open-vault/vault/auth.go

package vault

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"

	"github.com/hashicorp/uuid"
	"github.com/hashicorp/vault/logical"
)

const (
	// coreAuthConfigPath is used to store the auth configuration.
	// Auth configuration is protected within the Vault itself, which means it
	// can only be viewed or modified after an unseal.
	coreAuthConfigPath = "core/auth"

	// credentialBarrierPrefix is the prefix to the UUID used in the
	// barrier view for the credential backends.
	credentialBarrierPrefix = "auth/"

	// credentialRoutePrefix is the mount prefix used for the router
	credentialRoutePrefix = "auth/"
)

var (
	// errLoadAuthFailed if loadCredentials encounters an error
	errLoadAuthFailed = errors.New("failed to setup auth table")
)

// enableCredential is used to enable a new credential backend
func (c *Core) enableCredential(entry *MountEntry) error {
	c.auth.Lock()
	defer c.auth.Unlock()

	// Ensure we end the path in a slash
	if !strings.HasSuffix(entry.Path, "/") {
		entry.Path += "/"
	}

	// Ensure there is a name
	if entry.Path == "/" {
		return fmt.Errorf("backend path must be specified")
	}

	// Look for matching name
	for _, ent := range c.auth.Entries {
		switch {
		// Existing is oauth/github/ new is oauth/ or
		// existing is oauth/ and new is oauth/github/
		case strings.HasPrefix(ent.Path, entry.Path):
			fallthrough
		case strings.HasPrefix(entry.Path, ent.Path):
			return logical.CodedError(409, "path is already in use")
		}
	}

	// Ensure the token backend is a singleton
	if entry.Type == "token" {
		return fmt.Errorf("token credential backend cannot be instantiated")
	}

	// Generate a new UUID and view
	entry.UUID = uuid.GenerateUUID()
	view := NewBarrierView(c.barrier, credentialBarrierPrefix+entry.UUID+"/")

	// Create the new backend
	backend, err := c.newCredentialBackend(entry.Type, c.mountEntrySysView(entry), view, nil)
	if err != nil {
		return err
	}

	// Update the auth table
	newTable := c.auth.ShallowClone()
	newTable.Entries = append(newTable.Entries, entry)
	if err := c.persistAuth(newTable); err != nil {
		return errors.New("failed to update auth table")
	}
	c.auth = newTable

	// Mount the backend
	path := credentialRoutePrefix + entry.Path
	if err := c.router.Mount(backend, path, entry, view); err != nil {
		return err
	}
	c.logger.Printf("[INFO] core: enabled credential backend '%s' type: %s",
		entry.Path, entry.Type)
	return nil
}

// disableCredential is used to disable an existing credential backend
func (c *Core) disableCredential(path string) error {
	c.auth.Lock()
	defer c.auth.Unlock()

	// Ensure we end the path in a slash
	if !strings.HasSuffix(path, "/") {
		path += "/"
	}

	// Ensure the token backend is not affected
	if path == "token/" {
		return fmt.Errorf("token credential backend cannot be disabled")
	}

	// Store the view for this backend
	fullPath := credentialRoutePrefix + path
	view := c.router.MatchingStorageView(fullPath)
	if view == nil {
		return fmt.Errorf("no matching backend")
	}

	// Mark the entry as tainted
	if err := c.taintCredEntry(path); err != nil {
		return err
	}

	// Taint the router path to prevent routing
	if err := c.router.Taint(fullPath); err != nil {
		return err
	}

	// Revoke credentials from this path
	if err := c.expiration.RevokePrefix(fullPath); err != nil {
		return err
	}

	// Unmount the backend
	if err := c.router.Unmount(fullPath); err != nil {
		return err
	}

	// Clear the data in the view
	if view != nil {
		if err := ClearView(view); err != nil {
			return err
		}
	}

	// Remove the mount table entry
	if err := c.removeCredEntry(path); err != nil {
		return err
	}
	c.logger.Printf("[INFO] core: disabled credential backend '%s'", path)
	return nil
}

// removeCredEntry is used to remove an entry in the auth table
func (c *Core) removeCredEntry(path string) error {
	// Taint the entry from the auth table
	newTable := c.auth.ShallowClone()
	newTable.Remove(path)

	// Update the auth table
	if err := c.persistAuth(newTable); err != nil {
		return errors.New("failed to update auth table")
	}
	c.auth = newTable
	return nil
}

// taintCredEntry is used to mark an entry in the auth table as tainted
func (c *Core) taintCredEntry(path string) error {
	// Taint the entry from the auth table
	newTable := c.auth.ShallowClone()
	found := newTable.SetTaint(path, true)

	// Ensure there was a match
	if !found {
		return fmt.Errorf("no matching backend")
	}

	// Update the auth table
	if err := c.persistAuth(newTable); err != nil {
		return errors.New("failed to update auth table")
	}
	c.auth = newTable
	return nil
}

// loadCredentials is invoked as part of postUnseal to load the auth table
func (c *Core) loadCredentials() error {
	// Load the existing mount table
	raw, err := c.barrier.Get(coreAuthConfigPath)
	if err != nil {
		c.logger.Printf("[ERR] core: failed to read auth table: %v", err)
		return errLoadAuthFailed
	}
	if raw != nil {
		c.auth = &MountTable{}
		if err := json.Unmarshal(raw.Value, c.auth); err != nil {
			c.logger.Printf("[ERR] core: failed to decode auth table: %v", err)
			return errLoadAuthFailed
		}
	}

	// Done if we have restored the auth table
	if c.auth != nil {
		return nil
	}

	// Create and persist the default auth table
	c.auth = defaultAuthTable()
	if err := c.persistAuth(c.auth); err != nil {
		c.logger.Printf("[ERR] core: failed to persist auth table: %v", err)
		return errLoadAuthFailed
	}
	return nil
}

// persistAuth is used to persist the auth table after modification
func (c *Core) persistAuth(table *MountTable) error {
	// Marshal the table
	raw, err := json.Marshal(table)
	if err != nil {
		c.logger.Printf("[ERR] core: failed to encode auth table: %v", err)
		return err
	}

	// Create an entry
	entry := &Entry{
		Key:   coreAuthConfigPath,
		Value: raw,
	}

	// Write to the physical backend
	if err := c.barrier.Put(entry); err != nil {
		c.logger.Printf("[ERR] core: failed to persist auth table: %v", err)
		return err
	}
	return nil
}

// setupCredentials is invoked after we've loaded the auth table to
// initialize the credential backends and setup the router
func (c *Core) setupCredentials() error {
	var backend logical.Backend
	var view *BarrierView
	var err error
	for _, entry := range c.auth.Entries {
		// Create a barrier view using the UUID
		view = NewBarrierView(c.barrier, credentialBarrierPrefix+entry.UUID+"/")

		// Initialize the backend
		backend, err = c.newCredentialBackend(entry.Type, c.mountEntrySysView(entry), view, nil)
		if err != nil {
			c.logger.Printf(
				"[ERR] core: failed to create credential entry %s: %v",
				entry.Path, err)
			return errLoadAuthFailed
		}

		// Mount the backend
		path := credentialRoutePrefix + entry.Path
		err = c.router.Mount(backend, path, entry, view)
		if err != nil {
			c.logger.Printf("[ERR] core: failed to mount auth entry %s: %v", entry.Path, err)
			return errLoadAuthFailed
		}

		// Ensure the path is tainted if set in the mount table
		if entry.Tainted {
			c.router.Taint(path)
		}

		// Check if this is the token store
		if entry.Type == "token" {
			c.tokenStore = backend.(*TokenStore)

			// this is loaded *after* the normal mounts, including cubbyhole
			c.router.tokenStoreSalt = c.tokenStore.salt
			c.tokenStore.cubbyholeBackend = c.router.MatchingBackend("cubbyhole/").(*CubbyholeBackend)
		}
	}
	return nil
}

// teardownCredentials is used before we seal the vault to reset the credential
// backends to their unloaded state. This is reversed by loadCredentials.
func (c *Core) teardownCredentials() error {
	c.auth = nil
	c.tokenStore = nil
	return nil
}

// newCredentialBackend is used to create and configure a new credential backend by name
func (c *Core) newCredentialBackend(
	t string, sysView logical.SystemView, view logical.Storage, conf map[string]string) (logical.Backend, error) {
	f, ok := c.credentialBackends[t]
	if !ok {
		return nil, fmt.Errorf("unknown backend type: %s", t)
	}

	config := &logical.BackendConfig{
		StorageView: view,
		Logger:      c.logger,
		Config:      conf,
		System:      sysView,
	}

	b, err := f(config)
	if err != nil {
		return nil, err
	}

	return b, nil
}

// defaultAuthTable creates a default auth table
func defaultAuthTable() *MountTable {
	table := &MountTable{}
	tokenAuth := &MountEntry{
		Path:        "token/",
		Type:        "token",
		Description: "token based credentials",
		UUID:        uuid.GenerateUUID(),
	}
	table.Entries = append(table.Entries, tokenAuth)
	return table
}
vault: Adding hooks for auth loading 2015-03-18 22:30:31 +00:00			`package vault`

vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`import (`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`"strings"`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00
Use split-out hashicorp/uuid 2015-10-12 18:07:12 +00:00			`"github.com/hashicorp/uuid"`
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`"github.com/hashicorp/vault/logical"`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`)`

			`const (`
			`// coreAuthConfigPath is used to store the auth configuration.`
			`// Auth configuration is protected within the Vault itself, which means it`
			`// can only be viewed or modified after an unseal.`
			`coreAuthConfigPath = "core/auth"`

			`// credentialBarrierPrefix is the prefix to the UUID used in the`
			`// barrier view for the credential backends.`
			`credentialBarrierPrefix = "auth/"`

vault: Change constant name 2015-03-19 16:56:39 +00:00			`// credentialRoutePrefix is the mount prefix used for the router`
			`credentialRoutePrefix = "auth/"`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`)`

			`var (`
Run preSeal if postUnseal fails. This also ensures that every error path out of postUnseal returns an error. Fixes #733 2015-11-02 16:01:00 +00:00			`// errLoadAuthFailed if loadCredentials encounters an error`
Rename View to StorageView to make it more distinct from SystemView 2015-09-09 19:42:29 +00:00			`errLoadAuthFailed = errors.New("failed to setup auth table")`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`)`

vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`// enableCredential is used to enable a new credential backend`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`func (c Core) enableCredential(entry MountEntry) error {`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`c.auth.Lock()`
			`defer c.auth.Unlock()`

vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`// Ensure we end the path in a slash`
			`if !strings.HasSuffix(entry.Path, "/") {`
			`entry.Path += "/"`
			`}`

vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`// Ensure there is a name`
vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`if entry.Path == "/" {`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`return fmt.Errorf("backend path must be specified")`
			`}`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00
			`// Look for matching name`
			`for _, ent := range c.auth.Entries {`
vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`switch {`
			`// Existing is oauth/github/ new is oauth/ or`
			`// existing is oauth/ and new is oauth/github/`
			`case strings.HasPrefix(ent.Path, entry.Path):`
			`fallthrough`
			`case strings.HasPrefix(entry.Path, ent.Path):`
See if this clears build error 2015-08-13 17:17:04 +00:00			`return logical.CodedError(409, "path is already in use")`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`}`
			`}`

			`// Ensure the token backend is a singleton`
			`if entry.Type == "token" {`
			`return fmt.Errorf("token credential backend cannot be instantiated")`
			`}`

			`// Generate a new UUID and view`
helper/uuid: single generateUUID definition 2015-06-30 19:38:32 +00:00			`entry.UUID = uuid.GenerateUUID()`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`view := NewBarrierView(c.barrier, credentialBarrierPrefix+entry.UUID+"/")`

vault: provide view to backend initializer for setup 2015-07-01 00:30:43 +00:00			`// Create the new backend`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`backend, err := c.newCredentialBackend(entry.Type, c.mountEntrySysView(entry), view, nil)`
vault: provide view to backend initializer for setup 2015-07-01 00:30:43 +00:00			`if err != nil {`
			`return err`
			`}`

vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`// Update the auth table`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`newTable := c.auth.ShallowClone()`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`newTable.Entries = append(newTable.Entries, entry)`
			`if err := c.persistAuth(newTable); err != nil {`
			`return errors.New("failed to update auth table")`
			`}`
			`c.auth = newTable`

			`// Mount the backend`
vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`path := credentialRoutePrefix + entry.Path`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`if err := c.router.Mount(backend, path, entry, view); err != nil {`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`return err`
			`}`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`c.logger.Printf("[INFO] core: enabled credential backend '%s' type: %s",`
			`entry.Path, entry.Type)`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`return nil`
			`}`

			`// disableCredential is used to disable an existing credential backend`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`func (c *Core) disableCredential(path string) error {`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`c.auth.Lock()`
			`defer c.auth.Unlock()`

vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`// Ensure we end the path in a slash`
			`if !strings.HasSuffix(path, "/") {`
			`path += "/"`
			`}`

vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`// Ensure the token backend is not affected`
vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`if path == "token/" {`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`return fmt.Errorf("token credential backend cannot be disabled")`
			`}`

vault: disable credential backend revokes tokens 2015-04-03 23:07:45 +00:00			`// Store the view for this backend`
			`fullPath := credentialRoutePrefix + path`
Move more cubby logic outside of router into auth setup 2015-09-15 16:27:22 +00:00			`view := c.router.MatchingStorageView(fullPath)`
vault: Do early check for missing backend 2015-04-03 23:09:06 +00:00			`if view == nil {`
			`return fmt.Errorf("no matching backend")`
			`}`
vault: disable credential backend revokes tokens 2015-04-03 23:07:45 +00:00
			`// Mark the entry as tainted`
			`if err := c.taintCredEntry(path); err != nil {`
			`return err`
			`}`

			`// Taint the router path to prevent routing`
			`if err := c.router.Taint(fullPath); err != nil {`
			`return err`
			`}`

			`// Revoke credentials from this path`
			`if err := c.expiration.RevokePrefix(fullPath); err != nil {`
			`return err`
			`}`

			`// Unmount the backend`
			`if err := c.router.Unmount(fullPath); err != nil {`
			`return err`
			`}`

			`// Clear the data in the view`
			`if view != nil {`
			`if err := ClearView(view); err != nil {`
			`return err`
vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`}`
			`}`

vault: disable credential backend revokes tokens 2015-04-03 23:07:45 +00:00			`// Remove the mount table entry`
			`if err := c.removeCredEntry(path); err != nil {`
			`return err`
			`}`
			`c.logger.Printf("[INFO] core: disabled credential backend '%s'", path)`
			`return nil`
			`}`

			`// removeCredEntry is used to remove an entry in the auth table`
			`func (c *Core) removeCredEntry(path string) error {`
			`// Taint the entry from the auth table`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`newTable := c.auth.ShallowClone()`
vault: disable credential backend revokes tokens 2015-04-03 23:07:45 +00:00			`newTable.Remove(path)`

			`// Update the auth table`
			`if err := c.persistAuth(newTable); err != nil {`
			`return errors.New("failed to update auth table")`
			`}`
			`c.auth = newTable`
			`return nil`
			`}`

			`// taintCredEntry is used to mark an entry in the auth table as tainted`
			`func (c *Core) taintCredEntry(path string) error {`
			`// Taint the entry from the auth table`
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 02:17:49 +00:00			`newTable := c.auth.ShallowClone()`
vault: disable credential backend revokes tokens 2015-04-03 23:07:45 +00:00			`found := newTable.SetTaint(path, true)`

vault: first pass at enable/disable auth backends 2015-03-19 02:36:17 +00:00			`// Ensure there was a match`
			`if !found {`
			`return fmt.Errorf("no matching backend")`
			`}`

			`// Update the auth table`
			`if err := c.persistAuth(newTable); err != nil {`
			`return errors.New("failed to update auth table")`
			`}`
			`c.auth = newTable`
			`return nil`
			`}`

vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`// loadCredentials is invoked as part of postUnseal to load the auth table`
			`func (c *Core) loadCredentials() error {`
			`// Load the existing mount table`
			`raw, err := c.barrier.Get(coreAuthConfigPath)`
			`if err != nil {`
			`c.logger.Printf("[ERR] core: failed to read auth table: %v", err)`
Rename View to StorageView to make it more distinct from SystemView 2015-09-09 19:42:29 +00:00			`return errLoadAuthFailed`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`
			`if raw != nil {`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`c.auth = &MountTable{}`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`if err := json.Unmarshal(raw.Value, c.auth); err != nil {`
			`c.logger.Printf("[ERR] core: failed to decode auth table: %v", err)`
Rename View to StorageView to make it more distinct from SystemView 2015-09-09 19:42:29 +00:00			`return errLoadAuthFailed`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`
			`}`

			`// Done if we have restored the auth table`
			`if c.auth != nil {`
			`return nil`
			`}`

			`// Create and persist the default auth table`
			`c.auth = defaultAuthTable()`
			`if err := c.persistAuth(c.auth); err != nil {`
Run preSeal if postUnseal fails. This also ensures that every error path out of postUnseal returns an error. Fixes #733 2015-11-02 16:01:00 +00:00			`c.logger.Printf("[ERR] core: failed to persist auth table: %v", err)`
Rename View to StorageView to make it more distinct from SystemView 2015-09-09 19:42:29 +00:00			`return errLoadAuthFailed`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`
			`return nil`
			`}`

			`// persistAuth is used to persist the auth table after modification`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`func (c Core) persistAuth(table MountTable) error {`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`// Marshal the table`
			`raw, err := json.Marshal(table)`
			`if err != nil {`
			`c.logger.Printf("[ERR] core: failed to encode auth table: %v", err)`
			`return err`
			`}`

			`// Create an entry`
			`entry := &Entry{`
			`Key: coreAuthConfigPath,`
			`Value: raw,`
			`}`

			`// Write to the physical backend`
			`if err := c.barrier.Put(entry); err != nil {`
			`c.logger.Printf("[ERR] core: failed to persist auth table: %v", err)`
			`return err`
			`}`
			`return nil`
			`}`

			`// setupCredentials is invoked after we've loaded the auth table to`
vault: Adding hooks for auth loading 2015-03-18 22:30:31 +00:00			`// initialize the credential backends and setup the router`
			`func (c *Core) setupCredentials() error {`
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`var backend logical.Backend`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`var view *BarrierView`
			`var err error`
			`for _, entry := range c.auth.Entries {`
vault: provide view to backend initializer for setup 2015-07-01 00:30:43 +00:00			`// Create a barrier view using the UUID`
			`view = NewBarrierView(c.barrier, credentialBarrierPrefix+entry.UUID+"/")`

vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`// Initialize the backend`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`backend, err = c.newCredentialBackend(entry.Type, c.mountEntrySysView(entry), view, nil)`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`if err != nil {`
			`c.logger.Printf(`
Fix problematic logging statements. Fixes #665. 2015-10-03 01:31:46 +00:00			`"[ERR] core: failed to create credential entry %s: %v",`
			`entry.Path, err)`
Rename View to StorageView to make it more distinct from SystemView 2015-09-09 19:42:29 +00:00			`return errLoadAuthFailed`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`

			`// Mount the backend`
vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`path := credentialRoutePrefix + entry.Path`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`err = c.router.Mount(backend, path, entry, view)`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`if err != nil {`
Fix problematic logging statements. Fixes #665. 2015-10-03 01:31:46 +00:00			`c.logger.Printf("[ERR] core: failed to mount auth entry %s: %v", entry.Path, err)`
Rename View to StorageView to make it more distinct from SystemView 2015-09-09 19:42:29 +00:00			`return errLoadAuthFailed`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`
vault: Track the token store in core 2015-03-23 20:41:05 +00:00
vault: disable credential backend revokes tokens 2015-04-03 23:07:45 +00:00			`// Ensure the path is tainted if set in the mount table`
			`if entry.Tainted {`
			`c.router.Taint(path)`
			`}`

vault: Track the token store in core 2015-03-23 20:41:05 +00:00			`// Check if this is the token store`
			`if entry.Type == "token" {`
			`c.tokenStore = backend.(*TokenStore)`
Move more cubby logic outside of router into auth setup 2015-09-15 16:27:22 +00:00
			`// this is loaded after the normal mounts, including cubbyhole`
Fix situation where a new required singleton backend would not be activated upon upgrade. 2015-09-21 21:54:36 +00:00			`c.router.tokenStoreSalt = c.tokenStore.salt`
Directly pass the cubbyhole backend to the token store and bypass logic in router 2015-09-15 17:49:53 +00:00			`c.tokenStore.cubbyholeBackend = c.router.MatchingBackend("cubbyhole/").(*CubbyholeBackend)`
vault: Track the token store in core 2015-03-23 20:41:05 +00:00			`}`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`
vault: Adding hooks for auth loading 2015-03-18 22:30:31 +00:00			`return nil`
			`}`

			`// teardownCredentials is used before we seal the vault to reset the credential`
			`// backends to their unloaded state. This is reversed by loadCredentials.`
			`func (c *Core) teardownCredentials() error {`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`c.auth = nil`
vault: Track the token store in core 2015-03-23 20:41:05 +00:00			`c.tokenStore = nil`
vault: Adding hooks for auth loading 2015-03-18 22:30:31 +00:00			`return nil`
			`}`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00
			`// newCredentialBackend is used to create and configure a new credential backend by name`
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`func (c *Core) newCredentialBackend(`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00			`t string, sysView logical.SystemView, view logical.Storage, conf map[string]string) (logical.Backend, error) {`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`f, ok := c.credentialBackends[t]`
			`if !ok {`
			`return nil, fmt.Errorf("unknown backend type: %s", t)`
			`}`
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00
vault: provide view to backend initializer for setup 2015-07-01 00:30:43 +00:00			`config := &logical.BackendConfig{`
Rename View to StorageView to make it more distinct from SystemView 2015-09-09 19:42:29 +00:00			`StorageView: view,`
			`Logger: c.logger,`
			`Config: conf,`
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens. 2015-09-10 01:58:09 +00:00			`System: sysView,`
vault: provide view to backend initializer for setup 2015-07-01 00:30:43 +00:00			`}`

			`b, err := f(config)`
			`if err != nil {`
			`return nil, err`
			`}`
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests. 2015-09-04 20:58:12 +00:00
vault: provide view to backend initializer for setup 2015-07-01 00:30:43 +00:00			`return b, nil`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`

			`// defaultAuthTable creates a default auth table`
vault: Switch AuthTable to using MountTable 2015-03-19 16:54:57 +00:00			`func defaultAuthTable() *MountTable {`
			`table := &MountTable{}`
			`tokenAuth := &MountEntry{`
vault: Allow deep paths for auth mounting 2015-04-03 21:24:00 +00:00			`Path: "token/",`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`Type: "token",`
			`Description: "token based credentials",`
helper/uuid: single generateUUID definition 2015-06-30 19:38:32 +00:00			`UUID: uuid.GenerateUUID(),`
vault: first pass at initializing credential backends 2015-03-18 22:46:07 +00:00			`}`
			`table.Entries = append(table.Entries, tokenAuth)`
			`return table`
			`}`