2025-10-21 17:20:20 -04:00
// Copyright IBM Corp. 2016, 2025
2023-08-10 21:14:03 -04:00
// SPDX-License-Identifier: BUSL-1.1
2023-03-15 12:00:52 -04:00
2017-08-28 16:44:35 -04:00
package command
import (
"bytes"
"flag"
"fmt"
"io"
2024-01-09 09:29:30 -05:00
"net/http"
2018-07-12 18:38:18 -04:00
"os"
2017-08-28 16:44:35 -04:00
"regexp"
"strings"
"sync"
"time"
2023-12-04 14:05:02 -05:00
"github.com/hashicorp/cli"
2024-01-09 09:29:30 -05:00
hcpvlib "github.com/hashicorp/vault-hcp-lib"
2017-08-28 16:44:35 -04:00
"github.com/hashicorp/vault/api"
2024-03-04 13:29:20 -05:00
"github.com/hashicorp/vault/api/cliconfig"
"github.com/hashicorp/vault/api/tokenhelper"
2024-02-13 17:07:02 -05:00
"github.com/hashicorp/vault/command/config"
2018-08-10 12:13:06 -04:00
"github.com/hashicorp/vault/helper/namespace"
2025-02-27 17:57:46 -05:00
"github.com/hashicorp/vault/internalshared/configutil"
2022-03-14 15:54:41 -04:00
"github.com/mattn/go-isatty"
2024-04-02 18:24:40 -04:00
"github.com/mitchellh/go-homedir"
2017-08-28 16:44:35 -04:00
"github.com/pkg/errors"
"github.com/posener/complete"
)
2018-08-22 14:37:40 -04:00
const (
// maxLineLength is the maximum width of any line.
maxLineLength int = 78
2018-09-05 15:52:54 -04:00
// notSetValue is a flag value for a not-set value
notSetValue = "(not set)"
2018-08-22 14:37:40 -04:00
)
2017-08-28 16:44:35 -04:00
// reRemoveWhitespace is a regular expression for stripping whitespace from
// a string.
var reRemoveWhitespace = regexp . MustCompile ( ` [\s]+ ` )
type BaseCommand struct {
UI cli . Ui
flags * FlagSets
flagsOnce sync . Once
2023-05-17 09:38:34 -04:00
flagAddress string
flagAgentProxyAddress string
flagCACert string
flagCAPath string
flagClientCert string
flagClientKey string
flagNamespace string
flagNS string
flagPolicyOverride bool
flagTLSServerName string
flagTLSSkipVerify bool
flagDisableRedirects bool
flagWrapTTL time . Duration
flagUnlockKey string
2017-08-28 16:44:35 -04:00
2019-02-01 17:13:51 -05:00
flagFormat string
flagField string
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos
The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).
Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:
$ vault list -detailed pki/issuers
Keys issuer_name
---- -----------
0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a
35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a
382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a
8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a
8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a
9425d51f-cb81-426d-d6ad-5147d092094e n/a
ae679732-b497-ab0d-3220-806a2b9d81ed n/a
c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8
d41d2419-efce-0e36-c96b-e91179a24dc1 something
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow detailed printing of LIST responses in JSON
When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.
This returns something like the following:
{
"request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"key_info": {
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
"issuer_name": ""
},
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
"issuer_name": ""
},
"382fad1e-e99c-9c54-e147-bb1faa8033d3": {
"issuer_name": ""
},
"8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
"issuer_name": ""
},
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
"issuer_name": ""
},
"9425d51f-cb81-426d-d6ad-5147d092094e": {
"issuer_name": ""
},
"ae679732-b497-ab0d-3220-806a2b9d81ed": {
"issuer_name": ""
},
"c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
"issuer_name": "utf8"
},
"d41d2419-efce-0e36-c96b-e91179a24dc1": {
"issuer_name": "something"
}
},
"keys": [
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
"382fad1e-e99c-9c54-e147-bb1faa8033d3",
"8bb4a793-2ad9-460c-9fa8-574c84a981f7",
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
"9425d51f-cb81-426d-d6ad-5147d092094e",
"ae679732-b497-ab0d-3220-806a2b9d81ed",
"c5a44a1f-2ae4-2140-3acf-74b2609448cc",
"d41d2419-efce-0e36-c96b-e91179a24dc1"
]
},
"warnings": null
}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use field on UI rather than secret.Data
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Only include headers from visitable key_infos
Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use setupEnv sourced detailed info
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix changelog environment variable
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken tests using setupEnv
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
flagDetailed bool
2019-02-01 17:13:51 -05:00
flagOutputCurlString bool
2022-04-27 19:35:18 -04:00
flagOutputPolicy bool
2022-02-24 15:16:15 -05:00
flagNonInteractive bool
2023-10-30 11:08:55 -04:00
addrWarning string
2017-08-28 16:44:35 -04:00
2018-03-30 12:11:10 -04:00
flagMFA [ ] string
2021-10-27 11:04:04 -04:00
flagHeader map [ string ] string
2024-03-04 13:29:20 -05:00
tokenHelper tokenhelper . TokenHelper
2024-01-09 09:29:30 -05:00
hcpTokenHelper hcpvlib . HCPTokenHelper
2017-08-28 16:44:35 -04:00
2025-05-21 09:10:20 -04:00
flagSnapshotID string
2017-08-29 00:24:22 -04:00
client * api . Client
VAULT-32657 deprecate duplicate attributes in HCL configs and policies (#30386)
* upgrade hcl dependency on api pkg
This upgrades the hcl dependency for the API pkg,
and adapts its usage so users of our API pkg are
not affected. There's no good way of communicating
a warning via a library call so we don't.
The tokenHelper which is used by all Vault CLI
commands in order to create the Vault client, as
well as directly used by the login and server
commands, is implemented on the api pkg, so this
upgrade also affects all of those commands. Seems
like this was only moved to the api pkg because
the Terraform provider uses it, and I thought
creating a full copy of all those files back under
command would be too much spaghetti.
Also leaving some TODOs to make next deprecation
steps easier.
* upgrade hcl dependency in vault and sdk pkgs
* upgrade hcl dependency in vault and sdk pkgs
* add CLI warnings to commands that take a config
- vault agent (unit test on CMD warning)
- vault proxy (unit test on CMD warning)
- vault server (no test for the warning)
- vault operator diagnose (no tests at all, uses the
same function as vault server
* ignore duplicates on ParseKMSes function
* Extend policy parsing functions and warn on policy store
* Add warning on policy fmt with duplicate attributes
* Add warnings when creating/updating policy with duplicate HCL attrs
* Add log warning when switchedGetPolicy finds duplicate attrs
Following operations can trigger this warning when they run into a policy
with duplicate attributes:
* replication filtered path namespaces invalidation
* policy read API
* building an ACL (for many different purposes like most authZ operations)
* looking up DR token policies
* creating a token with named policies
* when caching the policies for all namespaces during unseal
* Print log warnings when token inline policy has duplicate attrs
No unit tests on these as new test infra would have to be built on all.
Operations affected, which will now print a log warning when the retrieved
token has an inline policy with duplicate attributes:
* capabilities endpoints in sys mount
* handing events under a subscription with a token with duplicate
attrs in inline policies
* token used to create another token has duplicate attrs in inline
policies (sudo check)
* all uses of fetchACLTokenEntryAndEntity when the request uses a
token with inline policies with duplicate attrs. Almost all reqs
are subject to this
* when tokens are created with inline policies (unclear exactly how that
can happen)
* add changelog and deprecation notice
* add missing copywrite notice
* fix copy-paste mistake
good thing it was covered by unit tests
* Fix manual parsing of telemetry field in SharedConfig
This commit in the hcl library was not in the
v1.0.1-vault-5 version we're using but is
included in v1.0.1-vault-7:
https://github.com/hashicorp/hcl/commit/e80118accb521e47bc5b93104bf46c67d89d2242
This thing of reusing when parsing means that
our approach of manually re-parsing fields
on top of fields that have already been parsed
by the hcl annotation causes strings (maybe
more?) to concatenate.
Fix that by removing annotation. There's
actually more occurrences of this thing of
automatically parsing something that is also
manually parsing. In some places we could
just remove the boilerplate manual parsing, in
others we better remove the auto parsing, but
I don't wanna pull at that thread right now. I
just checked that all places at least fully
overwrite the automatically parsed field
instead of reusing it as the target of the
decode call. The only exception is the AOP
field on ent but that doesn't have maps or
slices, so I think it's fine.
An alternative approach would be to ensure
that the auto-parsed value is discarded,
like the current parseCache function does
note how it's template not templates
* Fix linter complaints
* Update command/base_predict.go
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* address review
* remove copywrite headers
* re-add copywrite headers
* make fmt
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* undo changes to deprecation.mdx
* remove deprecation doc
* fix conflict with changes from main
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-05-23 15:02:07 -04:00
// hclDuplicateKeysWarningPrinted tracks if a command execution has already printed the warning, to avoid printing
// it multiple times on a single execution.
// TODO (HCL_DUP_KEYS_DEPRECATION): remove this once we don't use the warning anymore
hclDuplicateKeysWarningPrinted bool
2017-08-28 16:44:35 -04:00
}
// Client returns the HTTP API client. The client is cached on the command to
// save performance on future calls.
func ( c * BaseCommand ) Client ( ) ( * api . Client , error ) {
2017-08-29 00:24:22 -04:00
// Read the test client if present
if c . client != nil {
2024-04-02 18:24:40 -04:00
// Ignoring homedir errors here and moving on to avoid
// spamming user with warnings/errors that homedir isn't set.
path , err := homedir . Dir ( )
if err == nil {
if err := c . applyHCPConfig ( path ) ; err != nil {
return nil , err
}
2023-10-30 11:08:55 -04:00
}
2024-01-09 09:29:30 -05:00
return c . client , nil
2023-10-30 11:08:55 -04:00
}
2017-08-29 00:24:22 -04:00
config := api . DefaultConfig ( )
if err := config . ReadEnvironment ( ) ; err != nil {
return nil , errors . Wrap ( err , "failed to read environment" )
}
if c . flagAddress != "" {
config . Address = c . flagAddress
}
2023-05-17 09:38:34 -04:00
if c . flagAgentProxyAddress != "" {
2024-10-04 14:29:03 -04:00
config . AgentAddress = c . flagAgentProxyAddress
2019-02-14 20:10:36 -05:00
}
2017-08-29 00:24:22 -04:00
2019-02-01 17:13:51 -05:00
if c . flagOutputCurlString {
config . OutputCurlString = c . flagOutputCurlString
}
2022-04-27 19:35:18 -04:00
if c . flagOutputPolicy {
config . OutputPolicy = c . flagOutputPolicy
}
2019-02-01 17:13:51 -05:00
2017-08-29 00:24:22 -04:00
// If we need custom TLS configuration, then set it
if c . flagCACert != "" || c . flagCAPath != "" || c . flagClientCert != "" ||
c . flagClientKey != "" || c . flagTLSServerName != "" || c . flagTLSSkipVerify {
t := & api . TLSConfig {
CACert : c . flagCACert ,
CAPath : c . flagCAPath ,
ClientCert : c . flagClientCert ,
ClientKey : c . flagClientKey ,
TLSServerName : c . flagTLSServerName ,
Insecure : c . flagTLSSkipVerify ,
2017-08-28 16:44:35 -04:00
}
2019-12-18 05:22:15 -05:00
// Setup TLS config
if err := config . ConfigureTLS ( t ) ; err != nil {
return nil , errors . Wrap ( err , "failed to setup TLS config" )
}
2017-08-29 00:24:22 -04:00
}
// Build the client
client , err := api . NewClient ( config )
if err != nil {
return nil , errors . Wrap ( err , "failed to create client" )
}
2018-07-12 18:38:18 -04:00
// Turn off retries on the CLI
if os . Getenv ( api . EnvVaultMaxRetries ) == "" {
client . SetMaxRetries ( 0 )
}
2017-08-29 00:24:22 -04:00
// Set the wrapping function
client . SetWrappingLookupFunc ( c . DefaultWrappingLookupFunc )
// Get the token if it came in from the environment
token := client . Token ( )
// If we don't have a token, check the token helper
if token == "" {
2017-09-04 23:53:57 -04:00
helper , err := c . TokenHelper ( )
if err != nil {
return nil , errors . Wrap ( err , "failed to get token helper" )
}
token , err = helper . Get ( )
if err != nil {
return nil , errors . Wrap ( err , "failed to get token from token helper" )
2017-08-28 16:44:35 -04:00
}
2017-08-29 00:24:22 -04:00
}
2017-08-28 16:44:35 -04:00
2017-08-29 00:24:22 -04:00
// Set the token
if token != "" {
client . SetToken ( token )
}
2017-08-28 16:44:35 -04:00
2018-03-30 12:11:10 -04:00
client . SetMFACreds ( c . flagMFA )
2018-08-27 12:03:39 -04:00
// flagNS takes precedence over flagNamespace. After resolution, point both
// flags to the same value to be able to use them interchangeably anywhere.
2018-09-05 15:52:54 -04:00
if c . flagNS != notSetValue {
2018-08-27 12:03:39 -04:00
c . flagNamespace = c . flagNS
}
2018-09-05 15:52:54 -04:00
if c . flagNamespace != notSetValue {
2018-08-22 14:37:40 -04:00
client . SetNamespace ( namespace . Canonicalize ( c . flagNamespace ) )
}
2018-11-20 12:33:00 -05:00
if c . flagPolicyOverride {
client . SetPolicyOverride ( c . flagPolicyOverride )
}
2018-03-30 12:11:10 -04:00
2021-10-27 11:04:04 -04:00
if c . flagHeader != nil {
var forbiddenHeaders [ ] string
for key , val := range c . flagHeader {
if strings . HasPrefix ( key , "X-Vault-" ) {
forbiddenHeaders = append ( forbiddenHeaders , key )
continue
}
client . AddHeader ( key , val )
}
if len ( forbiddenHeaders ) > 0 {
return nil , fmt . Errorf ( "failed to setup Headers[%s]: Header starting by 'X-Vault-' are for internal usage only" , strings . Join ( forbiddenHeaders , ", " ) )
}
}
2018-02-06 13:06:17 -05:00
c . client = client
2024-04-02 18:24:40 -04:00
// Ignoring homedir errors here and moving on to avoid
// spamming user with warnings/errors that homedir isn't set.
path , err := homedir . Dir ( )
if err == nil {
if err := c . applyHCPConfig ( path ) ; err != nil {
return nil , err
}
2024-01-09 09:29:30 -05:00
}
if c . addrWarning != "" && c . UI != nil {
2024-05-30 09:48:06 -04:00
if os . Getenv ( "VAULT_ADDR" ) == "" && ! c . flags . hadAddressFlag {
2024-01-09 09:29:30 -05:00
if ! c . flagNonInteractive && isatty . IsTerminal ( os . Stdin . Fd ( ) ) {
c . UI . Warn ( wrapAtLength ( c . addrWarning ) )
}
}
}
2017-08-29 00:24:22 -04:00
return client , nil
2017-08-28 16:44:35 -04:00
}
2024-04-02 18:24:40 -04:00
func ( c * BaseCommand ) applyHCPConfig ( path string ) error {
2024-01-09 09:29:30 -05:00
if c . hcpTokenHelper == nil {
c . hcpTokenHelper = c . HCPTokenHelper ( )
}
2024-04-02 18:24:40 -04:00
hcpToken , err := c . hcpTokenHelper . GetHCPToken ( path )
2024-01-09 09:29:30 -05:00
if err != nil {
return err
}
if hcpToken != nil {
cookie := & http . Cookie {
Name : "hcp_access_token" ,
Value : hcpToken . AccessToken ,
Expires : hcpToken . AccessTokenExpiry ,
}
if err := c . client . SetHCPCookie ( cookie ) ; err != nil {
return fmt . Errorf ( "unable to correctly connect to the HCP Vault cluster; please reconnect to HCP: %w" , err )
}
if err := c . client . SetAddress ( hcpToken . ProxyAddr ) ; err != nil {
return fmt . Errorf ( "unable to correctly set the HCP address: %w" , err )
}
// remove address warning since address was set to HCP's address
c . addrWarning = ""
}
return nil
}
2018-03-16 13:14:32 -04:00
// SetAddress sets the token helper on the command; useful for the demo server and other outside cases.
func ( c * BaseCommand ) SetAddress ( addr string ) {
c . flagAddress = addr
}
2018-03-16 11:31:00 -04:00
// SetTokenHelper sets the token helper on the command.
2024-03-04 13:29:20 -05:00
func ( c * BaseCommand ) SetTokenHelper ( th tokenhelper . TokenHelper ) {
2018-03-16 11:31:00 -04:00
c . tokenHelper = th
}
2017-09-04 23:53:57 -04:00
// TokenHelper returns the token helper attached to the command.
2024-03-04 13:29:20 -05:00
func ( c * BaseCommand ) TokenHelper ( ) ( tokenhelper . TokenHelper , error ) {
2017-09-04 23:53:57 -04:00
if c . tokenHelper != nil {
return c . tokenHelper , nil
}
VAULT-32657 deprecate duplicate attributes in HCL configs and policies (#30386)
* upgrade hcl dependency on api pkg
This upgrades the hcl dependency for the API pkg,
and adapts its usage so users of our API pkg are
not affected. There's no good way of communicating
a warning via a library call so we don't.
The tokenHelper which is used by all Vault CLI
commands in order to create the Vault client, as
well as directly used by the login and server
commands, is implemented on the api pkg, so this
upgrade also affects all of those commands. Seems
like this was only moved to the api pkg because
the Terraform provider uses it, and I thought
creating a full copy of all those files back under
command would be too much spaghetti.
Also leaving some TODOs to make next deprecation
steps easier.
* upgrade hcl dependency in vault and sdk pkgs
* upgrade hcl dependency in vault and sdk pkgs
* add CLI warnings to commands that take a config
- vault agent (unit test on CMD warning)
- vault proxy (unit test on CMD warning)
- vault server (no test for the warning)
- vault operator diagnose (no tests at all, uses the
same function as vault server
* ignore duplicates on ParseKMSes function
* Extend policy parsing functions and warn on policy store
* Add warning on policy fmt with duplicate attributes
* Add warnings when creating/updating policy with duplicate HCL attrs
* Add log warning when switchedGetPolicy finds duplicate attrs
Following operations can trigger this warning when they run into a policy
with duplicate attributes:
* replication filtered path namespaces invalidation
* policy read API
* building an ACL (for many different purposes like most authZ operations)
* looking up DR token policies
* creating a token with named policies
* when caching the policies for all namespaces during unseal
* Print log warnings when token inline policy has duplicate attrs
No unit tests on these as new test infra would have to be built on all.
Operations affected, which will now print a log warning when the retrieved
token has an inline policy with duplicate attributes:
* capabilities endpoints in sys mount
* handing events under a subscription with a token with duplicate
attrs in inline policies
* token used to create another token has duplicate attrs in inline
policies (sudo check)
* all uses of fetchACLTokenEntryAndEntity when the request uses a
token with inline policies with duplicate attrs. Almost all reqs
are subject to this
* when tokens are created with inline policies (unclear exactly how that
can happen)
* add changelog and deprecation notice
* add missing copywrite notice
* fix copy-paste mistake
good thing it was covered by unit tests
* Fix manual parsing of telemetry field in SharedConfig
This commit in the hcl library was not in the
v1.0.1-vault-5 version we're using but is
included in v1.0.1-vault-7:
https://github.com/hashicorp/hcl/commit/e80118accb521e47bc5b93104bf46c67d89d2242
This thing of reusing when parsing means that
our approach of manually re-parsing fields
on top of fields that have already been parsed
by the hcl annotation causes strings (maybe
more?) to concatenate.
Fix that by removing annotation. There's
actually more occurrences of this thing of
automatically parsing something that is also
manually parsing. In some places we could
just remove the boilerplate manual parsing, in
others we better remove the auto parsing, but
I don't wanna pull at that thread right now. I
just checked that all places at least fully
overwrite the automatically parsed field
instead of reusing it as the target of the
decode call. The only exception is the AOP
field on ent but that doesn't have maps or
slices, so I think it's fine.
An alternative approach would be to ensure
that the auto-parsed value is discarded,
like the current parseCache function does
note how it's template not templates
* Fix linter complaints
* Update command/base_predict.go
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* address review
* remove copywrite headers
* re-add copywrite headers
* make fmt
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* undo changes to deprecation.mdx
* remove deprecation doc
* fix conflict with changes from main
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-05-23 15:02:07 -04:00
// TODO (HCL_DUP_KEYS_DEPRECATION): Return to DefaultTokenHelper once duplicates are forbidden
helper , duplicates , err := cliconfig . DefaultTokenHelperCheckDuplicates ( )
2017-09-04 23:53:57 -04:00
if err != nil {
return nil , err
}
VAULT-32657 deprecate duplicate attributes in HCL configs and policies (#30386)
* upgrade hcl dependency on api pkg
This upgrades the hcl dependency for the API pkg,
and adapts its usage so users of our API pkg are
not affected. There's no good way of communicating
a warning via a library call so we don't.
The tokenHelper which is used by all Vault CLI
commands in order to create the Vault client, as
well as directly used by the login and server
commands, is implemented on the api pkg, so this
upgrade also affects all of those commands. Seems
like this was only moved to the api pkg because
the Terraform provider uses it, and I thought
creating a full copy of all those files back under
command would be too much spaghetti.
Also leaving some TODOs to make next deprecation
steps easier.
* upgrade hcl dependency in vault and sdk pkgs
* upgrade hcl dependency in vault and sdk pkgs
* add CLI warnings to commands that take a config
- vault agent (unit test on CMD warning)
- vault proxy (unit test on CMD warning)
- vault server (no test for the warning)
- vault operator diagnose (no tests at all, uses the
same function as vault server
* ignore duplicates on ParseKMSes function
* Extend policy parsing functions and warn on policy store
* Add warning on policy fmt with duplicate attributes
* Add warnings when creating/updating policy with duplicate HCL attrs
* Add log warning when switchedGetPolicy finds duplicate attrs
Following operations can trigger this warning when they run into a policy
with duplicate attributes:
* replication filtered path namespaces invalidation
* policy read API
* building an ACL (for many different purposes like most authZ operations)
* looking up DR token policies
* creating a token with named policies
* when caching the policies for all namespaces during unseal
* Print log warnings when token inline policy has duplicate attrs
No unit tests on these as new test infra would have to be built on all.
Operations affected, which will now print a log warning when the retrieved
token has an inline policy with duplicate attributes:
* capabilities endpoints in sys mount
* handing events under a subscription with a token with duplicate
attrs in inline policies
* token used to create another token has duplicate attrs in inline
policies (sudo check)
* all uses of fetchACLTokenEntryAndEntity when the request uses a
token with inline policies with duplicate attrs. Almost all reqs
are subject to this
* when tokens are created with inline policies (unclear exactly how that
can happen)
* add changelog and deprecation notice
* add missing copywrite notice
* fix copy-paste mistake
good thing it was covered by unit tests
* Fix manual parsing of telemetry field in SharedConfig
This commit in the hcl library was not in the
v1.0.1-vault-5 version we're using but is
included in v1.0.1-vault-7:
https://github.com/hashicorp/hcl/commit/e80118accb521e47bc5b93104bf46c67d89d2242
This thing of reusing when parsing means that
our approach of manually re-parsing fields
on top of fields that have already been parsed
by the hcl annotation causes strings (maybe
more?) to concatenate.
Fix that by removing annotation. There's
actually more occurrences of this thing of
automatically parsing something that is also
manually parsing. In some places we could
just remove the boilerplate manual parsing, in
others we better remove the auto parsing, but
I don't wanna pull at that thread right now. I
just checked that all places at least fully
overwrite the automatically parsed field
instead of reusing it as the target of the
decode call. The only exception is the AOP
field on ent but that doesn't have maps or
slices, so I think it's fine.
An alternative approach would be to ensure
that the auto-parsed value is discarded,
like the current parseCache function does
note how it's template not templates
* Fix linter complaints
* Update command/base_predict.go
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* address review
* remove copywrite headers
* re-add copywrite headers
* make fmt
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* undo changes to deprecation.mdx
* remove deprecation doc
* fix conflict with changes from main
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-05-23 15:02:07 -04:00
if duplicates && ! c . hclDuplicateKeysWarningPrinted {
c . hclDuplicateKeysWarningPrinted = true
c . UI . Warn ( "WARNING: Duplicate keys found in the Vault token helper configuration file, duplicate keys in HCL files are deprecated and will be forbidden in a future release." )
}
2017-09-04 23:53:57 -04:00
return helper , nil
}
2024-01-09 09:29:30 -05:00
// HCPTokenHelper returns the HCPToken helper attached to the command.
func ( c * BaseCommand ) HCPTokenHelper ( ) hcpvlib . HCPTokenHelper {
if c . hcpTokenHelper != nil {
return c . hcpTokenHelper
}
return config . DefaultHCPTokenHelper ( )
}
2017-08-28 16:44:35 -04:00
// DefaultWrappingLookupFunc is the default wrapping function based on the
// CLI flag.
func ( c * BaseCommand ) DefaultWrappingLookupFunc ( operation , path string ) string {
if c . flagWrapTTL != 0 {
return c . flagWrapTTL . String ( )
}
return api . DefaultWrappingLookupFunc ( operation , path )
}
2023-06-16 16:03:07 -04:00
// getMFAValidationRequired checks to see if the secret exists and has an MFA
2022-10-26 17:02:26 -04:00
// requirement. If MFA is required and the number of constraints is greater than
// 1, we can assert that interactive validation is not required.
func ( c * BaseCommand ) getMFAValidationRequired ( secret * api . Secret ) bool {
if secret != nil && secret . Auth != nil && secret . Auth . MFARequirement != nil {
if c . flagMFA == nil && len ( secret . Auth . MFARequirement . MFAConstraints ) == 1 {
return true
} else if len ( secret . Auth . MFARequirement . MFAConstraints ) > 1 {
return true
}
2022-03-14 15:54:41 -04:00
}
return false
}
2022-10-26 17:02:26 -04:00
// getInteractiveMFAMethodInfo returns MFA method information only if operating
// in interactive mode and one MFA method is configured.
func ( c * BaseCommand ) getInteractiveMFAMethodInfo ( secret * api . Secret ) * MFAMethodInfo {
if secret == nil || secret . Auth == nil || secret . Auth . MFARequirement == nil {
return nil
}
mfaConstraints := secret . Auth . MFARequirement . MFAConstraints
if c . flagNonInteractive || len ( mfaConstraints ) != 1 || ! isatty . IsTerminal ( os . Stdin . Fd ( ) ) {
return nil
}
for _ , mfaConstraint := range mfaConstraints {
2022-03-14 15:54:41 -04:00
if len ( mfaConstraint . Any ) != 1 {
2022-10-26 17:02:26 -04:00
return nil
2022-03-14 15:54:41 -04:00
}
2022-10-26 17:02:26 -04:00
return & MFAMethodInfo {
2022-03-14 15:54:41 -04:00
methodType : mfaConstraint . Any [ 0 ] . Type ,
methodID : mfaConstraint . Any [ 0 ] . ID ,
usePasscode : mfaConstraint . Any [ 0 ] . UsesPasscode ,
}
}
2022-10-26 17:02:26 -04:00
return nil
2022-03-14 15:54:41 -04:00
}
2022-10-26 17:02:26 -04:00
func ( c * BaseCommand ) validateMFA ( reqID string , methodInfo MFAMethodInfo ) ( * api . Secret , error ) {
2022-03-14 15:54:41 -04:00
var passcode string
var err error
if methodInfo . usePasscode {
passcode , err = c . UI . AskSecret ( fmt . Sprintf ( "Enter the passphrase for methodID %q of type %q:" , methodInfo . methodID , methodInfo . methodType ) )
if err != nil {
2022-10-26 17:02:26 -04:00
return nil , fmt . Errorf ( "failed to read passphrase: %w. please validate the login by sending a request to sys/mfa/validate" , err )
2022-03-14 15:54:41 -04:00
}
} else {
c . UI . Warn ( "Asking Vault to perform MFA validation with upstream service. " +
"You should receive a push notification in your authenticator app shortly" )
}
// passcode could be an empty string
2022-04-15 14:13:15 -04:00
mfaPayload := map [ string ] interface { } {
methodInfo . methodID : [ ] string { passcode } ,
2022-03-14 15:54:41 -04:00
}
client , err := c . Client ( )
if err != nil {
2022-10-26 17:02:26 -04:00
return nil , err
2022-03-14 15:54:41 -04:00
}
2022-10-26 17:02:26 -04:00
return client . Sys ( ) . MFAValidate ( reqID , mfaPayload )
2022-03-14 15:54:41 -04:00
}
2017-08-28 16:44:35 -04:00
type FlagSetBit uint
const (
FlagSetNone FlagSetBit = 1 << iota
FlagSetHTTP
FlagSetOutputField
FlagSetOutputFormat
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos
The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).
Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:
$ vault list -detailed pki/issuers
Keys issuer_name
---- -----------
0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a
35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a
382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a
8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a
8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a
9425d51f-cb81-426d-d6ad-5147d092094e n/a
ae679732-b497-ab0d-3220-806a2b9d81ed n/a
c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8
d41d2419-efce-0e36-c96b-e91179a24dc1 something
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow detailed printing of LIST responses in JSON
When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.
This returns something like the following:
{
"request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"key_info": {
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
"issuer_name": ""
},
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
"issuer_name": ""
},
"382fad1e-e99c-9c54-e147-bb1faa8033d3": {
"issuer_name": ""
},
"8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
"issuer_name": ""
},
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
"issuer_name": ""
},
"9425d51f-cb81-426d-d6ad-5147d092094e": {
"issuer_name": ""
},
"ae679732-b497-ab0d-3220-806a2b9d81ed": {
"issuer_name": ""
},
"c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
"issuer_name": "utf8"
},
"d41d2419-efce-0e36-c96b-e91179a24dc1": {
"issuer_name": "something"
}
},
"keys": [
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
"382fad1e-e99c-9c54-e147-bb1faa8033d3",
"8bb4a793-2ad9-460c-9fa8-574c84a981f7",
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
"9425d51f-cb81-426d-d6ad-5147d092094e",
"ae679732-b497-ab0d-3220-806a2b9d81ed",
"c5a44a1f-2ae4-2140-3acf-74b2609448cc",
"d41d2419-efce-0e36-c96b-e91179a24dc1"
]
},
"warnings": null
}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use field on UI rather than secret.Data
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Only include headers from visitable key_infos
Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use setupEnv sourced detailed info
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix changelog environment variable
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken tests using setupEnv
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
FlagSetOutputDetailed
2025-05-21 09:10:20 -04:00
FlagSetSnapshot
2017-08-28 16:44:35 -04:00
)
// flagSet creates the flags for this command. The result is cached on the
// command to save performance on future calls.
func ( c * BaseCommand ) flagSet ( bit FlagSetBit ) * FlagSets {
c . flagsOnce . Do ( func ( ) {
set := NewFlagSets ( c . UI )
2018-02-12 18:12:16 -05:00
// These flag sets will apply to all leaf subcommands.
// TODO: Optional, but FlagSetHTTP can be safely removed from the individual
// Flags() subcommands.
bit = bit | FlagSetHTTP
2017-08-28 16:44:35 -04:00
if bit & FlagSetHTTP != 0 {
f := set . NewFlagSet ( "HTTP Options" )
2018-03-16 13:41:27 -04:00
addrStringVar := & StringVar {
2025-02-27 17:57:46 -05:00
Name : flagNameAddress ,
Target : & c . flagAddress ,
EnvVar : api . EnvVaultAddress ,
Completion : complete . PredictAnything ,
Normalizers : [ ] func ( string ) string { configutil . NormalizeAddr } ,
Usage : "Address of the Vault server." ,
2018-03-16 13:41:27 -04:00
}
2023-10-30 11:08:55 -04:00
2018-03-16 13:41:27 -04:00
if c . flagAddress != "" {
addrStringVar . Default = c . flagAddress
} else {
addrStringVar . Default = "https://127.0.0.1:8200"
2023-10-30 11:08:55 -04:00
c . addrWarning = fmt . Sprintf ( "WARNING! VAULT_ADDR and -address unset. Defaulting to %s." , addrStringVar . Default )
2018-03-16 13:41:27 -04:00
}
f . StringVar ( addrStringVar )
2017-08-28 16:44:35 -04:00
2019-02-14 20:10:36 -05:00
agentAddrStringVar := & StringVar {
2025-02-27 17:57:46 -05:00
Name : "agent-address" ,
Target : & c . flagAgentProxyAddress ,
EnvVar : api . EnvVaultAgentAddr ,
Completion : complete . PredictAnything ,
Normalizers : [ ] func ( string ) string { configutil . NormalizeAddr } ,
Usage : "Address of the Agent." ,
2019-02-14 20:10:36 -05:00
}
f . StringVar ( agentAddrStringVar )
2017-08-28 16:44:35 -04:00
f . StringVar ( & StringVar {
2019-02-28 17:29:28 -05:00
Name : flagNameCACert ,
2017-08-28 16:44:35 -04:00
Target : & c . flagCACert ,
Default : "" ,
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultCACert ,
2017-08-28 16:44:35 -04:00
Completion : complete . PredictFiles ( "*" ) ,
Usage : "Path on the local disk to a single PEM-encoded CA " +
"certificate to verify the Vault server's SSL certificate. This " +
2018-03-20 14:54:10 -04:00
"takes precedence over -ca-path." ,
2017-08-28 16:44:35 -04:00
} )
f . StringVar ( & StringVar {
2019-02-28 17:29:28 -05:00
Name : flagNameCAPath ,
2017-08-28 16:44:35 -04:00
Target : & c . flagCAPath ,
Default : "" ,
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultCAPath ,
2017-08-28 16:44:35 -04:00
Completion : complete . PredictDirs ( "*" ) ,
Usage : "Path on the local disk to a directory of PEM-encoded CA " +
"certificates to verify the Vault server's SSL certificate." ,
} )
f . StringVar ( & StringVar {
2019-03-01 15:11:16 -05:00
Name : flagNameClientCert ,
2017-08-28 16:44:35 -04:00
Target : & c . flagClientCert ,
Default : "" ,
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultClientCert ,
2017-08-28 16:44:35 -04:00
Completion : complete . PredictFiles ( "*" ) ,
Usage : "Path on the local disk to a single PEM-encoded CA " +
"certificate to use for TLS authentication to the Vault server. If " +
"this flag is specified, -client-key is also required." ,
} )
f . StringVar ( & StringVar {
2019-03-01 15:11:16 -05:00
Name : flagNameClientKey ,
2017-08-28 16:44:35 -04:00
Target : & c . flagClientKey ,
Default : "" ,
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultClientKey ,
2017-08-28 16:44:35 -04:00
Completion : complete . PredictFiles ( "*" ) ,
Usage : "Path on the local disk to a single PEM-encoded private key " +
"matching the client certificate from -client-cert." ,
} )
2018-08-10 12:13:06 -04:00
f . StringVar ( & StringVar {
Name : "namespace" ,
Target : & c . flagNamespace ,
2018-09-05 15:52:54 -04:00
Default : notSetValue , // this can never be a real value
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultNamespace ,
2018-08-10 12:13:06 -04:00
Completion : complete . PredictAnything ,
Usage : "The namespace to use for the command. Setting this is not " +
2018-08-22 14:37:40 -04:00
"necessary but allows using relative paths. -ns can be used as " +
"shortcut." ,
} )
f . StringVar ( & StringVar {
Name : "ns" ,
Target : & c . flagNS ,
2018-09-05 15:52:54 -04:00
Default : notSetValue , // this can never be a real value
2018-08-22 14:37:40 -04:00
Completion : complete . PredictAnything ,
Hidden : true ,
2018-08-27 12:03:39 -04:00
Usage : "Alias for -namespace. This takes precedence over -namespace." ,
2018-08-10 12:13:06 -04:00
} )
2017-08-28 16:44:35 -04:00
f . StringVar ( & StringVar {
2019-10-29 09:11:01 -04:00
Name : flagTLSServerName ,
2017-08-28 16:44:35 -04:00
Target : & c . flagTLSServerName ,
Default : "" ,
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultTLSServerName ,
2017-08-28 16:44:35 -04:00
Completion : complete . PredictAnything ,
Usage : "Name to use as the SNI host when connecting to the Vault " +
"server via TLS." ,
} )
f . BoolVar ( & BoolVar {
2019-02-28 17:29:28 -05:00
Name : flagNameTLSSkipVerify ,
2017-09-04 23:54:13 -04:00
Target : & c . flagTLSSkipVerify ,
Default : false ,
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultSkipVerify ,
2017-08-28 16:44:35 -04:00
Usage : "Disable verification of TLS certificates. Using this option " +
2019-03-05 15:19:52 -05:00
"is highly discouraged as it decreases the security of data " +
2017-08-28 16:44:35 -04:00
"transmissions to and from the Vault server." ,
} )
2018-11-20 12:33:00 -05:00
2022-09-30 04:29:37 -04:00
f . BoolVar ( & BoolVar {
Name : flagNameDisableRedirects ,
Target : & c . flagDisableRedirects ,
Default : false ,
EnvVar : api . EnvVaultDisableRedirects ,
Usage : "Disable the default client behavior, which honors a single " +
"redirect response from a request" ,
} )
2018-11-20 12:33:00 -05:00
f . BoolVar ( & BoolVar {
Name : "policy-override" ,
Target : & c . flagPolicyOverride ,
Default : false ,
Usage : "Override a Sentinel policy that has a soft-mandatory " +
"enforcement_level specified" ,
} )
2017-08-28 16:44:35 -04:00
f . DurationVar ( & DurationVar {
Name : "wrap-ttl" ,
Target : & c . flagWrapTTL ,
Default : 0 ,
2019-02-28 17:29:28 -05:00
EnvVar : api . EnvVaultWrapTTL ,
2017-08-28 16:44:35 -04:00
Completion : complete . PredictAnything ,
Usage : "Wraps the response in a cubbyhole token with the requested " +
"TTL. The response is available via the \"vault unwrap\" command. " +
"The TTL is specified as a numeric string with suffix like \"30s\" " +
2017-09-04 23:54:13 -04:00
"or \"5m\"." ,
2017-08-28 16:44:35 -04:00
} )
2018-03-30 12:11:10 -04:00
f . StringSliceVar ( & StringSliceVar {
Name : "mfa" ,
Target : & c . flagMFA ,
Default : nil ,
EnvVar : api . EnvVaultMFA ,
Completion : complete . PredictAnything ,
Usage : "Supply MFA credentials as part of X-Vault-MFA header." ,
} )
2019-02-01 17:13:51 -05:00
f . BoolVar ( & BoolVar {
Name : "output-curl-string" ,
Target : & c . flagOutputCurlString ,
Default : false ,
Usage : "Instead of executing the request, print an equivalent cURL " +
"command string and exit." ,
} )
2022-04-27 19:35:18 -04:00
f . BoolVar ( & BoolVar {
Name : "output-policy" ,
Target : & c . flagOutputPolicy ,
Default : false ,
Usage : "Instead of executing the request, print an example HCL " +
"policy that would be required to run this command, and exit." ,
} )
2021-10-22 16:22:49 -04:00
f . StringVar ( & StringVar {
Name : "unlock-key" ,
Target : & c . flagUnlockKey ,
Default : notSetValue ,
Completion : complete . PredictNothing ,
Usage : "Key to unlock a namespace API lock." ,
} )
2021-10-27 11:04:04 -04:00
f . StringMapVar ( & StringMapVar {
Name : "header" ,
Target : & c . flagHeader ,
Completion : complete . PredictAnything ,
Usage : "Key-value pair provided as key=value to provide http header added to any request done by the CLI." +
"Trying to add headers starting with 'X-Vault-' is forbidden and will make the command fail " +
"This can be specified multiple times." ,
} )
2022-02-24 15:16:15 -05:00
f . BoolVar ( & BoolVar {
Name : "non-interactive" ,
Target : & c . flagNonInteractive ,
Default : false ,
Usage : "When set true, prevents asking the user for input via the terminal." ,
} )
2017-08-28 16:44:35 -04:00
}
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos
The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).
Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:
$ vault list -detailed pki/issuers
Keys issuer_name
---- -----------
0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a
35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a
382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a
8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a
8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a
9425d51f-cb81-426d-d6ad-5147d092094e n/a
ae679732-b497-ab0d-3220-806a2b9d81ed n/a
c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8
d41d2419-efce-0e36-c96b-e91179a24dc1 something
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow detailed printing of LIST responses in JSON
When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.
This returns something like the following:
{
"request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"key_info": {
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
"issuer_name": ""
},
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
"issuer_name": ""
},
"382fad1e-e99c-9c54-e147-bb1faa8033d3": {
"issuer_name": ""
},
"8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
"issuer_name": ""
},
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
"issuer_name": ""
},
"9425d51f-cb81-426d-d6ad-5147d092094e": {
"issuer_name": ""
},
"ae679732-b497-ab0d-3220-806a2b9d81ed": {
"issuer_name": ""
},
"c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
"issuer_name": "utf8"
},
"d41d2419-efce-0e36-c96b-e91179a24dc1": {
"issuer_name": "something"
}
},
"keys": [
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
"382fad1e-e99c-9c54-e147-bb1faa8033d3",
"8bb4a793-2ad9-460c-9fa8-574c84a981f7",
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
"9425d51f-cb81-426d-d6ad-5147d092094e",
"ae679732-b497-ab0d-3220-806a2b9d81ed",
"c5a44a1f-2ae4-2140-3acf-74b2609448cc",
"d41d2419-efce-0e36-c96b-e91179a24dc1"
]
},
"warnings": null
}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use field on UI rather than secret.Data
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Only include headers from visitable key_infos
Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use setupEnv sourced detailed info
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix changelog environment variable
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken tests using setupEnv
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
if bit & ( FlagSetOutputField | FlagSetOutputFormat | FlagSetOutputDetailed ) != 0 {
outputSet := set . NewFlagSet ( "Output Options" )
2017-08-28 16:44:35 -04:00
if bit & FlagSetOutputField != 0 {
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos
The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).
Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:
$ vault list -detailed pki/issuers
Keys issuer_name
---- -----------
0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a
35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a
382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a
8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a
8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a
9425d51f-cb81-426d-d6ad-5147d092094e n/a
ae679732-b497-ab0d-3220-806a2b9d81ed n/a
c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8
d41d2419-efce-0e36-c96b-e91179a24dc1 something
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow detailed printing of LIST responses in JSON
When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.
This returns something like the following:
{
"request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"key_info": {
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
"issuer_name": ""
},
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
"issuer_name": ""
},
"382fad1e-e99c-9c54-e147-bb1faa8033d3": {
"issuer_name": ""
},
"8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
"issuer_name": ""
},
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
"issuer_name": ""
},
"9425d51f-cb81-426d-d6ad-5147d092094e": {
"issuer_name": ""
},
"ae679732-b497-ab0d-3220-806a2b9d81ed": {
"issuer_name": ""
},
"c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
"issuer_name": "utf8"
},
"d41d2419-efce-0e36-c96b-e91179a24dc1": {
"issuer_name": "something"
}
},
"keys": [
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
"382fad1e-e99c-9c54-e147-bb1faa8033d3",
"8bb4a793-2ad9-460c-9fa8-574c84a981f7",
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
"9425d51f-cb81-426d-d6ad-5147d092094e",
"ae679732-b497-ab0d-3220-806a2b9d81ed",
"c5a44a1f-2ae4-2140-3acf-74b2609448cc",
"d41d2419-efce-0e36-c96b-e91179a24dc1"
]
},
"warnings": null
}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use field on UI rather than secret.Data
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Only include headers from visitable key_infos
Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use setupEnv sourced detailed info
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix changelog environment variable
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken tests using setupEnv
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
outputSet . StringVar ( & StringVar {
2017-08-28 16:44:35 -04:00
Name : "field" ,
Target : & c . flagField ,
Default : "" ,
Completion : complete . PredictAnything ,
Usage : "Print only the field with the given name. Specifying " +
"this option will take precedence over other formatting " +
"directives. The result will not have a trailing newline " +
2018-05-22 08:30:13 -04:00
"making it ideal for piping to other processes." ,
2017-08-28 16:44:35 -04:00
} )
}
if bit & FlagSetOutputFormat != 0 {
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos
The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).
Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:
$ vault list -detailed pki/issuers
Keys issuer_name
---- -----------
0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a
35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a
382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a
8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a
8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a
9425d51f-cb81-426d-d6ad-5147d092094e n/a
ae679732-b497-ab0d-3220-806a2b9d81ed n/a
c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8
d41d2419-efce-0e36-c96b-e91179a24dc1 something
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow detailed printing of LIST responses in JSON
When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.
This returns something like the following:
{
"request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"key_info": {
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
"issuer_name": ""
},
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
"issuer_name": ""
},
"382fad1e-e99c-9c54-e147-bb1faa8033d3": {
"issuer_name": ""
},
"8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
"issuer_name": ""
},
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
"issuer_name": ""
},
"9425d51f-cb81-426d-d6ad-5147d092094e": {
"issuer_name": ""
},
"ae679732-b497-ab0d-3220-806a2b9d81ed": {
"issuer_name": ""
},
"c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
"issuer_name": "utf8"
},
"d41d2419-efce-0e36-c96b-e91179a24dc1": {
"issuer_name": "something"
}
},
"keys": [
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
"382fad1e-e99c-9c54-e147-bb1faa8033d3",
"8bb4a793-2ad9-460c-9fa8-574c84a981f7",
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
"9425d51f-cb81-426d-d6ad-5147d092094e",
"ae679732-b497-ab0d-3220-806a2b9d81ed",
"c5a44a1f-2ae4-2140-3acf-74b2609448cc",
"d41d2419-efce-0e36-c96b-e91179a24dc1"
]
},
"warnings": null
}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use field on UI rather than secret.Data
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Only include headers from visitable key_infos
Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use setupEnv sourced detailed info
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix changelog environment variable
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken tests using setupEnv
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
outputSet . StringVar ( & StringVar {
2017-08-28 16:44:35 -04:00
Name : "format" ,
Target : & c . flagFormat ,
Default : "table" ,
2018-02-12 18:12:16 -05:00
EnvVar : EnvVaultFormat ,
2022-10-28 12:53:23 -04:00
Completion : complete . PredictSet ( "table" , "json" , "yaml" , "pretty" , "raw" ) ,
2021-03-03 13:59:50 -05:00
Usage : ` Print the output in the given format . Valid formats
2022-10-28 12:53:23 -04:00
are "table" , "json" , "yaml" , or "pretty" . "raw" is allowed
for ' vault read ' operations only . ` ,
2017-08-28 16:44:35 -04:00
} )
}
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos
The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).
Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:
$ vault list -detailed pki/issuers
Keys issuer_name
---- -----------
0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a
35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a
382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a
8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a
8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a
9425d51f-cb81-426d-d6ad-5147d092094e n/a
ae679732-b497-ab0d-3220-806a2b9d81ed n/a
c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8
d41d2419-efce-0e36-c96b-e91179a24dc1 something
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow detailed printing of LIST responses in JSON
When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.
This returns something like the following:
{
"request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"key_info": {
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
"issuer_name": ""
},
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
"issuer_name": ""
},
"382fad1e-e99c-9c54-e147-bb1faa8033d3": {
"issuer_name": ""
},
"8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
"issuer_name": ""
},
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
"issuer_name": ""
},
"9425d51f-cb81-426d-d6ad-5147d092094e": {
"issuer_name": ""
},
"ae679732-b497-ab0d-3220-806a2b9d81ed": {
"issuer_name": ""
},
"c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
"issuer_name": "utf8"
},
"d41d2419-efce-0e36-c96b-e91179a24dc1": {
"issuer_name": "something"
}
},
"keys": [
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
"382fad1e-e99c-9c54-e147-bb1faa8033d3",
"8bb4a793-2ad9-460c-9fa8-574c84a981f7",
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
"9425d51f-cb81-426d-d6ad-5147d092094e",
"ae679732-b497-ab0d-3220-806a2b9d81ed",
"c5a44a1f-2ae4-2140-3acf-74b2609448cc",
"d41d2419-efce-0e36-c96b-e91179a24dc1"
]
},
"warnings": null
}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use field on UI rather than secret.Data
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Only include headers from visitable key_infos
Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use setupEnv sourced detailed info
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix changelog environment variable
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken tests using setupEnv
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
if bit & FlagSetOutputDetailed != 0 {
outputSet . BoolVar ( & BoolVar {
Name : "detailed" ,
Target : & c . flagDetailed ,
Default : false ,
EnvVar : EnvVaultDetailed ,
Usage : "Enables additional metadata during some operations" ,
} )
}
2025-05-21 09:10:20 -04:00
if bit & FlagSetSnapshot != 0 {
outputSet . StringVar ( & StringVar {
Name : "snapshot-id" ,
Target : & c . flagSnapshotID ,
Default : "" ,
Completion : complete . PredictAnything ,
Usage : "ID of the loaded snapshot that this command will use" ,
} )
}
2017-08-28 16:44:35 -04:00
}
c . flags = set
} )
return c . flags
}
// FlagSets is a group of flag sets.
type FlagSets struct {
flagSets [ ] * FlagSet
mainSet * flag . FlagSet
hiddens map [ string ] struct { }
completions complete . Flags
2022-07-27 14:00:03 -04:00
ui cli . Ui
2024-05-30 09:48:06 -04:00
// hadAddressFlag signals if the FlagSet had an -address
// flag set, for the purposes of warning (see also:
// BaseCommand::addrWarning).
hadAddressFlag bool
2017-08-28 16:44:35 -04:00
}
// NewFlagSets creates a new flag sets.
func NewFlagSets ( ui cli . Ui ) * FlagSets {
mainSet := flag . NewFlagSet ( "" , flag . ContinueOnError )
2017-08-30 12:48:39 -04:00
// Errors and usage are controlled by the CLI.
mainSet . Usage = func ( ) { }
2024-05-30 09:48:06 -04:00
mainSet . SetOutput ( io . Discard )
2017-08-28 16:44:35 -04:00
return & FlagSets {
flagSets : make ( [ ] * FlagSet , 0 , 6 ) ,
mainSet : mainSet ,
hiddens : make ( map [ string ] struct { } ) ,
completions : complete . Flags { } ,
2022-07-27 14:00:03 -04:00
ui : ui ,
2017-08-28 16:44:35 -04:00
}
}
// NewFlagSet creates a new flag set from the given flag sets.
func ( f * FlagSets ) NewFlagSet ( name string ) * FlagSet {
flagSet := NewFlagSet ( name )
2017-09-04 23:53:13 -04:00
flagSet . mainSet = f . mainSet
flagSet . completions = f . completions
f . flagSets = append ( f . flagSets , flagSet )
2017-08-28 16:44:35 -04:00
return flagSet
}
2017-09-04 23:53:13 -04:00
// Completions returns the completions for this flag set.
2017-08-28 16:44:35 -04:00
func ( f * FlagSets ) Completions ( ) complete . Flags {
return f . completions
}
2022-10-28 12:53:23 -04:00
type (
ParseOptions interface { }
ParseOptionAllowRawFormat bool
2023-05-08 12:15:44 -04:00
DisableDisplayFlagWarning bool
2022-10-28 12:53:23 -04:00
)
2017-08-28 16:44:35 -04:00
// Parse parses the given flags, returning any errors.
2022-07-27 14:00:03 -04:00
// Warnings, if any, regarding the arguments format are sent to stdout
2022-10-28 12:53:23 -04:00
func ( f * FlagSets ) Parse ( args [ ] string , opts ... ParseOptions ) error {
2024-05-30 09:48:06 -04:00
// Before parsing, check to see if we have an address flag, for the
// purposes of warning later. This must be done now, as the argument
// will be removed during parsing.
for _ , arg := range args {
if strings . HasPrefix ( arg , "-address" ) {
f . hadAddressFlag = true
}
}
2022-07-27 14:00:03 -04:00
err := f . mainSet . Parse ( args )
2023-05-08 12:15:44 -04:00
displayFlagWarningsDisabled := false
for _ , opt := range opts {
if value , ok := opt . ( DisableDisplayFlagWarning ) ; ok {
displayFlagWarningsDisabled = bool ( value )
}
}
if ! displayFlagWarningsDisabled {
warnings := generateFlagWarnings ( f . Args ( ) )
if warnings != "" && Format ( f . ui ) == "table" {
f . ui . Warn ( warnings )
}
2022-07-27 14:00:03 -04:00
}
2022-10-28 12:53:23 -04:00
if err != nil {
return err
}
// Now surface any other errors.
return generateFlagErrors ( f , opts ... )
2017-08-28 16:44:35 -04:00
}
2018-02-12 18:12:16 -05:00
// Parsed reports whether the command-line flags have been parsed.
func ( f * FlagSets ) Parsed ( ) bool {
return f . mainSet . Parsed ( )
}
2017-08-28 16:44:35 -04:00
// Args returns the remaining args after parsing.
func ( f * FlagSets ) Args ( ) [ ] string {
return f . mainSet . Args ( )
}
2018-03-09 14:32:28 -05:00
// Visit visits the flags in lexicographical order, calling fn for each. It
// visits only those flags that have been set.
func ( f * FlagSets ) Visit ( fn func ( * flag . Flag ) ) {
f . mainSet . Visit ( fn )
}
2017-08-28 16:44:35 -04:00
// Help builds custom help for this command, grouping by flag set.
2022-07-27 14:00:03 -04:00
func ( f * FlagSets ) Help ( ) string {
2017-08-28 16:44:35 -04:00
var out bytes . Buffer
2022-07-27 14:00:03 -04:00
for _ , set := range f . flagSets {
2017-08-28 16:44:35 -04:00
printFlagTitle ( & out , set . name + ":" )
set . VisitAll ( func ( f * flag . Flag ) {
// Skip any hidden flags
2017-09-04 23:53:13 -04:00
if v , ok := f . Value . ( FlagVisibility ) ; ok && v . Hidden ( ) {
2017-08-28 16:44:35 -04:00
return
}
printFlagDetail ( & out , f )
} )
}
return strings . TrimRight ( out . String ( ) , "\n" )
}
// FlagSet is a grouped wrapper around a real flag set and a grouped flag set.
type FlagSet struct {
name string
flagSet * flag . FlagSet
mainSet * flag . FlagSet
completions complete . Flags
}
// NewFlagSet creates a new flag set.
func NewFlagSet ( name string ) * FlagSet {
return & FlagSet {
name : name ,
flagSet : flag . NewFlagSet ( name , flag . ContinueOnError ) ,
}
}
// Name returns the name of this flag set.
func ( f * FlagSet ) Name ( ) string {
return f . name
}
func ( f * FlagSet ) Visit ( fn func ( * flag . Flag ) ) {
f . flagSet . Visit ( fn )
}
func ( f * FlagSet ) VisitAll ( fn func ( * flag . Flag ) ) {
f . flagSet . VisitAll ( fn )
}
2017-09-04 23:53:13 -04:00
// printFlagTitle prints a consistently-formatted title to the given writer.
func printFlagTitle ( w io . Writer , s string ) {
fmt . Fprintf ( w , "%s\n\n" , s )
}
// printFlagDetail prints a single flag to the given writer.
func printFlagDetail ( w io . Writer , f * flag . Flag ) {
// Check if the flag is hidden - do not print any flag detail or help output
// if it is hidden.
if h , ok := f . Value . ( FlagVisibility ) ; ok && h . Hidden ( ) {
return
}
// Check for a detailed example
example := ""
if t , ok := f . Value . ( FlagExample ) ; ok {
example = t . Example ( )
}
if example != "" {
fmt . Fprintf ( w , " -%s=<%s>\n" , f . Name , example )
} else {
fmt . Fprintf ( w , " -%s\n" , f . Name )
}
usage := reRemoveWhitespace . ReplaceAllString ( f . Usage , " " )
indented := wrapAtLengthWithPadding ( usage , 6 )
fmt . Fprintf ( w , "%s\n\n" , indented )
}
