diff --git a/api/client.go b/api/client.go
index ca34f51f353b..f1f6754d357d 100644
--- a/api/client.go
+++ b/api/client.go
@@ -13,6 +13,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/go-rootcerts"
 	"github.com/hashicorp/vault/helper/parseutil"
@@ -63,6 +64,10 @@ type Config struct {
 
 	// Timeout is for setting custom timeout parameter in the HttpClient
 	Timeout time.Duration
+
+	// If there is an error when creating the configuration, this will be the
+	// error
+	Error error
 }
 
 // TLSConfig contains the parameters needed to configure TLS on the HTTP client
@@ -110,17 +115,15 @@ func DefaultConfig() *Config {
 		MinVersion: tls.VersionTLS12,
 	}
 	if err := http2.ConfigureTransport(transport); err != nil {
+		config.Error = err
 		return nil
 	}
 
 	if err := config.ReadEnvironment(); err != nil {
+		config.Error = err
 		return nil
 	}
 
-	if v := os.Getenv(EnvVaultAddress); v != "" {
-		config.Address = v
-	}
-
 	// Ensure redirects are not automatically followed
 	// Note that this is sane for the API client as it has its own
 	// redirect handling logic (and thus also for command/meta),
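Review bot: In the DefaultConfig hunk both early exits assign `config.Error = err` and then `return nil`, so the field never reaches the caller and the underlying error (an http2 transport failure, or whatever ReadEnvironment rejected, which presumably includes malformed TLS settings) is discarded; the new `def.Error != nil` branch in the NewClient hunk of this same file is therefore unreachable, and callers only ever see the generic "could not create/read default configuration" message. Both exits should hand the populated struct back, `return config`, so that NewClient can surface the wrapped cause, and the Error field's doc comment on Config should then say that when Error is non-nil the rest of the struct is not usable. DefaultConfig begins and ends outside this hunk.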
@@ -142,36 +145,41 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error {
 	if c.HttpClient == nil {
 		c.HttpClient = DefaultConfig().HttpClient
 	}
+	clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
 
 	var clientCert tls.Certificate
 	foundClientCert := false
-	if t.CACert != "" || t.CAPath != "" || t.ClientCert != "" || t.ClientKey != "" || t.Insecure {
-		if t.ClientCert != "" && t.ClientKey != "" {
-			var err error
-			clientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey)
-			if err != nil {
-				return err
-			}
-			foundClientCert = true
-		} else if t.ClientCert != "" || t.ClientKey != "" {
-			return fmt.Errorf("Both client cert and client key must be provided")
+
+	switch {
+	case t.ClientCert != "" && t.ClientKey != "":
+		var err error
+		clientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey)
+		if err != nil {
+			return err
 		}
+		foundClientCert = true
+	case t.ClientCert != "" || t.ClientKey != "":
+		return fmt.Errorf("Both client cert and client key must be provided")
 	}
 
-	clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
-	rootConfig := &rootcerts.Config{
-		CAFile: t.CACert,
-		CAPath: t.CAPath,
-	}
-	if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
-		return err
+	if t.CACert != "" || t.CAPath != "" {
+		rootConfig := &rootcerts.Config{
+			CAFile: t.CACert,
+			CAPath: t.CAPath,
+		}
+		if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
+			return err
+		}
 	}
 
-	clientTLSConfig.InsecureSkipVerify = t.Insecure
+	if t.Insecure {
+		clientTLSConfig.InsecureSkipVerify = true
+	}
 
 	if foundClientCert {
 		clientTLSConfig.Certificates = []tls.Certificate{clientCert}
 	}
+
 	if t.TLSServerName != "" {
 		clientTLSConfig.ServerName = t.TLSServerName
 	}
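Review bot: The rewritten Insecure handling, `if t.Insecure { clientTLSConfig.InsecureSkipVerify = true }`, means a TLSConfig with Insecure left false no longer restores certificate verification that an earlier ConfigureTLS call (or, presumably, the environment read inside DefaultConfig) switched off, whereas the removed `clientTLSConfig.InsecureSkipVerify = t.Insecure` did. That matches how the CA, client certificate and ServerName fields now merge onto the existing TLS config instead of overwriting it, but it is a behaviour change a caller cannot see from the signature; the doc comment on ConfigureTLS, which sits above this hunk, should state it, e.g. `// ConfigureTLS layers t onto the client's existing TLS settings: empty fields keep the current value, and Insecure can disable verification but a false value never re-enables it.` The moved `c.HttpClient.Transport.(*http.Transport)` assertion on the fourth line still panics for a caller-supplied HttpClient whose Transport is some other type; a checked form, `transport, ok := c.HttpClient.Transport.(*http.Transport)` followed by `if !ok { return fmt.Errorf("http client transport is not an *http.Transport") }`, turns that into an error the caller can handle. ConfigureTLS continues past the end of the hunk.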
@@ -290,6 +298,9 @@ func NewClient(c *Config) (*Client, error) {
 	if def == nil {
 		return nil, fmt.Errorf("could not create/read default configuration")
 	}
+	if def.Error != nil {
+		return nil, errwrap.Wrapf("error encountered setting up default configuration: {{err}}", def.Error)
+	}
 
 	if c == nil {
 		c = def
diff --git a/meta/meta.go b/meta/meta.go
index d75f1054c55b..dcb9f7f3d5ca 100644
--- a/meta/meta.go
+++ b/meta/meta.go
@@ -6,7 +6,6 @@ import (
 	"io"
 	"os"
 
-	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/command/token"
 	"github.com/hashicorp/vault/helper/flag-slice"
@@ -80,11 +79,6 @@ func (m *Meta) DefaultWrappingLookupFunc(operation, path string) string {
 func (m *Meta) Client() (*api.Client, error) {
 	config := api.DefaultConfig()
 
-	err := config.ReadEnvironment()
-	if err != nil {
-		return nil, errwrap.Wrapf("error reading environment: {{err}}", err)
-	}
-
 	if m.flagAddress != "" {
 		config.Address = m.flagAddress
 	}
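Review bot: With the ReadEnvironment call and its "error reading environment" return removed from Meta.Client, an environment value that fails to parse now surfaces only as a nil return from api.DefaultConfig (the client.go hunk shows it returning nil when ReadEnvironment fails), and `config.Address = m.flagAddress` on the next line then dereferences a nil pointer instead of reporting the problem. A guard right after `config := api.DefaultConfig()`, `if config == nil { return nil, errors.New("could not read default configuration") }`, keeps a bad environment a clean error as it was before; meta.go's import block is only partly visible here, so use whichever error constructor the file already imports. Client continues past the end of the hunk.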