-
Notifications
You must be signed in to change notification settings - Fork 1
/
backend.go
106 lines (89 loc) · 2.17 KB
/
backend.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package boundarysecrets
import (
"context"
"strings"
"sync"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
// Factory Implements a storage backend and sets this up
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
b := backend()
if err := b.Setup(ctx, conf); err != nil {
return nil, err
}
return b, nil
}
type boundaryBackend struct {
*framework.Backend
lock sync.RWMutex
client *boundaryClient
}
func backend() *boundaryBackend {
var b = boundaryBackend{}
b.Backend = &framework.Backend{
Help: strings.TrimSpace(backendHelp),
PathsSpecial: &logical.Paths{
LocalStorage: []string{
framework.WALPrefix,
},
SealWrapStorage: []string{
"config",
"role/*",
},
},
Paths: framework.PathAppend(
pathRole(&b),
[]*framework.Path{
pathConfig(&b),
pathCredentials(&b),
},
),
Secrets: []*framework.Secret{b.boundaryAccount(), b.boundaryWorker()}, // Add boundary users secrets generation here.
BackendType: logical.TypeLogical,
Invalidate: b.invalidate,
}
return &b
}
func (b *boundaryBackend) reset() {
b.lock.Lock()
defer b.lock.Unlock()
b.client = nil
}
func (b *boundaryBackend) invalidate(ctx context.Context, key string) {
if key == "config" {
b.reset()
}
}
// getClient returns a new Boundary client that is configured and has been authenticated.
func (b *boundaryBackend) getClient(ctx context.Context, s logical.Storage) (*boundaryClient, error) {
b.lock.RLock()
unlockFunc := b.lock.RUnlock
defer func() { unlockFunc() }()
if b.client != nil {
return b.client, nil
}
b.lock.RUnlock()
b.lock.Lock()
unlockFunc = b.lock.Unlock
//
config, err := getConfig(ctx, s)
if err != nil {
return nil, err
}
if config == nil {
config = new(boundaryConfig)
}
b.client, err = newClient(config)
if err != nil {
return nil, err
}
// adding to debug client connection issue
b.Logger()
return b.client, nil
}
const backendHelp = `
The Boundary secrets backend dynamically generates user or worker tokens.
After mounting this backend, credentials to manage Boundary user tokens
must be configured with the "config/" endpoints.
`