package main // import "github.com/Jimdo/vault-unseal"
import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"

	"github.com/Luzifer/rconfig"
	"golang.org/x/net/context"
	"golang.org/x/net/context/ctxhttp"
)
// config holds the command-line configuration; init() fills it via rconfig.
var config = struct {
	// OneShot makes main run a single check/unseal cycle and then exit.
	OneShot bool `flag:"oneshot,1" default:"false" description:"Only try once and exit after"`
	// SealTokens are the unseal key shards tried, in order, against a sealed
	// instance.  NOTE(review): values given as flags or positional arguments
	// are visible to other local users (ps, /proc/<pid>/cmdline) and tend to
	// end up in shell history; nothing here scrubs them.
	SealTokens []string `flag:"tokens" default:"" description:"Tokens to try for unsealing the vault instance"`
	// VaultInstances are the base URLs the keys are sent to.  The default is
	// plain HTTP on localhost; each key shard travels in the request body, so
	// any non-local address should be an https:// URL.
	VaultInstances []string `flag:"instance" env:"VAULT_ADDR" default:"http://127.0.0.1:8200" description:"Vault instance to unlock"`
	// Sleep is the pause in seconds between cycles when not in one-shot mode.
	Sleep int `flag:"sleep" default:"30" description:"How long to wait between sealed-state checks"`
}{}
// init parses the command line into config and resolves the unseal keys.
// Keys normally arrive through --tokens; when that flag was not given (the
// code treats a single empty string as "unset") every positional argument
// after the program name is used as a key instead.  Without any key the
// process exits with status 1.
//
// NOTE(review): in both forms the key shards sit in argv, readable by other
// local users through ps or /proc/<pid>/cmdline and likely recorded in shell
// history; nothing here hides or scrubs them.
func init() {
	if err := rconfig.Parse(&config); err != nil {
		log.Printf("Unable to parse CLI parameters: %s\n", err)
		os.Exit(1)
	}

	flagUnset := len(config.SealTokens) == 1 && config.SealTokens[0] == ""
	if !flagUnset {
		return
	}

	positional := rconfig.Args()
	if len(positional) <= 1 {
		log.Println("You must provide at least one token.")
		os.Exit(1)
	}
	config.SealTokens = positional[1:]
}
// main drives the unseal loop.  Each cycle starts one goroutine per
// configured Vault instance, every one bounded by a 10 second context so a
// hung instance cannot stall the others.  With --oneshot a single cycle runs
// and the program exits once all goroutines have finished; otherwise cycles
// repeat every config.Sleep seconds for the lifetime of the process.
// Per-instance failures are only logged and never stop the loop.
func main() {
	const perInstanceTimeout = 10 * time.Second

	var wg sync.WaitGroup
	runCycle := func() {
		for _, instance := range config.VaultInstances {
			wg.Add(1)
			go func(target string) {
				defer wg.Done()
				ctx, cancel := context.WithTimeout(context.Background(), perInstanceTimeout)
				defer cancel()
				if err := unsealInstance(ctx, target); err != nil {
					log.Printf("[ERR] %s", err)
				}
			}(instance)
		}
	}

	for {
		runCycle()
		if config.OneShot {
			break
		}
		// NOTE: a Sleep of 0 or less fires immediately and the loop spins
		// against Vault; nothing clamps the configured value.
		<-time.After(time.Duration(config.Sleep) * time.Second)
	}
	wg.Wait()
}
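// unsealInstance checks the seal state of one Vault instance and, if it is
// sealed, submits the configured unseal keys in order until the instance
// reports itself unsealed or the keys run out.
//
// instance is the base URL of the Vault HTTP API (scheme included); ctx
// bounds the whole exchange so a hung instance cannot block the caller.
// Returns an error for a transport failure, a non-2xx seal-status reply or
// an undecodable body.  A key that Vault rejects is logged and the remaining
// keys are still tried.  Key material is never written to the log.
//
// The HTTP status is checked before any body is decoded: Vault answers a
// failed request with a JSON error document rather than a seal status, and
// decoding that into a fresh sealStatus leaves Sealed at its zero value
// (false), which would then be reported as "already unsealed".
func unsealInstance(ctx context.Context, instance string) error {
	var s sealStatus

	r, err := ctxhttp.Get(ctx, http.DefaultClient, instance+"/v1/sys/seal-status")
	if err != nil {
		return fmt.Errorf("[%s] An error ocurred while reading seal-status: %s", instance, err)
	}
	defer r.Body.Close()
	if !is2xx(r.StatusCode) {
		return fmt.Errorf("[%s] Unexpected HTTP status %d while reading seal-status%s", instance, r.StatusCode, vaultErrorSummary(r.Body))
	}
	if err := json.NewDecoder(r.Body).Decode(&s); err != nil {
		return fmt.Errorf("[%s] Unable to decode seal-status: %s", instance, err)
	}

	if !s.Sealed {
		log.Printf("[%s] Vault instance is already unsealed.", instance)
		return nil
	}

	for _, token := range config.SealTokens {
		log.Printf("[%s] Vault instance is sealed (missing %d tokens), trying to unlock...", instance, s.T-s.Progress)
		accepted, err := submitUnsealKey(ctx, instance, token, &s)
		if err != nil {
			return fmt.Errorf("[%s] An error ocurred while doing unseal: %s", instance, err)
		}
		if !accepted {
			// Vault refused this key; the next one may still complete the quorum.
			continue
		}
		if !s.Sealed {
			log.Printf("[%s] Unseal successfully finished.", instance)
			return nil
		}
	}
	log.Printf("[%s] Vault instance is still sealed (missing %d tokens), I don't have any more tokens.", instance, s.T-s.Progress)
	return nil
}

// submitUnsealKey PUTs a single unseal key to instance.  On a 2xx reply the
// returned seal status is decoded into s and the first result is true.  On
// any other status the reply is logged (status and Vault's message, never
// the key) and the first result is false with a nil error, so the caller can
// move on to the next key.  A request-building, transport or decode failure
// is returned as the error.
func submitUnsealKey(ctx context.Context, instance, key string, s *sealStatus) (bool, error) {
	body := &bytes.Buffer{}
	if err := json.NewEncoder(body).Encode(map[string]interface{}{"key": key}); err != nil {
		return false, fmt.Errorf("unable to encode unseal request: %s", err)
	}
	req, err := http.NewRequest("PUT", instance+"/v1/sys/unseal", body)
	if err != nil {
		return false, fmt.Errorf("unable to build unseal request: %s", err)
	}
	resp, err := ctxhttp.Do(ctx, http.DefaultClient, req)
	if err != nil {
		return false, err
	}
	// Closed per call here rather than deferred inside the caller's loop,
	// where every body would stay open until the whole function returned.
	defer resp.Body.Close()

	if !is2xx(resp.StatusCode) {
		log.Printf("[%s] Vault rejected an unseal key (HTTP %d)%s", instance, resp.StatusCode, vaultErrorSummary(resp.Body))
		return false, nil
	}
	if err := json.NewDecoder(resp.Body).Decode(s); err != nil {
		return false, fmt.Errorf("unable to decode seal-status: %s", err)
	}
	return true, nil
}

// is2xx reports whether code is an HTTP success status.
func is2xx(code int) bool {
	return code >= 200 && code <= 299
}

// vaultErrorSummary reads a bounded prefix of an error reply and, when it has
// Vault's usual {"errors": [...]} shape, renders the messages for the log as
// ": msg1; msg2".  Anything else yields "" — the summary is best effort and
// never fails the caller.
func vaultErrorSummary(body io.Reader) string {
	var doc struct {
		Errors []string `json:"errors"`
	}
	if err := json.NewDecoder(io.LimitReader(body, 64<<10)).Decode(&doc); err != nil || len(doc.Errors) == 0 {
		return ""
	}
	return ": " + strings.Join(doc.Errors, "; ")
}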