vault: integrate policy and token store into core

vault/core.go

@@ -125,6 +125,12 @@ type Core struct {
 	// rollback manager is used to run rollbacks periodically
 	rollback *RollbackManager
 
+	// policy store is used to manage named ACL policies
+	policy *PolicyStore
+
+	// toekn store is used to manage tokens
+	tokens *TokenStore
+
 	logger *log.Logger
 }
 
@@ -470,12 +476,24 @@ func (c *Core) postUnseal() error {
 	if err := c.startRollback(); err != nil {
 		return err
 	}
+	if err := c.setupPolicyStore(); err != nil {
+		return nil
+	}
+	if err := c.setupTokenStore(); err != nil {
+		return nil
+	}
 	return nil
 }
 
 // preSeal is invoked before the barrier is sealed, allowing
 // for any state teardown required.
 func (c *Core) preSeal() error {
+	if err := c.teardownTokenStore(); err != nil {
+		return err
+	}
+	if err := c.teardownPolicyStore(); err != nil {
+		return err
+	}
 	if err := c.stopRollback(); err != nil {
 		return err
 	}

vault/policy_store.go

@@ -2,32 +2,49 @@ package vault
 
 import (
 	"fmt"
-	"log"
-	"os"
 
 	"github.com/hashicorp/vault/logical"
 )
 
+const (
+	// policySubPath is the sub-path used for the policy store
+	// view. This is nested under the system view.
+	policySubPath = "policy/"
+)
+
 // PolicyStore is used to provide durable storage of policy, and to
 // manage ACLs associated with them.
 type PolicyStore struct {
-	view   *BarrierView
-	logger *log.Logger
+	view *BarrierView
 }
 
 // NewPolicyStore creates a new PolicyStore that is backed
 // using a given view. It used used to durable store and manage named policy.
-func NewPolicyStore(view *BarrierView, logger *log.Logger) *PolicyStore {
-	if logger == nil {
-		logger = log.New(os.Stderr, "", log.LstdFlags)
-	}
+func NewPolicyStore(view *BarrierView) *PolicyStore {
 	p := &PolicyStore{
-		view:   view,
-		logger: logger,
+		view: view,
 	}
 	return p
 }
 
+// setupPolicyStore is used to initialize the policy store
+// when the vault is being unsealed.
+func (c *Core) setupPolicyStore() error {
+	// Create a sub-view
+	view := c.systemView.SubView(policySubPath)
+
+	// Create the policy store
+	c.policy = NewPolicyStore(view)
+	return nil
+}
+
+// teardownPolicyStore is used to reverse setupPolicyStore
+// when the vault is being sealed.
+func (c *Core) teardownPolicyStore() error {
+	c.policy = nil
+	return nil
+}
+
 // SetPolicy is used to create or update the given policy
 func (ps *PolicyStore) SetPolicy(p *Policy) error {
 	if p.Name == "root" {

vault/policy_store_test.go

@@ -8,7 +8,7 @@ import (
 func mockPolicyStore(t *testing.T) *PolicyStore {
 	_, barrier, _ := mockBarrier(t)
 	view := NewBarrierView(barrier, "foo/")
-	p := NewPolicyStore(view, nil)
+	p := NewPolicyStore(view)
 	return p
 }
 

vault/token_store.go

@@ -23,6 +23,10 @@ const (
 	// that token names cannot be guessed as that would compromise their
 	// use.
 	tokenSaltLocation = "salt"
+
+	// tokenSubPath is the sub-path used for the token store
+	// view. This is nested under the system view.
+	tokenSubPath = "token/"
 )
 
 // TokenStore is used to manage client tokens. Tokens are used for
@@ -63,6 +67,28 @@ func NewTokenStore(view *BarrierView) (*TokenStore, error) {
 	return t, nil
 }
 
+// setupTokenStore is used to initialize the token store
+// when the vault is being unsealed.
+func (c *Core) setupTokenStore() error {
+	// Create a sub-view
+	view := c.systemView.SubView(tokenSubPath)
+
+	// Create the token store
+	ts, err := NewTokenStore(view)
+	if err != nil {
+		return err
+	}
+	c.tokens = ts
+	return nil
+}
+
+// teardownTokenStore is used to reverse setupTokenStore
+// when the vault is being sealed.
+func (c *Core) teardownTokenStore() error {
+	c.tokens = nil
+	return nil
+}
+
 // TokenEntry is used to represent a given token
 type TokenEntry struct {
 	ID       string   // ID of this entry, generally a random UUID