authorKiran Kamineni <kiran.k.kamineni@intel.com>2018-03-02 12:49:06 -0800
committerGirish Havaldar <hg0071052@techmahindra.com>2018-03-06 05:06:24 +0000
commitef8434768db4b99b69ae8bd0c0ec515041f618c0 (patch)
treeb6ecb32ebd4695a8fcd601907c7e539cf804c168
parent5a4dfbf75e292a03d73c5a7690d78547b45ffc88 (diff)
Init role does not depend on vault state
Role initialization should not depend on vault state. SMS start is independent of vault state. Any calls to SMS will fail since the backend is not active yet.
Issue-ID: AAF-155
Change-Id: I810eb145b4eab4717dede12e79880aced08caaa2
Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
-rw-r--r--sms-service/src/sms/backend/backend.go2
-rw-r--r--sms-service/src/sms/backend/backend_test.go8
-rw-r--r--sms-service/src/sms/backend/vault.go58
-rw-r--r--sms-service/src/sms/handler/handler_test.go4
-rw-r--r--sms-service/src/sms/smsconfig.json2
5 files changed, 26 insertions, 48 deletions
diff --git a/sms-service/src/sms/backend/backend.go b/sms-service/src/sms/backend/backend.go
index a1055e6..61af995 100644
--- a/sms-service/src/sms/backend/backend.go
+++ b/sms-service/src/sms/backend/backend.go
@@ -46,9 +46,7 @@ type SecretBackend interface {
Init() error
GetStatus() (bool, error)
- GetSecretDomain(name string) (SecretDomain, error)
GetSecret(dom string, sec string) (Secret, error)
-
ListSecret(dom string) ([]string, error)
CreateSecretDomain(name string) (SecretDomain, error)
diff --git a/sms-service/src/sms/backend/backend_test.go b/sms-service/src/sms/backend/backend_test.go
index 92ca971..674c03f 100644
--- a/sms-service/src/sms/backend/backend_test.go
+++ b/sms-service/src/sms/backend/backend_test.go
@@ -28,10 +28,10 @@ func TestInitSecretBackend(t *testing.T) {
sec, err := InitSecretBackend()
// We expect an error to be returned as Init expects
// backend to be running
- if err == nil {
- t.Fatal("InitSecretBackend : error creating")
+ if err != nil {
+ t.Fatal("InitSecretBackend : Expected nil as Init is independent of Vault")
}
- if sec != nil {
- t.Fatal("InitSecretBackend: returned SecretBackend was *NOT* nil, expected nil")
+ if sec == nil {
+ t.Fatal("InitSecretBackend: returned SecretBackend was nil")
}
}
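Review bot: The two comment lines above the first `if` still say an error is expected because Init needs the backend to be running, but the assertions right below now require `err == nil` and a non-nil backend, so the comment contradicts what the test checks. Suggest replacing both lines with `// Init is independent of Vault state, so it must succeed and return a backend even when no Vault is reachable`. TestInitSecretBackend starts outside the hunk.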
diff --git a/sms-service/src/sms/backend/vault.go b/sms-service/src/sms/backend/vault.go
index c3bbbc5..d92ac43 100644
--- a/sms-service/src/sms/backend/vault.go
+++ b/sms-service/src/sms/backend/vault.go
@@ -22,7 +22,6 @@ import (
"errors"
"fmt"
- "log"
"strings"
"sync"
"time"
@@ -30,19 +29,17 @@ import (
// Vault is the main Struct used in Backend to initialize the struct
type Vault struct {
- vaultAddress string
- vaultToken string
- vaultMount string
- vaultTempToken string
-
- vaultClient *vaultapi.Client
engineType string
+ initRoleDone bool
policyName string
roleID string
secretID string
+ tokenLock sync.Mutex
+ vaultAddress string
+ vaultClient *vaultapi.Client
+ vaultMount string
vaultTempTokenTTL time.Time
-
- tokenLock sync.Mutex
+ vaultToken string
}
// Init will initialize the vault connection
@@ -57,25 +54,16 @@ func (v *Vault) Init() error {
}
v.engineType = "kv"
+ v.initRoleDone = false
v.policyName = "smsvaultpolicy"
- v.vaultMount = "sms"
v.vaultClient = client
-
- // Check if vault is ready and unsealed
- seal, err := v.GetStatus()
- if err != nil {
- return err
- }
- if seal == true {
- return fmt.Errorf("Vault is still sealed. Unseal before use")
- }
+ v.vaultMount = "sms"
err = v.initRole()
if err != nil {
- log.Fatalln("Unable to initRole in Vault. Exiting...")
+ //print error message and try to initrole later
}
- v.checkToken()
return nil
}
@@ -90,12 +78,6 @@ func (v *Vault) GetStatus() (bool, error) {
return sealStatus.Sealed, nil
}
-// GetSecretDomain returns any information related to the secretDomain
-// More information can be added in the future with updates to the struct
-func (v *Vault) GetSecretDomain(name string) (SecretDomain, error) {
- return SecretDomain{}, nil
-}
-
// GetSecret returns a secret mounted on a particular domain name
// The secret itself is referenced via its name which translates to
// a mount path in vault
@@ -191,6 +173,7 @@ func (v *Vault) CreateSecret(dom string, sec Secret) error {
dom = v.vaultMount + "/" + dom
// Vault return is empty on successful write
+ // TODO: Check if values is not empty
_, err = v.vaultClient.Logical().Write(dom+"/"+sec.Name, sec.Values)
if err != nil {
return errors.New("Unable to create Secret at provided path")
@@ -255,13 +238,7 @@ func (v *Vault) initRole() error {
"policies": [2]string{"default", v.policyName},
}
- // Delete role if it already exists
- _, err = v.vaultClient.Logical().Delete("auth/approle/role/" + rName)
- if err != nil {
- return errors.New("Unable to delete existing role")
- }
-
- //Check if approle is mounted
+ //Check if applrole is mounted
authMounts, err := v.vaultClient.Sys().ListAuth()
if err != nil {
return errors.New("Unable to get mounted auth backends")
@@ -296,7 +273,7 @@ func (v *Vault) initRole() error {
}
v.secretID = sec.Data["secret_id"].(string)
-
+ v.initRoleDone = true
return nil
}
@@ -306,6 +283,14 @@ func (v *Vault) checkToken() error {
v.tokenLock.Lock()
defer v.tokenLock.Unlock()
+ // Init Role if it is not yet done
+ if v.initRoleDone == false {
+ err := v.initRole()
+ if err != nil {
+ return err
+ }
+ }
+
// Return immediately if token still has life
if v.vaultClient.Token() != "" &&
time.Since(v.vaultTempTokenTTL) < time.Minute*50 {
@@ -321,8 +306,7 @@ func (v *Vault) checkToken() error {
tok, err := out.TokenID()
- v.vaultTempToken = tok
v.vaultTempTokenTTL = time.Now()
- v.vaultClient.SetToken(v.vaultTempToken)
+ v.vaultClient.SetToken(tok)
return nil
}
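Review bot: In the Init hunk (`@@ -57,25 +54,16 @@`) the error from `v.initRole()` is dropped into an empty `if err != nil { }` body whose comment promises a printed message that never happens, and the `log` import removed in the first hunk is what would have carried it; with no log line an operator has no signal that role setup failed until the first request errors. Keep `"log"` in the import block and make the body `log.Println("initRole failed, will retry on next token check:", err)` so the deferred retry in checkToken is visible. In the last hunk the new `v.vaultClient.SetToken(tok)` is still reached without checking the `err` returned by `out.TokenID()`, so a failed token extraction installs an empty token and returns nil; an `if err != nil { return err }` between those lines closes that. The new context comment `//Check if applrole is mounted` introduces a typo for "approle". Init, initRole and checkToken all begin outside their hunks.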
diff --git a/sms-service/src/sms/handler/handler_test.go b/sms-service/src/sms/handler/handler_test.go
index d8f9f9f..56aa5ac 100644
--- a/sms-service/src/sms/handler/handler_test.go
+++ b/sms-service/src/sms/handler/handler_test.go
@@ -42,10 +42,6 @@ func (b *TestBackend) GetStatus() (bool, error) {
return true, nil
}
-func (b *TestBackend) GetSecretDomain(name string) (smsbackend.SecretDomain, error) {
- return smsbackend.SecretDomain{}, nil
-}
-
func (b *TestBackend) GetSecret(dom string, sec string) (smsbackend.Secret, error) {
return smsbackend.Secret{}, nil
}
diff --git a/sms-service/src/sms/smsconfig.json b/sms-service/src/sms/smsconfig.json
index e8e8245..9afa299 100644
--- a/sms-service/src/sms/smsconfig.json
+++ b/sms-service/src/sms/smsconfig.json
@@ -4,5 +4,5 @@
"serverkey": "auth/server.key",
"vaultaddress": "http://localhost:8200",
- "vaulttoken": "1ee03564-80d8-2080-2c77-0bb097cba512"
+ "vaulttoken": "f56d2c0e-d58d-2be2-aed4-bb9931bedad2"
}
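Review bot: A Vault token is committed in clear text in smsconfig.json, and this hunk only swaps one token for another, so the previous value stays recoverable from history and the rotation gives no protection. Even for a localhost development setup, tokens kept in version control tend to leak when the repository is mirrored or forked. Prefer committing an obviously non-functional placeholder such as `"vaulttoken": "<SET_AT_DEPLOY_TIME>"` and supplying the real token from the environment or an untracked file at startup; whether the config loader already supports that is not visible here.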