Spelling (hashicorp#4119)

CHANGELOG.md

@@ -417,7 +417,7 @@ BUG FIXES:
 DEPRECATIONS/CHANGES:
 
  * HSM config parameter requirements: When using Vault with an HSM, a new
-   paramter is required: `hmac_key_label`.  This performs a similar function to
+   parameter is required: `hmac_key_label`.  This performs a similar function to
    `key_label` but for the HMAC key Vault will use. Vault will generate a
    suitable key if this value is specified and `generate_key` is set true.
  * API HTTP client behavior: When calling `NewClient` the API no longer
@@ -694,7 +694,7 @@ FEATURES:
  * **GCP IAM Auth Backend**: There is now an authentication backend that allows
    using GCP IAM credentials to retrieve Vault tokens. This is available as
    both a plugin and built-in to Vault.
- * **PingID Push Support for Path-Baased MFA (Enterprise)**: PingID Push can
+ * **PingID Push Support for Path-Based MFA (Enterprise)**: PingID Push can
    now be used for MFA with the new path-based MFA introduced in Vault
    Enterprise 0.8.
  * **Permitted DNS Domains Support in PKI**: The `pki` backend now supports
@@ -820,7 +820,7 @@ IMPROVEMENTS:
    client certificate verification when `tls_require_and_verify_client_cert` is
    enabled [GH-3034]
  * storage/cockroachdb: Add CockroachDB storage backend [GH-2713]
- * storage/couchdb: Add CouchhDB storage backend [GH-2880]
+ * storage/couchdb: Add CouchDB storage backend [GH-2880]
  * storage/mssql: Add `max_parallel` [GH-3026]
  * storage/postgresql: Add `max_parallel` [GH-3026]
  * storage/postgresql: Improve listing speed [GH-2945]

Makefile

@@ -15,7 +15,7 @@ GO_VERSION_MIN=1.9
 
 default: dev
 
-# bin generates the releaseable binaries for Vault
+# bin generates the releasable binaries for Vault
 bin: prep
 	@CGO_ENABLED=0 BUILD_TAGS='$(BUILD_TAGS)' sh -c "'$(CURDIR)/scripts/build.sh'"
 

api/logical.go

@@ -178,7 +178,7 @@ func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
 	wrappedSecret := new(Secret)
 	buf := bytes.NewBufferString(secret.Data["response"].(string))
 	if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil {
-		return nil, fmt.Errorf("error unmarshaling wrapped secret: %s", err)
+		return nil, fmt.Errorf("error unmarshalling wrapped secret: %s", err)
 	}
 
 	return wrappedSecret, nil

api/secret_test.go

@@ -1190,7 +1190,7 @@ func TestSecret_TokenMetadata(t *testing.T) {
 			false,
 		},
 		{
-			"real_auth_metdata",
+			"real_auth_metadata",
 			&api.Secret{
 				Auth: &api.SecretAuth{
 					Metadata: map[string]string{"foo": "bar"},

api/sys_auth.go

@@ -78,7 +78,7 @@ func (c *Sys) DisableAuth(path string) error {
 }
 
 // Structures for the requests/resposne are all down here. They aren't
-// individually documentd because the map almost directly to the raw HTTP API
+// individually documented because the map almost directly to the raw HTTP API
 // documentation. Please refer to that documentation for more details.
 
 type EnableAuthOptions struct {

builtin/credential/approle/path_role.go

@@ -88,7 +88,7 @@ type roleIDStorageEntry struct {
 // role/<role_name>/bound-cidr-list - For updating the param
 // role/<role_name>/period - For updating the param
 // role/<role_name>/role-id - For fetching the role_id of an role
-// role/<role_name>/secret-id - For issuing a secret_id against an role, also to list the secret_id_accessorss
+// role/<role_name>/secret-id - For issuing a secret_id against an role, also to list the secret_id_accessors
 // role/<role_name>/custom-secret-id - For assigning a custom SecretID against an role
 // role/<role_name>/secret-id/lookup - For reading the properties of a secret_id
 // role/<role_name>/secret-id/destroy - For deleting a secret_id

builtin/credential/approle/validation.go

@@ -235,7 +235,7 @@ func (b *backend) validateBindSecretID(ctx context.Context, req *logical.Request
 	}
 
 	// If there exists a single use left, delete the SecretID entry from
-	// the storage but do not fail the validation request. Subsequest
+	// the storage but do not fail the validation request. Subsequent
 	// requests to use the same SecretID will fail.
 	if result.SecretIDNumUses == 1 {
 		// Delete the secret IDs accessor first

builtin/credential/aws/backend.go

@@ -46,7 +46,7 @@ type backend struct {
 	// tidy the blacklist and whitelist entries.
 	tidyCooldownPeriod time.Duration
 
-	// nextTidyTime holds the time at which the periodic func should initiatite
+	// nextTidyTime holds the time at which the periodic func should initiate
 	// the tidy operations. This is set by the periodicFunc based on the value
 	// of tidyCooldownPeriod.
 	nextTidyTime time.Time

builtin/credential/aws/backend_test.go

@@ -1173,7 +1173,7 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 		t.Fatalf("bad: failed to login: resp:%#v\nerr:%v", resp, err)
 	}
 
-	// Attempt to re-login with the identity signture
+	// Attempt to re-login with the identity signature
 	delete(loginInput, "pkcs7")
 	loginInput["identity"] = identityDoc
 	loginInput["signature"] = identityDocSig

builtin/credential/aws/path_config_certificate.go

@@ -416,14 +416,14 @@ func (b *backend) pathConfigCertificateCreateUpdate(ctx context.Context, req *lo
 }
 
 // Struct awsPublicCert holds the AWS Public Key that is used to verify the PKCS#7 signature
-// of the instnace identity document.
+// of the instance identity document.
 type awsPublicCert struct {
 	AWSPublicCert string `json:"aws_public_cert"`
 	Type          string `json:"type"`
 }
 
 const pathConfigCertificateSyn = `
-Adds the AWS Public Key that is used to verify the PKCS#7 signature of the identidy document.
+Adds the AWS Public Key that is used to verify the PKCS#7 signature of the identity document.
 `
 
 const pathConfigCertificateDesc = `

builtin/credential/aws/path_login.go

@@ -841,7 +841,7 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 
 // handleRoleTagLogin is used to fetch the role tag of the instance and
 // verifies it to be correct.  Then the policies for the login request will be
-// set off of the role tag, if certain creteria satisfies.
+// set off of the role tag, if certain criteria satisfies.
 func (b *backend) handleRoleTagLogin(ctx context.Context, s logical.Storage, roleName string, roleEntry *awsRoleEntry, instance *ec2.Instance) (*roleTagLoginResponse, error) {
 	if roleEntry == nil {
 		return nil, fmt.Errorf("nil role entry")
@@ -1467,7 +1467,7 @@ func buildHttpRequest(method, endpoint string, parsedUrl *url.URL, body string,
 	// The use cases we want to support, in order of increasing complexity, are:
 	// 1. All defaults (client assumes sts.amazonaws.com and server has no override)
 	// 2. Alternate STS regions: client wants to go to a specific region, in which case
-	//    Vault must be confiugred with that endpoint as well. The client's signed request
+	//    Vault must be configured with that endpoint as well. The client's signed request
 	//    will include a signature over what the client expects the Host header to be,
 	//    so we cannot change that and must match.
 	// 3. Alternate STS regions with a proxy that is transparent to Vault's clients.
@@ -1477,14 +1477,14 @@ func buildHttpRequest(method, endpoint string, parsedUrl *url.URL, body string,
 	// It's also annoying because:
 	// 1. The AWS Sigv4 algorithm requires the Host header to be defined
 	// 2. Some of the official SDKs (at least botocore and aws-sdk-go) don't actually
-	//    incude an explicit Host header in the HTTP requests they generate, relying on
+	//    include an explicit Host header in the HTTP requests they generate, relying on
 	//    the underlying HTTP library to do that for them.
 	// 3. To get a validly signed request, the SDKs check if a Host header has been set
 	//    and, if not, add an inferred host header (based on the URI) to the internal
 	//    data structure used for calculating the signature, but never actually expose
 	//    that to clients. So then they just "hope" that the underlying library actually
 	//    adds the right Host header which was included in the signature calculation.
-	// We could either explicity require all Vault clients to explicitly add the Host header
+	// We could either explicitly require all Vault clients to explicitly add the Host header
 	// in the encoded request, or we could also implicitly infer it from the URI.
 	// We choose to support both -- allow you to explicitly set a Host header, but if not,
 	// infer one from the URI.
@@ -1706,7 +1706,7 @@ implemented based on that inferred type.
 
 An EC2 instance is authenticated using the PKCS#7 signature of the instance identity
 document and a client created nonce. This nonce should be unique and should be used by
-the instance for all future logins, unless 'disallow_reauthenitcation' option on the
+the instance for all future logins, unless 'disallow_reauthentication' option on the
 registered role is enabled, in which case client nonce is optional.
 
 First login attempt, creates a whitelist entry in Vault associating the instance to the nonce

builtin/credential/aws/path_role_tag.go

@@ -390,7 +390,7 @@ func createRoleTagNonce() (string, error) {
 	}
 }
 
-// Struct roleTag represents a role tag in a struc form.
+// Struct roleTag represents a role tag in a struct form.
 type roleTag struct {
 	Version                  string        `json:"version"`
 	InstanceID               string        `json:"instance_id"`

builtin/credential/cert/backend_test.go

@@ -1444,7 +1444,7 @@ func Test_Renew(t *testing.T) {
 		t.Fatal("expected error")
 	}
 
-	// Put the policies back, this shold be okay
+	// Put the policies back, this should be okay
 	fd.Raw["policies"] = "bar,foo"
 	resp, err = b.pathCertWrite(context.Background(), req, fd)
 	if err != nil {

builtin/credential/cert/cli.go

@@ -42,7 +42,7 @@ func (h *CLIHandler) Help() string {
 	help := `
 Usage: vault login -method=cert [CONFIG K=V...]
 
-  The certificate auth method allows uers to authenticate with a
+  The certificate auth method allows users to authenticate with a
   client certificate passed with the request. The -client-cert and -client-key
   flags are included with the "vault login" command, NOT as configuration to the
   auth method.

builtin/credential/cert/path_login.go

@@ -266,7 +266,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d
 func (b *backend) matchesConstraints(clientCert *x509.Certificate, trustedChain []*x509.Certificate, config *ParsedCert) bool {
 	return !b.checkForChainInCRLs(trustedChain) &&
 		b.matchesNames(clientCert, config) &&
-		b.matchesCertificateExtenions(clientCert, config)
+		b.matchesCertificateExtensions(clientCert, config)
 }
 
 // matchesNames verifies that the certificate matches at least one configured
@@ -297,9 +297,9 @@ func (b *backend) matchesNames(clientCert *x509.Certificate, config *ParsedCert)
 	return false
 }
 
-// matchesCertificateExtenions verifies that the certificate matches configured
+// matchesCertificateExtensions verifies that the certificate matches configured
 // required extensions
-func (b *backend) matchesCertificateExtenions(clientCert *x509.Certificate, config *ParsedCert) bool {
+func (b *backend) matchesCertificateExtensions(clientCert *x509.Certificate, config *ParsedCert) bool {
 	// If no required extensions, nothing to check here
 	if len(config.Entry.RequiredExtensions) == 0 {
 		return true

builtin/credential/ldap/backend.go

@@ -421,5 +421,5 @@ to set of policies.
 
 Configuration of the server is done through the "config" and "groups"
 endpoints by a user with root access. Authentication is then done
-by suppying the two fields for "login".
+by supplying the two fields for "login".
 `

builtin/credential/ldap/backend_test.go

@@ -449,7 +449,7 @@ func testAccStepLogin(t *testing.T, user string, pass string) logicaltest.TestSt
 		},
 		Unauthenticated: true,
 
-		// Verifies user tesla maps to groups via local group (engineers) as well as remote group (Scientiests)
+		// Verifies user tesla maps to groups via local group (engineers) as well as remote group (Scientists)
 		Check: logicaltest.TestCheckAuth([]string{"bar", "default", "foo"}),
 	}
 }
@@ -463,7 +463,7 @@ func testAccStepLoginNoGroupDN(t *testing.T, user string, pass string) logicalte
 		},
 		Unauthenticated: true,
 
-		// Verifies a search without defined GroupDN returns a warnting rather than failing
+		// Verifies a search without defined GroupDN returns a warning rather than failing
 		Check: func(resp *logical.Response) error {
 			if len(resp.Warnings) != 1 {
 				return fmt.Errorf("expected a warning due to no group dn, got: %#v", resp.Warnings)

builtin/credential/okta/backend.go

@@ -106,7 +106,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 		Data: map[string]interface{}{},
 	}
 
-	// More about Okta's Auth transation state here:
+	// More about Okta's Auth transaction state here:
 	// https://developer.okta.com/docs/api/resources/authn#transaction-state
 
 	// If lockout failures are not configured to be hidden, the status needs to
@@ -321,5 +321,5 @@ groups are pulled down from Okta.
 
 Configuration of the connection is done through the "config" and "policies"
 endpoints by a user with root access. Authentication is then done
-by suppying the two fields for "login".
+by supplying the two fields for "login".
 `

builtin/credential/okta/path_config.go

@@ -40,7 +40,7 @@ func pathConfig(b *backend) *framework.Path {
 			},
 			"base_url": &framework.FieldSchema{
 				Type:        framework.TypeString,
-				Description: `The base domain to use for the Okta API. When not specified in the configuraiton, "okta.com" is used.`,
+				Description: `The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.`,
 			},
 			"production": &framework.FieldSchema{
 				Type:        framework.TypeBool,

builtin/credential/radius/backend.go

@@ -59,8 +59,8 @@ a RADIUS server, checking username and associating users
 to set of policies.
 
 Configuration of the server is done through the "config" and "users"
-endpoints by a user with approriate access mandated by policy.
-Authentication is then done by suppying the two fields for "login".
+endpoints by a user with appropriate access mandated by policy.
+Authentication is then done by supplying the two fields for "login".
 
 The backend optionally allows to grant a set of policies to any 
 user that successfully authenticates against the RADIUS server, 

builtin/credential/userpass/backend.go

@@ -56,5 +56,5 @@ are supported.
 
 The username/password combination is configured using the "users/"
 endpoints by a user with root access. Authentication is then done
-by suppying the two fields for "login".
+by supplying the two fields for "login".
 `

builtin/logical/aws/path_config_root.go

@@ -91,6 +91,6 @@ Configure the root credentials that are used to manage IAM.
 const pathConfigRootHelpDesc = `
 Before doing anything, the AWS backend needs credentials that are able
 to manage IAM policies, users, access keys, etc. This endpoint is used
-to configure those credentials. They don't necessarilly need to be root
+to configure those credentials. They don't necessarily need to be root
 keys as long as they have permission to manage IAM.
 `

builtin/logical/cassandra/path_config_connection.go

@@ -213,7 +213,7 @@ Configure the connection information to talk to Cassandra.
 const pathConfigConnectionHelpDesc = `
 This path configures the connection information used to connect to Cassandra.
 
-"hosts" is a comma-deliniated list of hostnames in the Cassandra cluster.
+"hosts" is a comma-delimited list of hostnames in the Cassandra cluster.
 
 "username" and "password" are self-explanatory, although the given user
 must have superuser access within Cassandra. Note that since this backend

builtin/logical/cassandra/path_roles.go

@@ -186,7 +186,7 @@ If no "creation_cql" parameter is given, a default will be used:
 This default should be suitable for Cassandra installations using the password
 authenticator but not configured to use authorization.
 
-Similarly, the "rollback_cql" is used if user creation fails, in the absense of
+Similarly, the "rollback_cql" is used if user creation fails, in the absence of
 Cassandra transactions. The default should be suitable for almost any
 instance of Cassandra:
 

builtin/logical/cassandra/test-fixtures/cassandra.yaml

@@ -250,7 +250,7 @@ commit_failure_policy: stop
 #
 # Valid values are either "auto" (omitting the value) or a value greater 0.
 #
-# Note that specifying a too large value will result in long running GCs and possbily
+# Note that specifying a too large value will result in long running GCs and possibly
 # out-of-memory errors. Keep the value at a small fraction of the heap.
 #
 # If you constantly see "prepared statements discarded in the last minute because
@@ -259,7 +259,7 @@ commit_failure_policy: stop
 # i.e. use bind markers for variable parts.
 #
 # Do only change the default value, if you really have more prepared statements than
-# fit in the cache. In most cases it is not neccessary to change this value.
+# fit in the cache. In most cases it is not necessary to change this value.
 # Constantly re-preparing statements is a performance penalty.
 #
 # Default value ("auto") is 1/256th of the heap or 10MB, whichever is greater
@@ -1021,7 +1021,7 @@ client_encryption_options:
     keystore: conf/.keystore
     keystore_password: cassandra
     # require_client_auth: false
-    # Set trustore and truststore_password if require_client_auth is true
+    # Set truststore and truststore_password if require_client_auth is true
     # truststore: conf/.truststore
     # truststore_password: cassandra
     # More advanced defaults below:
@@ -1080,7 +1080,7 @@ windows_timer_interval: 1
 
 # Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from
 # a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by
-# the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys
+# the "key_alias" is the only key that will be used for encrypt operations; previously used keys
 # can still (and should!) be in the keystore and will be used on decrypt operations
 # (to handle the case of key rotation).
 #
@@ -1114,7 +1114,7 @@ transparent_data_encryption_options:
 # tombstones seen in memory so we can return them to the coordinator, which
 # will use them to make sure other replicas also know about the deleted rows.
 # With workloads that generate a lot of tombstones, this can cause performance
-# problems and even exaust the server heap.
+# problems and even exhaust the server heap.
 # (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)
 # Adjust the thresholds here if you understand the dangers and want to
 # scan more tombstones anyway.  These thresholds may also be adjusted at runtime

builtin/logical/database/backend_test.go

@@ -614,7 +614,7 @@ func TestBackend_roleCrud(t *testing.T) {
 	}
 
 	if !reflect.DeepEqual(expected, actual) {
-		t.Fatalf("Statements did not match, exepected %#v, got %#v", expected, actual)
+		t.Fatalf("Statements did not match, expected %#v, got %#v", expected, actual)
 	}
 
 	// Delete the role

builtin/logical/database/dbplugin/client.go

@@ -67,7 +67,7 @@ func newPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunne
 		return nil, errors.New("unsupported client type")
 	}
 
-	// Wrap RPC implimentation in DatabasePluginClient
+	// Wrap RPC implementation in DatabasePluginClient
 	return &DatabasePluginClient{
 		client:   client,
 		Database: db,

builtin/logical/database/dbplugin/plugin.go

@@ -46,7 +46,7 @@ func PluginFactory(ctx context.Context, pluginName string, sys pluginutil.LookRu
 		var ok bool
 		db, ok = dbRaw.(Database)
 		if !ok {
-			return nil, fmt.Errorf("unsuported database type: %s", pluginName)
+			return nil, fmt.Errorf("unsupported database type: %s", pluginName)
 		}
 
 		transport = "builtin"

builtin/logical/database/dbplugin/plugin_test.go

@@ -258,7 +258,7 @@ func TestPlugin_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	// Test default revoke statememts
+	// Test default revoke statements
 	err = db.RevokeUser(context.Background(), dbplugin.Statements{}, us)
 	if err != nil {
 		t.Fatalf("err: %s", err)
@@ -398,7 +398,7 @@ func TestPlugin_NetRPC_RevokeUser(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	// Test default revoke statememts
+	// Test default revoke statements
 	err = db.RevokeUser(context.Background(), dbplugin.Statements{}, us)
 	if err != nil {
 		t.Fatalf("err: %s", err)