open-vault/builtin/logical/transit/backend.go

package transit

import (
	"context"
	"strings"

	"github.com/hashicorp/vault/helper/keysutil"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
	b := Backend(conf)
	if err := b.Setup(ctx, conf); err != nil {
		return nil, err
	}
	return b, nil
}

func Backend(conf *logical.BackendConfig) *backend {
	var b backend
	b.Backend = &framework.Backend{
		PathsSpecial: &logical.Paths{
			SealWrapStorage: []string{
				"archive/",
				"policy/",
			},
		},

		Paths: []*framework.Path{
			// Rotate/Config needs to come before Keys
			// as the handler is greedy
			b.pathConfig(),
			b.pathRotate(),
			b.pathRewrap(),
			b.pathKeys(),
			b.pathListKeys(),
			b.pathExportKeys(),
			b.pathEncrypt(),
			b.pathDecrypt(),
			b.pathDatakey(),
			b.pathRandom(),
			b.pathHash(),
			b.pathHMAC(),
			b.pathSign(),
			b.pathVerify(),
			b.pathBackup(),
			b.pathRestore(),
			b.pathTrim(),
		},

		Secrets:     []*framework.Secret{},
		Invalidate:  b.invalidate,
		BackendType: logical.TypeLogical,
	}

	b.lm = keysutil.NewLockManager(conf.System.CachingDisabled())

	return &b
}

type backend struct {
	*framework.Backend
	lm *keysutil.LockManager
}

func (b *backend) invalidate(_ context.Context, key string) {
	if b.Logger().IsDebug() {
		b.Logger().Debug("invalidating key", "key", key)
	}
	switch {
	case strings.HasPrefix(key, "policy/"):
		name := strings.TrimPrefix(key, "policy/")
		b.lm.InvalidatePolicy(name)
	}
}
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`package transit`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`"strings"`

Pulled out transit's lock manager and policy structs into a helper 2016-10-26 23:52:31 +00:00			`"github.com/hashicorp/vault/helper/keysutil"`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {`
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`b := Backend(conf)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := b.Setup(ctx, conf); err != nil {`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`return nil, err`
			`}`
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs 2017-07-20 17:28:40 +00:00			`return b, nil`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`func Backend(conf logical.BackendConfig) backend {`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`var b backend`
			`b.Backend = &framework.Backend{`
Final sync 2017-10-23 21:39:21 +00:00			`PathsSpecial: &logical.Paths{`
			`SealWrapStorage: []string{`
			`"archive/",`
			`"policy/",`
			`},`
			`},`

Adding transit logical backend 2015-04-16 00:08:12 +00:00			`Paths: []*framework.Path{`
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-17 22:49:50 +00:00			`// Rotate/Config needs to come before Keys`
Enhance transit backend: * Remove raw endpoint from transit * Add multi-key structure * Add enable, disable, rewrap, and rotate functionality * Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function * Unit tests for everything 2015-09-14 20:28:46 +00:00			`// as the handler is greedy`
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config" This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a. 2016-02-02 14:26:25 +00:00			`b.pathConfig(),`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`b.pathRotate(),`
			`b.pathRewrap(),`
			`b.pathKeys(),`
Add ability to list keys in transit backend (#1987) 2016-10-18 14:13:01 +00:00			`b.pathListKeys(),`
Adding support for exportable transit keys (#2133) 2017-01-23 16:04:43 +00:00			`b.pathExportKeys(),`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`b.pathEncrypt(),`
			`b.pathDecrypt(),`
			`b.pathDatakey(),`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`b.pathRandom(),`
			`b.pathHash(),`
			`b.pathHMAC(),`
			`b.pathSign(),`
			`b.pathVerify(),`
Transit: backup/restore (#3637) 2017-12-14 17:51:50 +00:00			`b.pathBackup(),`
			`b.pathRestore(),`
Transit: Key Trim (#5388) * Support key trimming * Add doc * Move trimming to its own endpoint * Remove trimmed_min_version field from config endpoint * Fix description * Doc updates * Fix response json in docs * Address review feedback * s/min_version/min_available_version * Commenting and error statement updates 2018-10-17 16:05:05 +00:00			`b.pathTrim(),`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`},`

Add BackendType to existing backends (#3078) 2017-07-28 18:04:46 +00:00			`Secrets: []*framework.Secret{},`
			`Invalidate: b.invalidate,`
			`BackendType: logical.TypeLogical,`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

Pulled out transit's lock manager and policy structs into a helper 2016-10-26 23:52:31 +00:00			`b.lm = keysutil.NewLockManager(conf.System.CachingDisabled())`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00
			`return &b`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`

			`type backend struct {`
			`*framework.Backend`
Pulled out transit's lock manager and policy structs into a helper 2016-10-26 23:52:31 +00:00			`lm *keysutil.LockManager`
Adding transit logical backend 2015-04-16 00:08:12 +00:00			`}`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b *backend) invalidate(_ context.Context, key string) {`
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go 2018-04-03 00:46:59 +00:00			`if b.Logger().IsDebug() {`
			`b.Logger().Debug("invalidating key", "key", key)`
More porting from rep (#2388) * More porting from rep * Address review feedback 2017-02-16 21:29:30 +00:00			`}`
			`switch {`
			`case strings.HasPrefix(key, "policy/"):`
			`name := strings.TrimPrefix(key, "policy/")`
			`b.lm.InvalidatePolicy(name)`
			`}`
			`}`