From 849b78daeefa31a8e124115117c3dbc45d109d56 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Tue, 15 Sep 2015 12:27:22 -0400 Subject: [PATCH] Move more cubby logic outside of router into auth setup --- vault/auth.go | 11 ++++++++- vault/auth_test.go | 22 ++++++++--------- vault/logical_cubbyhole.go | 2 +- vault/mount.go | 2 +- vault/mount_test.go | 4 ++-- vault/router.go | 49 +++++++++++++------------------------- vault/router_test.go | 4 ++-- 7 files changed, 43 insertions(+), 51 deletions(-) diff --git a/vault/auth.go b/vault/auth.go index e259d0928..4e1c5fcb9 100644 --- a/vault/auth.go +++ b/vault/auth.go @@ -106,7 +106,7 @@ func (c *Core) disableCredential(path string) error { // Store the view for this backend fullPath := credentialRoutePrefix + path - view := c.router.MatchingView(fullPath) + view := c.router.MatchingStorageView(fullPath) if view == nil { return fmt.Errorf("no matching backend") } @@ -266,6 +266,15 @@ func (c *Core) setupCredentials() error { // Check if this is the token store if entry.Type == "token" { c.tokenStore = backend.(*TokenStore) + + // this is loaded *after* the normal mounts, including cubbyhole + c.router.tokenStoreSalt = backend.(*TokenStore).salt + + c.tokenStore.cubbyConfig = cubbyholeConfig{ + revokeFunc: c.router.MatchingBackend("cubbyhole/").(*CubbyholeBackend).revoke, + storageView: c.router.MatchingStorageView("cubbyhole/"), + saltUUID: c.router.MatchingMountEntry("cubbyhole/").UUID, + } } } return nil diff --git a/vault/auth_test.go b/vault/auth_test.go index e55adea67..6b179046d 100644 --- a/vault/auth_test.go +++ b/vault/auth_test.go @@ -91,16 +91,16 @@ func TestCore_EnableCredential_twice_409(t *testing.T) { t.Fatalf("err: %v", err) } - // 2nd should be a 409 error - err2 := c.enableCredential(me) - switch err2.(type) { - case logical.HTTPCodedError: - if err2.(logical.HTTPCodedError).Code() != 409 { - t.Fatalf("invalid code given") - } - default: - t.Fatalf("expected a different error type") - } + // 2nd should be a 409 error + err2 := c.enableCredential(me) + switch err2.(type) { + case logical.HTTPCodedError: + if err2.(logical.HTTPCodedError).Code() != 409 { + t.Fatalf("invalid code given") + } + default: + t.Fatalf("expected a different error type") + } } func TestCore_EnableCredential_Token(t *testing.T) { @@ -194,7 +194,7 @@ func TestCore_DisableCredential_Cleanup(t *testing.T) { } // Store the view - view := c.router.MatchingView("auth/foo/") + view := c.router.MatchingStorageView("auth/foo/") // Inject data se := &logical.StorageEntry{ diff --git a/vault/logical_cubbyhole.go b/vault/logical_cubbyhole.go index b365c1b5a..a1eff245b 100644 --- a/vault/logical_cubbyhole.go +++ b/vault/logical_cubbyhole.go @@ -37,7 +37,7 @@ func CubbyholeBackendFactory(conf *logical.BackendConfig) (logical.Backend, erro } b.Backend.Setup(conf) - return b, nil + return &b, nil } // CubbyholeBackend is used for storing secrets directly into the physical diff --git a/vault/mount.go b/vault/mount.go index 282544946..348a89344 100644 --- a/vault/mount.go +++ b/vault/mount.go @@ -227,7 +227,7 @@ func (c *Core) unmount(path string) error { } // Store the view for this backend - view := c.router.MatchingView(path) + view := c.router.MatchingStorageView(path) // Mark the entry as tainted if err := c.taintMountEntry(path); err != nil { diff --git a/vault/mount_test.go b/vault/mount_test.go index 30bbc7573..aa90bfd4d 100644 --- a/vault/mount_test.go +++ b/vault/mount_test.go @@ -124,7 +124,7 @@ func TestCore_Unmount_Cleanup(t *testing.T) { } // Store the view - view := c.router.MatchingView("test/") + view := c.router.MatchingStorageView("test/") // Inject data se := &logical.StorageEntry{ @@ -241,7 +241,7 @@ func TestCore_Remount_Cleanup(t *testing.T) { } // Store the view - view := c.router.MatchingView("test/") + view := c.router.MatchingStorageView("test/") // Inject data se := &logical.StorageEntry{ diff --git a/vault/router.go b/vault/router.go index 697d3581c..37fad8350 100644 --- a/vault/router.go +++ b/vault/router.go @@ -29,12 +29,12 @@ func NewRouter() *Router { // routeEntry is used to represent a mount point in the router type routeEntry struct { - tainted bool - backend logical.Backend - mountEntry *MountEntry - view *BarrierView - rootPaths *radix.Tree - loginPaths *radix.Tree + tainted bool + backend logical.Backend + mountEntry *MountEntry + storageView *BarrierView + rootPaths *radix.Tree + loginPaths *radix.Tree } // SaltID is used to apply a salt and hash to an ID to make sure its not reversable @@ -44,7 +44,7 @@ func (re *routeEntry) SaltID(id string) string { // Mount is used to expose a logical backend at a given prefix, using a unique salt, // and the barrier view for that path. -func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, view *BarrierView) error { +func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error { r.l.Lock() defer r.l.Unlock() @@ -61,32 +61,15 @@ func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *Mount // Create a mount entry re := &routeEntry{ - tainted: false, - backend: backend, - mountEntry: mountEntry, - view: view, - rootPaths: pathsToRadix(paths.Root), - loginPaths: pathsToRadix(paths.Unauthenticated), + tainted: false, + backend: backend, + mountEntry: mountEntry, + storageView: storageView, + rootPaths: pathsToRadix(paths.Root), + loginPaths: pathsToRadix(paths.Unauthenticated), } r.root.Insert(prefix, re) - switch mountEntry.Type { - case "token": - // this is loaded *after* the normal mounts, including cubbyhole - r.tokenStoreSalt = backend.(*TokenStore).salt - // We still hold the lock for the tree so we can't call MatchingBackend - _, raw, ok := r.root.LongestPrefix("cubbyhole/") - if !ok { - return fmt.Errorf("unable to find cubbyhole") - } - cubbyRouteEntry := raw.(*routeEntry) - cubbyBackend := cubbyRouteEntry.backend.(CubbyholeBackend) - re.backend.(*TokenStore).cubbyConfig = cubbyholeConfig{ - revokeFunc: cubbyBackend.revoke, - storageView: cubbyRouteEntry.view, - saltUUID: cubbyRouteEntry.mountEntry.UUID, - } - } return nil } @@ -156,14 +139,14 @@ func (r *Router) MatchingMount(path string) string { } // MatchingView returns the view used for a path -func (r *Router) MatchingView(path string) *BarrierView { +func (r *Router) MatchingStorageView(path string) *BarrierView { r.l.RLock() _, raw, ok := r.root.LongestPrefix(path) r.l.RUnlock() if !ok { return nil } - return raw.(*routeEntry).view + return raw.(*routeEntry).storageView } // MatchingMountEntry returns the MountEntry used for a path @@ -240,7 +223,7 @@ func (r *Router) Route(req *logical.Request) (*logical.Response, error) { } // Attach the storage view for the request - req.Storage = re.view + req.Storage = re.storageView // Hash the request token unless this is the token backend clientToken := req.ClientToken diff --git a/vault/router_test.go b/vault/router_test.go index f7e30e6ad..79e05bf41 100644 --- a/vault/router_test.go +++ b/vault/router_test.go @@ -73,7 +73,7 @@ func TestRouter_Mount(t *testing.T) { t.Fatalf("bad: %s", path) } - if v := r.MatchingView("prod/aws/foo"); v != view { + if v := r.MatchingStorageView("prod/aws/foo"); v != view { t.Fatalf("bad: %s", v) } @@ -81,7 +81,7 @@ func TestRouter_Mount(t *testing.T) { t.Fatalf("bad: %s", path) } - if v := r.MatchingView("stage/aws/foo"); v != nil { + if v := r.MatchingStorageView("stage/aws/foo"); v != nil { t.Fatalf("bad: %s", v) }