Move more cubby logic outside of router into auth setup
This commit is contained in:
parent
bdb8cf128d
commit
849b78daee
|
@ -106,7 +106,7 @@ func (c *Core) disableCredential(path string) error {
|
|||
|
||||
// Store the view for this backend
|
||||
fullPath := credentialRoutePrefix + path
|
||||
view := c.router.MatchingView(fullPath)
|
||||
view := c.router.MatchingStorageView(fullPath)
|
||||
if view == nil {
|
||||
return fmt.Errorf("no matching backend")
|
||||
}
|
||||
|
@ -266,6 +266,15 @@ func (c *Core) setupCredentials() error {
|
|||
// Check if this is the token store
|
||||
if entry.Type == "token" {
|
||||
c.tokenStore = backend.(*TokenStore)
|
||||
|
||||
// this is loaded *after* the normal mounts, including cubbyhole
|
||||
c.router.tokenStoreSalt = backend.(*TokenStore).salt
|
||||
|
||||
c.tokenStore.cubbyConfig = cubbyholeConfig{
|
||||
revokeFunc: c.router.MatchingBackend("cubbyhole/").(*CubbyholeBackend).revoke,
|
||||
storageView: c.router.MatchingStorageView("cubbyhole/"),
|
||||
saltUUID: c.router.MatchingMountEntry("cubbyhole/").UUID,
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
|
|
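Review bot: The cubbyhole wiring added to setupCredentials (the block assigning c.tokenStore.cubbyConfig) drops the `unable to find cubbyhole` error path that the removed Router.Mount code had: if no cubbyhole mount is present, `c.router.MatchingBackend("cubbyhole/").(*CubbyholeBackend)` panics on a nil interface and `c.router.MatchingMountEntry("cubbyhole/").UUID` dereferences a nil pointer, so a recoverable setup error becomes a crash of the core while credentials are being set up. Use the comma-ok form of the assertion and check the mount entry before building the config, returning an error as the old code did. The enclosing function setupCredentials starts before the hunk, and MatchingBackend's return type is not shown here, so I am assuming it yields a nil interface when nothing matches.
```go
// … unchanged: token store lookup and tokenStoreSalt assignment …
cubbyBackend, ok := c.router.MatchingBackend("cubbyhole/").(*CubbyholeBackend)
cubbyEntry := c.router.MatchingMountEntry("cubbyhole/")
if !ok || cubbyEntry == nil {
	return fmt.Errorf("unable to find cubbyhole")
}
c.tokenStore.cubbyConfig = cubbyholeConfig{
	revokeFunc:  cubbyBackend.revoke,
	storageView: c.router.MatchingStorageView("cubbyhole/"),
	saltUUID:    cubbyEntry.UUID,
}
```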
@ -91,16 +91,16 @@ func TestCore_EnableCredential_twice_409(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
// 2nd should be a 409 error
|
||||
err2 := c.enableCredential(me)
|
||||
switch err2.(type) {
|
||||
case logical.HTTPCodedError:
|
||||
if err2.(logical.HTTPCodedError).Code() != 409 {
|
||||
t.Fatalf("invalid code given")
|
||||
}
|
||||
default:
|
||||
t.Fatalf("expected a different error type")
|
||||
}
|
||||
// 2nd should be a 409 error
|
||||
err2 := c.enableCredential(me)
|
||||
switch err2.(type) {
|
||||
case logical.HTTPCodedError:
|
||||
if err2.(logical.HTTPCodedError).Code() != 409 {
|
||||
t.Fatalf("invalid code given")
|
||||
}
|
||||
default:
|
||||
t.Fatalf("expected a different error type")
|
||||
}
|
||||
}
|
||||
|
||||
func TestCore_EnableCredential_Token(t *testing.T) {
|
||||
|
@ -194,7 +194,7 @@ func TestCore_DisableCredential_Cleanup(t *testing.T) {
|
|||
}
|
||||
|
||||
// Store the view
|
||||
view := c.router.MatchingView("auth/foo/")
|
||||
view := c.router.MatchingStorageView("auth/foo/")
|
||||
|
||||
// Inject data
|
||||
se := &logical.StorageEntry{
|
||||
|
|
|
@ -37,7 +37,7 @@ func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, erro
|
|||
}
|
||||
b.Backend.Setup(conf)
|
||||
|
||||
return b, nil
|
||||
return &b, nil
|
||||
}
|
||||
|
||||
// CubbyholeBackend is used for storing secrets directly into the physical
|
||||
|
|
|
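Review bot: Returning `&b` instead of `b` is what lets the `.(*CubbyholeBackend)` assertion in setupCredentials succeed, but nothing at the return site records that dependency, so a later cleanup could revert it and break the token-store wiring at runtime rather than at compile time. Add a comment above the return, e.g. `// Return a pointer: the token store asserts *CubbyholeBackend when wiring its cubbyhole config.` The result of `b.Backend.Setup(conf)` on the line above is discarded; if Setup can report an error that is worth surfacing, but its signature is outside this hunk. CubbyholeBackendFactory starts before the hunk.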
@ -227,7 +227,7 @@ func (c *Core) unmount(path string) error {
|
|||
}
|
||||
|
||||
// Store the view for this backend
|
||||
view := c.router.MatchingView(path)
|
||||
view := c.router.MatchingStorageView(path)
|
||||
|
||||
// Mark the entry as tainted
|
||||
if err := c.taintMountEntry(path); err != nil {
|
||||
|
|
|
@ -124,7 +124,7 @@ func TestCore_Unmount_Cleanup(t *testing.T) {
|
|||
}
|
||||
|
||||
// Store the view
|
||||
view := c.router.MatchingView("test/")
|
||||
view := c.router.MatchingStorageView("test/")
|
||||
|
||||
// Inject data
|
||||
se := &logical.StorageEntry{
|
||||
|
@ -241,7 +241,7 @@ func TestCore_Remount_Cleanup(t *testing.T) {
|
|||
}
|
||||
|
||||
// Store the view
|
||||
view := c.router.MatchingView("test/")
|
||||
view := c.router.MatchingStorageView("test/")
|
||||
|
||||
// Inject data
|
||||
se := &logical.StorageEntry{
|
||||
|
|
|
@ -29,12 +29,12 @@ func NewRouter() *Router {
|
|||
|
||||
// routeEntry is used to represent a mount point in the router
|
||||
type routeEntry struct {
|
||||
tainted bool
|
||||
backend logical.Backend
|
||||
mountEntry *MountEntry
|
||||
view *BarrierView
|
||||
rootPaths *radix.Tree
|
||||
loginPaths *radix.Tree
|
||||
tainted bool
|
||||
backend logical.Backend
|
||||
mountEntry *MountEntry
|
||||
storageView *BarrierView
|
||||
rootPaths *radix.Tree
|
||||
loginPaths *radix.Tree
|
||||
}
|
||||
|
||||
// SaltID is used to apply a salt and hash to an ID to make sure its not reversable
|
||||
|
@ -44,7 +44,7 @@ func (re *routeEntry) SaltID(id string) string {
|
|||
|
||||
// Mount is used to expose a logical backend at a given prefix, using a unique salt,
|
||||
// and the barrier view for that path.
|
||||
func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, view *BarrierView) error {
|
||||
func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error {
|
||||
r.l.Lock()
|
||||
defer r.l.Unlock()
|
||||
|
||||
|
@ -61,32 +61,15 @@ func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *Mount
|
|||
|
||||
// Create a mount entry
|
||||
re := &routeEntry{
|
||||
tainted: false,
|
||||
backend: backend,
|
||||
mountEntry: mountEntry,
|
||||
view: view,
|
||||
rootPaths: pathsToRadix(paths.Root),
|
||||
loginPaths: pathsToRadix(paths.Unauthenticated),
|
||||
tainted: false,
|
||||
backend: backend,
|
||||
mountEntry: mountEntry,
|
||||
storageView: storageView,
|
||||
rootPaths: pathsToRadix(paths.Root),
|
||||
loginPaths: pathsToRadix(paths.Unauthenticated),
|
||||
}
|
||||
r.root.Insert(prefix, re)
|
||||
|
||||
switch mountEntry.Type {
|
||||
case "token":
|
||||
// this is loaded *after* the normal mounts, including cubbyhole
|
||||
r.tokenStoreSalt = backend.(*TokenStore).salt
|
||||
// We still hold the lock for the tree so we can't call MatchingBackend
|
||||
_, raw, ok := r.root.LongestPrefix("cubbyhole/")
|
||||
if !ok {
|
||||
return fmt.Errorf("unable to find cubbyhole")
|
||||
}
|
||||
cubbyRouteEntry := raw.(*routeEntry)
|
||||
cubbyBackend := cubbyRouteEntry.backend.(CubbyholeBackend)
|
||||
re.backend.(*TokenStore).cubbyConfig = cubbyholeConfig{
|
||||
revokeFunc: cubbyBackend.revoke,
|
||||
storageView: cubbyRouteEntry.view,
|
||||
saltUUID: cubbyRouteEntry.mountEntry.UUID,
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -156,14 +139,14 @@ func (r *Router) MatchingMount(path string) string {
|
|||
}
|
||||
|
||||
// MatchingView returns the view used for a path
|
||||
func (r *Router) MatchingView(path string) *BarrierView {
|
||||
func (r *Router) MatchingStorageView(path string) *BarrierView {
|
||||
r.l.RLock()
|
||||
_, raw, ok := r.root.LongestPrefix(path)
|
||||
r.l.RUnlock()
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
return raw.(*routeEntry).view
|
||||
return raw.(*routeEntry).storageView
|
||||
}
|
||||
|
||||
// MatchingMountEntry returns the MountEntry used for a path
|
||||
|
@ -240,7 +223,7 @@ func (r *Router) Route(req *logical.Request) (*logical.Response, error) {
|
|||
}
|
||||
|
||||
// Attach the storage view for the request
|
||||
req.Storage = re.view
|
||||
req.Storage = re.storageView
|
||||
|
||||
// Hash the request token unless this is the token backend
|
||||
clientToken := req.ClientToken
|
||||
|
|
|
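Review bot: The doc comment above the renamed method in the `-156,14 +139,14` hunk still reads `// MatchingView returns the view used for a path`, so the godoc no longer starts with the exported name MatchingStorageView and the stale name will keep showing up in searches. Change it to `// MatchingStorageView returns the storage view used for a path.` MatchingStorageView is shown in full within that hunk; the field and parameter renames in the other router.go hunks already use the storageView name consistently.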
@ -73,7 +73,7 @@ func TestRouter_Mount(t *testing.T) {
|
|||
t.Fatalf("bad: %s", path)
|
||||
}
|
||||
|
||||
if v := r.MatchingView("prod/aws/foo"); v != view {
|
||||
if v := r.MatchingStorageView("prod/aws/foo"); v != view {
|
||||
t.Fatalf("bad: %s", v)
|
||||
}
|
||||
|
||||
|
@ -81,7 +81,7 @@ func TestRouter_Mount(t *testing.T) {
|
|||
t.Fatalf("bad: %s", path)
|
||||
}
|
||||
|
||||
if v := r.MatchingView("stage/aws/foo"); v != nil {
|
||||
if v := r.MatchingStorageView("stage/aws/foo"); v != nil {
|
||||
t.Fatalf("bad: %s", v)
|
||||
}
|
||||
|
||||
|
|