From 6b9ff3019575930d4f9614397d5979b9c763c3d6 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Thu, 12 Mar 2015 12:44:22 -0700
Subject: [PATCH] vault: Setup expiration manager on unseal

---
 vault/core.go       | 11 +++++++----
 vault/expiration.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 vault/expiration.go

diff --git a/vault/core.go b/vault/core.go
index 1c29a4afdb..0cb497de59 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -19,10 +19,6 @@ const (
 	// it even with the Vault sealed. This is required so that we know
 	// how many secret parts must be used to reconstruct the master key.
 	coreSealConfigPath = "core/seal-config"
-
-	// expirationSubPath is the sub-path used for the expiration manager
-	// view. This is nested under the system view.
-	expirationSubPath = "expire/"
 )
 
 var (
@@ -115,6 +111,10 @@ type Core struct {
 	// systemView is the barrier view for the system backend
 	systemView *BarrierView
 
+	// expiration manager is used for managing vaultIDs,
+	// renewal, expiration and revocation
+	expiration *ExpirationManager
+
 	logger *log.Logger
 }
 
@@ -410,5 +410,8 @@ func (c *Core) postUnseal() error {
 	if err := c.setupMounts(); err != nil {
 		return err
 	}
+	if err := c.setupExpiration(); err != nil {
+		return err
+	}
 	return nil
 }
diff --git a/vault/expiration.go b/vault/expiration.go
new file mode 100644
index 0000000000..06cf5f8f6f
--- /dev/null
+++ b/vault/expiration.go
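Review bot: postUnseal now stores an ExpirationManager in c.expiration, but nothing in this commit drops it again when the core is sealed, so a sealed Core would keep a manager that still holds a BarrierView derived from the unsealed system view. If Core has a seal-time counterpart to postUnseal (a preSeal or similar; not visible in this diff), it should clear the reference alongside the other per-unseal state, e.g. `c.expiration = nil`, so that sealing tears down everything unsealing set up. In the Core struct hunk the new field comment should also start with the field name per Go doc convention: `// expiration is the manager used for vaultIDs, renewal, expiration and revocation`. postUnseal begins before its hunk, so the rest of the function is not visible here.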
@@ -0,0 +1,36 @@
+package vault
+
+const (
+	// expirationSubPath is the sub-path used for the expiration manager
+	// view. This is nested under the system view.
+	expirationSubPath = "expire/"
+)
+
+// ExpirationManager is used by the Core to manage leases. Secrets
+// can provide a lease, meaning that they can be renewed or revoked.
+// If a secret is not renewed in timely manner, it may be expired, and
+// the ExpirationManager will handle doing automatic revocation.
+type ExpirationManager struct {
+	view *BarrierView
+}
+
+// NewExpirationManager creates a new ExpirationManager that is backed
+// using a given view.
+func NewExpirationManager(view *BarrierView) *ExpirationManager {
+	exp := &ExpirationManager{
+		view: view,
+	}
+	return exp
+}
+
+// setupExpiration is invoked after we've loaded the mount table to
+// initialize the expiration manager
+func (c *Core) setupExpiration() error {
+	// Create a sub-view
+	view := c.systemView.SubView(expirationSubPath)
+
+	// Create the manager
+	mgr := NewExpirationManager(view)
+	c.expiration = mgr
+	return nil
+}
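Review bot: setupExpiration dereferences c.systemView unconditionally in `view := c.systemView.SubView(expirationSubPath)`, and the only thing recording that systemView must already be initialized is the prose comment "invoked after we've loaded the mount table"; it appears to rely on call order inside postUnseal. Turning that ordering assumption into a checked error keeps a later reordering of the unseal sequence from failing with a nil-pointer panic mid-unseal: `if c.systemView == nil { return errors.New("system view not initialized") }` (this new file imports nothing yet, so it would add an `errors` import). The ExpirationManager doc comment also describes renewal, expiry and automatic revocation, none of which the type implements in this commit; a `// TODO: lease renewal, expiration and revocation are not implemented yet` line would keep readers from assuming leases are already enforced.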