diff options
author | Kiran Kamineni <kiran.k.kamineni@intel.com> | 2018-03-02 12:49:06 -0800 |
---|---|---|
committer | Girish Havaldar <hg0071052@techmahindra.com> | 2018-03-06 05:06:24 +0000 |
commit | ef8434768db4b99b69ae8bd0c0ec515041f618c0 (patch) | |
tree | b6ecb32ebd4695a8fcd601907c7e539cf804c168 /sms-service/src | |
parent | 5a4dfbf75e292a03d73c5a7690d78547b45ffc88 (diff) |
Init role does not depend on vault state
Role initialization should not depend on vault state
SMS start is independent of vault state
Any calls to SMS will fail since backend is not active yet
Issue-ID: AAF-155
Change-Id: I810eb145b4eab4717dede12e79880aced08caaa2
Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
Diffstat (limited to 'sms-service/src')
-rw-r--r-- | sms-service/src/sms/backend/backend.go | 2 | ||||
-rw-r--r-- | sms-service/src/sms/backend/backend_test.go | 8 | ||||
-rw-r--r-- | sms-service/src/sms/backend/vault.go | 58 | ||||
-rw-r--r-- | sms-service/src/sms/handler/handler_test.go | 4 | ||||
-rw-r--r-- | sms-service/src/sms/smsconfig.json | 2 |
5 files changed, 26 insertions, 48 deletions
diff --git a/sms-service/src/sms/backend/backend.go b/sms-service/src/sms/backend/backend.go index a1055e6..61af995 100644 --- a/sms-service/src/sms/backend/backend.go +++ b/sms-service/src/sms/backend/backend.go @@ -46,9 +46,7 @@ type SecretBackend interface { Init() error GetStatus() (bool, error) - GetSecretDomain(name string) (SecretDomain, error) GetSecret(dom string, sec string) (Secret, error) - ListSecret(dom string) ([]string, error) CreateSecretDomain(name string) (SecretDomain, error) diff --git a/sms-service/src/sms/backend/backend_test.go b/sms-service/src/sms/backend/backend_test.go index 92ca971..674c03f 100644 --- a/sms-service/src/sms/backend/backend_test.go +++ b/sms-service/src/sms/backend/backend_test.go @@ -28,10 +28,10 @@ func TestInitSecretBackend(t *testing.T) { sec, err := InitSecretBackend() // We expect an error to be returned as Init expects // backend to be running - if err == nil { - t.Fatal("InitSecretBackend : error creating") + if err != nil { + t.Fatal("InitSecretBackend : Expected nil as Init is independent of Vault") } - if sec != nil { - t.Fatal("InitSecretBackend: returned SecretBackend was *NOT* nil, expected nil") + if sec == nil { + t.Fatal("InitSecretBackend: returned SecretBackend was nil") } } diff --git a/sms-service/src/sms/backend/vault.go b/sms-service/src/sms/backend/vault.go index c3bbbc5..d92ac43 100644 --- a/sms-service/src/sms/backend/vault.go +++ b/sms-service/src/sms/backend/vault.go @@ -22,7 +22,6 @@ import ( "errors" "fmt" - "log" "strings" "sync" "time" @@ -30,19 +29,17 @@ import ( // Vault is the main Struct used in Backend to initialize the struct type Vault struct { - vaultAddress string - vaultToken string - vaultMount string - vaultTempToken string - - vaultClient *vaultapi.Client engineType string + initRoleDone bool policyName string roleID string secretID string + tokenLock sync.Mutex + vaultAddress string + vaultClient *vaultapi.Client + vaultMount string vaultTempTokenTTL time.Time - - tokenLock sync.Mutex + vaultToken string } // Init will initialize the vault connection @@ -57,25 +54,16 @@ func (v *Vault) Init() error { } v.engineType = "kv" + v.initRoleDone = false v.policyName = "smsvaultpolicy" - v.vaultMount = "sms" v.vaultClient = client - - // Check if vault is ready and unsealed - seal, err := v.GetStatus() - if err != nil { - return err - } - if seal == true { - return fmt.Errorf("Vault is still sealed. Unseal before use") - } + v.vaultMount = "sms" err = v.initRole() if err != nil { - log.Fatalln("Unable to initRole in Vault. Exiting...") + //print error message and try to initrole later } - v.checkToken() return nil } @@ -90,12 +78,6 @@ func (v *Vault) GetStatus() (bool, error) { return sealStatus.Sealed, nil } -// GetSecretDomain returns any information related to the secretDomain -// More information can be added in the future with updates to the struct -func (v *Vault) GetSecretDomain(name string) (SecretDomain, error) { - return SecretDomain{}, nil -} - // GetSecret returns a secret mounted on a particular domain name // The secret itself is referenced via its name which translates to // a mount path in vault @@ -191,6 +173,7 @@ func (v *Vault) CreateSecret(dom string, sec Secret) error { dom = v.vaultMount + "/" + dom // Vault return is empty on successful write + // TODO: Check if values is not empty _, err = v.vaultClient.Logical().Write(dom+"/"+sec.Name, sec.Values) if err != nil { return errors.New("Unable to create Secret at provided path") @@ -255,13 +238,7 @@ func (v *Vault) initRole() error { "policies": [2]string{"default", v.policyName}, } - // Delete role if it already exists - _, err = v.vaultClient.Logical().Delete("auth/approle/role/" + rName) - if err != nil { - return errors.New("Unable to delete existing role") - } - - //Check if approle is mounted + //Check if applrole is mounted authMounts, err := v.vaultClient.Sys().ListAuth() if err != nil { return errors.New("Unable to get mounted auth backends") @@ -296,7 +273,7 @@ func (v *Vault) initRole() error { } v.secretID = sec.Data["secret_id"].(string) - + v.initRoleDone = true return nil } @@ -306,6 +283,14 @@ func (v *Vault) checkToken() error { v.tokenLock.Lock() defer v.tokenLock.Unlock() + // Init Role if it is not yet done + if v.initRoleDone == false { + err := v.initRole() + if err != nil { + return err + } + } + // Return immediately if token still has life if v.vaultClient.Token() != "" && time.Since(v.vaultTempTokenTTL) < time.Minute*50 { @@ -321,8 +306,7 @@ func (v *Vault) checkToken() error { tok, err := out.TokenID() - v.vaultTempToken = tok v.vaultTempTokenTTL = time.Now() - v.vaultClient.SetToken(v.vaultTempToken) + v.vaultClient.SetToken(tok) return nil } diff --git a/sms-service/src/sms/handler/handler_test.go b/sms-service/src/sms/handler/handler_test.go index d8f9f9f..56aa5ac 100644 --- a/sms-service/src/sms/handler/handler_test.go +++ b/sms-service/src/sms/handler/handler_test.go @@ -42,10 +42,6 @@ func (b *TestBackend) GetStatus() (bool, error) { return true, nil } -func (b *TestBackend) GetSecretDomain(name string) (smsbackend.SecretDomain, error) { - return smsbackend.SecretDomain{}, nil -} - func (b *TestBackend) GetSecret(dom string, sec string) (smsbackend.Secret, error) { return smsbackend.Secret{}, nil } diff --git a/sms-service/src/sms/smsconfig.json b/sms-service/src/sms/smsconfig.json index e8e8245..9afa299 100644 --- a/sms-service/src/sms/smsconfig.json +++ b/sms-service/src/sms/smsconfig.json @@ -4,5 +4,5 @@ "serverkey": "auth/server.key", "vaultaddress": "http://localhost:8200", - "vaulttoken": "1ee03564-80d8-2080-2c77-0bb097cba512" + "vaulttoken": "f56d2c0e-d58d-2be2-aed4-bb9931bedad2" } |