From 0b9c4ebaffe1257a083688a08cbac1c80cf7c419 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Fri, 13 Mar 2015 11:16:24 -0700
Subject: [PATCH] vault: Support a pre-seal teardown
---
 vault/core.go | 20 ++++++++++++++++++--
 vault/core_test.go | 11 +++++++++++
 vault/mount.go | 9 +++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/vault/core.go b/vault/core.go
index 0cb497de59..cea1884571 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -386,7 +386,7 @@ func (c *Core) Unseal(key []byte) (bool, error) {
 return true, nil
 }
 
-// Seal is used to re-seal the Vault. This requires the Vaultto
+// Seal is used to re-seal the Vault. This requires the Vault to
 // be unsealed again to perform any further operations.
 func (c *Core) Seal() error {
 c.stateLock.Lock()
@@ -394,8 +394,15 @@ func (c *Core) Seal() error {
 if c.sealed {
 return nil
 }
- c.logger.Printf("[INFO] core: vault is being sealed")
 c.sealed = true
+
+ // Do pre-seal teardown
+ if err := c.preSeal(); err != nil {
+ c.logger.Printf("[ERR] core: pre-seal teardown failed: %v", err)
+ return fmt.Errorf("internal error")
+ }
+
+ c.logger.Printf("[INFO] core: vault is being sealed")
 return c.barrier.Seal()
 }
 
@@ -415,3 +422,12 @@ func (c *Core) postUnseal() error {
 }
 return nil
 }
+
+// preSeal is invoked before the barrier is sealed, allowing
+// for any state teardown required.
+func (c *Core) preSeal() error {
+ if err := c.unloadMounts(); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/vault/core_test.go b/vault/core_test.go
index 7458c892a0..78741fdbab 100644
--- a/vault/core_test.go
+++ b/vault/core_test.go
@@ -332,3 +332,14 @@ func TestCore_Route_Sealed(t *testing.T) {
 t.Fatalf("err: %v", err)
 }
 }
+
+// Attempt to unseal after doing a first seal
+func TestCore_SealUnseal(t *testing.T) {
+ c, key := testUnsealedCore(t)
+ if err := c.Seal(); err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if unseal, err := c.Unseal(key); err != nil || !unseal {
+ t.Fatalf("err: %v", err)
+ }
+}
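Review bot: In Seal, `c.sealed = true` is now set before `c.preSeal()` runs, and the teardown error path returns without ever calling `c.barrier.Seal()`. If teardown fails, the core reports itself sealed and every later Seal call returns nil at the `if c.sealed` check, while the barrier stays unsealed, presumably with its key material still in memory. The failure path should seal the barrier as well, for example by calling `c.barrier.Seal()` (and logging its error) before `return fmt.Errorf("internal error")`. unloadMounts returns nil today, so the problem is latent until a teardown step can fail. Seal's signature and its lock acquisition sit outside this hunk.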
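Review bot: preSeal's comment leaves out its calling contract: Seal invokes it after `c.sealed = true` and, judging by the `c.stateLock.Lock()` context line in the first hunk, with the state lock held. I would extend the comment with `// Callers must hold stateLock; the barrier is still unsealed while this runs.` so later teardown steps are written with that in mind. Until a second step exists, the body can simply be `return c.unloadMounts()`.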
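Review bot: TestCore_SealUnseal folds two different failures into one message, so an Unseal that returns `false, nil` is reported as `err: <nil>`. Splitting the condition, e.g. `if !unseal { t.Fatalf("should be unsealed") }`, makes that case readable. The test also never checks the state between the two calls; asserting there that the core rejects a request would confirm that the seal and the new teardown actually took effect. The pre-seal failure path has no coverage in this hunk.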
diff --git a/vault/mount.go b/vault/mount.go
index c899ed4da5..20e5bf3958 100644
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -151,6 +151,15 @@ func (c *Core) setupMounts() error {
 return nil
 }
 
+// unloadMounts is used before we seal the vault to reset the mounts to
+// their unloaded state. This is reversed by load and setup mounts.
+func (c *Core) unloadMounts() error {
+ c.mounts = nil
+ c.router = NewRouter()
+ c.systemView = nil
+ return nil
+}
+
 // mountEntry is used to create a new mount entry
 func (c *Core) mountEntry(me *MountEntry) error {
 c.mountsLock.Lock()
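Review bot: unloadMounts replaces `c.mounts`, `c.router` and `c.systemView` without taking `c.mountsLock`, although mountEntry directly below takes that lock before it touches mount state. Seal holds stateLock while this runs, but whether every reader of the router and mount table also takes stateLock is not visible here, so a request or mount operation racing with Seal could observe a half-reset state. Either take the lock at the top, `c.mountsLock.Lock()` followed by `defer c.mountsLock.Unlock()`, or state in the comment that the caller's stateLock is what protects these fields. mountEntry's body continues outside the hunk.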