } p.bug("Unexpected value type: %s", it.typ) panic("unreachable") 
diff --git a/vendor/github.com/burntsushi/toml/session.vim b/vendor/github.com/BurntSushi/toml/session.vim
similarity index 100%
rename from vendor/github.com/burntsushi/toml/session.vim
rename to vendor/github.com/BurntSushi/toml/session.vim
diff --git a/vendor/github.com/burntsushi/toml/type_check.go b/vendor/github.com/BurntSushi/toml/type_check.go
similarity index 100%
rename from vendor/github.com/burntsushi/toml/type_check.go
rename to vendor/github.com/BurntSushi/toml/type_check.go
diff --git a/vendor/github.com/burntsushi/toml/type_fields.go b/vendor/github.com/BurntSushi/toml/type_fields.go
similarity index 100%
rename from vendor/github.com/burntsushi/toml/type_fields.go
rename to vendor/github.com/BurntSushi/toml/type_fields.go
diff --git a/vendor/github.com/burntsushi/toml/COMPATIBLE b/vendor/github.com/burntsushi/toml/COMPATIBLE
deleted file mode 100644
index 21e0938caefb..000000000000
--- a/vendor/github.com/burntsushi/toml/COMPATIBLE
+++ /dev/null
@@ -1,3 +0,0 @@
-Compatible with TOML version
-[v0.2.0](https://github.com/mojombo/toml/blob/master/versions/toml-v0.2.0.md)
-
diff --git a/vendor/github.com/burntsushi/toml/COPYING b/vendor/github.com/burntsushi/toml/COPYING
deleted file mode 100644
index 5a8e332545f6..000000000000
--- a/vendor/github.com/burntsushi/toml/COPYING
+++ /dev/null
@@ -1,14 +0,0 @@
- DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
- Version 2, December 2004
-
- Copyright (C) 2004 Sam Hocevar
-
- Everyone is permitted to copy and distribute verbatim or modified
- copies of this license document, and changing it is allowed as long
- as the name is changed.
-
- DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. You just DO WHAT THE FUCK YOU WANT TO.
-
diff --git a/vendor/github.com/hashicorp/consul-template/CHANGELOG.md b/vendor/github.com/hashicorp/consul-template/CHANGELOG.md
index c7f092876abe..e04dcccdb22d 100644
--- a/vendor/github.com/hashicorp/consul-template/CHANGELOG.md +++ b/vendor/github.com/hashicorp/consul-template/CHANGELOG.md @@ -1,4 +1,21 @@ -## UNRELEASED +## v0.21.0 (August 05, 2019) + +IMPROVEMENTS: + +* Migrated to use Go modules [[GH-1244](https://github.com/hashicorp/consul-template/pull/1244), [GH-1173](https://github.com/hashicorp/consul-template/issues/1173), [GH-1208](https://github.com/hashicorp/consul-template/pull/1208)[GH-1232](https://github.com/hashicorp/consul-template/pull/1232)] +* Template blacklist feature [[GH-1243](https://github.com/hashicorp/consul-template/pull/1243)] + +## v0.20.1 (July 30, 2019) + +BUG FIXES: + +* Fixed issue with exec running before template rendering when wait is set [[GH-1229](https://github.com/hashicorp/consul-template/issues/1229), [GH-1209](https://github.com/hashicorp/consul-template/issues/1209)] +* Fixed issue with templates not rendering with `-once` [[GH-1227](https://github.com/hashicorp/consul-template/pull/1227), [GH-1196](https://github.com/hashicorp/consul-template/issues/1196), [GH-1207](https://github.com/hashicorp/consul-template/issues/1207)] +* Fixed regression with ~/.vault-token and with vault_agent_token_file not respecting renew_token [[GH-1228](https://github.com/hashicorp/consul-template/issues/1228), [GH-1189](https://github.com/hashicorp/consul-template/issues/1189)] +* CA certificates missing from docker 'light' image [[GH-1200](https://github.com/hashicorp/consul-template/issues/1200)] +* Fixed issue with dedup data garbage in Consul KV [[GH-1158](https://github.com/hashicorp/consul-template/issues/1158), [[GH-1168](https://github.com/hashicorp/consul-template/issues/1168)] +* Fixed bad case in import path [[GH-1139](https://github.com/hashicorp/consul-template/issues/1139)] +* Documented limits on using "." in service names [[GH-1205](https://github.com/hashicorp/consul-template/issues/1205)] ## v0.20.0 (February 19, 2019) 
diff --git a/vendor/github.com/hashicorp/consul-template/Gopkg.lock b/vendor/github.com/hashicorp/consul-template/Gopkg.lock
deleted file mode 100644
index 114d6ff4b4a8..000000000000
--- a/vendor/github.com/hashicorp/consul-template/Gopkg.lock
+++ /dev/null
@@ -1,696 +0,0 @@ -# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. - - -[[projects]] - digest = "1:7202718ddfaa07d3c88e6d7bee854aa2ddceea5c75fa74c6c9f33de4db677ece" - name = "github.com/Jeffail/gabs" - packages = ["."] - pruneopts = "" - revision = "2a3aa15961d5fee6047b8151b67ac2f08ba2c48c" - version = "1.0" - -[[projects]] - digest = "1:b0fe84bcee1d0c3579d855029ccd3a76deea187412da2976985e4946289dbb2c" - name = "github.com/NYTimes/gziphandler" - packages = ["."] - pruneopts = "" - revision = "2600fb119af974220d3916a5916d6e31176aac1b" - version = "v1.0.1" - -[[projects]] - digest = "1:8855efc2aff3afd6319da41b22a8ca1cfd1698af05a24852c01636ba65b133f0" - name = "github.com/SermoDigital/jose" - packages = [ - ".", - "crypto", - "jws", - "jwt", - ] - pruneopts = "" - revision = "f6df55f235c24f236d11dbcf665249a59ac2021f" - version = "1.1" - -[[projects]] - branch = "master" - digest = "1:a96de7a26ef8bf2eccf3c5fc8039455b0259b19af1a91b7749afd674e3971efa" - name = "github.com/armon/go-metrics" - packages = ["."] - pruneopts = "" - revision = "9a4b6e10bed6220a1665955aa2b75afc91eb10b3" - -[[projects]] - branch = "master" - digest = "1:2a1e6af234d7de1ccf4504f397cf7cfa82922ee59b29252e3c34cb38d0b91989" - name = "github.com/armon/go-radix" - packages = ["."] - pruneopts = "" - revision = "1fca145dffbcaa8fe914309b1ec0cfc67500fe61" - -[[projects]] - digest = "1:62fe5a93293c353dafe321ad07419b680257596b0886fc5d21cd1fd42ad8ef45" - name = "github.com/asaskevich/govalidator" - packages = ["."] - pruneopts = "" - revision = "73945b6115bfbbcc57d89b7316e28109364124e1" - version = "v7" - -[[projects]] - digest = "1:289dd4d7abfb3ad2b5f728fbe9b1d5c1bf7d265a3eb9ef92869af1f7baba4c7a" - name = "github.com/burntsushi/toml" - packages = ["."] - pruneopts = "" - revision = "b26d9c308763d68093482582cea63d69be07a0f0" - version = "v0.3.0" - -[[projects]] - digest = "1:56c130d885a4aacae1dd9c7b71cfe39912c7ebc1ff7d2b46083c8812996dc43b" - name = 
"github.com/davecgh/go-spew" - packages = ["spew"] - pruneopts = "" - revision = "346938d642f2ec3594ed81d874461961cd0faa76" - version = "v1.1.0" - -[[projects]] - digest = "1:044b2f1eea2f5cfb0d3678baf60892734f59d5c2ea3932cb6ed894a97ccba15c" - name = "github.com/elazarl/go-bindata-assetfs" - packages = ["."] - pruneopts = "" - revision = "30f82fa23fd844bd5bb1e5f216db87fd77b5eb43" - version = "v1.0.0" - -[[projects]] - digest = "1:55848e643a99a9dfceb19e090ce67111328fbb1780f34c62a0430994ff85fb90" - name = "github.com/fatih/structs" - packages = ["."] - pruneopts = "" - revision = "a720dfa8df582c51dee1b36feabb906bde1588bd" - version = "v1.0" - -[[projects]] - digest = "1:24f8932912fd9331367d38715bb74be889dc2f94d401109c3aa3db8b3aa246c5" - name = "github.com/go-sql-driver/mysql" - packages = ["."] - pruneopts = "" - revision = "a0583e0143b1624142adab07e0e97fe106d99561" - version = "v1.3" - -[[projects]] - digest = "1:3dd078fda7500c341bc26cfbc6c6a34614f295a2457149fc1045cab767cbcf18" - name = "github.com/golang/protobuf" - packages = [ - "proto", - "ptypes", - "ptypes/any", - "ptypes/duration", - "ptypes/timestamp", - ] - pruneopts = "" - revision = "aa810b61a9c79d51363740d207bb46cf8e620ed5" - version = "v1.2.0" - -[[projects]] - branch = "master" - digest = "1:09307dfb1aa3f49a2bf869dcfa4c6c06ecd3c207221bd1c1a1141f0e51f209eb" - name = "github.com/golang/snappy" - packages = ["."] - pruneopts = "" - revision = "553a641470496b2327abcac10b36396bd98e45c9" - -[[projects]] - branch = "master" - digest = "1:355da89acb2e3ee7342821708e2d1d51b29487e0642f5356282c42e2a9d3763f" - name = "github.com/hashicorp/consul" - packages = [ - "api", - "lib/freeport", - "testutil", - "testutil/retry", - ] - pruneopts = "" - revision = "73e3252076f69a06386a98a528bb79fa43bd538e" - -[[projects]] - branch = "master" - digest = "1:304c322b62533a48ac052ffee80f67087fce1bc07186cd4e610a1b0e77765836" - name = "github.com/hashicorp/errwrap" - packages = ["."] - pruneopts = "" - revision = 
"7554cd9344cec97297fa6649b055a8c98c2a1e55" - -[[projects]] - digest = "1:05334858a0cfb538622a066e065287f63f42bee26a7fda93a789674225057201" - name = "github.com/hashicorp/go-cleanhttp" - packages = ["."] - pruneopts = "" - revision = "e8ab9daed8d1ddd2d3c4efba338fe2eeae2e4f18" - version = "v0.5.0" - -[[projects]] - branch = "master" - digest = "1:504ef443922ff6f9e03d00babe3ac6c2fcb44f4fe6244c82cbb77d7ca76fdd87" - name = "github.com/hashicorp/go-gatedio" - packages = ["."] - pruneopts = "" - revision = "8b8de1022221dde1fb52fa25d0caab46e59c8c14" - -[[projects]] - branch = "master" - digest = "1:0b41d818c95c27c2618eef67569afb6356c3e55d7e8459fdf21ed015884f83ef" - name = "github.com/hashicorp/go-hclog" - packages = ["."] - pruneopts = "" - revision = "4783caec6f2e5cdd47fab8b2bb47ce2ce5c546b7" - -[[projects]] - branch = "master" - digest = "1:6546c6d83de55dc47f3211e82d1e588baeb432e33859ccb1195ce52890466053" - name = "github.com/hashicorp/go-immutable-radix" - packages = ["."] - pruneopts = "" - revision = "8aac2701530899b64bdea735a1de8da899815220" - -[[projects]] - branch = "master" - digest = "1:7b4ee3a9138e3757a0238f2e12b97e2c6a33a5b9230386ea99692a56f6f0bc2a" - name = "github.com/hashicorp/go-memdb" - packages = ["."] - pruneopts = "" - revision = "032f93b25becbfd6c3bb074a1049d98b7e105440" - -[[projects]] - branch = "master" - digest = "1:7660b6ee3fd92bcb9b19f5d359d3fbc8e853257d8a3d49e0424d00b6faa69cfd" - name = "github.com/hashicorp/go-multierror" - packages = ["."] - pruneopts = "" - revision = "83588e72410abfbe4df460eeb6f30841ae47d4c4" - -[[projects]] - branch = "master" - digest = "1:2474b03b87dbe1274652da5541e18fec7125107fcd5a83d5928d1616f851394c" - name = "github.com/hashicorp/go-plugin" - packages = [ - ".", - "internal/proto", - ] - pruneopts = "" - revision = "362c99b11937c6a84686ee5726a8170e921ab406" - -[[projects]] - digest = "1:776139dc18d63ef223ffaca5d8e9a3057174890f84393d3c881e934100b66dbc" - name = "github.com/hashicorp/go-retryablehttp" - packages = ["."] 
- pruneopts = "" - revision = "73489d0a1476f0c9e6fb03f9c39241523a496dfd" - version = "v0.5.2" - -[[projects]] - branch = "master" - digest = "1:ff65bf6fc4d1116f94ac305342725c21b55c16819c2606adc8f527755716937f" - name = "github.com/hashicorp/go-rootcerts" - packages = ["."] - pruneopts = "" - revision = "6bb64b370b90e7ef1fa532be9e591a81c3493e00" - -[[projects]] - digest = "1:ea71015bc8aa9b98a1fde564e24123260330b55bda32d8ed5ce227d3dc58d64e" - name = "github.com/hashicorp/go-sockaddr" - packages = ["."] - pruneopts = "" - revision = "3aed17b5ee41761cc2b04f2a94c7107d428967e5" - version = "v1.0.1" - -[[projects]] - branch = "master" - digest = "1:4d9d876a856ada3b553062ac8e50331a9a539e12893c0c4a50d8ae2af4242685" - name = "github.com/hashicorp/go-syslog" - packages = ["."] - pruneopts = "" - revision = "326bf4a7f709d263f964a6a96558676b103f3534" - -[[projects]] - branch = "master" - digest = "1:50518e39c832eacbbd55a0ca08c6490911fe9483b06fa77468693a31b7893f3e" - name = "github.com/hashicorp/go-uuid" - packages = ["."] - pruneopts = "" - revision = "64130c7a86d732268a38cb04cfbaf0cc987fda98" - -[[projects]] - digest = "1:b759103c9b4135568253c17d2866064cde398e93764b611caabf5aa8e3059685" - name = "github.com/hashicorp/go-version" - packages = ["."] - pruneopts = "" - revision = "d40cf49b3a77bba84a7afdbd7f1dc295d114efb1" - version = "v1.1.0" - -[[projects]] - branch = "master" - digest = "1:43987212a2f16bfacc1a286e9118f212d60c136ed53c6c9477c18921db53140b" - name = "github.com/hashicorp/golang-lru" - packages = [ - ".", - "simplelru", - ] - pruneopts = "" - revision = "0a025b7e63adc15a622f29b0b2c4c3848243bbf6" - -[[projects]] - branch = "master" - digest = "1:147d671753effde6d3bcd58fc74c1d67d740196c84c280c762a5417319499972" - name = "github.com/hashicorp/hcl" - packages = [ - ".", - "hcl/ast", - "hcl/parser", - "hcl/scanner", - "hcl/strconv", - "hcl/token", - "json/parser", - "json/scanner", - "json/token", - ] - pruneopts = "" - revision = 
"23c074d0eceb2b8a5bfdbb271ab780cde70f05a8" - -[[projects]] - branch = "master" - digest = "1:8b7dd3b581147b44cf522c66894b9119ab845c346d8f124d83f77ab499cf7ca3" - name = "github.com/hashicorp/logutils" - packages = ["."] - pruneopts = "" - revision = "0dc08b1671f34c4250ce212759ebd880f743d883" - -[[projects]] - digest = "1:f72168ea995f398bab88e84bd1ff58a983466ba162fb8d50d47420666cd57fad" - name = "github.com/hashicorp/serf" - packages = ["coordinate"] - pruneopts = "" - revision = "d6574a5bb1226678d7010325fb6c985db20ee458" - version = "v0.8.1" - -[[projects]] - branch = "master" - digest = "1:ac8c3b2c00d263ab59323ef42ca6a85145447a4fd8c9dd661d88156fe7efe006" - name = "github.com/hashicorp/vault" - packages = [ - "api", - "audit", - "builtin/logical/database/dbplugin", - "builtin/logical/pki", - "builtin/logical/transit", - "builtin/plugin", - "helper/base62", - "helper/certutil", - "helper/compressutil", - "helper/consts", - "helper/cryptoutil", - "helper/dbtxn", - "helper/errutil", - "helper/forwarding", - "helper/hclutil", - "helper/identity", - "helper/identity/mfa", - "helper/jsonutil", - "helper/kdf", - "helper/keysutil", - "helper/license", - "helper/locksutil", - "helper/logging", - "helper/mlock", - "helper/namespace", - "helper/parseutil", - "helper/pathmanager", - "helper/pgpkeys", - "helper/pluginutil", - "helper/policyutil", - "helper/reload", - "helper/salt", - "helper/storagepacker", - "helper/strutil", - "helper/tlsutil", - "helper/wrapping", - "helper/xor", - "http", - "logical", - "logical/framework", - "logical/plugin", - "logical/plugin/pb", - "physical", - "physical/inmem", - "plugins", - "plugins/database/mysql", - "plugins/database/postgresql", - "plugins/helper/database/connutil", - "plugins/helper/database/credsutil", - "plugins/helper/database/dbutil", - "shamir", - "vault", - "vault/seal", - "version", - ] - pruneopts = "" - revision = "be968f0edd5991df4237ab184ab94ea649d15b43" - -[[projects]] - branch = "master" - digest = 
"1:18f7a8c6df80b7ad85be744c6b6334983539896350d77760e90d8462ff51be6d" - name = "github.com/hashicorp/vault-plugin-secrets-kv" - packages = ["."] - pruneopts = "" - revision = "edbfe287c5d9277cecf2c91c79ffcc34f19d2049" - -[[projects]] - branch = "master" - digest = "1:755f0590df531fdf5221158ba457555b525ea497f27ae1b8b195da7d0906d4a6" - name = "github.com/hashicorp/yamux" - packages = ["."] - pruneopts = "" - revision = "f5742cb6b85602e7fa834e9d5d91a7d7fa850824" - -[[projects]] - branch = "master" - digest = "1:5d8602d6ebb444e0c18792d61fd4bb302a0d4d0b02cebf50c475f9dbeaabb884" - name = "github.com/jefferai/jsonx" - packages = ["."] - pruneopts = "" - revision = "9cc31c3135eef39b8e72585f37efa92b6ca314d0" - -[[projects]] - branch = "master" - digest = "1:ad122173a3e31da3986e097c26422fe9c765899e2afdf86eeca1ec360e57eff9" - name = "github.com/keybase/go-crypto" - packages = [ - "brainpool", - "cast5", - "curve25519", - "ed25519", - "ed25519/internal/edwards25519", - "openpgp", - "openpgp/armor", - "openpgp/ecdh", - "openpgp/elgamal", - "openpgp/errors", - "openpgp/packet", - "openpgp/s2k", - "rsa", - ] - pruneopts = "" - revision = "f63716704117f5bd34d8f0f068f7e8369d20d4ab" - -[[projects]] - branch = "master" - digest = "1:c7bbf42b56f999fc18f12707f6f9a3f47171de8bc6d4d7d3e8449093d55a4629" - name = "github.com/lib/pq" - packages = [ - ".", - "oid", - ] - pruneopts = "" - revision = "b609790bd85edf8e9ab7e0f8912750a786177bcf" - -[[projects]] - digest = "1:477cce5379198d3b8230b5c0961c61fcd1b337371cda81318e89a109245d83cb" - name = "github.com/mattn/go-shellwords" - packages = ["."] - pruneopts = "" - revision = "02e3cf038dcea8290e44424da473dd12be796a8a" - version = "v1.0.3" - -[[projects]] - branch = "master" - digest = "1:ae14aee05347b333fd7ab0c801c789438ef559cfb1307b53d5c42ea3cf6d61b6" - name = "github.com/mitchellh/copystructure" - packages = ["."] - pruneopts = "" - revision = "d23ffcb85de31694d6ccaa23ccb4a03e55c1303f" - -[[projects]] - branch = "master" - digest = 
"1:59d11e81d6fdd12a771321696bb22abdd9a94d26ac864787e98c9b419e428734" - name = "github.com/mitchellh/go-homedir" - packages = ["."] - pruneopts = "" - revision = "b8bc1bf767474819792c23f32d8286a45736f1c6" - -[[projects]] - branch = "master" - digest = "1:51c98e2c9a8d0a724a69f46421876af14e12132cb02f1d0e144785d752247162" - name = "github.com/mitchellh/go-testing-interface" - packages = ["."] - pruneopts = "" - revision = "a61a99592b77c9ba629d254a693acffaeb4b7e28" - -[[projects]] - branch = "master" - digest = "1:0de0f377aeccd41384e883c59c6f184c9db01c96db33a2724a1eaadd60f92629" - name = "github.com/mitchellh/hashstructure" - packages = ["."] - pruneopts = "" - revision = "2bca23e0e452137f789efbc8610126fd8b94f73b" - -[[projects]] - branch = "master" - digest = "1:30a2adc78c422ebd23aac9cfece529954d5eacf9ddbe37345f2a17439f8fa849" - name = "github.com/mitchellh/mapstructure" - packages = ["."] - pruneopts = "" - revision = "06020f85339e21b2478f756a78e295255ffa4d6a" - -[[projects]] - branch = "master" - digest = "1:a5aebbd13aa160140a1fd1286b94cd8c6ba3d1522014fd04508d7f36d5bb8d19" - name = "github.com/mitchellh/reflectwalk" - packages = ["."] - pruneopts = "" - revision = "63d60e9d0dbc60cf9164e6510889b0db6683d98c" - -[[projects]] - digest = "1:94e9081cc450d2cdf4e6886fc2c06c07272f86477df2d74ee5931951fa3d2577" - name = "github.com/oklog/run" - packages = ["."] - pruneopts = "" - revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" - version = "v1.0.0" - -[[projects]] - digest = "1:4c0404dc03d974acd5fcd8b8d3ce687b13bd169db032b89275e8b9d77b98ce8c" - name = "github.com/patrickmn/go-cache" - packages = ["."] - pruneopts = "" - revision = "a3647f8e31d79543b2d0f0ae2fe5c379d72cedc0" - version = "v2.1.0" - -[[projects]] - digest = "1:a1d7aa6caa82465a50a4c1da6f8dc9ff2ab4624a41b7020ef3d1fbed9ba9845d" - name = "github.com/pierrec/lz4" - packages = [ - ".", - "internal/xxh32", - ] - pruneopts = "" - revision = "473cd7ce01a1113208073166464b98819526150e" - version = "v2.0.8" - 
-[[projects]] - digest = "1:7365acd48986e205ccb8652cc746f09c8b7876030d53710ea6ef7d0bd0dcd7ca" - name = "github.com/pkg/errors" - packages = ["."] - pruneopts = "" - revision = "645ef00459ed84a119197bfb8d8205042c6df63d" - version = "v0.8.0" - -[[projects]] - digest = "1:256484dbbcd271f9ecebc6795b2df8cad4c458dd0f5fd82a8c2fa0c29f233411" - name = "github.com/pmezard/go-difflib" - packages = ["difflib"] - pruneopts = "" - revision = "792786c7400a136282c1664665ae0a8db921c6c2" - version = "v1.0.0" - -[[projects]] - digest = "1:29df111893b87bd947307aab294c042e900c2f29c53ad3896127955b4283728a" - name = "github.com/ryanuber/go-glob" - packages = ["."] - pruneopts = "" - revision = "572520ed46dbddaed19ea3d9541bdd0494163693" - version = "v0.1" - -[[projects]] - digest = "1:3926a4ec9a4ff1a072458451aa2d9b98acd059a45b38f7335d31e06c3d6a0159" - name = "github.com/stretchr/testify" - packages = ["assert"] - pruneopts = "" - revision = "69483b4bd14f5845b5a1e55bca19e954e827f1d0" - version = "v1.1.4" - -[[projects]] - branch = "master" - digest = "1:ee71b3559000aca2562869f53fe762743e84bf4f0993240d4c2e37f9122a032b" - name = "golang.org/x/crypto" - packages = [ - "blake2b", - "chacha20poly1305", - "cryptobyte", - "cryptobyte/asn1", - "curve25519", - "ed25519", - "ed25519/internal/edwards25519", - "hkdf", - "internal/chacha20", - "internal/subtle", - "poly1305", - "ssh", - ] - pruneopts = "" - revision = "193df9c0f06f8bb35fba505183eaf0acc0136505" - -[[projects]] - branch = "master" - digest = "1:e3fd71c3687fb1d263e491fc3bd9013858aeb30a6393fc9b77cbbdc37d0f9727" - name = "golang.org/x/net" - packages = [ - "context", - "http2", - "http2/hpack", - "idna", - "internal/timeseries", - "lex/httplex", - "trace", - ] - pruneopts = "" - revision = "c73622c77280266305273cb545f54516ced95b93" - -[[projects]] - branch = "master" - digest = "1:489610147902fe0c7229218c749bb25a8a9ecce0d726ae4f8662517319f32554" - name = "golang.org/x/sys" - packages = [ - "cpu", - "unix", - ] - pruneopts = "" - revision = 
"41f3e6584952bb034a481797859f6ab34b6803bd" - -[[projects]] - branch = "master" - digest = "1:bf8bd584b40670bc7e4a50bde42e87ede902ab048c84b2d1710aab4d76dac7a1" - name = "golang.org/x/text" - packages = [ - "collate", - "collate/build", - "internal/colltab", - "internal/gen", - "internal/tag", - "internal/triegen", - "internal/ucd", - "language", - "secure/bidirule", - "transform", - "unicode/bidi", - "unicode/cldr", - "unicode/norm", - "unicode/rangetable", - ] - pruneopts = "" - revision = "6eab0e8f74e86c598ec3b6fad4888e0c11482d48" - -[[projects]] - branch = "master" - digest = "1:14cb1d4240bcbbf1386ae763957e04e2765ec4e4ce7bb2769d05fa6faccd774e" - name = "golang.org/x/time" - packages = ["rate"] - pruneopts = "" - revision = "85acf8d2951cb2a3bde7632f9ff273ef0379bcbd" - -[[projects]] - branch = "master" - digest = "1:180913ea45cbe0072abce387a686b929908f8213106a735fe1d1273ae5239648" - name = "google.golang.org/genproto" - packages = ["googleapis/rpc/status"] - pruneopts = "" - revision = "f676e0f3ac6395ff1a529ae59a6670878a8371a6" - -[[projects]] - digest = "1:39d4d828b87d58d114fdc211f0638f32dcae84019fe17d6b48f9b697f4b60213" - name = "google.golang.org/grpc" - packages = [ - ".", - "balancer", - "balancer/base", - "balancer/roundrobin", - "binarylog/grpc_binarylog_v1", - "codes", - "connectivity", - "credentials", - "credentials/internal", - "encoding", - "encoding/proto", - "grpclog", - "health", - "health/grpc_health_v1", - "internal", - "internal/backoff", - "internal/binarylog", - "internal/channelz", - "internal/envconfig", - "internal/grpcrand", - "internal/grpcsync", - "internal/syscall", - "internal/transport", - "keepalive", - "metadata", - "naming", - "peer", - "resolver", - "resolver/dns", - "resolver/passthrough", - "stats", - "status", - "tap", - ] - pruneopts = "" - revision = "a02b0774206b209466313a0b525d2c738fe407eb" - version = "v1.18.0" - -[[projects]] - branch = "v2" - digest = "1:81314a486195626940617e43740b4fa073f265b0715c9f54ce2027fee1cb5f61" - 
name = "gopkg.in/yaml.v2" - packages = ["."] - pruneopts = "" - revision = "eb3733d160e74a9c7e442f435eb3bea458e1d19f" - -[solve-meta] - analyzer-name = "dep" - analyzer-version = 1 - input-imports = [ - "github.com/burntsushi/toml", - "github.com/hashicorp/consul/api", - "github.com/hashicorp/consul/testutil", - "github.com/hashicorp/go-gatedio", - "github.com/hashicorp/go-hclog", - "github.com/hashicorp/go-multierror", - "github.com/hashicorp/go-rootcerts", - "github.com/hashicorp/go-syslog", - "github.com/hashicorp/hcl", - "github.com/hashicorp/logutils", - "github.com/hashicorp/vault-plugin-secrets-kv", - "github.com/hashicorp/vault/api", - "github.com/hashicorp/vault/builtin/logical/pki", - "github.com/hashicorp/vault/builtin/logical/transit", - "github.com/hashicorp/vault/helper/namespace", - "github.com/hashicorp/vault/http", - "github.com/hashicorp/vault/logical", - "github.com/hashicorp/vault/physical/inmem", - "github.com/hashicorp/vault/vault", - "github.com/mattn/go-shellwords", - "github.com/mitchellh/go-homedir", - "github.com/mitchellh/hashstructure", - "github.com/mitchellh/mapstructure", - "github.com/pkg/errors", - "github.com/stretchr/testify/assert", - "gopkg.in/yaml.v2", - ] - solver-name = "gps-cdcl" - solver-version = 1 diff --git a/vendor/github.com/hashicorp/consul-template/Gopkg.toml b/vendor/github.com/hashicorp/consul-template/Gopkg.toml deleted file mode 100644 index 8ebdd4f5bd93..000000000000 --- a/vendor/github.com/hashicorp/consul-template/Gopkg.toml +++ /dev/null 
@@ -1,64 +0,0 @@
-
-[[constraint]]
- name = "github.com/burntsushi/toml"
- version = "0.3.0"
-
-[[constraint]]
- name = "github.com/hashicorp/consul"
- branch = "master"
-
-[[constraint]]
- branch = "master"
- name = "github.com/hashicorp/go-gatedio"
-
-[[constraint]]
- branch = "master"
- name = "github.com/hashicorp/go-multierror"
-
-[[constraint]]
- branch = "master"
- name = "github.com/hashicorp/go-rootcerts"
-
-[[constraint]]
- branch = "master"
- name = "github.com/hashicorp/go-syslog"
-
-[[constraint]]
- branch = "master"
- name = "github.com/hashicorp/hcl"
-
-[[constraint]]
- branch = "master"
- name = "github.com/hashicorp/logutils"
-
-[[constraint]]
- branch = "master"
- name = "github.com/hashicorp/vault"
-
-[[constraint]]
- name = "github.com/mattn/go-shellwords"
- version = "1.0.3"
-
-[[constraint]]
- name = "github.com/mgutz/logxi"
- version = "1.0.0"
-
-[[constraint]]
- branch = "master"
- name = "github.com/mitchellh/go-homedir"
-
-[[constraint]]
- branch = "master"
- name = "github.com/mitchellh/mapstructure"
-
-[[constraint]]
- name = "github.com/pkg/errors"
- version = "0.8.0"
-
-[[constraint]]
- name = "github.com/stretchr/testify"
- version = "1.1.4"
-
-[[constraint]]
- branch = "v2"
- name = "gopkg.in/yaml.v2"
diff --git a/vendor/github.com/hashicorp/consul-template/Makefile b/vendor/github.com/hashicorp/consul-template/Makefile
index 76b06b57eac3..0d5e40b508e6 100644
--- a/vendor/github.com/hashicorp/consul-template/Makefile
+++ b/vendor/github.com/hashicorp/consul-template/Makefile
@@ -14,14 +14,12 @@ GOTAGS ?= GOMAXPROCS ?= 4 # Get the project metadata -GOVERSION := 1.12.5 -PROJECT := $(CURRENT_DIR:$(GOPATH)/src/%=%) -OWNER := $(notdir $(patsubst %/,%,$(dir $(PROJECT)))) +GO_DOCKER_VERSION ?= 1.12 +PROJECT := $(shell go list -m -mod=vendor) +OWNER := "hashicorp" NAME := $(notdir $(PROJECT)) GIT_COMMIT ?= $(shell git rev-parse --short HEAD) VERSION := $(shell awk -F\" '/Version/ { print $$2; exit }' "${CURRENT_DIR}/version/version.go") -EXTERNAL_TOOLS = \ - github.com/golang/dep/cmd/dep # Current system information GOOS ?= $(shell go env GOOS) @@ -45,9 +43,6 @@ LD_FLAGS ?= \ # List of Docker targets to build DOCKER_TARGETS ?= alpine light scratch -# List of tests to run -TEST ?= ./... - # Create a cross-compile target for every os-arch pairing. This will generate # a make target for each os/arch like "make linux/amd64" as well as generate a # meta target (build) for compiling everything. @@ -85,24 +80,11 @@ pristine: --rm \ --dns="8.8.8.8" \ --volume="${CURRENT_DIR}:/go/src/${PROJECT}" \ + --volume="${GOPATH}/pkg/mod:/go/pkg/mod" \ --workdir="/go/src/${PROJECT}" \ - "golang:${GOVERSION}" env GOCACHE=/tmp make -j4 build - -# bootstrap installs the necessary go tools for development or build. -bootstrap: - @echo "==> Bootstrapping ${PROJECT}" - @for t in ${EXTERNAL_TOOLS}; do \ - echo "--> Installing $$t" ; \ - go get -u "$$t"; \ - done -.PHONY: bootstrap - -# deps updates all dependencies for this project. -deps: - @echo "==> Updating deps for ${PROJECT}" - @dep ensure -update - @dep prune -.PHONY: deps + --env=CGO_ENABLED="0" \ + --env=GO111MODULE=on \ + "golang:${GO_DOCKER_VERSION}" env GOCACHE=/tmp make -j4 build # dev builds and installs the project locally. dev: @@ -141,6 +123,7 @@ endif define make-docker-target docker-build/$1: @echo "==> Building ${1} Docker container for ${PROJECT}" + @go mod vendor @docker build \ --rm \ --force-rm \ 
@@ -149,10 +132,12 @@ define make-docker-target --file="docker/${1}/Dockerfile" \ --build-arg="LD_FLAGS=${LD_FLAGS}" \ --build-arg="GOTAGS=${GOTAGS}" \ + --build-arg="GOVERSION=${GO_DOCKER_VERSION}" \ $(if $(filter $1,scratch),--tag="${OWNER}/${NAME}",) \ --tag="${OWNER}/${NAME}:${1}" \ --tag="${OWNER}/${NAME}:${VERSION}-${1}" \ "${CURRENT_DIR}" + @rm -rf "${CURRENT_DIR}/vendor/" .PHONY: docker-build/$1 docker-build:: docker-build/$1 @@ -173,7 +158,7 @@ $(foreach target,$(DOCKER_TARGETS),$(eval $(call make-docker-target,$(target)))) # test runs the test suite. test: @echo "==> Testing ${NAME}" - @go test -timeout=30s -parallel=20 -failfast -tags="${GOTAGS}" ./... ${TESTARGS} + @go test -count=1 -timeout=30s -parallel=20 -failfast -tags="${GOTAGS}" ./... ${TESTARGS} .PHONY: test # test-race runs the test suite. diff --git a/vendor/github.com/hashicorp/consul-template/README.md b/vendor/github.com/hashicorp/consul-template/README.md index 8b6919d422c8..fb8f34dab9b4 100644 --- a/vendor/github.com/hashicorp/consul-template/README.md +++ b/vendor/github.com/hashicorp/consul-template/README.md @@ -279,7 +279,7 @@ vault { # Template having a stale credential. # # Note: If you set this to a value that is higher than your default TTL or - # max TTL, Consul Template will always read a new secret! + # max TTL (as set in vault), Consul Template will always read a new secret! # # This should also be less than or around 1/3 of your TTL for a predictable # behaviour. See https://github.com/hashicorp/vault/issues/3414 
@@ -302,7 +302,8 @@ vault { # This tells Consul Template to load the Vault token from the contents of a file. # If this field is specified: - # - Consul Template will not try to renew the Vault token. + # - by default Consul Template will not try to renew the Vault token, if you want it + # to renew you will nee dto specify renew_token = true as below. # - Consul Template will periodically stat the file and update the token if it has # changed. # vault_agent_token_file = "/tmp/vault/agent/token" @@ -494,6 +495,15 @@ template { left_delimiter = "{{" right_delimiter = "}}" + # These are functions that are not permitted in the template. If a template + # includes one of these functions, it will exit with an error. + function_blacklist = [] + + # If a sandbox path is provided, any path provided to the `file` function is + # checked that it falls within the sandbox path. Relative paths that try to + # traverse outside the sandbox path will exit with an error. + sandbox_path = "" + # This is the `minimum(:maximum)` to wait before rendering a new template to # disk and triggering a command, separated by a colon (`:`). If the optional # maximum value is omitted, it is assumed to be 4x the required minimum value. @@ -825,7 +835,7 @@ To access a versioned secret value (for the K/V version 2 backend): When omitting the `?version` parameter, the latest version of the secret will be fetched. Note the nested `.Data.data` syntax when referencing the secret value. -For more information about using the K/V v2 backend, see the +For more information about using the K/V v2 backend, see the [Vault Documentation](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html). When using Vault versions 0.10.0/0.10.1, the secret path will have to be prefixed 
@@ -1494,8 +1504,8 @@ plugin. {{ plugin "my-plugin" }} ``` -The plugin can take an arbitrary number of string arguments, and can be the -target of a pipeline that produces strings as well. This is most commonly +The plugin can take an arbitrary number of string arguments, and can be the +target of a pipeline that produces strings as well. This is most commonly combined with a JSON filter for customization: ```liquid @@ -1798,7 +1808,7 @@ $ NAME [INPUT...] that is found on the `PATH`. - `INPUT` - input from the template. There will be one INPUT for every argument passed - to the `plugin` function. If the arguments contain whitespace, that whitespace + to the `plugin` function. If the arguments contain whitespace, that whitespace will be passed as if the argument were quoted by the shell. #### Important Notes @@ -2227,7 +2237,7 @@ following to generate all binaries: $ make build ``` -If you want to run the tests, first [install consul locally](https://www.consul.io/docs/install/index.html), then: +If you want to run the tests, first install [consul](https://www.consul.io/docs/install/index.html) and [vault](https://www.vaultproject.io/docs/install/) locally, then: ```shell $ make test diff --git a/vendor/github.com/hashicorp/consul-template/config/template.go b/vendor/github.com/hashicorp/consul-template/config/template.go index 63eb99c5f7d1..4f69bfb6033f 100644 --- a/vendor/github.com/hashicorp/consul-template/config/template.go +++ b/vendor/github.com/hashicorp/consul-template/config/template.go 
@@ -75,6 +75,15 @@ type TemplateConfig struct { // delimiter is utilized when parsing the template. LeftDelim *string `mapstructure:"left_delimiter"` RightDelim *string `mapstructure:"right_delimiter"` + + // FunctionBlacklist is a list of functions that this template is not + // permitted to run. + FunctionBlacklist []string `mapstructure:"function_blacklist"` + + // SandboxPath adds a prefix to any path provided to the `file` function + // and causes an error if a relative path tries to traverse outside that + // prefix. + SandboxPath *string `mapstructure:"sandbox_path"` } // DefaultTemplateConfig returns a configuration that is populated with the @@ -123,6 +132,11 @@ func (c *TemplateConfig) Copy() *TemplateConfig { o.LeftDelim = c.LeftDelim o.RightDelim = c.RightDelim + for _, fun := range c.FunctionBlacklist { + o.FunctionBlacklist = append(o.FunctionBlacklist, fun) + } + o.SandboxPath = c.SandboxPath + return &o } @@ -196,6 +210,13 @@ func (c *TemplateConfig) Merge(o *TemplateConfig) *TemplateConfig { r.RightDelim = o.RightDelim } + for _, fun := range o.FunctionBlacklist { + r.FunctionBlacklist = append(r.FunctionBlacklist, fun) + } + if o.SandboxPath != nil { + r.SandboxPath = o.SandboxPath + } + return r } @@ -263,6 +284,10 @@ func (c *TemplateConfig) Finalize() { if c.RightDelim == nil { c.RightDelim = String("") } + + if c.SandboxPath == nil { + c.SandboxPath = String("") + } } // GoString defines the printable version of this struct. @@ -285,6 +310,8 @@ func (c *TemplateConfig) GoString() string { "Wait:%#v, "+ "LeftDelim:%s, "+ "RightDelim:%s"+ + "FunctionBlacklist:%s"+ + "SandboxPath:%s"+ "}", BoolGoString(c.Backup), StringGoString(c.Command), @@ -299,6 +326,8 @@ func (c *TemplateConfig) GoString() string { c.Wait, StringGoString(c.LeftDelim), StringGoString(c.RightDelim), + c.FunctionBlacklist, + StringGoString(c.SandboxPath), ) } 
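Review bot: The doc comment on `SandboxPath` in the `TemplateConfig` struct says the value is added as a prefix to paths given to `file`, while the README text added in this same commit says the path is checked to fall within the sandbox; those are different contracts, and the field comment should state the one the implementation in template/funcs.go actually enforces. The comment should also say what the empty string means, since `Finalize` turns a nil value into `""`, and whether symbolic links inside the sandbox are resolved before the check, which cannot be told from this hunk. A wording such as `// SandboxPath, when non-empty, confines the file function to this directory; the empty string leaves file unrestricted.` would do once confirmed. The struct continues outside the hunk.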
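Review bot: In `Merge` the two new settings combine differently and nothing documents it: `FunctionBlacklist` entries from `o` are appended, so the list only grows (and repeats entries present in both configs), whereas a non-nil `o.SandboxPath` replaces the base value, which would include an explicit empty string. For settings whose purpose is to restrict templates, that asymmetry deserves a comment, e.g. `// FunctionBlacklist is additive; SandboxPath from o replaces c's whenever o sets it, including "".` The loop can be written as `r.FunctionBlacklist = append(r.FunctionBlacklist, o.FunctionBlacklist...)`, and the same applies to the loop added to `Copy` in the hunk at -123. `Merge` starts outside the hunk.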
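Review bot: The format string in `GoString` has lost its separators: `"RightDelim:%s"+` is now followed directly by `"FunctionBlacklist:%s"+` and `"SandboxPath:%s"+`, so the three fields are printed run together with no `, ` between them. The lines should read `"RightDelim:%s, "+` and `"FunctionBlacklist:%s, "+`, with `"SandboxPath:%s"+` staying last before the closing brace. The matching arguments are added in the following hunk at -299, and `GoString` starts outside this hunk.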
diff --git a/vendor/github.com/hashicorp/consul-template/config/vault.go b/vendor/github.com/hashicorp/consul-template/config/vault.go index e25e776154e3..0ba4cce73a65 100644 --- a/vendor/github.com/hashicorp/consul-template/config/vault.go +++ b/vendor/github.com/hashicorp/consul-template/config/vault.go @@ -8,6 +8,10 @@ import ( ) const ( + // XXX Change use to api.EnvVaultSkipVerify once we've updated vendored + // vault to version 1.1.0 or newer. + EnvVaultSkipVerify = "VAULT_SKIP_VERIFY" + // DefaultVaultGrace is the default grace period before which to read a new // secret from Vault. If a lease is due to expire in 15 seconds, Consul // Template will read a new secret at that time minus this value. @@ -209,9 +213,13 @@ func (c *VaultConfig) Finalize() { } if c.RenewToken == nil { + default_renew := DefaultVaultRenewToken + if c.VaultAgentTokenFile != nil { + default_renew = false + } c.RenewToken = boolFromEnv([]string{ "VAULT_RENEW_TOKEN", - }, DefaultVaultRenewToken) + }, default_renew) } if c.Retry == nil { @@ -242,7 +250,8 @@ func (c *VaultConfig) Finalize() { c.SSL.ServerName = stringFromEnv([]string{api.EnvVaultTLSServerName}, "") } if c.SSL.Verify == nil { - c.SSL.Verify = antiboolFromEnv([]string{api.EnvVaultInsecure}, true) + c.SSL.Verify = antiboolFromEnv([]string{ + EnvVaultSkipVerify, api.EnvVaultInsecure}, true) } c.SSL.Finalize() @@ -256,9 +265,16 @@ func (c *VaultConfig) Finalize() { }, "") } - if c.VaultAgentTokenFile != nil { + if c.VaultAgentTokenFile == nil { + if StringVal(c.Token) == "" { + if homePath != "" { + c.Token = stringFromFile([]string{ + homePath + "/.vault-token", + }, "") + } + } + } else { c.Token = stringFromFile([]string{*c.VaultAgentTokenFile}, "") - c.RenewToken = Bool(false) } if c.Transport == nil { diff --git a/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go b/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go index 4f0e21b72116..eae6fc916746 100644 
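Review bot: The `c.SSL.Verify` default in `Finalize` can now be switched off by `VAULT_SKIP_VERIFY` as well as `api.EnvVaultInsecure`, and nothing in the hunk records that certificate verification for the Vault connection was disabled by the environment. A warning inside the `if c.SSL.Verify == nil` block would make that visible to operators, for example `if !BoolVal(c.SSL.Verify) { log.Printf("[WARN] (config) vault: TLS verification disabled via environment") }`, assuming a logger is already imported in this file. How `antiboolFromEnv` orders the two names and treats an unparsable value is not shown here and should be pinned by a test. `Finalize` starts and ends outside the hunk.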
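Review bot: The new fallback in `Finalize` reads `homePath + "/.vault-token"` whenever neither a token nor an agent token file is configured, so the process silently adopts whatever Vault token sits in the home directory of the account it runs as. For a library embedded in long-running agents that should be observable, for instance a debug log line when the token comes from that file, and the path should be built with `filepath.Join(homePath, ".vault-token")` rather than string concatenation. The three nested conditions can also collapse to `if StringVal(c.Token) == "" && homePath != "" {`. Where `homePath` is set lies outside the hunk.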
--- a/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go +++ b/vendor/github.com/hashicorp/consul-template/dependency/vault_read.go @@ -147,10 +147,10 @@ func (d *VaultReadQuery) readSecret(clients *ClientSet, opts *QueryOptions) (*ap if d.isKVv2 == nil { mountPath, isKVv2, err := isKVv2(vaultClient, d.rawPath) if err != nil { - return nil, errors.Wrap(err, d.String()) - } - - if isKVv2 { + log.Printf("[WARN] %s: failed to check if %s is KVv2, assume not: %s", d, d.rawPath, err) + isKVv2 = false + d.secretPath = d.rawPath + } else if isKVv2 { d.secretPath = addPrefixToVKVPath(d.rawPath, mountPath, "data") } else { d.secretPath = d.rawPath diff --git a/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go b/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go index 4970301d5cdd..22aad3aa2421 100644 --- a/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go +++ b/vendor/github.com/hashicorp/consul-template/dependency/vault_write.go @@ -173,7 +173,9 @@ func (d *VaultWriteQuery) writeSecret(clients *ClientSet, opts *QueryOptions) (* return nil, errors.Wrap(err, d.String()) } if vaultSecret == nil { - return nil, fmt.Errorf("no secret exists at %s", d.path) + if _, isv2, _ := isKVv2(clients.Vault(), d.path); isv2 { + return nil, fmt.Errorf("no secret exists at %s", d.path) + } } return vaultSecret, nil diff --git a/vendor/github.com/hashicorp/consul-template/go.mod b/vendor/github.com/hashicorp/consul-template/go.mod new file mode 100644 index 000000000000..4698887d37de --- /dev/null +++ b/vendor/github.com/hashicorp/consul-template/go.mod 
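Review bot: In `readSecret` a failed `isKVv2` lookup is now treated as "not KV v2", and the decision is made inside the `if d.isKVv2 == nil` guard, so if the code after the hunk stores that value (not visible here) a transient or permission error on the first read pins the query to the unprefixed path for its lifetime. Reads against a v2 mount would then keep missing the secret with only a single `[WARN]` line to explain it. Consider leaving `d.isKVv2` unset when the lookup errors so the next poll retries the detection, and documenting the fallback in a comment above the branch. The function starts and ends outside the hunk.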
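Review bot: In `writeSecret` the error from `isKVv2(clients.Vault(), d.path)` is discarded with `_`, so when the mount check itself fails the function falls through to `return vaultSecret, nil` with a nil secret and no error. Callers then cannot tell a write that legitimately returned no body from a failure to determine the backend type. Keep the error, e.g. `_, isv2, err := isKVv2(clients.Vault(), d.path)` followed by a log line or a return on `err != nil`, and add a comment that a nil secret is an accepted result for non-v2 backends. The function starts outside the hunk.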
@@ -0,0 +1,42 @@
+module github.com/hashicorp/consul-template
+
+go 1.12
+
+require (
+ github.com/BurntSushi/toml v0.3.1
+ github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878 // indirect
+ github.com/frankban/quicktest v1.4.0 // indirect
+ github.com/google/btree v1.0.0 // indirect
+ github.com/hashicorp/consul/api v1.1.0
+ github.com/hashicorp/consul/sdk v0.1.1
+ github.com/hashicorp/go-gatedio v0.5.0
+ github.com/hashicorp/go-immutable-radix v1.1.0 // indirect
+ github.com/hashicorp/go-msgpack v0.5.5 // indirect
+ github.com/hashicorp/go-multierror v1.0.0
+ github.com/hashicorp/go-rootcerts v1.0.1
+ github.com/hashicorp/go-syslog v1.0.0
+ github.com/hashicorp/golang-lru v0.5.3 // indirect
+ github.com/hashicorp/hcl v1.0.0
+ github.com/hashicorp/logutils v1.0.0
+ github.com/hashicorp/memberlist v0.1.4 // indirect
+ github.com/hashicorp/serf v0.8.3 // indirect
+ github.com/hashicorp/vault/api v1.0.5-0.20190730042357-746c0b111519
+ github.com/mattn/go-shellwords v1.0.5
+ github.com/miekg/dns v1.1.15 // indirect
+ github.com/mitchellh/go-homedir v1.1.0
+ github.com/mitchellh/hashstructure v1.0.0
+ github.com/mitchellh/mapstructure v1.1.2
+ github.com/pierrec/lz4 v2.2.5+incompatible // indirect
+ github.com/pkg/errors v0.8.1
+ github.com/stretchr/testify v1.3.0
+ golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 // indirect
+ golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 // indirect
+ golang.org/x/sys v0.0.0-20190730183949-1393eb018365 // indirect
+ golang.org/x/text v0.3.2 // indirect
+ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
+ gopkg.in/yaml.v2 v2.2.2
+)
+
+replace github.com/golang/lint => golang.org/x/lint v0.0.0-20190409202823-959b441ac422
+
+replace sourcegraph.com/sourcegraph/go-diff => github.com/sourcegraph/go-diff v0.5.1
diff --git a/vendor/github.com/hashicorp/consul-template/go.sum b/vendor/github.com/hashicorp/consul-template/go.sum
new file mode 100644
index 000000000000..4fd78bc91c9f
--- /dev/null
+++ b/vendor/github.com/hashicorp/consul-template/go.sum 
@@ -0,0 +1,228 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da h1:8GUt8eRujhVEGZFFEjBj46YV4rDjvGrNxb0KMWYkL2I= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878 h1:EFSB7Zo9Eg91v7MJPVsifUysc/wPdN+NOnVe6bWbdBM= +github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310 h1:BUAU3CGlLvorLI26FmByPp2eC2qla6E1Tw+scpcg/to= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= +github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fatih/color 
v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/frankban/quicktest v1.4.0 h1:rCSCih1FnSWJEel/eub9wclBSqpF2F/PuvxUWGWnbO8= +github.com/frankban/quicktest v1.4.0/go.mod h1:36zfPVQyHxymz4cH7wlDmVwDrJuljRB60qkgn7rorfQ= +github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc= +github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4= +github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c h1:964Od4U6p2jUkFxvCydnIczKteheJEzHRToSGK3Bnlw= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/hashicorp/consul v1.5.3 h1:EmTWRf/cuqZk6Ug9tgFUVE9xNgJPpmBvJwJMvm+agSk= +github.com/hashicorp/consul/api v1.1.0 h1:BNQPM9ytxj6jbjjdRPioQ94T6YXriSopn0i8COv6SRA= +github.com/hashicorp/consul/api v1.1.0/go.mod 
h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/sdk v0.1.1 h1:LnuDWGNsoajlhGyHJvuWW6FVqRl8JOTPqS6CPTsYjhY= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-gatedio v0.5.0 h1:Jm1X5yP4yCqqWj5L1TgW7iZwCVPGtVc+mro5r/XX7Tg= +github.com/hashicorp/go-gatedio v0.5.0/go.mod h1:Lr3t8L6IyxD3DAeaUxGcgl2JnRUpWMCsmBl4Omu/2t4= +github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI= +github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-immutable-radix v1.0.0 h1:AKDB1HM5PWEA7i4nhcpwOrO2byshxBjXVn/J/3+z5/0= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix v1.1.0 h1:vN9wG1D6KG6YHRTWr8512cxGOVgTMEfgEdSj/hr8MPc= +github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-msgpack v0.5.5 h1:i9R9JSrqIz0QVLz3sz+i3YJdT7TTSLcfLLzJi9aZTuI= +github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-plugin v1.0.1/go.mod 
h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-retryablehttp v0.5.4 h1:1BZvpawXoJCWX6pNtow9+rpEj+3itIlutiqnntI6jOE= +github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-rootcerts v1.0.1 h1:DMo4fmknnz0E0evoNYnV48RjWndOsmd6OW+09R3cEP8= +github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-syslog v1.0.0 h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1BE= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3 h1:YPkqC67at8FYaadspW/6uE0COsBxS2656RLEr8Bppgk= +github.com/hashicorp/golang-lru v0.5.3/go.mod 
h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/memberlist v0.1.4 h1:gkyML/r71w3FL8gUi74Vk76avkj/9lYAY9lvg0OcoGs= +github.com/hashicorp/memberlist v0.1.4/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/serf v0.8.3 h1:MWYcmct5EtKz0efYooPcL0yNkem+7kWxqXDi/UIh+8k= +github.com/hashicorp/serf v0.8.3/go.mod h1:UpNcs7fFbpKIyZaUuSW6EPiH+eZC7OuyFD+wc1oal+k= +github.com/hashicorp/vault/api v1.0.5-0.20190730042357-746c0b111519 h1:2qdbEUXjHohC+OYHtVU5lujvPAHPKYR4IMs9rsiUTk8= +github.com/hashicorp/vault/api v1.0.5-0.20190730042357-746c0b111519/go.mod h1:i9PKqwFko/s/aihU1uuHGh/FaQS+Xcgvd9dvnfAvQb0= +github.com/hashicorp/vault/sdk v0.1.14-0.20190730042320-0dc007d98cc8 h1:fLUoZ8cI/pqlVCk09r88cVoY7ggKEl1A4e6Mujr3RvU= +github.com/hashicorp/vault/sdk v0.1.14-0.20190730042320-0dc007d98cc8/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M= +github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-shellwords v1.0.5 h1:JhhFTIOslh5ZsPrpa3Wdg8bF0WI3b44EMblmU9wIsXc= +github.com/mattn/go-shellwords v1.0.5/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/miekg/dns v1.0.14 h1:9jZdLNd/P4+SfEJ0TNyxYpsK8N4GtfylBLqtbYN1sbA= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI= +github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-testing-interface v1.0.0 h1:fzU/JVNcaqHQEcVFAKeR41fkiLdIPrefOvVG1VZ96U0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/hashstructure v1.0.0 
h1:ZkRJX1CyOoTkar7p/mLS5TZU4nJ1Rn/F8u9dGS02Q3Y= +github.com/mitchellh/hashstructure v1.0.0/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pierrec/lz4 v2.0.5+incompatible h1:2xWsjqPFWcplujydGg4WmhC/6fZqK42wMM8aXeqhl0I= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pierrec/lz4 v2.2.5+incompatible h1:xOYu2+sKj87pJz7V+I7260354UlcRyAZUGhMCToTzVw= +github.com/pierrec/lz4 v2.2.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= +github.com/prometheus/client_model 
v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint 
v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 h1:Ao/3l156eZf2AW5wK8a7/smtodRU+gha3+BeqJ69lRk= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 
h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190730183949-1393eb018365 h1:SaXEMXhWzMJThc05vu6uh61Q245r4KaWMrsTedk0FDc= +golang.org/x/sys v0.0.0-20190730183949-1393eb018365/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU= +golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod 
h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= +gopkg.in/check.v1 
v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4= +gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/vendor/github.com/hashicorp/consul-template/manager/dedup.go b/vendor/github.com/hashicorp/consul-template/manager/dedup.go index ae49e060e409..3f5f9a9503d0 100644 --- a/vendor/github.com/hashicorp/consul-template/manager/dedup.go +++ b/vendor/github.com/hashicorp/consul-template/manager/dedup.go @@ -36,9 +36,7 @@ var ( ) const ( - // templateDataFlag is added as a flag to the shared data values - // so that we can use it as a sanity check - templateDataFlag = 0x22b9a127a2c03520 + templateNoDataStr = "__NO_DATA__" ) // templateData is GOB encoded share the dependency values @@ -52,6 +50,10 @@ type templateData struct { Data map[string]interface{} } +func templateNoData() []byte { + return []byte(templateNoDataStr) +} + // DedupManager is used to de-duplicate which instance of Consul-Template // is handling each template. For each template, a lock path is determined // using the MD5 of the template. This path is used to elect a "leader" 
@@ -154,9 +156,10 @@ START: sessionCh := make(chan struct{}) ttl := fmt.Sprintf("%.6fs", float64(*d.config.TTL)/float64(time.Second)) se := &consulapi.SessionEntry{ - Name: "Consul-Template de-duplication", - Behavior: "delete", - TTL: ttl, + Name: "Consul-Template de-duplication", + Behavior: "delete", + TTL: ttl, + LockDelay: 1 * time.Millisecond, } id, _, err := session.Create(se, nil) if err != nil { @@ -257,7 +260,7 @@ func (d *DedupManager) UpdateDeps(t *template.Template, deps []dep.Dependency) e kvPair := consulapi.KVPair{ Key: dataPath, Value: buf.Bytes(), - Flags: templateDataFlag, + Flags: consulapi.LockFlagValue, } client := d.clients.Consul() if _, err := client.KV().Put(&kvPair, nil); err != nil { @@ -409,7 +412,7 @@ START: } // Parse the data file - if pair != nil && pair.Flags == templateDataFlag { + if pair != nil && pair.Flags == consulapi.LockFlagValue && !bytes.Equal(pair.Value, templateNoData()) { d.parseData(pair.Key, pair.Value) } goto START @@ -456,7 +459,8 @@ func (d *DedupManager) attemptLock(client *consulapi.Client, session string, ses log.Printf("[INFO] (dedup) attempting lock for template hash %s", t.ID()) basePath := path.Join(*d.config.Prefix, t.ID()) lopts := &consulapi.LockOptions{ - Key: path.Join(basePath, "lock"), + Key: path.Join(basePath, "data"), + Value: templateNoData(), Session: session, MonitorRetries: 3, MonitorRetryTime: 3 * time.Second, 
@@ -491,11 +495,17 @@ func (d *DedupManager) attemptLock(client *consulapi.Client, session string, ses case <-sessionCh: log.Printf("[INFO] (dedup) releasing session '%s'", lopts.Key) d.setLeader(t, nil) - lock.Unlock() + _, err = client.Session().Destroy(session, nil) + if err != nil { + log.Printf("[ERROR] (dedup) failed destroying session '%s', %s", session, err) + } return case <-d.stopCh: log.Printf("[INFO] (dedup) releasing lock '%s'", lopts.Key) - lock.Unlock() + _, err = client.Session().Destroy(session, nil) + if err != nil { + log.Printf("[ERROR] (dedup) failed destroying session '%s', %s", session, err) + } return } } diff --git a/vendor/github.com/hashicorp/consul-template/manager/runner.go b/vendor/github.com/hashicorp/consul-template/manager/runner.go index 0efb711610b9..496cb05e09d3 100644 --- a/vendor/github.com/hashicorp/consul-template/manager/runner.go +++ b/vendor/github.com/hashicorp/consul-template/manager/runner.go @@ -16,8 +16,8 @@ import ( "github.com/hashicorp/consul-template/renderer" "github.com/hashicorp/consul-template/template" "github.com/hashicorp/consul-template/watch" - "github.com/hashicorp/go-multierror" - "github.com/mattn/go-shellwords" + multierror "github.com/hashicorp/go-multierror" + shellwords "github.com/mattn/go-shellwords" "github.com/pkg/errors" ) 
@@ -221,31 +221,6 @@ func (r *Runner) Start() { } for { - // Enable quiescence for all templates if we have specified wait - // intervals. - NEXT_Q: - for _, t := range r.templates { - if _, ok := r.quiescenceMap[t.ID()]; ok { - continue NEXT_Q - } - - for _, c := range r.templateConfigsFor(t) { - if *c.Wait.Enabled { - log.Printf("[DEBUG] (runner) enabling template-specific quiescence for %q", t.ID()) - r.quiescenceMap[t.ID()] = newQuiescence( - r.quiescenceCh, *c.Wait.Min, *c.Wait.Max, t) - continue NEXT_Q - } - } - - if *r.config.Wait.Enabled { - log.Printf("[DEBUG] (runner) enabling global quiescence for %q", t.ID()) - r.quiescenceMap[t.ID()] = newQuiescence( - r.quiescenceCh, *r.config.Wait.Min, *r.config.Wait.Max, t) - continue NEXT_Q - } - } - // Warn the user if they are watching too many dependencies. if r.watcher.Size() > saneViewLimit { log.Printf("[WARN] (runner) watching %d dependencies - watching this "+ @@ -256,6 +231,32 @@ func (r *Runner) Start() { if r.allTemplatesRendered() { log.Printf("[DEBUG] (runner) all templates rendered") + // Enable quiescence for all templates if we have specified wait + // intervals. + NEXT_Q: + for _, t := range r.templates { + if _, ok := r.quiescenceMap[t.ID()]; ok { + continue NEXT_Q + } + + for _, c := range r.templateConfigsFor(t) { + if *c.Wait.Enabled { + log.Printf("[DEBUG] (runner) enabling template-specific "+ + "quiescence for %q", t.ID()) + r.quiescenceMap[t.ID()] = newQuiescence( + r.quiescenceCh, *c.Wait.Min, *c.Wait.Max, t) + continue NEXT_Q + } + } + + if *r.config.Wait.Enabled { + log.Printf("[DEBUG] (runner) enabling global quiescence for %q", + t.ID()) + r.quiescenceMap[t.ID()] = newQuiescence( + r.quiescenceCh, *r.config.Wait.Min, *r.config.Wait.Max, t) + continue NEXT_Q + } + } // If an exec command was given and a command is not currently running, // spawn the child process for supervision. 
@@ -850,11 +851,13 @@ func (r *Runner) init() error { // destinations. for _, ctmpl := range *r.config.Templates { tmpl, err := template.NewTemplate(&template.NewTemplateInput{ - Source: config.StringVal(ctmpl.Source), - Contents: config.StringVal(ctmpl.Contents), - ErrMissingKey: config.BoolVal(ctmpl.ErrMissingKey), - LeftDelim: config.StringVal(ctmpl.LeftDelim), - RightDelim: config.StringVal(ctmpl.RightDelim), + Source: config.StringVal(ctmpl.Source), + Contents: config.StringVal(ctmpl.Contents), + ErrMissingKey: config.BoolVal(ctmpl.ErrMissingKey), + LeftDelim: config.StringVal(ctmpl.LeftDelim), + RightDelim: config.StringVal(ctmpl.RightDelim), + FunctionBlacklist: ctmpl.FunctionBlacklist, + SandboxPath: config.StringVal(ctmpl.SandboxPath), }) if err != nil { return err @@ -938,14 +941,16 @@ func (r *Runner) templateConfigsFor(tmpl *template.Template) []*config.TemplateC // TemplateConfigMapping returns a mapping between the template ID and the set // of TemplateConfig represented by the template ID -func (r *Runner) TemplateConfigMapping() map[string][]config.TemplateConfig { - m := make(map[string][]config.TemplateConfig, len(r.ctemplatesMap)) +func (r *Runner) TemplateConfigMapping() map[string][]*config.TemplateConfig { + // this method is primarily used to support embedding consul-template + // in other applications (ex. Nomad) + m := make(map[string][]*config.TemplateConfig, len(r.ctemplatesMap)) for id, set := range r.ctemplatesMap { - ctmpls := make([]config.TemplateConfig, len(set)) + ctmpls := make([]*config.TemplateConfig, len(set)) m[id] = ctmpls for i, ctmpl := range set { - ctmpls[i] = *ctmpl + ctmpls[i] = ctmpl } } diff --git a/vendor/github.com/hashicorp/consul-template/template/funcs.go b/vendor/github.com/hashicorp/consul-template/template/funcs.go index c0048df016c3..2270f6fd290e 100644 --- a/vendor/github.com/hashicorp/consul-template/template/funcs.go +++ b/vendor/github.com/hashicorp/consul-template/template/funcs.go 
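Review bot: `TemplateConfigMapping` now stores `ctmpl` itself rather than `*ctmpl`, so it hands out the runner's own `*config.TemplateConfig` pointers and an embedding application that modifies a returned entry alters configuration objects the runner still holds, including the new `FunctionBlacklist` and `SandboxPath` settings. The doc comment should state the contract, for example `// The returned configs are shared with the Runner and must be treated as read-only.` The exported return type also changed from `map[string][]config.TemplateConfig`, so callers in the embedding repository have to be updated in the same change. The end of the function is outside the hunk.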
@@ -8,6 +8,7 @@ import ( "io/ioutil" "os" "os/exec" + "path/filepath" "reflect" "regexp" "strconv" @@ -15,7 +16,7 @@ import ( "text/template" "time" - "github.com/burntsushi/toml" + "github.com/BurntSushi/toml" dep "github.com/hashicorp/consul-template/dependency" "github.com/pkg/errors" yaml "gopkg.in/yaml.v2" @@ -98,12 +99,15 @@ func executeTemplateFunc(t *template.Template) func(string, ...interface{}) (str } // fileFunc returns or accumulates file dependencies. -func fileFunc(b *Brain, used, missing *dep.Set) func(string) (string, error) { +func fileFunc(b *Brain, used, missing *dep.Set, sandboxPath string) func(string) (string, error) { return func(s string) (string, error) { if len(s) == 0 { return "", nil } - + err := pathInSandbox(sandboxPath, s) + if err != nil { + return "", err + } d, err := dep.NewFileQuery(s) if err != nil { return "", err @@ -1156,3 +1160,27 @@ func modulo(b, a interface{}) (interface{}, error) { return nil, fmt.Errorf("modulo: unknown type for %q (%T)", av, a) } } + +// blacklisted always returns an error, to be used in place of blacklisted template functions +func blacklisted(...string) (string, error) { + return "", errors.New("function is disabled") +} + +// pathInSandbox returns an error if the provided path doesn't fall within the +// sandbox or if the file can't be evaluated (missing, invalid symlink, etc.) +func pathInSandbox(sandbox, path string) error { + if sandbox != "" { + s, err := filepath.EvalSymlinks(path) + if err != nil { + return err + } + s, err = filepath.Rel(sandbox, s) + if err != nil { + return err + } + if strings.HasPrefix(s, "..") { + return fmt.Errorf("'%s' is outside of sandbox", path) + } + } + return nil +} diff --git a/vendor/github.com/hashicorp/consul-template/template/template.go b/vendor/github.com/hashicorp/consul-template/template/template.go index 88150d46c45f..ff3f36f213de 100644 --- a/vendor/github.com/hashicorp/consul-template/template/template.go 
+++ b/vendor/github.com/hashicorp/consul-template/template/template.go @@ -45,6 +45,15 @@ type Template struct { // errMissingKey causes the template processing to exit immediately if a map // is indexed with a key that does not exist. errMissingKey bool + + // functionBlacklist are functions not permitted to be executed + // when we render this template + functionBlacklist []string + + // sandboxPath adds a prefix to any path provided to the `file` function + // and causes an error if a relative path tries to traverse outside that + // prefix. + sandboxPath string } // NewTemplateInput is used as input when creating the template. @@ -62,6 +71,15 @@ type NewTemplateInput struct { // LeftDelim and RightDelim are the template delimiters. LeftDelim string RightDelim string + + // FunctionBlacklist are functions not permitted to be executed + // when we render this template + FunctionBlacklist []string + + // SandboxPath adds a prefix to any path provided to the `file` function + // and causes an error if a relative path tries to traverse outside that + // prefix. + SandboxPath string } // NewTemplate creates and parses a new Consul Template template at the given @@ -86,6 +104,8 @@ func NewTemplate(i *NewTemplateInput) (*Template, error) { t.leftDelim = i.LeftDelim t.rightDelim = i.RightDelim t.errMissingKey = i.ErrMissingKey + t.functionBlacklist = i.FunctionBlacklist + t.sandboxPath = i.SandboxPath if i.Source != "" { contents, err := ioutil.ReadFile(i.Source) @@ -153,12 +173,15 @@ func (t *Template) Execute(i *ExecuteInput) (*ExecuteResult, error) { tmpl := template.New("") tmpl.Delims(t.leftDelim, t.rightDelim) + tmpl.Funcs(funcMap(&funcMapInput{ - t: tmpl, - brain: i.Brain, - env: i.Env, - used: &used, - missing: &missing, + t: tmpl, + brain: i.Brain, + env: i.Env, + used: &used, + missing: &missing, + functionBlacklist: t.functionBlacklist, + sandboxPath: t.sandboxPath, })) if t.errMissingKey { 
@@ -187,21 +210,23 @@ func (t *Template) Execute(i *ExecuteInput) (*ExecuteResult, error) { // funcMapInput is input to the funcMap, which builds the template functions. type funcMapInput struct { - t *template.Template - brain *Brain - env []string - used *dep.Set - missing *dep.Set + t *template.Template + brain *Brain + env []string + functionBlacklist []string + sandboxPath string + used *dep.Set + missing *dep.Set } // funcMap is the map of template functions to their respective functions. func funcMap(i *funcMapInput) template.FuncMap { var scratch Scratch - return template.FuncMap{ + r := template.FuncMap{ // API functions "datacenters": datacentersFunc(i.brain, i.used, i.missing), - "file": fileFunc(i.brain, i.used, i.missing), + "file": fileFunc(i.brain, i.used, i.missing, i.sandboxPath), "key": keyFunc(i.brain, i.used, i.missing), "keyExists": keyExistsFunc(i.brain, i.used, i.missing), "keyOrDefault": keyWithDefaultFunc(i.brain, i.used, i.missing), @@ -263,4 +288,12 @@ func funcMap(i *funcMapInput) template.FuncMap { "divide": divide, "modulo": modulo, } + + for _, bf := range i.functionBlacklist { + if _, ok := r[bf]; ok { + r[bf] = blacklisted + } + } + + return r } diff --git a/vendor/github.com/hashicorp/consul-template/version/version.go b/vendor/github.com/hashicorp/consul-template/version/version.go index 29721f5f366e..6e12bfc06dc6 100644 --- a/vendor/github.com/hashicorp/consul-template/version/version.go +++ b/vendor/github.com/hashicorp/consul-template/version/version.go @@ -2,7 +2,7 @@ package version import "fmt" -const Version = "0.20.1-dev" +const Version = "0.21.0" var ( Name string diff --git a/vendor/vendor.json b/vendor/vendor.json index 8e1c0a5bd0e3..68b09ed4ecc1 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json 
@@ -6,6 +6,7 @@ {"path":"github.com/Azure/azure-sdk-for-go/version","checksumSHA1":"FAw+h8wS2QiQEIVC3z/8R2q1bvY=","revision":"767429fcb996dad413936d682c28301e6739bade","revisionTime":"2018-05-01T22:35:11Z"}, {"path":"github.com/Azure/go-ansiterm","checksumSHA1":"9NFR6RG8H2fNyKHscGmuGLQhRm4=","revision":"d6e3b3328b783f23731bc4d058875b0371ff8109","revisionTime":"2017-09-29T23:40:23Z","version":"master","versionExact":"master"}, {"path":"github.com/Azure/go-ansiterm/winterm","checksumSHA1":"3/UphB+6Hbx5otA4PjFjvObT+L4=","revision":"d6e3b3328b783f23731bc4d058875b0371ff8109","revisionTime":"2017-09-29T23:40:23Z","version":"master","versionExact":"master"}, + {"path":"github.com/BurntSushi/toml","checksumSHA1":"Pc2ORQp+VY3Un/dkh4QwLC7R6lE=","revision":"3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005","revisionTime":"2018-08-15T10:47:33Z"}, {"path":"github.com/DataDog/datadog-go/statsd","checksumSHA1":"WvApwvvSe3i/3KO8300dyeFmkbI=","revision":"b10af4b12965a1ad08d164f57d14195b4140d8de","revisionTime":"2017-08-09T10:47:06Z"}, {"path":"github.com/LK4D4/joincontext","checksumSHA1":"Jmf4AnrptgBdQ5TPBJ2M89nooIQ=","revision":"1724345da6d5bcc8b66fefb843b607ab918e175c","revisionTime":"2017-10-26T17:01:39Z"}, {"path":"github.com/Microsoft/go-winio","checksumSHA1":"nEVw+80Junfo7iEY7ThP7Ci9Pyk=","origin":"github.com/endocrimes/go-winio","revision":"fb47a8b419480a700368c176bc1d5d7e3393b98d","revisionTime":"2019-06-20T17:03:19Z","version":"dani/safe-relisten","versionExact":"dani/safe-relisten"}, 
@@ -53,7 +54,6 @@ {"path":"github.com/bgentry/speakeasy","checksumSHA1":"7SbTaY0kaYxgQrG3/9cjrI+BcyU=","revision":"36e9cfdd690967f4f690c6edcc9ffacd006014a0"}, {"path":"github.com/bgentry/speakeasy/example","checksumSHA1":"twtRfb6484vfr2qqjiFkLThTjcQ=","revision":"36e9cfdd690967f4f690c6edcc9ffacd006014a0"}, {"path":"github.com/boltdb/bolt","checksumSHA1":"R1Q34Pfnt197F/nCOO9kG8c+Z90=","comment":"v1.2.0","revision":"2f1ce7a837dcb8da3ec595b1dac9d0632f0f99e8","revisionTime":"2017-07-17T17:11:48Z","version":"v1.3.1","versionExact":"v1.3.1"}, - {"path":"github.com/burntsushi/toml","checksumSHA1":"InIrfOI7Ys1QqZpCgTB4yW1G32M=","revision":"99064174e013895bbd9b025c31100bd1d9b590ca","revisionTime":"2016-07-17T15:07:09Z"}, {"path":"github.com/checkpoint-restore/go-criu/rpc","checksumSHA1":"k3xD77kpUpECrHCffQKb1nttiDM=","revision":"bdb7599cd87b22701b5c89b37940ea882a7d7dec","revisionTime":"2019-01-09T18:43:17Z"}, {"path":"github.com/circonus-labs/circonus-gometrics","checksumSHA1":"H4RhrnI0P34qLB9345G4r7CAwpU=","revision":"d6e3aea90ab9f90fe8456e13fc520f43d102da4d","revisionTime":"2019-01-28T15:50:09Z","version":"=v2","versionExact":"v2"}, {"path":"github.com/circonus-labs/circonus-gometrics/api","checksumSHA1":"xtzLG2UjYF1lnD33Wk+Nu/KOO6E=","revision":"d6e3aea90ab9f90fe8456e13fc520f43d102da4d","revisionTime":"2019-01-28T15:50:09Z","version":"=v2","versionExact":"v2"}, 
@@ -163,17 +163,17 @@ {"path":"github.com/gorilla/context","checksumSHA1":"g/V4qrXjUGG9B+e3hB+4NAYJ5Gs=","revision":"08b5f424b9271eedf6f9f0ce86cb9396ed337a42","revisionTime":"2016-08-17T18:46:32Z"}, {"path":"github.com/gorilla/mux","checksumSHA1":"STQSdSj2FcpCf0NLfdsKhNutQT0=","revision":"e48e440e4c92e3251d812f8ce7858944dfa3331c","revisionTime":"2018-08-07T07:52:56Z"}, {"path":"github.com/gorilla/websocket","checksumSHA1":"gr0edNJuVv4+olNNZl5ZmwLgscA=","revision":"0ec3d1bd7fe50c503d6df98ee649d81f4857c564","revisionTime":"2019-03-06T00:42:57Z"}, - {"path":"github.com/hashicorp/consul-template","checksumSHA1":"k5zZ8xCgta0EJ2sZWPEs1kAM5Vw=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/child","checksumSHA1":"AhDPiKa7wzh3SE6Gx0WrsDYwBHg=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/config","checksumSHA1":"BIIejfVMt8xA1bGtJswPpT+wwMA=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/dependency","checksumSHA1":"kMdbOWSNfm8Imce6y6cweX+EVNg=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/logging","checksumSHA1":"o5N7SV389Ej+3b1iRNmz1dx5e1M=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/manager","checksumSHA1":"9lrVI3BnWtC5Z2l/LXdK0e2yJjI=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/renderer","checksumSHA1":"DUHtghMoLyrgPhv4lexVniBuWYk=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - 
{"path":"github.com/hashicorp/consul-template/signals","checksumSHA1":"YSEUV/9/k85XciRKu0cngxdjZLE=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/template","checksumSHA1":"Y0Ws3O64np8sFDE/3vAx8lFUHxc=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/version","checksumSHA1":"85qK+LAbb/oAjvdDqVOLi4tMxZk=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, - {"path":"github.com/hashicorp/consul-template/watch","checksumSHA1":"cJxopvJKg7DBBb8tnDsfmBp5Q8I=","revision":"4058b146979c4feb0551d39b8795a31409b3e6bf","revisionTime":"2019-07-17T18:51:08Z"}, + {"path":"github.com/hashicorp/consul-template","checksumSHA1":"237KekVBW1eZohSDylZzT+/0NQI=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/child","checksumSHA1":"AhDPiKa7wzh3SE6Gx0WrsDYwBHg=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/config","checksumSHA1":"hjsBe5Qnn0DCttJkSNjy9mreW5Q=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/dependency","checksumSHA1":"S2ktxYTJRgmUE1GC5Bv+ZAmYWgE=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/logging","checksumSHA1":"o5N7SV389Ej+3b1iRNmz1dx5e1M=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/manager","checksumSHA1":"Ozv8RPN8d//DoFpwR2mQ/xMWhcs=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + 
{"path":"github.com/hashicorp/consul-template/renderer","checksumSHA1":"DUHtghMoLyrgPhv4lexVniBuWYk=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/signals","checksumSHA1":"YSEUV/9/k85XciRKu0cngxdjZLE=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/template","checksumSHA1":"mmM6LpEgkbLjobfgabon11mz40M=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/version","checksumSHA1":"eWyAvppME/4vsmaazcrf3oEbzGo=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, + {"path":"github.com/hashicorp/consul-template/watch","checksumSHA1":"cJxopvJKg7DBBb8tnDsfmBp5Q8I=","revision":"9e45d493d7fffa8a61dd315b714c39d1103da051","revisionTime":"2019-08-12T18:34:47Z"}, {"path":"github.com/hashicorp/consul/agent/consul/autopilot","checksumSHA1":"+I7fgoQlrnTUGW5krqNLadWwtjg=","revision":"fb848fc48818f58690db09d14640513aa6bf3c02","revisionTime":"2018-04-13T17:05:42Z"}, {"path":"github.com/hashicorp/consul/api","checksumSHA1":"7JPBtnIgLkdcJ0ldXMTEnVjNEjA=","revision":"40cec98468b829e5cdaacb0629b3e23a028db688","revisionTime":"2019-05-22T20:19:12Z"}, {"path":"github.com/hashicorp/consul/command/flags","checksumSHA1":"soNN4xaHTbeXFgNkZ7cX0gbFXQk=","revision":"fb848fc48818f58690db09d14640513aa6bf3c02","revisionTime":"2018-04-13T17:05:42Z"}, From af389da62e0f56778f69d403f6e4235934c9bce6 Mon Sep 17 00:00:00 2001 
From: Tim Gross Date: Fri, 2 Aug 2019 15:20:14 -0400 Subject: [PATCH 2/2] client/template: configuration for function blacklist and sandboxing When rendering a task template, the `plugin` function is no longer permitted by default and will raise an error. An operator can opt-in to permitting this function with the new `template.function_blacklist` field in the client configuration. When rendering a task template, path parameters for the `file` function will be treated as relative to the task directory by default. Relative paths or symlinks that point outside the task directory will raise an error. An operator can opt-out of this protection with the new `template.disable_file_sandbox` field in the client configuration. --- .../taskrunner/template/template.go | 14 +++--- .../taskrunner/template/template_test.go | 9 +++- client/config/config.go | 44 ++++++++++++------- command/agent/agent.go | 2 + command/agent/config.go | 29 ++++++++++++ command/agent/config_test.go | 8 ++++ .../source/docs/configuration/client.html.md | 17 +++++++ 7 files changed, 100 insertions(+), 23 deletions(-) diff --git a/client/allocrunner/taskrunner/template/template.go b/client/allocrunner/taskrunner/template/template.go index fe1338c40b9c..e22bea0ce4b4 100644 --- a/client/allocrunner/taskrunner/template/template.go +++ b/client/allocrunner/taskrunner/template/template.go 
@@ -545,11 +545,11 @@ func maskProcessEnv(env map[string]string) map[string]string { // parseTemplateConfigs converts the tasks templates in the config into // consul-templates -func parseTemplateConfigs(config *TaskTemplateManagerConfig) (map[ctconf.TemplateConfig]*structs.Template, error) { +func parseTemplateConfigs(config *TaskTemplateManagerConfig) (map[*ctconf.TemplateConfig]*structs.Template, error) { allowAbs := config.ClientConfig.ReadBoolDefault(hostSrcOption, true) taskEnv := config.EnvBuilder.Build() - ctmpls := make(map[ctconf.TemplateConfig]*structs.Template, len(config.Templates)) + ctmpls := make(map[*ctconf.TemplateConfig]*structs.Template, len(config.Templates)) for _, tmpl := range config.Templates { var src, dest string if tmpl.SourcePath != "" { @@ -573,6 +573,10 @@ func parseTemplateConfigs(config *TaskTemplateManagerConfig) (map[ctconf.Templat ct.Contents = &tmpl.EmbeddedTmpl ct.LeftDelim = &tmpl.LeftDelim ct.RightDelim = &tmpl.RightDelim + ct.FunctionBlacklist = config.ClientConfig.TemplateConfig.FunctionBlacklist + if !config.ClientConfig.TemplateConfig.DisableSandbox { + ct.SandboxPath = &config.TaskDir + } // Set the permissions if tmpl.Perms != "" { @@ -585,7 +589,7 @@ func parseTemplateConfigs(config *TaskTemplateManagerConfig) (map[ctconf.Templat } ct.Finalize() - ctmpls[*ct] = tmpl + ctmpls[ct] = tmpl } return ctmpls, nil @@ -594,7 +598,7 @@ func parseTemplateConfigs(config *TaskTemplateManagerConfig) (map[ctconf.Templat // newRunnerConfig returns a consul-template runner configuration, setting the // Vault and Consul configurations based on the clients configs. func newRunnerConfig(config *TaskTemplateManagerConfig, - templateMapping map[ctconf.TemplateConfig]*structs.Template) (*ctconf.Config, error) { + templateMapping map[*ctconf.TemplateConfig]*structs.Template) (*ctconf.Config, error) { cc := config.ClientConfig conf := ctconf.DefaultConfig() 
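Review bot: In the `@@ -573,6 +573,10 @@` hunk, `ct.SandboxPath = &config.TaskDir` silently turns the file sandbox off when `TaskDir` is empty, because the vendored `pathInSandbox` added in the first patch of this series only checks when `sandbox != ""`. Unless `TaskDir` is validated before this point (not visible here), fail closed before the loop, for example `if !config.ClientConfig.TemplateConfig.DisableSandbox && config.TaskDir == "" { return nil, fmt.Errorf("task directory is required when the template file sandbox is enabled") }`. Separately, the vendored check compares the symlink-resolved path while `fileFunc` still hands the original string `s` to `dep.NewFileQuery`, so the path is resolved a second time when the file is read; that code is vendored, so it belongs in an upstream issue rather than a local edit. `parseTemplateConfigs` starts and ends outside this hunk.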
@@ -603,7 +607,7 @@ func newRunnerConfig(config *TaskTemplateManagerConfig, flat := ctconf.TemplateConfigs(make([]*ctconf.TemplateConfig, 0, len(templateMapping))) for ctmpl := range templateMapping { local := ctmpl - flat = append(flat, &local) + flat = append(flat, local) } conf.Templates = &flat diff --git a/client/allocrunner/taskrunner/template/template_test.go b/client/allocrunner/taskrunner/template/template_test.go index bf834f512c59..4a563a850ba8 100644 --- a/client/allocrunner/taskrunner/template/template_test.go +++ b/client/allocrunner/taskrunner/template/template_test.go @@ -125,8 +125,13 @@ func newTestHarness(t *testing.T, templates []*structs.Template, consul, vault b mockHooks: NewMockTaskHooks(), templates: templates, node: mock.Node(), - config: &config.Config{Region: region}, - emitRate: DefaultMaxTemplateEventRate, + config: &config.Config{ + Region: region, + TemplateConfig: &config.ClientTemplateConfig{ + FunctionBlacklist: []string{"plugin"}, + DisableSandbox: false, + }}, + emitRate: DefaultMaxTemplateEventRate, } // Build the task environment diff --git a/client/config/config.go b/client/config/config.go index d6e09fde9990..f03a1fb05e28 100644 --- a/client/config/config.go +++ b/client/config/config.go @@ -201,6 +201,9 @@ type Config struct { // DisableRemoteExec disables remote exec targeting tasks on this client DisableRemoteExec bool + // TemplateConfig includes configuration for template rendering + TemplateConfig *ClientTemplateConfig + // BackwardsCompatibleMetrics determines whether to show methods of // displaying metrics for older versions, or to only show the new format BackwardsCompatibleMetrics bool @@ -239,6 +242,11 @@ type Config struct { HostVolumes map[string]*structs.ClientHostVolumeConfig } +type ClientTemplateConfig struct { + FunctionBlacklist []string + DisableSandbox bool +} + func (c *Config) Copy() *Config { nc := new(Config) *nc = *c 
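Review bot: `Config.Copy` still begins with the shallow `*nc = *c` and no hunk in this commit touches the rest of it, so every copy appears to share one `*ClientTemplateConfig` and its `FunctionBlacklist` slice with the original. A write through one copy (`convertClientConfig` in this same patch assigns through `conf.TemplateConfig`) would then change the blacklist seen by all of them. Clone it in `Copy`, e.g. `if c.TemplateConfig != nil { tc := *c.TemplateConfig; nc.TemplateConfig = &tc }`, and copy the slice as well. The new exported `ClientTemplateConfig` type and its two fields also carry no doc comments, unlike the agent-side struct of the same name; `// ClientTemplateConfig controls which template functions and host paths task templates may use.` would do for the type. `Copy`'s body continues outside the hunk.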
@@ -254,22 +262,26 @@ func (c *Config) Copy() *Config { // DefaultConfig returns the default configuration func DefaultConfig() *Config { return &Config{ - Version: version.GetVersion(), - VaultConfig: config.DefaultVaultConfig(), - ConsulConfig: config.DefaultConsulConfig(), - LogOutput: os.Stderr, - Region: "global", - StatsCollectionInterval: 1 * time.Second, - TLSConfig: &config.TLSConfig{}, - LogLevel: "DEBUG", - GCInterval: 1 * time.Minute, - GCParallelDestroys: 2, - GCDiskUsageThreshold: 80, - GCInodeUsageThreshold: 70, - GCMaxAllocs: 50, - NoHostUUID: true, - DisableTaggedMetrics: false, - DisableRemoteExec: false, + Version: version.GetVersion(), + VaultConfig: config.DefaultVaultConfig(), + ConsulConfig: config.DefaultConsulConfig(), + LogOutput: os.Stderr, + Region: "global", + StatsCollectionInterval: 1 * time.Second, + TLSConfig: &config.TLSConfig{}, + LogLevel: "DEBUG", + GCInterval: 1 * time.Minute, + GCParallelDestroys: 2, + GCDiskUsageThreshold: 80, + GCInodeUsageThreshold: 70, + GCMaxAllocs: 50, + NoHostUUID: true, + DisableTaggedMetrics: false, + DisableRemoteExec: false, + TemplateConfig: &ClientTemplateConfig{ + FunctionBlacklist: []string{"plugin"}, + DisableSandbox: false, + }, BackwardsCompatibleMetrics: false, RPCHoldTimeout: 5 * time.Second, } diff --git a/command/agent/agent.go b/command/agent/agent.go index 6cfe7266badd..475d7379b0be 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go 
@@ -468,6 +468,8 @@ func convertClientConfig(agentConfig *Config) (*clientconfig.Config, error) { conf.ClientMaxPort = uint(agentConfig.Client.ClientMaxPort) conf.ClientMinPort = uint(agentConfig.Client.ClientMinPort) conf.DisableRemoteExec = agentConfig.Client.DisableRemoteExec + conf.TemplateConfig.FunctionBlacklist = agentConfig.Client.TemplateConfig.FunctionBlacklist + conf.TemplateConfig.DisableSandbox = agentConfig.Client.TemplateConfig.DisableSandbox hvMap := make(map[string]*structs.ClientHostVolumeConfig, len(agentConfig.Client.HostVolumes)) for _, v := range agentConfig.Client.HostVolumes { diff --git a/command/agent/config.go b/command/agent/config.go index 435484a7794e..5c36e376273e 100644 --- a/command/agent/config.go +++ b/command/agent/config.go @@ -242,6 +242,9 @@ type ClientConfig struct { // DisableRemoteExec disables remote exec targeting tasks on this client DisableRemoteExec bool `hcl:"disable_remote_exec"` + // TemplateConfig includes configuration for template rendering + TemplateConfig *ClientTemplateConfig `hcl:"template"` + // ServerJoin contains information that is used to attempt to join servers ServerJoin *ServerJoin `hcl:"server_join"` @@ -266,6 +269,20 @@ type ClientConfig struct { BridgeNetworkSubnet string `hcl:"bridge_network_subnet"` } +// ClientTemplateConfig is configuration on the client specific to template +// rendering +type ClientTemplateConfig struct { + + // FunctionBlacklist disables functions in consul-template that + // are unsafe because they expose information from the client host. + FunctionBlacklist []string `hcl:"function_blacklist"` + + // DisableSandbox allows templates to access arbitrary files on the + // client host. By default templates can access files only within + // the task directory. + DisableSandbox bool `hcl:"disable_file_sandbox"` +} + // ACLConfig is configuration specific to the ACL system type ACLConfig struct { // Enabled controls if we are enforce and manage ACLs 
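Review bot: The two assignments added to `convertClientConfig` dereference both `conf.TemplateConfig` and `agentConfig.Client.TemplateConfig` without a nil check, so an agent config that was not built from `DefaultConfig` or `DevConfig` (a hand-built `Config` in a test or an embedding caller, for example) would panic here. `ClientConfig.Merge` in this patch only sets the field when the incoming block is non-nil, so nothing visible guarantees it is populated. Guard the copy so the restrictive default stays in place when the block is absent: `if tc := agentConfig.Client.TemplateConfig; tc != nil { conf.TemplateConfig.FunctionBlacklist = tc.FunctionBlacklist; conf.TemplateConfig.DisableSandbox = tc.DisableSandbox }`. `parseTemplateConfigs` reads `config.ClientConfig.TemplateConfig` the same way and needs the same guard. `convertClientConfig` starts and ends outside the hunk.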
@@ -675,6 +692,10 @@ func DevConfig() *Config { conf.Client.GCDiskUsageThreshold = 99 conf.Client.GCInodeUsageThreshold = 99 conf.Client.GCMaxAllocs = 50 + conf.Client.TemplateConfig = &ClientTemplateConfig{ + FunctionBlacklist: []string{"plugin"}, + DisableSandbox: false, + } conf.Telemetry.PrometheusMetrics = true conf.Telemetry.PublishAllocationMetrics = true conf.Telemetry.PublishNodeMetrics = true @@ -716,6 +737,10 @@ func DefaultConfig() *Config { RetryInterval: 30 * time.Second, RetryMaxAttempts: 0, }, + TemplateConfig: &ClientTemplateConfig{ + FunctionBlacklist: []string{"plugin"}, + DisableSandbox: false, + }, }, Server: &ServerConfig{ Enabled: false, @@ -1295,6 +1320,10 @@ func (a *ClientConfig) Merge(b *ClientConfig) *ClientConfig { result.DisableRemoteExec = b.DisableRemoteExec } + if b.TemplateConfig != nil { + result.TemplateConfig = b.TemplateConfig + } + // Add the servers result.Servers = append(result.Servers, b.Servers...) diff --git a/command/agent/config_test.go b/command/agent/config_test.go index d4fea75110a3..d5d49bc4be5e 100644 --- a/command/agent/config_test.go +++ b/command/agent/config_test.go @@ -94,6 +94,10 @@ func TestConfig_Merge(t *testing.T) { MaxKillTimeout: "20s", ClientMaxPort: 19996, DisableRemoteExec: false, + TemplateConfig: &ClientTemplateConfig{ + FunctionBlacklist: []string{"plugin"}, + DisableSandbox: false, + }, Reserved: &Resources{ CPU: 10, MemoryMB: 10, @@ -253,6 +257,10 @@ func TestConfig_Merge(t *testing.T) { MemoryMB: 105, MaxKillTimeout: "50s", DisableRemoteExec: false, + TemplateConfig: &ClientTemplateConfig{ + FunctionBlacklist: []string{"plugin"}, + DisableSandbox: false, + }, Reserved: &Resources{ CPU: 15, MemoryMB: 15, diff --git a/website/source/docs/configuration/client.html.md b/website/source/docs/configuration/client.html.md index 8e50f53404c4..b40af69ac086 100644 --- a/website/source/docs/configuration/client.html.md +++ b/website/source/docs/configuration/client.html.md 
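Review bot: In `ClientConfig.Merge` (`@@ -1295,6 +1320,10 @@`), replacing the whole struct means a config file whose `template` block sets only `disable_file_sandbox` likely ends up with a nil `FunctionBlacklist`, which drops the default `["plugin"]` entry and re-enables `plugin` without the operator asking for it. Merge the block field by field so an unset list keeps the earlier value, and copy the struct so the result does not alias `b`, as in the sketch below. Whether an explicit `function_blacklist = []` decodes to nil or to an empty slice needs checking first, because the commit message describes that field as the opt-in for `plugin`. Neither `TestConfig_Merge` case added in this patch covers a partial block. `Merge` starts and ends outside the hunk.

```go
if b.TemplateConfig != nil {
	// Copy so the merged result does not alias b, and keep the earlier
	// blacklist when this block did not set function_blacklist.
	tc := *b.TemplateConfig
	if tc.FunctionBlacklist == nil && result.TemplateConfig != nil {
		tc.FunctionBlacklist = result.TemplateConfig.FunctionBlacklist
	}
	result.TemplateConfig = &tc
}
```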
@@ -147,6 +147,10 @@ driver) but will be removed in a future release. - `bridge_network_subnet` `(string: "172.26.66.0/23")` - Specifies the subnet which the client will use to allocate IP addresses from. +- `template` ([Template](#template-parameters): nil) - Specifies + controls on the behavior of task [`template`](/docs/job-specification/template.html) stanzas. + + ### `chroot_env` Parameters Drivers based on [isolated fork/exec](/docs/drivers/exec.html) implement file @@ -329,6 +333,19 @@ see the [drivers documentation](/docs/drivers/index.html). reserve on all fingerprinted network devices. Ranges can be specified by using a hyphen separated the two inclusive ends. + +### `template` Parameters + +- `function_blacklist` `([]string: ["plugin"])` - Specifies a list of template + rendering functions that should be disallowed in job specs. By default the + `plugin` function is disallowed as it allows running arbitrary commands on + the host as root (unless Nomad is configured to run as a non-root user). + +- `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary + files on the client host via the `file` function. By default templates can + access files only within the task directory. + + ## `client` Examples ### Common Setup