Unseal backend support is now added.
The quorum client will use this API to unseal or initialize the backend
storage service
Issue-ID: AAF-156
Change-Id: Ic2726e9a5ca351912a16c3ec911d03e400233277
Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
Name string `json:"name"`
}
-// SecretKeyValue is building block for a Secret
-type SecretKeyValue struct {
- Key string `json:"name"`
- Value string `json:"value"`
-}
-
// Secret is the struct that defines the structure of a secret
-// A single Secret can have any number of SecretKeyValue pairs
+// It consists of a name and map containing key value pairs
type Secret struct {
Name string `json:"name"`
Values map[string]interface{} `json:"values"`
// SecretBackend interface that will be implemented for various secret backends
type SecretBackend interface {
Init() error
-
GetStatus() (bool, error)
+ Unseal(shard string) error
+
GetSecret(dom string, sec string) (Secret, error)
ListSecret(dom string) ([]string, error)
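Review bot: The new `Unseal(shard string) error` method is added to SecretBackend without a doc comment, so an implementer cannot tell from the interface whether one call carries a single key share or completes the whole unseal. The Vault implementation in this change hands a single shard to `sys.Unseal` and reports nothing back but an error, so a per-shard contract seems intended; suggest `// Unseal submits one unseal shard to the backend; use GetStatus to learn whether the backend is unsealed.` The interface body continues outside the hunk.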
return sealStatus.Sealed, nil
}
+// Unseal is a passthrough API that allows any
+// unseal or initialization processes for the backend
+func (v *Vault) Unseal(shard string) error {
+ sys := v.vaultClient.Sys()
+ _, err := sys.Unseal(shard)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
// GetSecret returns a secret mounted on a particular domain name
// The secret itself is referenced via its name which translates to
// a mount path in vault
defer v.tokenLock.Unlock()
// Init Role if it is not yet done
+ // Role needs to be created before token can be created
if v.initRoleDone == false {
err := v.initRole()
if err != nil {
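Review bot: `Vault.Unseal` discards the seal status returned by `sys.Unseal(shard)`, so a caller feeding shards one at a time gets no indication of whether the seal threshold has been reached and must call `GetStatus` separately; the doc comment should say so, or the method could surface the sealed state. The `if err != nil { return err }` followed by `return nil` collapses to `return err`. Suggested doc comment: `// Unseal submits one unseal shard to Vault. The resulting seal status is not returned; call GetStatus to check whether Vault is unsealed.`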
}
-// initSMSHandler
-func (h handler) initSMSHandler(w http.ResponseWriter, r *http.Request) {
-
-}
-
-// unsealHandler
+// unsealHandler is a pass through that sends requests from quorum client
+// to the backend.
func (h handler) unsealHandler(w http.ResponseWriter, r *http.Request) {
+ // Get shards to be used for unseal
+ type unsealStruct struct {
+ UnsealShard string `json:"unsealshard"`
+ }
+
+ var inp unsealStruct
+ decoder := json.NewDecoder(r.Body)
+ decoder.DisallowUnknownFields()
+ err := decoder.Decode(&inp)
+ if err != nil {
+ http.Error(w, "Bad input JSON", http.StatusBadRequest)
+ return
+ }
+ err = h.secretBackend.Unseal(inp.UnsealShard)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
}
// CreateRouter returns an http.Handler for the registered URLs
// to unseal and to provide root token to sms service
router.HandleFunc("/v1/sms/status", h.statusHandler).Methods("GET")
router.HandleFunc("/v1/sms/unseal", h.unsealHandler).Methods("POST")
- router.HandleFunc("/v1/sms/init", h.initSMSHandler).Methods("POST")
router.HandleFunc("/v1/sms/domain", h.createSecretDomainHandler).Methods("POST")
router.HandleFunc("/v1/sms/domain/{domName}", h.deleteSecretDomainHandler).Methods("DELETE")
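Review bot: `unsealHandler` above decodes `r.Body` with no size bound and, when the backend fails, writes the raw backend error string to the client with a 500; both should change. Cap the body, e.g. `decoder := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16))`, and return a fixed message such as `http.Error(w, "Unseal failed", http.StatusInternalServerError)` while logging the underlying error server-side (the error, not the request body, which carries a key share), since the backend's message may describe Vault internals and no authentication is visible on the `/v1/sms/unseal` route registered here — if none is applied elsewhere, any caller can read it. On success the handler writes nothing, so the quorum client receives an empty 200 and cannot tell whether further shards are needed; returning the current seal status would fix that, though whether the backend exposes it is outside this hunk. The surrounding CreateRouter body starts and ends outside the hunk.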
return true, nil
}
+func (b *TestBackend) Unseal(shard string) error {
+ return nil
+}
+
func (b *TestBackend) GetSecret(dom string, sec string) (smsbackend.Secret, error) {
return smsbackend.Secret{}, nil
}