vault: Setup expiration manager on unseal

vault/core.go

@@ -19,10 +19,6 @@ const (
 	// it even with the Vault sealed. This is required so that we know
 	// how many secret parts must be used to reconstruct the master key.
 	coreSealConfigPath = "core/seal-config"
-
-	// expirationSubPath is the sub-path used for the expiration manager
-	// view. This is nested under the system view.
-	expirationSubPath = "expire/"
 )
 
 var (
@@ -115,6 +111,10 @@ type Core struct {
 	// systemView is the barrier view for the system backend
 	systemView *BarrierView
 
+	// expiration manager is used for managing vaultIDs,
+	// renewal, expiration and revocation
+	expiration *ExpirationManager
+
 	logger *log.Logger
 }
 
@@ -410,5 +410,8 @@ func (c *Core) postUnseal() error {
 	if err := c.setupMounts(); err != nil {
 		return err
 	}
+	if err := c.setupExpiration(); err != nil {
+		return err
+	}
 	return nil
 }

vault/expiration.go

@@ -0,0 +1,36 @@
+package vault
+
+const (
+	// expirationSubPath is the sub-path used for the expiration manager
+	// view. This is nested under the system view.
+	expirationSubPath = "expire/"
+)
+
+// ExpirationManager is used by the Core to manage leases. Secrets
+// can provide a lease, meaning that they can be renewed or revoked.
+// If a secret is not renewed in timely manner, it may be expired, and
+// the ExpirationManager will handle doing automatic revocation.
+type ExpirationManager struct {
+	view *BarrierView
+}
+
+// NewExpirationManager creates a new ExpirationManager that is backed
+// using a given view.
+func NewExpirationManager(view *BarrierView) *ExpirationManager {
+	exp := &ExpirationManager{
+		view: view,
+	}
+	return exp
+}
+
+// setupExpiration is invoked after we've loaded the mount table to
+// initialize the expiration manager
+func (c *Core) setupExpiration() error {
+	// Create a sub-view
+	view := c.systemView.SubView(expirationSubPath)
+
+	// Create the manager
+	mgr := NewExpirationManager(view)
+	c.expiration = mgr
+	return nil
+}