Initial working implementation.

paxosglobal · May 27, 2018 · 0c3a4c5 · 0c3a4c5
1 parent a6230e5
commit 0c3a4c5
Show file tree

Hide file tree

Showing 9 changed files with 1,053 additions and 0 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,23 @@
+sudo: required
+language: go
+go:
+- "1.10"
+
+# This moves Kubernetes specific config files.
+env:
+- CHANGE_MINIKUBE_NONE_USER=true
+
+before_script:
+# Download kubectl, which is a requirement for using minikube.
+- curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/
+# Download minikube.
+- curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
+# Start Kubernetes with apiserver configured to use local test Vault for authentication.
+- sudo minikube start --vm-driver=none --bootstrapper=localkube --kubernetes-version=v1.10.0 --extra-config apiserver.Authentication.WebHook.ConfigFile=$(pwd)/testing/webhook-authn.yaml --extra-config apiserver.Authentication.WebHook.CacheTTL=0s
+# Fix the kubectl context, as it's often stale.
+- minikube update-context
+# Wait for Kubernetes to be up and ready.
+- JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}'; until kubectl get nodes -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do sleep 1; done
+
+script: KUBE_ADDR=https://$(minikube ip):8443 go test -v ./...
+
diff --git a/backend.go b/backend.go
@@ -0,0 +1,63 @@
+package main
+
+import (
+	"context"
+	"github.com/hashicorp/vault/helper/salt"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/logical/framework"
+	"sync"
+)
+
+func Factory(ctx context.Context, c *logical.BackendConfig) (logical.Backend, error) {
+	b := Backend(c)
+	if err := b.Setup(ctx, c); err != nil {
+		return nil, err
+	}
+	return b, nil
+}
+
+type backend struct {
+	*framework.Backend
+
+	storage logical.Storage
+	salt    *salt.Salt
+	// TODO: Do we need to support invalidation + salt replacement?
+	initSalt sync.Once
+}
+
+func Backend(c *logical.BackendConfig) *backend {
+	b := &backend{
+		storage: c.StorageView,
+	}
+
+	b.Backend = &framework.Backend{
+		BackendType: logical.TypeLogical,
+		PathsSpecial: &logical.Paths{
+			Unauthenticated: []string{"tokenreviews"},
+		},
+		Paths: []*framework.Path{
+			pathRoles(),
+			pathListRoles(),
+			pathToken(b),
+			pathReview(b),
+		},
+		Secrets: []*framework.Secret{
+			secretToken(b),
+		},
+		// TODO: Invalidate, Clean.
+	}
+
+	return b
+}
+
+func (b *backend) Salt(ctx context.Context) (*salt.Salt, error) {
+	var err error
+	// Initialize the salt if needed.
+	b.initSalt.Do(func() {
+		b.salt, err = salt.NewSalt(ctx, b.storage, &salt.Config{
+			HashFunc: salt.SHA256Hash,
+			Location: salt.DefaultLocation,
+		})
+	})
+	return b.salt, err
+}