From 3dd27d2173d36a5ed40880d17cf644d9c96a1cd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Hedenstro=CC=88m?= <erik@hedenstroem.com>
Date: Wed, 2 Nov 2016 18:04:11 +0100
Subject: [PATCH] Implemented proper escaping of values for shell. Added vault
 setup example. Enabled write command to read value from stdin.

---
 .gitignore   |  1 +
 README.md    | 38 ++++++++++++++++++++++++++++++++++++++
 acl.hcl      |  3 +++
 cmd/read.go  | 10 ++++++++--
 cmd/write.go | 17 ++++++++++++++---
 5 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 README.md
 create mode 100644 acl.hcl

diff --git a/.gitignore b/.gitignore
index 51573bb..495a93b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,4 +24,5 @@ _testmain.go
 *.test
 *.prof
 
+.env
 vaultenv
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..431a267
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+# Vault Environment Tool
+
+The following example sets up a policy with read-only access to secrets, and an 'lts' role that has a token ttl of 10 years.
+
+
+```
+> vault policy-write secret-ro acl.hcl
+> vault write /auth/token/roles/lts allowed_policies="secret-ro" period="87600h"
+> vault token-create -role lts
+
+Key            	Value
+---            	-----
+token          	15958ab2-0e1a-3264-ff47-6963ed45aa68
+token_accessor 	815f1db5-2fd0-2471-e233-faf6fc9718c9
+token_duration 	87600h0m0s
+token_renewable	true
+token_policies 	[default secret-ro]
+
+> export VAULT_TOKEN=15958ab2-0e1a-3264-ff47-6963ed45aa68
+> vault read auth/token/lookup-self
+
+Key             	Value
+---             	-----
+accessor        	815f1db5-2fd0-2471-e233-faf6fc9718c9
+creation_time   	1478099538
+creation_ttl    	315360000
+display_name    	token
+explicit_max_ttl	0
+id              	15958ab2-0e1a-3264-ff47-6963ed45aa68
+meta            	<nil>
+num_uses        	0
+orphan          	false
+path            	auth/token/create/lts
+policies        	[default secret-ro]
+renewable       	true
+role            	lts
+ttl             	315359676
+```
diff --git a/acl.hcl b/acl.hcl
new file mode 100644
index 0000000..03dcb46
--- /dev/null
+++ b/acl.hcl
@@ -0,0 +1,3 @@
+path "secret/*" {
+  policy = "read"
+}
diff --git a/cmd/read.go b/cmd/read.go
index fd17995..33cc960 100644
--- a/cmd/read.go
+++ b/cmd/read.go
@@ -4,10 +4,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
 
 	"gitlab.hedenstroem.com/go/vaultenv/vault"
 
+	"strconv"
+
+	"strings"
+
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
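Review bot: The two standard-library imports added here, `"strconv"` and `"strings"`, are placed below the project import `gitlab.hedenstroem.com/go/vaultenv/vault` with a blank line around each, while `"strings"` was removed from the stdlib group it used to share with `"encoding/json"`, `"errors"` and `"fmt"`. goimports would put both back into that first group and keep the block in the usual stdlib / third-party order, so running it (or regrouping by hand) is worth doing before this lands.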
@@ -24,7 +27,10 @@ var readCmd = &cobra.Command{
 		if data != nil {
 			if viper.GetBool("shell") {
 				for k, v := range data {
-					fmt.Printf("%s=%s; export %s;\n", strings.ToUpper(k), v, strings.ToUpper(k))
+					qv := strconv.QuoteToASCII(v.(string))
+					qv = strings.Replace(qv, "'", "\\x27", -1)
+					qv = qv[1 : len(qv)-1]
+					fmt.Printf("%s=$'%s'; export %s;\n", k, qv, k)
 				}
 			} else {
 				b, _ := json.MarshalIndent(data, "", "\t")
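Review bot: The key `k` is interpolated unescaped into the generated shell line at L108 while only the value is now quoted, so a secret key containing anything outside `[A-Za-z0-9_]` (a space, `-`, `;`, `$`) produces a line the sourcing shell either rejects or interprets as something other than a plain assignment. The `v.(string)` assertion at L105 panics when a secret value is not a string; the value type of `data` is not visible in this hunk, but decoded vault data can plausibly carry numbers or booleans, so the two-value form with an error is safer. The change below validates the key as a shell variable name and checks the assertion before formatting, using a small package-level helper; the enclosing closure's header and return type are outside the hunk, and the fence assumes it is `RunE` (if it is `Run`, report and `continue` instead of returning). Two smaller points: `$'…'` quoting is a bash/zsh/ksh extension rather than POSIX sh, and keys are no longer upper-cased as they were on the removed line — if both are intended, a sentence in the README would save users a surprise.
```go
				for k, v := range data {
					s, ok := v.(string)
					if !ok {
						return fmt.Errorf("value of %q is not a string", k)
					}
					if !isShellIdent(k) {
						return fmt.Errorf("key %q is not a valid shell variable name", k)
					}
					qv := strconv.QuoteToASCII(s)
					qv = strings.Replace(qv, "'", "\\x27", -1)
					qv = qv[1 : len(qv)-1]
					fmt.Printf("%s=$'%s'; export %s;\n", k, qv, k)
				}
				// … unchanged: json branch and the rest of the command …

// isShellIdent reports whether k can be emitted verbatim as a shell variable
// name: ASCII letters, digits and underscore, not starting with a digit.
func isShellIdent(k string) bool {
	if k == "" {
		return false
	}
	for i, r := range k {
		switch {
		case r == '_', r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z':
		case i > 0 && r >= '0' && r <= '9':
		default:
			return false
		}
	}
	return true
}
```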
diff --git a/cmd/write.go b/cmd/write.go
index 74e4bc7..4c5fae4 100644
--- a/cmd/write.go
+++ b/cmd/write.go
@@ -2,6 +2,8 @@ package cmd
 
 import (
 	"errors"
+	"io/ioutil"
+	"os"
 
 	"github.com/spf13/cobra"
 	"gitlab.hedenstroem.com/go/vaultenv/vault"
@@ -12,12 +14,21 @@ var writeCmd = &cobra.Command{
 	Short: "write Short",
 	Long:  `write Long`,
 	RunE: func(cmd *cobra.Command, args []string) (err error) {
-		if len(args) != 3 {
-			return errors.New("Expected 3 arguments")
+		if len(args) < 2 {
+			return errors.New("Expected at least 2 arguments")
 		}
 		data, err := vault.GetSecret(args[0])
 		if data != nil {
-			data[args[1]] = args[2]
+			if len(args) == 2 {
+				var b []byte
+				b, err = ioutil.ReadAll(os.Stdin)
+				if err != nil {
+					return
+				}
+				data[args[1]] = string(b)
+			} else {
+				data[args[1]] = args[2]
+			}
 			err = vault.PostSecret(args[0], data)
 		}
 		return
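Review bot: The value read from stdin at L139-L143 is stored verbatim, so the trailing newline that `echo`, a heredoc or an editor-saved file supplies becomes part of the secret (`"v\n"` rather than `"v"`), which then shows up in the `read --shell` output and breaks any exact comparison of the value. If single-line values are the expected case, strip one line ending before storing: `data[args[1]] = strings.TrimSuffix(strings.TrimSuffix(string(b), "\n"), "\r")` (this needs `"strings"` added to the import block, which this commit does not touch for that name); if multi-line values are intended, stripping only the final line ending as above still preserves them. The relaxed check at L131 now silently accepts four or more arguments, so extending it to `if len(args) < 2 || len(args) > 3 {` keeps the usage error honest. Reading the secret from stdin rather than argv is the better path anyway, since an argv value is visible in process listings and shell history, and the README example could recommend that form; the closure continues past the end of the hunk.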
-- 
GitLab