vault/command/write.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package command

import (
	"fmt"
	"io"
	"os"
	"strings"

	"github.com/hashicorp/cli"
	"github.com/hashicorp/vault/api"
	"github.com/posener/complete"
)

var (
	_ cli.Command             = (*WriteCommand)(nil)
	_ cli.CommandAutocomplete = (*WriteCommand)(nil)
)

// MFAMethodInfo contains the information about an MFA method
type MFAMethodInfo struct {
	methodID    string
	methodType  string
	usePasscode bool
}

// WriteCommand is a Command that puts data into the Vault.
type WriteCommand struct {
	*BaseCommand

	flagForce bool

	testStdin io.Reader // for tests
}

func (c *WriteCommand) Synopsis() string {
	return "Write data, configuration, and secrets"
}

func (c *WriteCommand) Help() string {
	helpText := `
Usage: vault write [options] PATH [DATA K=V...]

  Writes data to Vault at the given path. The data can be credentials, secrets,
  configuration, or arbitrary data. The specific behavior of this command is
  determined at the thing mounted at the path.

  Data is specified as "key=value" pairs. If the value begins with an "@", then
  it is loaded from a file. If the value is "-", Vault will read the value from
  stdin.

  Store an arbitrary secret in the token's cubbyhole.

      $ vault write cubbyhole/git-credentials username="student01" password="p@$$w0rd"

  Create a new encryption key in the transit secrets engine:

      $ vault write -force transit/keys/my-key

  The -force / -f flag allows a write operation without any input data.

  Upload an AWS IAM policy from a file on disk:

      $ vault write aws/roles/ops policy=@policy.json

  Configure access to Consul by providing an access token:

      $ echo $MY_TOKEN | vault write consul/config/access token=-

  Create a token

      $ vault write auth/token/create policies="admin" policies="secops" ttl=8h num_uses=3

  For a full list of examples and paths, please see the documentation that
  corresponds to the secret engines in use.

` + c.Flags().Help()

	return strings.TrimSpace(helpText)
}

func (c *WriteCommand) Flags() *FlagSets {
	set := c.flagSet(FlagSetHTTP | FlagSetOutputField | FlagSetOutputFormat)
	f := set.NewFlagSet("Command Options")

	f.BoolVar(&BoolVar{
		Name:       "force",
		Aliases:    []string{"f"},
		Target:     &c.flagForce,
		Default:    false,
		EnvVar:     "",
		Completion: complete.PredictNothing,
		Usage: "Allow the operation to continue with no key=value pairs. This " +
			"allows writing to keys that do not need or expect data.",
	})

	return set
}

func (c *WriteCommand) AutocompleteArgs() complete.Predictor {
	// Return an anything predictor here. Without a way to access help
	// information, we don't know what paths we could write to.
	return complete.PredictAnything
}

func (c *WriteCommand) AutocompleteFlags() complete.Flags {
	return c.Flags().Completions()
}

func (c *WriteCommand) Run(args []string) int {
	f := c.Flags()

	if err := f.Parse(args); err != nil {
		c.UI.Error(err.Error())
		return 1
	}

	args = f.Args()
	switch {
	case len(args) < 1:
		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
		return 1
	case len(args) == 1 && !c.flagForce:
		c.UI.Error("Must supply data or use -force")
		return 1
	}

	// Pull our fake stdin if needed
	stdin := (io.Reader)(os.Stdin)
	if c.testStdin != nil {
		stdin = c.testStdin
	}

	path := sanitizePath(args[0])

	data, err := parseArgsData(stdin, args[1:])
	if err != nil {
		c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))
		return 1
	}

	client, err := c.Client()
	if err != nil {
		c.UI.Error(err.Error())
		return 2
	}

	secret, err := client.Logical().Write(path, data)
	return handleWriteSecretOutput(c.BaseCommand, path, secret, err)
}

func handleWriteSecretOutput(c *BaseCommand, path string, secret *api.Secret, err error) int {
	if err != nil {
		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
		if secret != nil {
			OutputSecret(c.UI, secret)
		}
		return 2
	}
	if secret == nil {
		// Don't output anything unless using the "table" format
		// and even then, don't output anything if a specific field was requested
		if c.flagField == "" && Format(c.UI) == "table" {
			c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))
		}
		return 0
	}

	// Currently, if there is only one MFA method configured, the login
	// request is validated interactively
	methodInfo := c.getInteractiveMFAMethodInfo(secret)
	if methodInfo != nil {
		secret, err = c.validateMFA(secret.Auth.MFARequirement.MFARequestID, *methodInfo)
		if err != nil {
			c.UI.Error(err.Error())
			return 2
		}
	} else if c.getMFAValidationRequired(secret) {
		c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+
			"MFA validation. Please make sure to validate the login by sending another "+
			"request to sys/mfa/validate endpoint.") + "\n")
	}

	// Handle single field output
	if c.flagField != "" {
		return PrintRawField(c.UI, secret, c.flagField)
	}

	return OutputSecret(c.UI, secret)
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 12:00:52 -04:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#22290) * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com> 2023-08-10 21:14:03 -04:00			`// SPDX-License-Identifier: BUSL-1.1`
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 12:00:52 -04:00
command/get,put 2015-03-04 14:08:13 -05:00			`package command`

			`import (`
command/write 2015-03-15 23:35:33 -04:00			`"fmt"`
command/write: can write arbitrary data from stdin 2015-03-15 23:40:12 -04:00			`"io"`
			`"os"`
command/get,put 2015-03-04 14:08:13 -05:00			`"strings"`
helper/kv-builder 2015-04-08 01:30:25 -04:00
Switch from mitchellh/cli to hashicorp/cli (#24239) @mitchellh suggested we fork `cli` and switch to that. Since we primarily use the interfaces in `cli`, and the new fork has not changed those, this is (mostly) a drop-in replacement. A small fix will be necessary for Vault Enterprise, I believe. 2023-12-04 14:05:02 -05:00			`"github.com/hashicorp/cli"`
Add PATCH support to Vault CLI (#17650) * Add patch support to CLI This is based off the existing write command, using the JSONMergePatch(...) API client method rather than Write(...), allowing us to update specific fields. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add documentation on PATCH support Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-10-26 14:30:40 -04:00			`"github.com/hashicorp/vault/api"`
Add basic autocompletion (#3223) * Add basic autocompletion * Add autocomplete to some common commands * Autocomplete the generate-root flags * Add information about autocomplete to the docs 2017-08-24 18:23:40 -04:00			`"github.com/posener/complete"`
command/get,put 2015-03-04 14:08:13 -05:00			`)`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 12:43:39 -04:00			`var (`
			`_ cli.Command = (*WriteCommand)(nil)`
			`_ cli.CommandAutocomplete = (*WriteCommand)(nil)`
			`)`
Update write command 2017-09-05 00:05:47 -04:00
interactive CLI for mfa login (#14131) * Login MFA * ENT OSS segragation (#14088) * Delete method id if not used in an MFA enforcement config (#14063) * Delete an MFA methodID only if it is not used by an MFA enforcement config * Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path * adding use_passcode field to DUO config (#14059) * add changelog * preventing replay attack on MFA passcodes (#14056) * preventing replay attack on MFA passcodes * using %w instead of %s for error * Improve CLI command for login mfa (#14106) CLI prints a warning message indicating the login request needs to get validated * adding the validity period of a passcode to error messages (#14115) * interactive CLI for mfa login * minor fixes * bail if no input was inserted * change label name * interactive CLI when single methodID is returned from login request * minor fix * adding changelog * addressing feedback * a user with a terminal should be able to choose between interactive and non-interactive. A user without a terminal should not be able to use the interactive mode. Co-authored-by: Josh Black <raskchanky@gmail.com> 2022-02-24 15:16:15 -05:00			`// MFAMethodInfo contains the information about an MFA method`
			`type MFAMethodInfo struct {`
			`methodID string`
			`methodType string`
			`usePasscode bool`
			`}`

command/write 2015-03-15 23:35:33 -04:00			`// WriteCommand is a Command that puts data into the Vault.`
			`type WriteCommand struct {`
Update write command 2017-09-05 00:05:47 -04:00			`*BaseCommand`

			`flagForce bool`
command/write: can write arbitrary data from stdin 2015-03-15 23:40:12 -04:00
Update write command 2017-09-05 00:05:47 -04:00			`testStdin io.Reader // for tests`
			`}`

			`func (c *WriteCommand) Synopsis() string {`
Update write command 2017-09-07 22:04:16 -04:00			`return "Write data, configuration, and secrets"`
Update write command 2017-09-05 00:05:47 -04:00			`}`

			`func (c *WriteCommand) Help() string {`
			helpText := `
			`Usage: vault write [options] PATH [DATA K=V...]`

			`Writes data to Vault at the given path. The data can be credentials, secrets,`
			`configuration, or arbitrary data. The specific behavior of this command is`
Update write command 2017-09-07 22:04:16 -04:00			`determined at the thing mounted at the path.`
Update write command 2017-09-05 00:05:47 -04:00
			`Data is specified as "key=value" pairs. If the value begins with an "@", then`
			`it is loaded from a file. If the value is "-", Vault will read the value from`
			`stdin.`

Core: CLI Doc improvements to example read / write. (#19064) * Core: CLI Doc imporvements to example read / write. Resolves #16788 * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog filename. * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog.. * Updated read example to use token lookup instead. 2024-08-09 11:48:21 -04:00			`Store an arbitrary secret in the token's cubbyhole.`
Update write command 2017-09-05 00:05:47 -04:00
Core: CLI Doc improvements to example read / write. (#19064) * Core: CLI Doc imporvements to example read / write. Resolves #16788 * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog filename. * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog.. * Updated read example to use token lookup instead. 2024-08-09 11:48:21 -04:00			`$ vault write cubbyhole/git-credentials username="student01" password="p@$$w0rd"`
Update write command 2017-09-05 00:05:47 -04:00
Update write command 2017-09-07 22:04:16 -04:00			`Create a new encryption key in the transit secrets engine:`
Update write command 2017-09-05 00:05:47 -04:00
Core: CLI Doc improvements to example read / write. (#19064) * Core: CLI Doc imporvements to example read / write. Resolves #16788 * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog filename. * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog.. * Updated read example to use token lookup instead. 2024-08-09 11:48:21 -04:00			`$ vault write -force transit/keys/my-key`

			`The -force / -f flag allows a write operation without any input data.`
Update write command 2017-09-05 00:05:47 -04:00
			`Upload an AWS IAM policy from a file on disk:`

			`$ vault write aws/roles/ops policy=@policy.json`

			`Configure access to Consul by providing an access token:`

			`$ echo $MY_TOKEN \| vault write consul/config/access token=-`

Core: CLI Doc improvements to example read / write. (#19064) * Core: CLI Doc imporvements to example read / write. Resolves #16788 * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog filename. * Core: CLI Doc imporvements to example read / write. Resolves #16788. Updated Changelog.. * Updated read example to use token lookup instead. 2024-08-09 11:48:21 -04:00			`Create a token`

			`$ vault write auth/token/create policies="admin" policies="secops" ttl=8h num_uses=3`

Update write command 2017-09-05 00:05:47 -04:00			`For a full list of examples and paths, please see the documentation that`
Update write command 2017-09-07 22:04:16 -04:00			`corresponds to the secret engines in use.`
Update write command 2017-09-05 00:05:47 -04:00
			` + c.Flags().Help()

			`return strings.TrimSpace(helpText)`
			`}`

			`func (c WriteCommand) Flags() FlagSets {`
			`set := c.flagSet(FlagSetHTTP \| FlagSetOutputField \| FlagSetOutputFormat)`
			`f := set.NewFlagSet("Command Options")`

			`f.BoolVar(&BoolVar{`
			`Name: "force",`
			`Aliases: []string{"f"},`
			`Target: &c.flagForce,`
			`Default: false,`
			`EnvVar: "",`
			`Completion: complete.PredictNothing,`
			`Usage: "Allow the operation to continue with no key=value pairs. This " +`
			`"allows writing to keys that do not need or expect data.",`
			`})`

			`return set`
			`}`

			`func (c *WriteCommand) AutocompleteArgs() complete.Predictor {`
			`// Return an anything predictor here. Without a way to access help`
			`// information, we don't know what paths we could write to.`
			`return complete.PredictAnything`
			`}`

			`func (c *WriteCommand) AutocompleteFlags() complete.Flags {`
			`return c.Flags().Completions()`
command/get,put 2015-03-04 14:08:13 -05:00			`}`

command/write 2015-03-15 23:35:33 -04:00			`func (c *WriteCommand) Run(args []string) int {`
Update write command 2017-09-05 00:05:47 -04:00			`f := c.Flags()`

			`if err := f.Parse(args); err != nil {`
			`c.UI.Error(err.Error())`
command/get,put 2015-03-04 14:08:13 -05:00			`return 1`
			`}`

Update write command 2017-09-07 22:04:16 -04:00			`args = f.Args()`
			`switch {`
			`case len(args) < 1:`
			`c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))`
Write always needs a path, even with force. (#2675) Fixes #2674 2017-05-04 06:40:58 -04:00			`return 1`
Update write command 2017-09-07 22:04:16 -04:00			`case len(args) == 1 && !c.flagForce:`
			`c.UI.Error("Must supply data or use -force")`
command/write 2015-03-15 23:35:33 -04:00			`return 1`
			`}`

Update write command 2017-09-05 00:05:47 -04:00			`// Pull our fake stdin if needed`
			`stdin := (io.Reader)(os.Stdin)`
			`if c.testStdin != nil {`
			`stdin = c.testStdin`
command/write 2015-03-15 23:35:33 -04:00			`}`
command/write: can write arbitrary data from stdin 2015-03-15 23:40:12 -04:00
Update write command 2017-09-07 22:04:16 -04:00			`path := sanitizePath(args[0])`

			`data, err := parseArgsData(stdin, args[1:])`
command/write: new format 2015-03-31 20:16:12 -04:00			`if err != nil {`
Update write command 2017-09-05 00:05:47 -04:00			`c.UI.Error(fmt.Sprintf("Failed to parse K=V data: %s", err))`
command/write: new format 2015-03-31 20:16:12 -04:00			`return 1`
command/write: can write arbitrary data from stdin 2015-03-15 23:40:12 -04:00			`}`
command/write 2015-03-15 23:35:33 -04:00
			`client, err := c.Client()`
			`if err != nil {`
Update write command 2017-09-05 00:05:47 -04:00			`c.UI.Error(err.Error())`
command/write 2015-03-15 23:35:33 -04:00			`return 2`
			`}`

command/write: handle writes with output 2015-04-27 17:55:43 -04:00			`secret, err := client.Logical().Write(path, data)`
Add PATCH support to Vault CLI (#17650) * Add patch support to CLI This is based off the existing write command, using the JSONMergePatch(...) API client method rather than Write(...), allowing us to update specific fields. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add documentation on PATCH support Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-10-26 14:30:40 -04:00			`return handleWriteSecretOutput(c.BaseCommand, path, secret, err)`
			`}`

			`func handleWriteSecretOutput(c BaseCommand, path string, secret api.Secret, err error) int {`
command/write: handle writes with output 2015-04-27 17:55:43 -04:00			`if err != nil {`
Update write command 2017-09-05 00:05:47 -04:00			`c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))`
Rejig 404 handling again. (#4264) Done this way, existing tests pass, and it makes logical sense, so we're likely to have the least impact like this. 2018-04-04 04:41:46 -04:00			`if secret != nil {`
			`OutputSecret(c.UI, secret)`
			`}`
Update write command 2017-09-05 00:05:47 -04:00			`return 2`
command/write 2015-03-15 23:35:33 -04:00			`}`
command/write: handle writes with output 2015-04-27 17:55:43 -04:00			`if secret == nil {`
Update write command 2017-09-05 00:05:47 -04:00			`// Don't output anything unless using the "table" format`
Don't say "Success!" when a specific field is requested. (#21546) * add a test to show the bug * do not output a "Success!" message if a specific field was requested * Create 21545.txt * Fix changelog name --------- Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com> 2023-08-17 11:49:04 -04:00			`// and even then, don't output anything if a specific field was requested`
			`if c.flagField == "" && Format(c.UI) == "table" {`
Update write command 2017-09-05 00:05:47 -04:00			`c.UI.Info(fmt.Sprintf("Success! Data written to: %s", path))`
Add `-field` and `-format` to write command. Fixes #1186 2016-03-17 14:57:30 -04:00			`}`
command/write: handle writes with output 2015-04-27 17:55:43 -04:00			`return 0`
			`}`

Store login MFA secret with tokenhelper (#17040) * Store login MFA secret with tokenhelper * Clean up and refactor tokenhelper paths * Refactor totp test code for re-use * Add login MFA command tests * Use longer sleep times and sha512 for totp test * Add changelog 2022-10-26 17:02:26 -04:00			`// Currently, if there is only one MFA method configured, the login`
			`// request is validated interactively`
			`methodInfo := c.getInteractiveMFAMethodInfo(secret)`
			`if methodInfo != nil {`
			`secret, err = c.validateMFA(secret.Auth.MFARequirement.MFARequestID, *methodInfo)`
			`if err != nil {`
			`c.UI.Error(err.Error())`
			`return 2`
interactive CLI for mfa login (#14131) * Login MFA * ENT OSS segragation (#14088) * Delete method id if not used in an MFA enforcement config (#14063) * Delete an MFA methodID only if it is not used by an MFA enforcement config * Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path * adding use_passcode field to DUO config (#14059) * add changelog * preventing replay attack on MFA passcodes (#14056) * preventing replay attack on MFA passcodes * using %w instead of %s for error * Improve CLI command for login mfa (#14106) CLI prints a warning message indicating the login request needs to get validated * adding the validity period of a passcode to error messages (#14115) * interactive CLI for mfa login * minor fixes * bail if no input was inserted * change label name * interactive CLI when single methodID is returned from login request * minor fix * adding changelog * addressing feedback * a user with a terminal should be able to choose between interactive and non-interactive. A user without a terminal should not be able to use the interactive mode. Co-authored-by: Josh Black <raskchanky@gmail.com> 2022-02-24 15:16:15 -05:00			`}`
Store login MFA secret with tokenhelper (#17040) * Store login MFA secret with tokenhelper * Clean up and refactor tokenhelper paths * Refactor totp test code for re-use * Add login MFA command tests * Use longer sleep times and sha512 for totp test * Add changelog 2022-10-26 17:02:26 -04:00			`} else if c.getMFAValidationRequired(secret) {`
Login MFA (#14025) * Login MFA * ENT OSS segragation (#14088) * Delete method id if not used in an MFA enforcement config (#14063) * Delete an MFA methodID only if it is not used by an MFA enforcement config * Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path * adding use_passcode field to DUO config (#14059) * add changelog * preventing replay attack on MFA passcodes (#14056) * preventing replay attack on MFA passcodes * using %w instead of %s for error * Improve CLI command for login mfa (#14106) CLI prints a warning message indicating the login request needs to get validated * adding the validity period of a passcode to error messages (#14115) * PR feedback * duo to handle preventing passcode reuse Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com> Co-authored-by: hamid ghaf <hamid@hashicorp.com> 2022-02-17 16:08:51 -05:00			`c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+`
			`"MFA validation. Please make sure to validate the login by sending another "+`
interactive CLI for mfa login (#14131) * Login MFA * ENT OSS segragation (#14088) * Delete method id if not used in an MFA enforcement config (#14063) * Delete an MFA methodID only if it is not used by an MFA enforcement config * Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path * adding use_passcode field to DUO config (#14059) * add changelog * preventing replay attack on MFA passcodes (#14056) * preventing replay attack on MFA passcodes * using %w instead of %s for error * Improve CLI command for login mfa (#14106) CLI prints a warning message indicating the login request needs to get validated * adding the validity period of a passcode to error messages (#14115) * interactive CLI for mfa login * minor fixes * bail if no input was inserted * change label name * interactive CLI when single methodID is returned from login request * minor fix * adding changelog * addressing feedback * a user with a terminal should be able to choose between interactive and non-interactive. A user without a terminal should not be able to use the interactive mode. Co-authored-by: Josh Black <raskchanky@gmail.com> 2022-02-24 15:16:15 -05:00			`"request to sys/mfa/validate endpoint.") + "\n")`
			`}`

			`// Handle single field output`
			`if c.flagField != "" {`
			`return PrintRawField(c.UI, secret, c.flagField)`
			`}`

			`return OutputSecret(c.UI, secret)`
			`}`