/*
Copyright 2015 Home Office All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"flag"
"fmt"
"net/url"
"time"
)
// config ... the command line configuration
// config ... the command line configuration
type config struct {
	// the url for the vault server (VAULT_ADDR or the -vault flag)
	vaultURL string
	// a file containing the authenticate options (-auth flag); when set,
	// validateOptions loads it into vaultAuthOptions
	vaultAuthFile string
	// the authentication options; init seeds it with VaultAuth: "token"
	vaultAuthOptions map[string]string
	// the place to write the resources (VAULT_OUTPUT or the -output flag)
	outputDir string
	// switch on dry run
	dryRun bool
	// skip tls verify
	// NOTE(review): bound to the tls-skip-verify flag in init, but the field
	// name and the flag's usage text read as "verify" — confirm which polarity
	// the consumer expects before relying on it.
	tlsVerify bool
	// the resource items to retrieve; init registers it as the flag.Value of -cn
	resources *VaultResources
	// the interval for producing statistics (-stats flag)
	statsInterval time.Duration
}
// options holds the parsed command line configuration for the process.
var options config
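// init registers the command line flags and seeds the defaults that cannot be
// expressed as flag defaults: the resource list and the token-based auth options.
func init() {
	// step: setup some defaults
	options.resources = new(VaultResources)
	options.vaultAuthOptions = map[string]string{VaultAuth: "token"}

	flag.StringVar(&options.vaultURL, "vault", getEnv("VAULT_ADDR", "https://127.0.0.1:8200"), "the url the vault service is running behind (VAULT_ADDR if available)")
	flag.StringVar(&options.vaultAuthFile, "auth", "", "a configuration file in a json or yaml containing authentication arguments")
	flag.StringVar(&options.outputDir, "output", getEnv("VAULT_OUTPUT", "/etc/secrets"), "the full path to write the protected resources (VAULT_OUTPUT if available)")
	flag.BoolVar(&options.dryRun, "dryrun", false, "perform a dry run, printing the content to screen")
	// NOTE(review): the flag is named tls-skip-verify but binds tlsVerify and
	// the usage text reads as "verify" — confirm against the consumer which
	// polarity true has; a mismatch here would silently disable certificate
	// checking.
	flag.BoolVar(&options.tlsVerify, "tls-skip-verify", false, "whether to check and verify the vault service certificate")
	// 5*time.Minute is the idiomatic spelling of time.Duration(5)*time.Minute
	flag.DurationVar(&options.statsInterval, "stats", 5*time.Minute, "the interval to produce statistics on the accessed resources")
	flag.Var(options.resources, "cn", "a resource to retrieve and monitor from vault (e.g. pki:name:cert.name, secret:db_password, aws:s3_backup)")
}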
// parseOptions parses the command line flags into the package-level options
// and returns the result of validating them.
func parseOptions() error {
	flag.Parse()
	if err := validateOptions(&options); err != nil {
		return err
	}
	return nil
}
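// validateOptions checks the command line options held in cfg and, when an
// authentication file was given, loads the authentication options from it
// into cfg.vaultAuthOptions.
//
// It returns an error when the vault url does not parse or lacks a scheme or
// host, when the authentication file cannot be found, or when it cannot be
// read. Only cfg is touched; the package-level options are not consulted.
func validateOptions(cfg *config) error {
	// step: validate the vault url. url.Parse accepts almost any string
	// (including ""), so require the pieces a client actually needs.
	u, err := url.Parse(cfg.vaultURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("invalid vault url: '%s' specified", cfg.vaultURL)
	}
	// step: read in the token if required
	if cfg.vaultAuthFile != "" {
		// a lookup failure is reported rather than silently treated as present
		exists, err := fileExists(cfg.vaultAuthFile)
		if err != nil {
			return fmt.Errorf("unable to check the token file: %s, error: %s", cfg.vaultAuthFile, err)
		}
		if !exists {
			return fmt.Errorf("the token file: %s does not exists, please check", cfg.vaultAuthFile)
		}
		// read into cfg rather than the package-level options so the function
		// validates the struct it was handed
		if cfg.vaultAuthOptions, err = readConfigFile(cfg.vaultAuthFile); err != nil {
			return fmt.Errorf("unable to read in authentication options from: %s, error: %s", cfg.vaultAuthFile, err)
		}
	}
	return nil
}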