logical: move cred stuff over here

2015-03-30 17:46:18 -07:00 · 2015-03-30 17:46:18 -07:00 · 62ee621ea3
parent 2c3657f4fe
commit 62ee621ea3
10 changed files with 54 additions and 51 deletions
--- a/credential/credential.go
+++ b/credential/credential.go
@ -27,12 +27,6 @@ const (
 type Backend interface {
 	logical.Backend

-	// LoginPaths is a list of paths that are unauthenticated and used
-	// only for logging in. These paths cannot be reached via HandleRequest,
-	// and are sent to HandleLogin instead. Paths are enforced exactly
-	// or using a prefix match if they end in '*'
-	LoginPaths() []string
-
 	// HandleLogin is used to handle a login request and generate a response.
 	// The backend is allowed to ignore this request if it is not applicable.
 	HandleLogin(req *Request) (*Response, error)
--- a/logical/framework/backend.go
+++ b/logical/framework/backend.go
@ -21,12 +21,12 @@ type Backend struct {
 	// paths, including adding or removing, is not allowed once the
 	// backend is in use).
 	//
-	// PathsRoot is the list of path patterns that denote the
-	// paths above that require root-level privileges. These can't be
+	// PathsSpecial is the list of path patterns that denote the
+	// paths above that require special privileges. These can't be
 	// regular expressions, it is either exact match or prefix match.
 	// For prefix match, append '*' as a suffix.
-	Paths     []*Path
-	PathsRoot []string
+	Paths        []*Path
+	PathsSpecial *logical.Paths

 	// Secrets is the list of secret types that this backend can
 	// return. It is used to automatically generate proper responses,
@ -105,8 +105,8 @@ func (b *Backend) HandleRequest(req *logical.Request) (*logical.Response, error)
 }

 // logical.Backend impl.
-func (b *Backend) RootPaths() []string {
-	return b.PathsRoot
+func (b *Backend) SpecialPaths() *logical.Paths {
+	return b.PathsSpecial
 }

 // Route looks up the path that would be used for a given path string.
--- a/logical/logical.go
+++ b/logical/logical.go
@ -13,12 +13,23 @@ type Backend interface {
 	// The backends must check the operation type and handle appropriately.
 	HandleRequest(*Request) (*Response, error)

-	// RootPaths is a list of paths that require root level privileges.
-	// These paths will be enforced by the router so that backends do
-	// not need to handle the authorization. Paths are enforced exactly
-	// or using a prefix match if they end in '*'
-	RootPaths() []string
+	// SpecialPaths is a list of paths that are special in some way.
+	// See PathType for the types of special paths. The key is the type
+	// of the special path, and the value is a list of paths for this type.
+	// This is not a regular expression but is an exact match. If the path
+	// ends in '*' then it is a prefix-based match. The '*' can only appear
+	// at the end.
+	SpecialPaths() *Paths
 }

 // Factory is the factory function to create a logical backend.
 type Factory func(map[string]string) (Backend, error)
+
+// Paths is the structure of special paths that is used for SpecialPaths.
+type Paths struct {
+	// Root are the paths that require a root token to access
+	Root []string
+
+	// Unauthenticated are the paths that can be accessed without any auth.
+	Unauthenticated []string
+}
--- a/vault/auth_test.go
+++ b/vault/auth_test.go
@ -30,12 +30,11 @@ func (n *NoopCred) HandleRequest(req *logical.Request) (*logical.Response, error
 	return n.Response, nil
 }

-func (n *NoopCred) RootPaths() []string {
-	return n.Root
-}
-
-func (n *NoopCred) LoginPaths() []string {
-	return n.Login
+func (n *NoopCred) SpecialPaths() *logical.Paths {
+	return &logical.Paths{
+		Root:            n.Root,
+		Unauthenticated: n.Login,
+	}
 }

 func (n *NoopCred) HandleLogin(req *credential.Request) (*credential.Response, error) {
--- a/vault/logical_passthrough_test.go
+++ b/vault/logical_passthrough_test.go
@ -10,8 +10,8 @@ import (

 func TestPassthroughBackend_RootPaths(t *testing.T) {
 	b := testPassthroughBackend()
-	root := b.RootPaths()
-	if len(root) != 0 {
+	root := b.SpecialPaths()
+	if root != nil {
 		t.Fatalf("unexpected: %v", root)
 	}
 }
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -12,13 +12,15 @@ func NewSystemBackend(core *Core) logical.Backend {
 	b := &SystemBackend{Core: core}

 	return &framework.Backend{
-		PathsRoot: []string{
-			"mounts/*",
-			"auth/*",
-			"remount",
-			"revoke-prefix/*",
-			"policy",
-			"policy/*",
+		PathsSpecial: &logical.Paths{
+			Root: []string{
+				"mounts/*",
+				"auth/*",
+				"remount",
+				"revoke-prefix/*",
+				"policy",
+				"policy/*",
+			},
 		},

 		Paths: []*framework.Path{
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@ -19,7 +19,7 @@ func TestSystemBackend_RootPaths(t *testing.T) {
 	}

 	b := testSystemBackend(t)
-	actual := b.RootPaths()
+	actual := b.SpecialPaths().Root
 	if !reflect.DeepEqual(actual, expected) {
 		t.Fatalf("bad: %#v", actual)
 	}
--- a/vault/router.go
+++ b/vault/router.go
@ -42,21 +42,18 @@ func (r *Router) Mount(backend logical.Backend, prefix string, view *BarrierView
 		return fmt.Errorf("cannot mount under existing mount '%s'", existing)
 	}

-	// Get the root paths
-	rootPaths := pathsToRadix(backend.RootPaths())
-
-	// Check if this is a credential backend, calculate the login paths
-	var loginPaths *radix.Tree
-	if cred, ok := backend.(credential.Backend); ok {
-		loginPaths = pathsToRadix(cred.LoginPaths())
+	// Build the paths
+	paths := backend.SpecialPaths()
+	if paths == nil {
+		paths = new(logical.Paths)
 	}

 	// Create a mount entry
 	me := &mountEntry{
 		backend:    backend,
 		view:       view,
-		rootPaths:  rootPaths,
-		loginPaths: loginPaths,
+		rootPaths:  pathsToRadix(paths.Root),
+		loginPaths: pathsToRadix(paths.Unauthenticated),
 	}
 	r.root.Insert(prefix, me)
 	return nil
@ -228,8 +225,8 @@ func (r *Router) LoginPath(path string) bool {
 	return match == remain
 }

-// pathsToRadix converts a list of paths potentially ending with
-// a wildcard expansion "*" into a radix tree.
+// pathsToRadix converts a the mapping of special paths to a mapping
+// of special paths to radix trees.
 func pathsToRadix(paths []string) *radix.Tree {
 	tree := radix.New()
 	for _, path := range paths {
@ -238,7 +235,9 @@ func pathsToRadix(paths []string) *radix.Tree {
 		if prefixMatch {
 			path = path[:len(path)-1]
 		}
+
 		tree.Insert(path, prefixMatch)
 	}
+
 	return tree
 }
--- a/vault/router_test.go
+++ b/vault/router_test.go
@ -25,8 +25,10 @@ func (n *NoopBackend) HandleRequest(req *logical.Request) (*logical.Response, er
 	return n.Response, nil
 }

-func (n *NoopBackend) RootPaths() []string {
-	return n.Root
+func (n *NoopBackend) SpecialPaths() *logical.Paths {
+	return &logical.Paths{
+		Root: n.Root,
+	}
 }

 func TestRouter_Mount(t *testing.T) {
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -317,11 +317,7 @@ func (ts *TokenStore) HandleRequest(req *logical.Request) (*logical.Response, er
 	return nil, logical.ErrUnsupportedPath
 }

-func (ts *TokenStore) RootPaths() []string {
-	return nil
-}
-
-func (ts *TokenStore) LoginPaths() []string {
+func (ts *TokenStore) SpecialPaths() *logical.Paths {
 	return nil
 }