c349e97168
/cc @armon - This is a reasonably major refactor that I think cleans up a lot of the logic with secrets in responses. The reason for the refactor is that while implementing Renew/Revoke in logical/framework I found the existing API to be really awkward to work with. Primarily, we needed a way to send down internal data for Vault core to store since not all the data you need to revoke a key is always sent down to the user (for example the user that the AWS key belongs to). At first, I was doing this manually in logical/framework with req.Storage, but this is going to be such a common event that I think it's something core should assist with. Additionally, I think the added context for secrets will be useful in the future when we have a Vault API for returning orphaned out keys: we can also return the internal data that might help an operator. So this leads me to this refactor. I've removed most of the fields in `logical.Response` and replaced it with a single `*Secret` pointer. If this is non-nil, then the response represents a secret. The Secret struct encapsulates all the lease info and such. It also has some fields on it that are only populated at _request_ time for Revoke/Renew operations. There is precedent for this sort of behavior in the Go stdlib where http.Request/http.Response have fields that differ based on client/server. I copied this style. All core unit tests pass. The APIs fail for obvious reasons but I'll fix that up in the next commit.
48 lines
1.4 KiB
Go
```go
package logical

import (
	"fmt"
	"time"
)

// Secret represents the secret part of a response.
type Secret struct {
	// InternalData is JSON-encodable data that is stored with the secret.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData map[string]interface{} `json:"internal_data"`

	// Lease is the duration that this secret is valid for. Vault
	// will automatically revoke it after the duration + grace period.
	Lease            time.Duration `json:"lease"`
	LeaseGracePeriod time.Duration `json:"lease_grace_period"`

	// Renewable, if true, means that this secret can be renewed.
	Renewable bool `json:"renewable"`

	// LeaseIncrement will be the lease increment that the user requested.
	// This is only available on a Renew operation and has no effect
	// when returning a response.
	LeaseIncrement time.Duration `json:"-"`

	// VaultID is the ID returned to the user to represent this secret.
	// This is generated by Vault core. Any set value will be ignored.
	// For requests, this will always be blank.
	VaultID string
}

// Validate checks the lease settings on a response secret. A zero or
// negative lease is rejected, as is a negative grace period.
func (s *Secret) Validate() error {
	if s.Lease <= 0 {
		return fmt.Errorf("lease duration must be greater than zero")
	}
	if s.LeaseGracePeriod < 0 {
		return fmt.Errorf("lease grace period must not be less than zero")
	}

	return nil
}

// GoString prints the pointed-to struct so that %#v output is readable.
func (s *Secret) GoString() string {
	return fmt.Sprintf("*%#v", *s)
}
```
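The round trip the commit message describes, as an added stand-alone example rather than Vault's own code: a backend returns a `Secret` whose `InternalData` carries the owning user, a hypothetical `Core` stores it under an opaque `VaultID`, and on revoke it replays the stored `InternalData` to the backend, so the client never has to supply data it was never given. `Core`, `Store`, `Revoke`, `RevokeFn` and the `"username"` key are constructed for this demo; `Secret` is a trimmed copy of the page's struct.

```go
package main

import (
	"fmt"
	"time"
)

// Secret is a constructed copy of the page's logical.Secret fields used here.
type Secret struct {
	InternalData map[string]interface{}
	Lease        time.Duration
	VaultID      string
}

// Core is a hypothetical stand-in for Vault core (not the project's code).
type Core struct {
	Leases   map[string]*Secret
	RevokeFn func(internal map[string]interface{}) error
}

// Store validates the lease, assigns the client-visible ID and keeps
// the secret, including its InternalData, server-side.
func (c *Core) Store(s *Secret, id string) (string, error) {
	if s.Lease <= 0 {
		return "", fmt.Errorf("lease duration must be greater than zero")
	}
	s.VaultID = id
	c.Leases[id] = s
	return id, nil
}

// Revoke replays the stored InternalData to the backend, then drops the lease.
func (c *Core) Revoke(id string) error {
	s, ok := c.Leases[id]
	if !ok {
		return fmt.Errorf("unknown vault id %q", id)
	}
	if err := c.RevokeFn(s.InternalData); err != nil {
		return err
	}
	delete(c.Leases, id)
	return nil
}

func main() {
	// Backend stand-in: the owning IAM user travels only inside InternalData.
	core := &Core{Leases: map[string]*Secret{}, RevokeFn: func(in map[string]interface{}) error {
		fmt.Println("revoking keys owned by", in["username"])
		return nil
	}}
	id, _ := core.Store(&Secret{InternalData: map[string]interface{}{"username": "app-user"}, Lease: time.Hour}, "aws/creds/1")
	fmt.Println(core.Revoke(id)) // <nil>
}
```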