diff --git a/http/logical_test.go b/http/logical_test.go
index 3de658286..7d48c6c36 100644
--- a/http/logical_test.go
+++ b/http/logical_test.go
@@ -155,6 +155,7 @@ func TestLogical_CreateToken(t *testing.T) {
 	})
 	var actual map[string]interface{}
+	var nilWarnings interface{}
 	expected := map[string]interface{}{
 		"lease_id": "",
 		"renewable": false,
@@ -166,7 +167,7 @@ func TestLogical_CreateToken(t *testing.T) {
 			"lease_duration": float64(0),
 			"renewable": false,
 		},
-		"warnings": []interface{}{"policy \"root\" does not exist"},
+		"warnings": nilWarnings,
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
diff --git a/vault/core.go b/vault/core.go
index 83e401372..afd6d4e61 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -237,7 +237,7 @@ type Core struct {
 	rollback *RollbackManager
 	// policy store is used to manage named ACL policies
-	policy *PolicyStore
+	policyStore *PolicyStore
 	// token store is used to manage authentication tokens
 	tokenStore *TokenStore
@@ -697,7 +697,7 @@ func (c *Core) checkToken(
 	}
 	// Construct the corresponding ACL object
-	acl, err := c.policy.ACL(te.Policies...)
+	acl, err := c.policyStore.ACL(te.Policies...)
 	if err != nil {
 		c.logger.Printf("[ERR] core: failed to construct ACL: %v", err)
 		return nil, nil, ErrInternalError
diff --git a/vault/dynamic_system_view.go b/vault/dynamic_system_view.go
index 703a25a06..c8d04a344 100644
--- a/vault/dynamic_system_view.go
+++ b/vault/dynamic_system_view.go
@@ -32,7 +32,7 @@ func (d dynamicSystemView) SudoPrivilege(path string, token string) bool {
 	}
 	// Construct the corresponding ACL object
-	acl, err := d.core.policy.ACL(te.Policies...)
+	acl, err := d.core.policyStore.ACL(te.Policies...)
 	if err != nil {
 		d.core.logger.Printf("[ERR] failed to retrieve ACL for policies [%#v]: %s", te.Policies, err)
 		return false
diff --git a/vault/logical_system.go b/vault/logical_system.go
index ee8c0c355..73bbb5f56 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
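Review bot: In the second hunk of http/logical_test.go, `"warnings": nilWarnings` inside a `map[string]interface{}` literal stores the same nil interface value that `"warnings": nil,` would, so the `var nilWarnings interface{}` added in the first hunk adds an indirection without changing the comparison and can be dropped. Nothing else in this commit touches how warnings are produced (the remaining hunks rename a field), so the reason the `policy "root" does not exist` warning is no longer expected is not visible from the diff; a one-line comment on the expectation, such as `// the token create response is expected to carry no warnings`, would record the intent. If the warning went away because of a change outside this commit, naming it in the commit message would help whoever bisects this test later.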
@@ -741,7 +741,7 @@ func (b *SystemBackend) handleDisableAuth(
 func (b *SystemBackend) handlePolicyList(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	// Get all the configured policies
-	policies, err := b.Core.policy.ListPolicies()
+	policies, err := b.Core.policyStore.ListPolicies()
 	// Add the special "root" policy
 	policies = append(policies, "root")
@@ -753,7 +753,7 @@ func (b *SystemBackend) handlePolicyRead(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	name := data.Get("name").(string)
-	policy, err := b.Core.policy.GetPolicy(name)
+	policy, err := b.Core.policyStore.GetPolicy(name)
 	if err != nil {
 		return handleError(err)
 	}
@@ -786,7 +786,7 @@ func (b *SystemBackend) handlePolicySet(
 	parse.Name = strings.ToLower(name)
 	// Update the policy
-	if err := b.Core.policy.SetPolicy(parse); err != nil {
+	if err := b.Core.policyStore.SetPolicy(parse); err != nil {
 		return handleError(err)
 	}
 	return nil, nil
@@ -796,7 +796,7 @@ func (b *SystemBackend) handlePolicySet(
 func (b *SystemBackend) handlePolicyDelete(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	name := data.Get("name").(string)
-	if err := b.Core.policy.DeletePolicy(name); err != nil {
+	if err := b.Core.policyStore.DeletePolicy(name); err != nil {
 		return handleError(err)
 	}
 	return nil, nil
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index 19dcc5f3c..f1a621f07 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -682,7 +682,7 @@ func TestSystemBackend_rawWrite(t *testing.T) {
 	}
 	// Read the policy!
-	p, err := c.policy.GetPolicy("test")
+	p, err := c.policyStore.GetPolicy("test")
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -709,7 +709,7 @@ func TestSystemBackend_rawDelete(t *testing.T) {
 	// set the policy!
 	p := &Policy{Name: "test"}
-	err := c.policy.SetPolicy(p)
+	err := c.policyStore.SetPolicy(p)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
@@ -725,8 +725,8 @@ func TestSystemBackend_rawDelete(t *testing.T) {
 	}
 	// Policy should be gone
-	c.policy.lru.Purge()
-	out, err := c.policy.GetPolicy("test")
+	c.policyStore.lru.Purge()
+	out, err := c.policyStore.GetPolicy("test")
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
diff --git a/vault/policy_store.go b/vault/policy_store.go
index bef087ef5..81aa175f4 100644
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -49,14 +49,25 @@ func (c *Core) setupPolicyStore() error {
 	view := c.systemBarrierView.SubView(policySubPath)
 	// Create the policy store
-	c.policy = NewPolicyStore(view)
+	c.policyStore = NewPolicyStore(view)
+
+	/*
+	// Ensure that the default policy exists, and if not, create it
+	policy, err := c.policyStore.GetPolicy("default")
+	if err != nil {
+		return errwrap.Wrapf("error fetching default policy from store: {{err}}", err)
+	}
+	if policy == nil {
+		c.policyStore.createDefaultPolicy()
+	}
+	*/
 	return nil
 }
 // teardownPolicyStore is used to reverse setupPolicyStore
 // when the vault is being sealed.
 func (c *Core) teardownPolicyStore() error {
-	c.policy = nil
+	c.policyStore = nil
 	return nil
 }
@@ -187,3 +198,9 @@ func (ps *PolicyStore) ACL(names ...string) (*ACL, error) {
 	}
 	return acl, nil
 }
+
+/*
+func (ps *PolicyStore) createDefaultPolicy() error {
+	return nil
+}
+*/
diff --git a/vault/token_store.go b/vault/token_store.go
index ea9665e6a..9bbccf9d5 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -61,8 +61,8 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error) {
 		view: view,
 	}
-	if c.policy != nil {
-		t.policyLookupFunc = c.policy.GetPolicy
+	if c.policyStore != nil {
+		t.policyLookupFunc = c.policyStore.GetPolicy
 	}
 	// Setup the salt
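Review bot: The `/* … */` block added after `c.policyStore = NewPolicyStore(view)` in setupPolicyStore, and the matching `createDefaultPolicy` stub in the second vault/policy_store.go hunk, are commented-out code committed as a placeholder; a `// TODO: ensure the "default" policy exists when the store is set up` comment (or leaving the sketch out of this rename commit) would avoid shipping dead code that still has to be kept in step with future renames. If the sketch is kept and later enabled as written, `c.policyStore.createDefaultPolicy()` discards its error return, so a failure to create the default policy would pass silently; `if err := c.policyStore.createDefaultPolicy(); err != nil { return err }` would surface it the same way the `GetPolicy` error above it is surfaced. The block also calls `errwrap.Wrapf`, so confirm that package is imported in policy_store.go before uncommenting.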