Add the ability to print curl commands from CLI #6113
Conversation
| // Build cURL string | ||
| d.parsedCurlString = "curl " | ||
| d.parsedCurlString = fmt.Sprintf("%s-X %s ", d.parsedCurlString, d.Request.Method) | ||
| for k, v := range d.Request.Header { |
There was a problem hiding this comment.
Do we want to redact known-sensitive headers such as X-Vault-Token?
There was a problem hiding this comment.
No, when it comes down to it if someone is sitting at your terminal they can easily get your token other ways. We could maybe require they put the token in an env var but it kind of breaks the point.
Maybe I'll just enhance the flag doc to explicitly mention it will do this.
There was a problem hiding this comment.
I just added a commit that changes things a little, and I'm curious about feedback. Instead of printing the token, I added a vault print token command (although maybe if we think there might be more things like this coming up it should be vault debug print-token or so), and the curl string now uses that in a bash escape.
Three items for feedback:
-
This will work with bash and zsh but not fish. Fish doesn't use backticks either, so...I guess if someone is interested they can submit a PR to check for the running shell env var and change up the output. It also obviously does not work on Windows; same story there, if people want it they could submit a PR to modify the output based on GOOS
-
Is this even a good idea? I'm not sure it's a bad idea. There are plenty of ways to fetch the Vault token: read the env var, read the file, or if you are using an external token helper this will still require any extra authentication to be performed as with a normal Vault call. You could also, on a machine with a connection to Vault and a normal default policy, call
vault token lookupand get it. On the flip side, doing it this way means the curl commands are emailable/portable -- you can send someone the line without having to do substitution. So I think it's a net neutral or positive. -
vault print tokenvs.vault debug print-token. Depends what we think we might have in the future. If we think we might have debuggish type stuff the latter makes sense. If we think we'll have more things to specifically print later, the former makes sense.
There was a problem hiding this comment.
I like the approach as you've implemented it. Keeps the token out of the history but output is still generally copy-pasteable. I think I prefer vault print token, as this feels like a generally useful capability, especially when token helpers are in the mix.
|
Hi @jefferai does this work with all vault commands? |
|
Same thing for me.
|
|
@ryan-moore-nw @jaydipdave it's the location of your |
This adds a flag
-output-curl-stringwhich will, instead of running the request, output an equivalent cURL string.It's structured in such a way that we could easily add alternative formats (httpie, wget) without having to rename things in the API or have them be totally out of date.