vault: Setup the mount tables after load

2015-03-11 15:50:27 -07:00 · 2015-03-11 15:50:27 -07:00 · b212890043
parent 10afebabdd
commit b212890043
2 changed files with 48 additions and 11 deletions
--- a/vault/core.go
+++ b/vault/core.go
@ -121,13 +121,6 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 		sealed:   true,
 		logger:   conf.logger,
 	}
-
-	// Create and mount the system backend
-	sys := &SystemBackend{
-		core: c,
-	}
-	c.router.Mount(sys, "system", "sys/", nil)
-
 	return c, nil
 }

@ -149,10 +142,13 @@ func (c *Core) HandleRequest(req *Request) (*Response, error) {
 func (c *Core) Initialized() (bool, error) {
 	// Check the barrier first
 	init, err := c.barrier.Initialized()
-	if err != nil || !init {
+	if err != nil {
 		c.logger.Printf("[ERR] core: barrier init check failed: %v", err)
 		return false, err
 	}
+	if !init {
+		return false, nil
+	}
 	if !init {
 		c.logger.Printf("[INFO] core: security barrier not initialized")
 		return false, nil
@ -377,5 +373,8 @@ func (c *Core) postUnseal() error {
 	if err := c.loadMounts(); err != nil {
 		return err
 	}
+	if err := c.setupMounts(); err != nil {
+		return err
+	}
 	return nil
 }
--- a/vault/mount.go
+++ b/vault/mount.go
@ -10,6 +10,15 @@ const (
 	// Mounts are protected within the Vault itself, which means they
 	// can only be viewed or modified after an unseal.
 	coreMountConfigPath = "core/mounts"
+
+	// backendBarrierPrefix is the prefix to the UUID used in the
+	// barrier view for the backends.
+	backendBarrierPrefix = "logical/"
+)
+
+var (
+	// loadMountsFailed if loadMounts encounters an error
+	loadMountsFailed = errors.New("failed to setup mount table")
 )

 // MountTable is used to represent the internal mount table
@ -31,13 +40,13 @@ func (c *Core) loadMounts() error {
 	raw, err := c.barrier.Get(coreMountConfigPath)
 	if err != nil {
 		c.logger.Printf("[ERR] core: failed to read mount table: %v", err)
-		return errors.New("failed to setup mount table")
+		return loadMountsFailed
 	}
 	if raw != nil {
 		c.mounts = &MountTable{}
 		if err := json.Unmarshal(raw.Value, c.mounts); err != nil {
 			c.logger.Printf("[ERR] core: failed to decode mount table: %v", err)
-			return errors.New("failed to setup mount table")
+			return loadMountsFailed
 		}
 	}

@ -49,7 +58,7 @@ func (c *Core) loadMounts() error {
 	// Create and persist the default mount table
 	c.mounts = defaultMountTable()
 	if err := c.persistMounts(); err != nil {
-		return errors.New("failed to setup mount table")
+		return loadMountsFailed
 	}
 	return nil
 }
@ -77,6 +86,35 @@ func (c *Core) persistMounts() error {
 	return nil
 }

+// setupMounts is invoked after we've loaded the mount table to
+// initialize the logical backends and setup the router
+func (c *Core) setupMounts() error {
+	var backend LogicalBackend
+	var err error
+	for _, entry := range c.mounts.Entries {
+		// Initialize the backend, special casing for system
+		if entry.Type == "system" {
+			backend = &SystemBackend{core: c}
+		} else {
+			backend, err = NewBackend(entry.Type, nil)
+			if err != nil {
+				c.logger.Printf("[ERR] core: failed to create mount entry %#v: %v", entry, err)
+				return loadMountsFailed
+			}
+		}
+
+		// Create a barrier view using the UUID
+		view := NewBarrierView(c.barrier, backendBarrierPrefix+entry.UUID+"/")
+
+		// Mount the backend
+		if err := c.router.Mount(backend, entry.Type, entry.Path, view); err != nil {
+			c.logger.Printf("[ERR] core: failed to mount entry %#v: %v", entry, err)
+			return loadMountsFailed
+		}
+	}
+	return nil
+}
+
 // defaultMountTable creates a default mount table
 func defaultMountTable() *MountTable {
 	table := &MountTable{}