Use capabilities to determine upsert-ability in transit.

builtin/logical/transit/path_encrypt.go

@@ -30,14 +30,28 @@ func (b *backend) pathEncrypt() *framework.Path {
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.CreateOperation: b.pathEncryptWrite,
 			logical.UpdateOperation: b.pathEncryptWrite,
 		},
 
+		ExistenceCheck: b.pathEncryptExistenceCheck,
+
 		HelpSynopsis:    pathEncryptHelpSyn,
 		HelpDescription: pathEncryptHelpDesc,
 	}
 }
 
+func (b *backend) pathEncryptExistenceCheck(
+	req *logical.Request, d *framework.FieldData) (bool, error) {
+	name := d.Get("name").(string)
+	lp, err := b.policies.getPolicy(req, name)
+	if err != nil {
+		return false, err
+	}
+
+	return lp != nil, nil
+}
+
 func (b *backend) pathEncryptWrite(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	name := d.Get("name").(string)
@@ -65,7 +79,19 @@ func (b *backend) pathEncryptWrite(
 
 	// Error if invalid policy
 	if lp == nil {
-		return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest
+		if req.Operation != logical.CreateOperation {
+			return logical.ErrorResponse("policy not found"), logical.ErrInvalidRequest
+		}
+
+		isDerived := len(context) != 0
+
+		lp, err = b.policies.generatePolicy(req.Storage, name, isDerived)
+		// If the error is that the policy has been created in the interim we
+		// will get the policy back, so only consider it an error if err is not
+		// nil and we do not get a policy back
+		if err != nil && lp != nil {
+			return nil, err
+		}
 	}
 
 	lp.RLock()