-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbackend.go
112 lines (94 loc) · 2.26 KB
/
backend.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
package kuma
import (
"context"
"strings"
"sync"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
const backendHelp = `
The kuma secrets backend dynamically generates user and service tokens.
After mounting this backend, credentials to manage harbor user and service tokens
must be configured with the "config/" endpoints.
`
// Factory configures and returns Kuma secrets backends.
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
b := backend()
if err := b.Setup(ctx, conf); err != nil {
return nil, err
}
return b, nil
}
// kumaBackend defines an object that
// extends the Vault backend and stores the
// target API's client.
type kumaBackend struct {
*framework.Backend
lock sync.RWMutex
client *kumaClient
}
// backend defines the target API backend
// for Vault. It must include each path
// and the secrets it will store.
func backend() *kumaBackend {
var b = kumaBackend{}
b.Backend = &framework.Backend{
Help: strings.TrimSpace(backendHelp),
PathsSpecial: &logical.Paths{
LocalStorage: []string{},
SealWrapStorage: []string{
"config",
"roles/*",
},
},
Paths: framework.PathAppend(
pathRoles(&b),
[]*framework.Path{
pathConfig(&b),
pathCreds(&b),
},
),
Secrets: []*framework.Secret{
b.kumaToken(),
},
BackendType: logical.TypeLogical,
Invalidate: b.invalidate,
}
return &b
}
// invalidate clears an existing client configuration in
// the backend
func (b *kumaBackend) invalidate(ctx context.Context, key string) {
if key == "config" {
b.reset()
}
}
func (b *kumaBackend) reset() {
b.lock.RLock()
unlockFunc := b.lock.RUnlock
// nolint:gocritic
defer func() { unlockFunc() }()
b.client = nil
}
// setupClient locks the backend as it configures and creates a
// a new client for the target API
func (b *kumaBackend) getClient(ctx context.Context, s logical.Storage) (*kumaClient, error) {
b.lock.RLock()
unlockFunc := b.lock.RUnlock
defer unlockFunc()
if b.client != nil {
return b.client, nil
}
config, err := getConfig(ctx, s)
if err != nil {
return nil, err
}
if config == nil {
config = new(kumaConfig)
}
b.client, err = newClient(config)
if err != nil {
return nil, err
}
return b.client, nil
}