From 8c5450b26359deb30fa4cd586643b382096a8396 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 6 Nov 2017 10:13:45 -0500 Subject: [PATCH 1/3] WIP client fixes --- api/client.go | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/api/client.go b/api/client.go index ca34f51f353b..1bd036410e2b 100644 --- a/api/client.go +++ b/api/client.go @@ -13,6 +13,7 @@ import ( "sync" "time" + "github.com/hashicorp/errwrap" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" "github.com/hashicorp/vault/helper/parseutil" @@ -63,6 +64,10 @@ type Config struct { // Timeout is for setting custom timeout parameter in the HttpClient Timeout time.Duration + + // If there is an error when creating the configuration, this will be the + // error + Error error } // TLSConfig contains the parameters needed to configure TLS on the HTTP client @@ -110,17 +115,15 @@ func DefaultConfig() *Config { MinVersion: tls.VersionTLS12, } if err := http2.ConfigureTransport(transport); err != nil { + config.Error = err return nil } if err := config.ReadEnvironment(); err != nil { + config.Error = err return nil } - if v := os.Getenv(EnvVaultAddress); v != "" { - config.Address = v - } - // Ensure redirects are not automatically followed // Note that this is sane for the API client as it has its own // redirect handling logic (and thus also for command/meta), @@ -142,10 +145,11 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error { if c.HttpClient == nil { c.HttpClient = DefaultConfig().HttpClient } + clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig var clientCert tls.Certificate foundClientCert := false - if t.CACert != "" || t.CAPath != "" || t.ClientCert != "" || t.ClientKey != "" || t.Insecure { + if t.ClientCert != "" || t.ClientKey != "" { if t.ClientCert != "" && t.ClientKey != "" { var err error clientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey) 
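Review bot: In DefaultConfig the two new `config.Error = err` assignments are each followed by `return nil`, so the error is stored on a value the caller never receives and the new Config.Error field can never be observed; NewClient only reaches its `def.Error` check when `def` is non-nil, and meta.Client() dereferences the result without a nil check. Change both sites to `config.Error = err` followed by `return config` so the failure propagates as an error rather than as a nil pointer. This matters because ReadEnvironment presumably applies the VAULT_CACERT / VAULT_SKIP_VERIFY style TLS settings (its body is not in this patch), and a failure there should fail loudly rather than be swallowed. DefaultConfig's body continues past the end of the hunk.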
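Review bot: The hoisted `clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig` is an unchecked type assertion that panics when a caller-supplied HttpClient has a nil Transport (net/http then uses DefaultTransport) or a wrapping RoundTripper, and yields a nil clientTLSConfig when the transport has no TLSClientConfig, which the later field writes then dereference; it was unchecked before too, but it now runs before any TLS option is even inspected. Prefer the comma-ok form and reject unusable transports with an error: `transport, ok := c.HttpClient.Transport.(*http.Transport)` / `if !ok || transport.TLSClientConfig == nil { return fmt.Errorf("HttpClient.Transport must be an *http.Transport with a TLSClientConfig") }` / `clientTLSConfig := transport.TLSClientConfig`. ConfigureTLS continues outside this hunk, and the cert/key conditional shown here is reworked again in patch 3 of this series.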
@@ -158,20 +162,24 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error { } } - clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig - rootConfig := &rootcerts.Config{ - CAFile: t.CACert, - CAPath: t.CAPath, - } - if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil { - return err + if t.CACert != "" || t.CAPath != "" { + rootConfig := &rootcerts.Config{ + CAFile: t.CACert, + CAPath: t.CAPath, + } + if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil { + return err + } } - clientTLSConfig.InsecureSkipVerify = t.Insecure + if t.Insecure { + clientTLSConfig.InsecureSkipVerify = true + } if foundClientCert { clientTLSConfig.Certificates = []tls.Certificate{clientCert} } + if t.TLSServerName != "" { clientTLSConfig.ServerName = t.TLSServerName } @@ -290,6 +298,9 @@ func NewClient(c *Config) (*Client, error) { if def == nil { return nil, fmt.Errorf("could not create/read default configuration") } + if def.Error != nil { + return nil, errwrap.Wrapf("error encountered setting up default configuration: {{err}}", def.Error) + } if c == nil { c = def From 95f430e2586cd0db6cb64af828a9cf998291c9d3 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 6 Nov 2017 10:23:36 -0500 Subject: [PATCH 2/3] DefaultConfig() already reads the environment --- meta/meta.go | 6 ------ 1 file changed, 6 deletions(-) diff --git a/meta/meta.go b/meta/meta.go index d75f1054c55b..dcb9f7f3d5ca 100644 --- a/meta/meta.go +++ b/meta/meta.go @@ -6,7 +6,6 @@ import ( "io" "os" - "github.com/hashicorp/errwrap" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/command/token" "github.com/hashicorp/vault/helper/flag-slice" 
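Review bot: Replacing `clientTLSConfig.InsecureSkipVerify = t.Insecure` with `if t.Insecure { clientTLSConfig.InsecureSkipVerify = true }` makes the insecure flag one-way: the TLSClientConfig is taken from the caller's existing HttpClient rather than built fresh, so once any earlier ConfigureTLS call (or other code touching that transport) has disabled verification, a later call with Insecure=false can no longer restore it. If the intent is that repeated calls only add settings, say so in the method's doc comment, e.g. `// TLS options are additive across calls: unset fields leave the transport's existing settings untouched.`; otherwise keep the unconditional assignment so an explicit Insecure=false wins. The same asymmetry now applies to the CA block, which skips rootcerts.ConfigureTLS entirely when CACert and CAPath are empty, leaving any previously installed RootCAs in place. ConfigureTLS's body starts before this hunk.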
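Review bot: The new `def.Error` check only covers the default config; when the caller passes its own non-nil `c` (a Config obtained from DefaultConfig and then adjusted is the common case), `c.Error` is never inspected, so a config that recorded a setup failure is still turned into a live client. Move the check after `c` is resolved, e.g. following `if c == nil { c = def }` add `if c.Error != nil { return nil, errwrap.Wrapf("error encountered setting up configuration: {{err}}", c.Error) }`, which covers both the default and the caller-supplied case. Note that DefaultConfig as changed in this patch returns nil on error rather than the config carrying the error, so the `def.Error` branch is currently unreachable. NewClient's body continues past the end of the hunk.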
@@ -80,11 +79,6 @@ func (m *Meta) DefaultWrappingLookupFunc(operation, path string) string { func (m *Meta) Client() (*api.Client, error) { config := api.DefaultConfig() - err := config.ReadEnvironment() - if err != nil { - return nil, errwrap.Wrapf("error reading environment: {{err}}", err) - } - if m.flagAddress != "" { config.Address = m.flagAddress } From e40b830aa41a788510a9f50aa72980f32f4733ab Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 6 Nov 2017 10:41:43 -0500 Subject: [PATCH 3/3] Conver to switch --- api/client.go | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/api/client.go b/api/client.go index 1bd036410e2b..f1f6754d357d 100644 --- a/api/client.go +++ b/api/client.go @@ -149,17 +149,17 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error { var clientCert tls.Certificate foundClientCert := false - if t.ClientCert != "" || t.ClientKey != "" { - if t.ClientCert != "" && t.ClientKey != "" { - var err error - clientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey) - if err != nil { - return err - } - foundClientCert = true - } else if t.ClientCert != "" || t.ClientKey != "" { - return fmt.Errorf("Both client cert and client key must be provided") + + switch { + case t.ClientCert != "" && t.ClientKey != "": + var err error + clientCert, err = tls.LoadX509KeyPair(t.ClientCert, t.ClientKey) + if err != nil { + return err } + foundClientCert = true + case t.ClientCert != "" || t.ClientKey != "": + return fmt.Errorf("Both client cert and client key must be provided") } if t.CACert != "" || t.CAPath != "" {
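Review bot: With the explicit ReadEnvironment call removed, `config := api.DefaultConfig()` is now the only place environment errors surface, and DefaultConfig (per patch 1 of this series) returns nil when http2 setup or ReadEnvironment fails, so `config.Address = m.flagAddress` on the following lines dereferences a nil pointer; the old code reported such failures as "error reading environment: ..." and they now become a panic. Guard the result before using it, e.g. `if config == nil { return nil, fmt.Errorf("could not create default client configuration from environment") }` (or whichever error constructor meta.go already imports; the import list in this patch does not show fmt, and errwrap is being removed). A malformed VAULT_* TLS variable is the likely trigger, so this path should yield a readable error rather than a crash. Client()'s body continues past the end of the hunk.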