The API for mounts changed, among other things, and safe needs to be updated to handle newer versions of vault.

We should support "path:key" format across most (all?) command in safe, like set, delete, move, and copy.

Sometimes Vault owners decide to use self-signed certificates. safe needs to handle this properly, and honor the VAULT_SKIP_VERIFY environment variable, just like the Vault CLI itself.

I want this to work:

$ safe read secret/handshake
--- # secret/handshake
knock: knock

$  safe read secret/handshake:knock
!! secret not found

Ideally, it works like this little spruce+jq pipeline:

$ safe read secret/handshake | spruce json | jq -r ".knock"
knock

Since there is no way to list all the backends at once, we should just default to secret/ if there are no arguments. It's what most people (I've observed) expect.

The following command:

safe write secret/path username=admin password

Enters interactive mode, and prints nothing but:

password [hidden]:
password [confirm]:

To be nice to end users, it should do the following:

username: admin
password [hidden]:
password [confirm]:

Needed to reset terminal to get back to seeing what I've been typing.

If you try to safe seal without an authorized token, you get back a 500, which is less than useful.

→  safe seal
!! received HTTP 500 response

If you first auth, it works as intended:

→  safe auth token
Authenticating against safe1 at https://10.244.4.2
Token:

→  safe seal
sealed https://10.244.4.4:443...
sealed https://10.244.4.3:443...
sealed https://10.244.4.2:443...

→  safe status
https://10.244.4.2:443 is sealed
https://10.244.4.3:443 is sealed
https://10.244.4.4:443 is sealed

Modify safe seal so that it can recognize the "unauthenticated" error condition and print something helpful to the screen.

From codex:

All templates that need to use safe should verify that the user is targeted to the Vault they want to use, before we go blindly generating credentials and stuffing them in the vault.

I do not care what order they are displayed in, but thought it was odd that the order changed on consecutive safe tagets commands. Probably related to go's hashing algorithm.
norm@ip-10-30-0-102:$ safe target prodc
Now targeting prodc at https://10.30.3.16:8200
norm@ip-10-30-0-102:$ safe targets

prodb https://10.30.2.16:8200
prodc https://10.30.3.16:8200
proto http://127.0.0.1:8200
proda https://10.30.1.16:8200

norm@ip-10-30-0-102:~$ safe targets

proda https://10.30.1.16:8200
prodb https://10.30.2.16:8200
prodc https://10.30.3.16:8200
proto http://127.0.0.1:8200

norm@ip-10-30-0-102:~$

safe targets will color highlight the active target but if you direct that information into a file, there is no way to know the active target.

Having safe target work similarly to bosh target would provide some consistency in UI usage.

$ safe export secret
!! secret not found

It would be nice if we could safe curl [-X method] /v1/sys/et/cetera for troubleshooting and diagnostic purposes.

For HA vaults, it may be good to investigate an --endpoint flag to target a specific backend (vs. the active one)

For users who straddle two or more vaults, using safe is a PITA. It involves setting the VAULT_ADDR explicitly and re-authing every time you change between the vaults.

Ideally, we support a safe target [<endpoint>] <alias> command that will target a different vault, a safe auth ... command to do the authentication, and store the tokens in a secure rc file in the user's $HOME directory.

Build a new command, safe exists that will take a single path and one or more attributes, and exit 0 if the path exists, and contains all of the attributes, or exit 1 otherwise.

This command should produce no output.

Use case:

if ! safe exists secret/account username password; then
  safe set secret/thing username -- \
       gen secret/thing password
fi

The help screen is too long to be useful.

Break it up into a top-level that lists out commands and their usage, and command-specific help screens that are invoked by safe help <command>

safe move and safe copy should accept an option to recurse through subtrees and move/copy them as well.

safe target <url> <alias> should detect if the user swapped alias and url, and Do The Right Thing. URLs are required to have scheme, so we should be able to detect which one starts matches m|https?://| and set that as the URL and the other as the alias

When writing automation scripts using safe, it would be great fun to allow the automator to introduce prompt commands that guide the operator in entering the correct credentials.

Use case:

safe \
  prompt "Enter the credentials for RabbitMQ" -- \
  write secret/rabbitmq username=admin password

Right now, if you Ctrl-C safe while it's in non-echo mode, the terminal remains in non-echo mode when returned to the shell. This necessitates blind-typing 'reset' to get it back to normal.

We should be better about this.

there is a bug in the latest safe version that let genesis crash

  gen ${VAULT_PREFIX}/creds/cc bulk_api -- \
  gen ${VAULT_PREFIX}/creds/cc internal_api -- \
  gen ${VAULT_PREFIX}/creds/cc staging_upload -- \
  gen ${VAULT_PREFIX}/creds/cc db_encryption_key -- \
  gen ${VAULT_PREFIX}/creds/consul encryption_key -- \
  gen ${VAULT_PREFIX}/creds/gorouter route_svcs_secret -- \
  gen ${VAULT_PREFIX}/creds/gorouter status_api_pass -- \
  gen ${VAULT_PREFIX}/creds/loggregator endpoint_secret -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets admin_client -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets cc_broker -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets cc_client -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets cc_routing -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets cc_user_lookup -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets doppler -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets firehose -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets gorouter -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets login -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets notifications -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets ssh_proxy -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets tcp_emitter -- \
  gen ${VAULT_PREFIX}/creds/uaa/secrets tcp_router -- \
  gen ${VAULT_PREFIX}/creds/nats password -- \
  gen ${VAULT_PREFIX}/creds/blobstore webdav_password -- \
  gen ${VAULT_PREFIX}/creds/blobstore secret -- \
  gen ${VAULT_PREFIX}/creds/diego encryption_key -- \
  gen ${VAULT_PREFIX}/creds/diego secret -- \
  gen ${VAULT_PREFIX}/creds/db uaaadmin -- \
  gen ${VAULT_PREFIX}/creds/db ccadmin -- \
  gen ${VAULT_PREFIX}/creds/db diegoadmin -- \
  gen ${VAULT_PREFIX}/uaadb password -- \
  gen ${VAULT_PREFIX}/ccdb password -- \
  gen ${VAULT_PREFIX}/diegodb password -- \
  gen ${VAULT_PREFIX}/routingdb password -- \
  >/dev/null
Generating secrets
/tmp/build/01f561ac/gopath/src/github.com/starkandwayne/safe/vendor/github.com/pborman/getopt/string.go:52: --policy already declared at /tmp/build/01f561ac/gopath/src/github.com/starkandwayne/safe/vendor/github.com/pborman/getopt/string.go:52%

this piece of code in .env_hooks/setup_cf_secrets

the error exists since 0.0.30

When copying and pasting our of a password manager (for example) the confirm field is superfluous.

We should add a new verb, paste, that behaves like write but doesn't do the confirmation, and also doesn't introduce extraneous linebreaks

Support a -k option to safe target.

If specified, along with the name / URL, it will set or update a "don't validate SSL" flag in ~/.saferc

For example (assuming 127.0.0.1:8200 has a self-signed cert):

safe target local https://127.0.0.1:8200
safe read secret/handshake           # should fail

safe target -k local https://127.0.0.1:8200
safe read secret/handshake           # success!

safe target local
safe read secret/handshake           # success!

safe target local https://127.0.0.1:8200
safe read secret/handshake           # should fail

i would think i could skip authentication by providing a VAULT_TOKEN, but this doesn't seem to work.

$ safe status
You are not authenticated to a Vault.
Try safe auth ldap
 or safe auth github
 or safe auth token

could it be masked by a silent cert validation error?

$ safe vault status
Error checking seal status: Get https://sdp-vault-dev:27003/v1/sys/seal-status: x509: certificate is valid for vault, not sdp-vault-dev

$ vault capabilities /
Capabilities: [root]

safe ls secret would show the folders and secrets one level beneath secret

Design questions:
formatting:

• newline separated?
• should folders appear ending with a slash? colored blue?

behavior:

• should ls on a secret (leaf node) err... or maybe warn? (actual ls does neither, so maybe not)

Problem is probably with the usage of the errIfFolderExists function sooo... that would be my bad.

safe should really support multiline input somehow, using some special delimiter to terminate.

On an alpine:3.5 container I installed safe but its giving this error:

curl -L https://github.com/starkandwayne/safe/releases/download/v0.1.3/safe-linux-amd64 -O
chmod +x safe-linux-amd64
./safe-linux-amd64

Error:

bash: ./safe-linux-amd64: No such file or directory

Same for v0.1.2.

Ideas?

The cert attribute looks like this:

CA cert 1
CA cert 2

certificate

The extra blank line is causing issues with some pedantic software. HAproxy is definitely having issues.

Build a new command set, safe x509 for dealing with x509 PKI certificate stuff, without being constrained by the limitations of the pki backend in Vault.

This new command should allow us to issue new certificate authorities, storing the certificate and key somewhere under secret/, and also use those CAs (identified by path) to sign other certificates and store them in under other arbitrary paths under secret/.

We should allow the special cases of self-signed certificates and intermediary CAs.

The point of this new command is to expose as much raw functionality as possible for setting up complicated PKI implementations as possible. In part, this replaces safe {pki,cert,ca-pem,crl-pem,revoke} A future command will be introduced to provide a more simplified interaction for zone-based authority domains like those found in Cloud Foundry. That command will use backend logic that we build out for the x509 command (but not call front-end commands directly)

Example invocations:

# Issue a simple self-signed certificate
safe x509 issue secret/my/cert --name www.example.com

# Put some alias (Domain and IP SANs) in the self-signed cert
safe x509 issue secret/my/cert --name www.example.com --name example.com

# Create a Certificate Authority
safe x509 issue --ca secret/my/ca --ttl 10y

# Issue a 2-year certificate, signed by the CA we just created
safe x509 issue secret/my/cert --signed-by secret/my/ca --ttl 2y --name mail.example.com

# Revoke a certificate
safe x509 revoke secret/my/cert --signed-by secret/my/ca

For certificate authorities, the following attributes should be set on the CA path:

• certificate - PEM-encoded X.509 certificate
• key - PEM-encoded RSA secret key (un-encrypted)
• serial - Certificate serial number for this CA (used internally by safe x509)
• crl - PEM-encoded Certificate Revocation List for this CA

For non-CA certificates, the following attributes should be set on the certificate path:

• certificate - PEM-encoded X.509 certificate
• key - PEM-encoded RSA secret key (un-encrypted)

With a secret/aws path, and a secret/aws/prod/... path, we get this on safe tree:

Coming from previous versions of safe, it used VAULT_ADDR as the target. Recommend this as the default behaviour.

If there's a backwards-compatible way to support safe gen [len] path key1 key2 ... keyN, it would be great, so that we can make use of that similarly to safe set path key1 key2 ... keyN.

Extend safe to initialize and unseal vault. Should deal with ha standby copies as well.

If given, behave like the -d argument to regular tree, i.e. don't display paths, just intervening directory leaves. Perhaps have some additional stats per directory, like number of keys under each (say, -l)?

→  safe help
Usage: safe <command> [options...]

Valid subcommands are:

    targets     List all Vaults that have been targeted
    target      Target a new or existing Vault
    auth        Authenticate against the currently targeted Vault

    tree        Print a tree listing of all reachable keys for each path

    read        Retrieve and print the values of one or more paths
    write       Update a single path with new keys

    delete      Remove multiple paths from the Vault
    move        Move a secret from one path to another
    copy        Copy a secret from one path to another

    gen         Generate a new, random secret
    ssh         Generate a new SSH RSA keypair
    rsa         Generate a new RSA keypair

    export      Export one or more paths to a backup file
    import      Import a Vault backup file

    vault       Run arbitrary commands through the Vault CLI

Try 'safe help <thing>' for detailed information,
 or 'safe commands' for a list of all commands.

this output is out of date. it should really give the output of safe commands

→  safe commands
Valid commands are:

    auth        Authenticate to the current target
    ca-pem      Retrieve the Vault Certificate Authority (CA) Certificate
    cert        Issue a Certificate using the Vault PKI backend
    copy        Copy a secret from one path to another
    crl-pem     Retrieve the Vault Certificate Revocation List
    curl        Issue arbitrary HTTP requests to the current Vault (for diagnostics)
    delete      Remove one or more path from the Vault
    dhparam     Generate Diffie-Helman key exchange parameters
    env         Print the VAULT_ADDR and VAULT_TOKEN for the current target
    exists      Check to see if a secret exists in the Vault
    export      Export one or more subtrees for migration / backup purposes
    fmt         Reformat an existing name/value pair, into a new name
    gen         Generate a random password
    get         Retrieve and print the values of one or more paths
    import      Import name/value pairs into the current Vault
    move        Move a secret from one path to another
    paste       Create or update a secret
    paths       Print all of the known paths, one per line
    pki         Configure the PKI backend on the target Vault
    prompt      Print a prompt (useful for scripting safe command sets)
    revoke      Revoke a Vault-issued Certificate
    rsa         Generate a new RSA keypair
    seal        Seal the current target
    set         Create or update a secret
    ssh         Generate one or more new SSH RSA keypair(s)
    status      Print the status of the current targets backend nodes
    target      Target a new Vault, or set your current Vault target
    targets     List all targeted Vaults
    tree        Print a tree listing of one or more paths
    unseal      Unseal the current target
    vault       Run arbitrary Vault CLI commands against the current target
    version     Print the version of the safe CLI

Try 'safe help <command>' for detailed information

→  safe auth github
Authenticating against redacted at redacted
Github Personal Access Token:
!! API 500 Internal Server Error

500 errors generally are supposed to mean something is broken. Granted, this is only because this is actually what Vault sends back if it doesn't get a happy response.

12:44:02:0 tom@Light ~
→  curl $VAULT_ADDR/v1/auth/github/login     -d '{ "token": "saonetht"}' -v
*   Trying redacted...
* TCP_NODELAY set
* Connected to redacted on port 8200 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: redacted
* Server certificate: redacted
* Server certificate: redacted
> POST /v1/auth/github/login HTTP/1.1
> Host: redacted:8200
> User-Agent: curl/7.51.0
> Accept: */*
> Content-Length: 22
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 22 out of 22 bytes
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json
< Date: Mon, 27 Mar 2017 16:43:20 GMT
< Content-Length: 87
<
{"errors":["GET redacted.com/api/v3/user: 401 Bad credentials []"]}
* Curl_http_done: called premature == 0
* Connection #0 to host redacted left intact

Should we maybe parse the response body for the 401 Bad credentials part, and if we get it, say something more helpful along the lines of The provided access token is not authorized to provide access to the Vault

Could you please add a Windows version?

Add bash autocompletion rules for safe, for both commands and backends/paths.

$ safe target -k   https://10.4.1.16:8200 proto
safe target - Target a new Vault, or set your current Vault target
USAGE: safe target [-k] [URL] [ALIAS]

Targeting like this:

 safe target proto https://10.4.1.16:8200

works fine but since -k cannot be set spruce behaves incorrectly (see geofffranks/spruce#187)

At Allstate we are working on defining the process of initializing and performing rekey processes periodically on a vault server.

This is our current plan: given a list of emails and PGP pub keys belonging to each of the team member of the platform team we will perform an initialization/rekey process that would generate the master key and split it, encrypt each part of it with the provided keys and send them via email.

usage could be something like:

safe init keys.yml

would this be suitable for a PR in this project?

Add a new command, safe x509 details or safe x509 show that takes a path, and then prints out useful information about that certificate. I've been showing a few people the following trick:

safe read path/to/cert | openssl x509 -noout -text

which works, but has the following drawbacks:

1. Requires openssl to be installed locally (minor)
2. The -noout and -text options don't immediately spring to mind to someone who isn't steeped in the usage of the OpenSSL CLI
3. It shows lots of other (interesting, but mostly unimportant) information like modulus and exponent; the proposed command would hide those, and focus on the user-facing details.

Mock Interaction:

$ safe x509 show secret/my/cert
cn=my.example.com,ou=whatever,o=etc
signed by cn=ca.example.com,ou=whatever,o=etc
uses a 4096-bit RSA key

expires in: 364 days
valid from Jun 1st 2017 - May 31st 2018
for the following names:
   - my.example.com (DNS)
   - www.example.com (DNS)
   - 10.10.10.10 (IP)
   - [email protected] (email)

and here's what an expired certificate might look like:

$ safe x509 show secret/my/cert
cn=old.example.com,ou=whatever,o=etc
signed by cn=ca.example.com,ou=whatever,o=etc
uses a 2048-bit RSA key

EXPIRED 17 DAYS AGO
valid from May 20th 2016 - May 19th 2017
for the following names:
   - expired.example.com (DNS)

(with appropriate coloring to convey importance of values, expiration failure, etc.)

Right now, safe cert stuffs the key and cert attributes into the Vault when it generates a new key and certificate. Some applications (like newer haproxy jobs in cf-release), want the cert+key combined into a single manifest property.

We can solve this by adding a combined key that is the cert, a few newlines, and the key.

Some minor issues:

• The -k flag doesn't seem to take effect when specifying the args as alias url, but does with url alias

Some features that would be useful while interacting with the PKI backend:

1. command for safe to generate a signed certificate (it would then store serial, cert, and key in the secret backend - keys aren't stored in the pki backend after they're created)
2. command for safe to revoke a signed certificate based on a secret backend path (or a serial number). If path was provided, look up the serial number stored there, and revoke that cert.
3. command to grab the CRL pemfile
4. command to grab the CA pemfile

Potentially other features for working with PKI roles, configuration, and CA creation?

No good deed goes unpunished (Clare Boothe Luce)

running vault server -dev

$ safe vault list secret/aws
Keys
proto/
$ safe tree
!! secret not found
$ safe target
Currently targeting proto at http://127.0.0.1:8200
$ safe vault version
Vault v0.6.0
$ safe vault status
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0

High-Availability Enabled: false

safe find -name key would find keys with name key.

Discussion points I can think of......

• What flags from normal find should be supported?
• Should we provide a way to search for keys within a secret?