diff --git a/builtin/credential/app-id/backend.go b/builtin/credential/app-id/backend.go index 2db5333a37..8e71c9ea15 100644 --- a/builtin/credential/app-id/backend.go +++ b/builtin/credential/app-id/backend.go @@ -1,7 +1,6 @@ package appId import ( - "fmt" "sync" "github.com/hashicorp/vault/helper/salt" @@ -72,8 +71,6 @@ func Backend(conf *logical.BackendConfig) (*framework.Backend, error) { AuthRenew: b.pathLoginRenew, - Init: b.initialize, - Invalidate: b.invalidate, } @@ -85,110 +82,45 @@ func Backend(conf *logical.BackendConfig) (*framework.Backend, error) { type backend struct { *framework.Backend - Salt *salt.Salt + salt *salt.Salt SaltMutex sync.RWMutex view logical.Storage MapAppId *framework.PolicyMap MapUserId *framework.PathMap } -func (b *backend) initialize() error { +func (b *backend) Salt() (*salt.Salt, error) { + b.SaltMutex.RLock() + if b.salt != nil { + defer b.SaltMutex.RUnlock() + return b.salt, nil + } + b.SaltMutex.RUnlock() b.SaltMutex.Lock() + defer b.SaltMutex.Unlock() + if b.salt != nil { + return b.salt, nil + } salt, err := salt.NewSalt(b.view, &salt.Config{ HashFunc: salt.SHA1Hash, Location: salt.DefaultLocation, }) if err != nil { - b.SaltMutex.Unlock() - return err + return nil, err } - b.Salt = salt - b.SaltMutex.Unlock() + b.salt = salt + b.MapAppId.SaltFunc = b.Salt + b.MapUserId.SaltFunc = b.Salt - b.MapAppId.Salt = salt - b.MapAppId.SaltMutex = &b.SaltMutex - b.MapUserId.Salt = salt - b.MapUserId.SaltMutex = &b.SaltMutex - - // Since the salt is new in 0.2, we need to handle this by migrating - // any existing keys to use the salt. We can deprecate this eventually, - // but for now we want a smooth upgrade experience by automatically - // upgrading to use salting. - if salt.DidGenerate() { - if err := b.upgradeToSalted(b.view); err != nil { - return err - } - } - - return nil -} - -// upgradeToSalted is used to upgrade the non-salted keys prior to -// Vault 0.2 to be salted. This is done on mount time and is only -// done once. It can be deprecated eventually, but should be around -// long enough for all 0.1.x users to upgrade. -func (b *backend) upgradeToSalted(view logical.Storage) error { - // Create a copy of MapAppId that does not use a Salt - nonSaltedAppId := new(framework.PathMap) - *nonSaltedAppId = b.MapAppId.PathMap - nonSaltedAppId.Salt = nil - - // Get the list of app-ids - keys, err := b.MapAppId.List(view, "") - if err != nil { - return fmt.Errorf("failed to list app-ids: %v", err) - } - - // Upgrade all the existing keys - for _, key := range keys { - val, err := nonSaltedAppId.Get(view, key) - if err != nil { - return fmt.Errorf("failed to read app-id: %v", err) - } - - if err := b.MapAppId.Put(view, key, val); err != nil { - return fmt.Errorf("failed to write app-id: %v", err) - } - - if err := nonSaltedAppId.Delete(view, key); err != nil { - return fmt.Errorf("failed to delete app-id: %v", err) - } - } - - // Create a copy of MapUserId that does not use a Salt - nonSaltedUserId := new(framework.PathMap) - *nonSaltedUserId = *b.MapUserId - nonSaltedUserId.Salt = nil - - // Get the list of user-ids - keys, err = b.MapUserId.List(view, "") - if err != nil { - return fmt.Errorf("failed to list user-ids: %v", err) - } - - // Upgrade all the existing keys - for _, key := range keys { - val, err := nonSaltedUserId.Get(view, key) - if err != nil { - return fmt.Errorf("failed to read user-id: %v", err) - } - - if err := b.MapUserId.Put(view, key, val); err != nil { - return fmt.Errorf("failed to write user-id: %v", err) - } - - if err := nonSaltedUserId.Delete(view, key); err != nil { - return fmt.Errorf("failed to delete user-id: %v", err) - } - } - return nil + return salt, nil } func (b *backend) invalidate(key string) { switch key { case salt.DefaultLocation: - // reread the salt - b.initialize() + b.SaltMutex.Lock() + defer b.SaltMutex.Unlock() + b.salt = nil } } diff --git a/builtin/credential/app-id/backend_test.go b/builtin/credential/app-id/backend_test.go index 2960e4060e..52d4433e44 100644 --- a/builtin/credential/app-id/backend_test.go +++ b/builtin/credential/app-id/backend_test.go @@ -51,70 +51,6 @@ func TestBackend_displayName(t *testing.T) { }) } -// Verify that we are able to update from non-salted (<0.2) to -// using a Salt for the paths -func TestBackend_upgradeToSalted(t *testing.T) { - inm := new(logical.InmemStorage) - - // Create some fake keys - se, _ := logical.StorageEntryJSON("struct/map/app-id/foo", - map[string]string{"value": "test"}) - inm.Put(se) - se, _ = logical.StorageEntryJSON("struct/map/user-id/bar", - map[string]string{"value": "foo"}) - inm.Put(se) - - // Initialize the backend, this should do the automatic upgrade - conf := &logical.BackendConfig{ - StorageView: inm, - } - backend, err := Factory(conf) - if err != nil { - t.Fatalf("err: %v", err) - } - err = backend.Initialize() - if err != nil { - t.Fatalf("err: %v", err) - } - - // Check the keys have been upgraded - out, err := inm.Get("struct/map/app-id/foo") - if err != nil { - t.Fatalf("err: %v", err) - } - if out != nil { - t.Fatalf("unexpected key") - } - out, err = inm.Get("struct/map/user-id/bar") - if err != nil { - t.Fatalf("err: %v", err) - } - if out != nil { - t.Fatalf("unexpected key") - } - - // Backend should still be able to resolve - req := logical.TestRequest(t, logical.ReadOperation, "map/app-id/foo") - req.Storage = inm - resp, err := backend.HandleRequest(req) - if err != nil { - t.Fatalf("err: %v", err) - } - if resp.Data["value"] != "test" { - t.Fatalf("bad: %#v", resp) - } - - req = logical.TestRequest(t, logical.ReadOperation, "map/user-id/bar") - req.Storage = inm - resp, err = backend.HandleRequest(req) - if err != nil { - t.Fatalf("err: %v", err) - } - if resp.Data["value"] != "foo" { - t.Fatalf("bad: %#v", resp) - } -} - func testAccStepMapAppId(t *testing.T) logicaltest.TestStep { return logicaltest.TestStep{ Operation: logical.UpdateOperation, diff --git a/builtin/credential/approle/backend.go b/builtin/credential/approle/backend.go index 89836609dd..46dae815d5 100644 --- a/builtin/credential/approle/backend.go +++ b/builtin/credential/approle/backend.go @@ -93,31 +93,40 @@ func Backend(conf *logical.BackendConfig) (*backend, error) { pathTidySecretID(b), }, ), - Init: b.initialize, Invalidate: b.invalidate, } return b, nil } -func (b *backend) initialize() error { +func (b *backend) Salt() (*salt.Salt, error) { + b.saltMutex.RLock() + if b.salt != nil { + defer b.saltMutex.RUnlock() + return b.salt, nil + } + b.saltMutex.RUnlock() b.saltMutex.Lock() defer b.saltMutex.Unlock() + if b.salt != nil { + return b.salt, nil + } salt, err := salt.NewSalt(b.view, &salt.Config{ HashFunc: salt.SHA256Hash, Location: salt.DefaultLocation, }) if err != nil { - return err + return nil, err } b.salt = salt - return nil + return salt, nil } func (b *backend) invalidate(key string) { switch key { case salt.DefaultLocation: - // reread the salt - b.initialize() + b.saltMutex.Lock() + defer b.saltMutex.Unlock() + b.salt = nil } } diff --git a/builtin/credential/approle/backend_test.go b/builtin/credential/approle/backend_test.go index e49cf48f8b..2a3e3773ec 100644 --- a/builtin/credential/approle/backend_test.go +++ b/builtin/credential/approle/backend_test.go @@ -21,9 +21,5 @@ func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) { if err != nil { t.Fatal(err) } - err = b.Initialize() - if err != nil { - t.Fatal(err) - } return b, config.StorageView } diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go index ea7d847467..79ae1db1a5 100644 --- a/builtin/credential/approle/path_role.go +++ b/builtin/credential/approle/path_role.go @@ -1939,9 +1939,11 @@ func (b *backend) setRoleIDEntry(s logical.Storage, roleID string, roleIDEntry * lock.Lock() defer lock.Unlock() - b.saltMutex.RLock() - entryIndex := "role_id/" + b.salt.SaltID(roleID) - b.saltMutex.RUnlock() + salt, err := b.Salt() + if err != nil { + return err + } + entryIndex := "role_id/" + salt.SaltID(roleID) entry, err := logical.StorageEntryJSON(entryIndex, roleIDEntry) if err != nil { @@ -1965,9 +1967,11 @@ func (b *backend) roleIDEntry(s logical.Storage, roleID string) (*roleIDStorageE var result roleIDStorageEntry - b.saltMutex.RLock() - entryIndex := "role_id/" + b.salt.SaltID(roleID) - b.saltMutex.RUnlock() + salt, err := b.Salt() + if err != nil { + return nil, err + } + entryIndex := "role_id/" + salt.SaltID(roleID) if entry, err := s.Get(entryIndex); err != nil { return nil, err @@ -1991,9 +1995,11 @@ func (b *backend) roleIDEntryDelete(s logical.Storage, roleID string) error { lock.Lock() defer lock.Unlock() - b.saltMutex.RLock() - entryIndex := "role_id/" + b.salt.SaltID(roleID) - b.saltMutex.RUnlock() + salt, err := b.Salt() + if err != nil { + return err + } + entryIndex := "role_id/" + salt.SaltID(roleID) return s.Delete(entryIndex) } diff --git a/builtin/credential/approle/validation.go b/builtin/credential/approle/validation.go index d330b1ece5..84581a0413 100644 --- a/builtin/credential/approle/validation.go +++ b/builtin/credential/approle/validation.go @@ -469,9 +469,11 @@ func (b *backend) secretIDAccessorEntry(s logical.Storage, secretIDAccessor stri var result secretIDAccessorStorageEntry // Create index entry, mapping the accessor to the token ID - b.saltMutex.RLock() - entryIndex := "accessor/" + b.salt.SaltID(secretIDAccessor) - b.saltMutex.RUnlock() + salt, err := b.Salt() + if err != nil { + return nil, err + } + entryIndex := "accessor/" + salt.SaltID(secretIDAccessor) accessorLock := b.secretIDAccessorLock(secretIDAccessor) accessorLock.RLock() @@ -500,9 +502,11 @@ func (b *backend) createSecretIDAccessorEntry(s logical.Storage, entry *secretID entry.SecretIDAccessor = accessorUUID // Create index entry, mapping the accessor to the token ID - b.saltMutex.RLock() - entryIndex := "accessor/" + b.salt.SaltID(entry.SecretIDAccessor) - b.saltMutex.RUnlock() + salt, err := b.Salt() + if err != nil { + return err + } + entryIndex := "accessor/" + salt.SaltID(entry.SecretIDAccessor) accessorLock := b.secretIDAccessorLock(accessorUUID) accessorLock.Lock() @@ -521,9 +525,11 @@ func (b *backend) createSecretIDAccessorEntry(s logical.Storage, entry *secretID // deleteSecretIDAccessorEntry deletes the storage index mapping the accessor to a SecretID. func (b *backend) deleteSecretIDAccessorEntry(s logical.Storage, secretIDAccessor string) error { - b.saltMutex.RLock() - accessorEntryIndex := "accessor/" + b.salt.SaltID(secretIDAccessor) - b.saltMutex.RUnlock() + salt, err := b.Salt() + if err != nil { + return err + } + accessorEntryIndex := "accessor/" + salt.SaltID(secretIDAccessor) accessorLock := b.secretIDAccessorLock(secretIDAccessor) accessorLock.Lock() diff --git a/builtin/credential/aws/backend.go b/builtin/credential/aws/backend.go index a690385ab9..50e1e61e2f 100644 --- a/builtin/credential/aws/backend.go +++ b/builtin/credential/aws/backend.go @@ -21,9 +21,6 @@ func Factory(conf *logical.BackendConfig) (logical.Backend, error) { type backend struct { *framework.Backend - // Used during initialization to set the salt - view logical.Storage - // Lock to make changes to any of the backend's configuration endpoints. configMutex sync.RWMutex @@ -64,7 +61,6 @@ func Backend(conf *logical.BackendConfig) (*backend, error) { // Setting the periodic func to be run once in an hour. // If there is a real need, this can be made configurable. tidyCooldownPeriod: time.Hour, - view: conf.StorageView, EC2ClientsMap: make(map[string]map[string]*ec2.EC2), IAMClientsMap: make(map[string]map[string]*iam.IAM), } diff --git a/builtin/logical/pki/path_roles_test.go b/builtin/logical/pki/path_roles_test.go index 82772b0cde..1adfc9d1e0 100644 --- a/builtin/logical/pki/path_roles_test.go +++ b/builtin/logical/pki/path_roles_test.go @@ -17,10 +17,6 @@ func createBackendWithStorage(t *testing.T) (*backend, logical.Storage) { if err != nil { t.Fatal(err) } - err = b.Initialize() - if err != nil { - t.Fatal(err) - } return b, config.StorageView } diff --git a/builtin/logical/ssh/backend.go b/builtin/logical/ssh/backend.go index 0e17effecb..9c1f52b4bd 100644 --- a/builtin/logical/ssh/backend.go +++ b/builtin/logical/ssh/backend.go @@ -59,32 +59,40 @@ func Backend(conf *logical.BackendConfig) (*backend, error) { secretOTP(&b), }, - Init: b.initialize, - Invalidate: b.invalidate, } return &b, nil } -func (b *backend) initialize() error { +func (b *backend) Salt() (*salt.Salt, error) { + b.saltMutex.RLock() + if b.salt != nil { + defer b.saltMutex.RUnlock() + return b.salt, nil + } + b.saltMutex.RUnlock() b.saltMutex.Lock() defer b.saltMutex.Unlock() + if b.salt != nil { + return b.salt, nil + } salt, err := salt.NewSalt(b.view, &salt.Config{ HashFunc: salt.SHA256Hash, Location: salt.DefaultLocation, }) if err != nil { - return err + return nil, err } b.salt = salt - return nil + return salt, nil } func (b *backend) invalidate(key string) { switch key { case salt.DefaultLocation: - // reread the salt - b.initialize() + b.saltMutex.Lock() + defer b.saltMutex.Unlock() + b.salt = nil } } diff --git a/builtin/logical/ssh/path_creds_create.go b/builtin/logical/ssh/path_creds_create.go index 50b2147cdc..53d55eda68 100644 --- a/builtin/logical/ssh/path_creds_create.go +++ b/builtin/logical/ssh/path_creds_create.go @@ -207,9 +207,12 @@ func (b *backend) GenerateSaltedOTP() (string, string, error) { if err != nil { return "", "", err } - b.saltMutex.RLock() - defer b.saltMutex.RUnlock() - return str, b.salt.SaltID(str), nil + salt, err := b.Salt() + if err != nil { + return "", "", err + } + + return str, salt.SaltID(str), nil } // Generates an UUID OTP and creates an entry for the same in storage backend with its salted string. diff --git a/builtin/logical/ssh/path_verify.go b/builtin/logical/ssh/path_verify.go index 6f50facd7e..1c5e45369b 100644 --- a/builtin/logical/ssh/path_verify.go +++ b/builtin/logical/ssh/path_verify.go @@ -57,9 +57,11 @@ func (b *backend) pathVerifyWrite(req *logical.Request, d *framework.FieldData) // Create the salt of OTP because entry would have been create with the // salt and not directly of the OTP. Salt will yield the same value which // because the seed is the same, the backend salt. - b.saltMutex.RLock() - otpSalted := b.salt.SaltID(otp) - b.saltMutex.RUnlock() + salt, err := b.Salt() + if err != nil { + return nil, err + } + otpSalted := salt.SaltID(otp) // Return nil if there is no entry found for the OTP otpEntry, err := b.getOTP(req.Storage, otpSalted) diff --git a/builtin/logical/ssh/secret_otp.go b/builtin/logical/ssh/secret_otp.go index c7f73ee3c6..cc8872b5d6 100644 --- a/builtin/logical/ssh/secret_otp.go +++ b/builtin/logical/ssh/secret_otp.go @@ -33,9 +33,11 @@ func (b *backend) secretOTPRevoke(req *logical.Request, d *framework.FieldData) return nil, fmt.Errorf("secret is missing internal data") } - b.saltMutex.RLock() - defer b.saltMutex.RUnlock() - err := req.Storage.Delete("otp/" + b.salt.SaltID(otp)) + salt, err := b.Salt() + if err != nil { + return nil, err + } + err = req.Storage.Delete("otp/" + salt.SaltID(otp)) if err != nil { return nil, err } diff --git a/logical/framework/path_map.go b/logical/framework/path_map.go index 173f40ad6e..1887ae73c8 100644 --- a/logical/framework/path_map.go +++ b/logical/framework/path_map.go @@ -21,7 +21,7 @@ type PathMap struct { Schema map[string]*FieldSchema CaseSensitive bool Salt *salt.Salt - SaltMutex *sync.RWMutex + SaltFunc func() (*salt.Salt, error) once sync.Once } @@ -51,10 +51,12 @@ func (p *PathMap) pathStruct(k string) *PathStruct { } // If we have a salt, apply it before lookup - if p.Salt != nil { - p.SaltMutex.RLock() - k = p.Salt.SaltID(k) - p.SaltMutex.RUnlock() + salt := p.Salt + if p.SaltFunc != nil { + salt, _ = p.SaltFunc() + } + if salt != nil { + k = salt.SaltID(k) } return &PathStruct{ diff --git a/logical/framework/path_map_test.go b/logical/framework/path_map_test.go index 3f9758816b..485f3bcde1 100644 --- a/logical/framework/path_map_test.go +++ b/logical/framework/path_map_test.go @@ -1,7 +1,6 @@ package framework import ( - "sync" "testing" "github.com/hashicorp/vault/helper/salt" @@ -140,14 +139,13 @@ func TestPathMap_routes(t *testing.T) { func TestPathMap_Salted(t *testing.T) { storage := new(logical.InmemStorage) - var mut sync.RWMutex salt, err := salt.NewSalt(storage, &salt.Config{ HashFunc: salt.SHA1Hash, }) if err != nil { t.Fatalf("err: %v", err) } - p := &PathMap{Name: "foo", Salt: salt, SaltMutex: &mut} + p := &PathMap{Name: "foo", Salt: salt} var b logical.Backend = &Backend{Paths: p.Paths()} // Write via HTTP @@ -173,9 +171,129 @@ func TestPathMap_Salted(t *testing.T) { } // Ensure the path is salted - mut.RLock() expect := salt.SaltID("a") - mut.RUnlock() + out, err = storage.Get("struct/map/foo/" + expect) + if err != nil { + t.Fatalf("err: %v", err) + } + if out == nil { + t.Fatalf("missing salted key") + } + + // Read via HTTP + resp, err := b.HandleRequest(&logical.Request{ + Operation: logical.ReadOperation, + Path: "map/foo/a", + Storage: storage, + }) + if err != nil { + t.Fatalf("bad: %#v", err) + } + if resp.Data["value"] != "bar" { + t.Fatalf("bad: %#v", resp) + } + + // Read via API + v, err := p.Get(storage, "a") + if err != nil { + t.Fatalf("bad: %#v", err) + } + if v["value"] != "bar" { + t.Fatalf("bad: %#v", v) + } + + // Read via API with other casing + v, err = p.Get(storage, "A") + if err != nil { + t.Fatalf("bad: %#v", err) + } + if v["value"] != "bar" { + t.Fatalf("bad: %#v", v) + } + + // Verify List + keys, err := p.List(storage, "") + if err != nil { + t.Fatalf("bad: %#v", err) + } + if len(keys) != 1 || keys[0] != expect { + t.Fatalf("bad: %#v", keys) + } + + // Delete via HTTP + resp, err = b.HandleRequest(&logical.Request{ + Operation: logical.DeleteOperation, + Path: "map/foo/a", + Storage: storage, + }) + if err != nil { + t.Fatalf("bad: %#v", err) + } + if resp != nil { + t.Fatalf("bad: %#v", resp) + } + + // Re-read via HTTP + resp, err = b.HandleRequest(&logical.Request{ + Operation: logical.ReadOperation, + Path: "map/foo/a", + Storage: storage, + }) + if err != nil { + t.Fatalf("bad: %#v", err) + } + if _, ok := resp.Data["value"]; ok { + t.Fatalf("bad: %#v", resp) + } + + // Re-read via API + v, err = p.Get(storage, "a") + if err != nil { + t.Fatalf("bad: %#v", err) + } + if v != nil { + t.Fatalf("bad: %#v", v) + } +} + +func TestPathMap_SaltFunc(t *testing.T) { + storage := new(logical.InmemStorage) + locSalt, err := salt.NewSalt(storage, &salt.Config{ + HashFunc: salt.SHA1Hash, + }) + if err != nil { + t.Fatalf("err: %v", err) + } + saltFunc := func() (*salt.Salt, error) { + return locSalt, nil + } + p := &PathMap{Name: "foo", SaltFunc: saltFunc} + var b logical.Backend = &Backend{Paths: p.Paths()} + + // Write via HTTP + _, err = b.HandleRequest(&logical.Request{ + Operation: logical.UpdateOperation, + Path: "map/foo/a", + Data: map[string]interface{}{ + "value": "bar", + }, + Storage: storage, + }) + if err != nil { + t.Fatalf("bad: %#v", err) + } + + // Non-salted version should not be there + out, err := storage.Get("struct/map/foo/a") + if err != nil { + t.Fatalf("err: %v", err) + } + if out != nil { + t.Fatalf("non-salted key found") + } + + // Ensure the path is salted + expect := locSalt.SaltID("a") out, err = storage.Get("struct/map/foo/" + expect) if err != nil { t.Fatalf("err: %v", err) diff --git a/vault/auth.go b/vault/auth.go index f0c90ffadc..5a5e68b2f9 100644 --- a/vault/auth.go +++ b/vault/auth.go @@ -42,7 +42,7 @@ var ( ) // enableCredential is used to enable a new credential backend -func (c *Core) enableCredential(entry *MountEntry, skipInitialization bool) error { +func (c *Core) enableCredential(entry *MountEntry) error { // Ensure we end the path in a slash if !strings.HasSuffix(entry.Path, "/") { entry.Path += "/" @@ -99,10 +99,8 @@ func (c *Core) enableCredential(entry *MountEntry, skipInitialization bool) erro return fmt.Errorf("nil backend returned from %q factory", entry.Type) } - if !skipInitialization { - if err := backend.Initialize(); err != nil { - return err - } + if err := backend.Initialize(); err != nil { + return err } // Update the auth table diff --git a/vault/auth_test.go b/vault/auth_test.go index a82e7635d1..bc150e965c 100644 --- a/vault/auth_test.go +++ b/vault/auth_test.go @@ -49,7 +49,7 @@ func TestCore_EnableCredential(t *testing.T) { Path: "foo", Type: "noop", } - err := c.enableCredential(me, false) + err := c.enableCredential(me) if err != nil { t.Fatalf("err: %v", err) } @@ -179,13 +179,13 @@ func TestCore_EnableCredential_twice_409(t *testing.T) { Path: "foo", Type: "noop", } - err := c.enableCredential(me, false) + err := c.enableCredential(me) if err != nil { t.Fatalf("err: %v", err) } // 2nd should be a 409 error - err2 := c.enableCredential(me, false) + err2 := c.enableCredential(me) switch err2.(type) { case logical.HTTPCodedError: if err2.(logical.HTTPCodedError).Code() != 409 { @@ -203,7 +203,7 @@ func TestCore_EnableCredential_Token(t *testing.T) { Path: "foo", Type: "token", } - err := c.enableCredential(me, false) + err := c.enableCredential(me) if err.Error() != "token credential backend cannot be instantiated" { t.Fatalf("err: %v", err) } @@ -225,7 +225,7 @@ func TestCore_DisableCredential(t *testing.T) { Path: "foo", Type: "noop", } - err = c.enableCredential(me, false) + err = c.enableCredential(me) if err != nil { t.Fatalf("err: %v", err) } @@ -286,7 +286,7 @@ func TestCore_DisableCredential_Cleanup(t *testing.T) { Path: "foo", Type: "noop", } - err := c.enableCredential(me, false) + err := c.enableCredential(me) if err != nil { t.Fatalf("err: %v", err) } diff --git a/vault/expiration_test.go b/vault/expiration_test.go index b3bd618025..7598611d9e 100644 --- a/vault/expiration_test.go +++ b/vault/expiration_test.go @@ -1352,7 +1352,7 @@ func TestExpiration_RevokeForce(t *testing.T) { Type: "badrenew", } - err := core.mount(me, false) + err := core.mount(me) if err != nil { t.Fatal(err) } diff --git a/vault/logical_system.go b/vault/logical_system.go index 6eefad5709..b5807a2d0c 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -1210,7 +1210,7 @@ func (b *SystemBackend) handleMount( } // Attempt mount - if err := b.Core.mount(me, false); err != nil { + if err := b.Core.mount(me); err != nil { b.Backend.Logger().Error("sys: mount failed", "path", me.Path, "error", err) return handleError(err) } @@ -1642,7 +1642,7 @@ func (b *SystemBackend) handleEnableAuth( } // Attempt enabling - if err := b.Core.enableCredential(me, false); err != nil { + if err := b.Core.enableCredential(me); err != nil { b.Backend.Logger().Error("sys: enable auth mount failed", "path", me.Path, "error", err) return handleError(err) } diff --git a/vault/mount.go b/vault/mount.go index 01c118dce1..1c921001c1 100644 --- a/vault/mount.go +++ b/vault/mount.go @@ -172,7 +172,7 @@ func (e *MountEntry) Clone() *MountEntry { } // Mount is used to mount a new backend to the mount table. -func (c *Core) mount(entry *MountEntry, skipInitialization bool) error { +func (c *Core) mount(entry *MountEntry) error { // Ensure we end the path in a slash if !strings.HasSuffix(entry.Path, "/") { entry.Path += "/" @@ -222,10 +222,8 @@ func (c *Core) mount(entry *MountEntry, skipInitialization bool) error { // Call initialize; this takes care of init tasks that must be run after // the ignore paths are collected - if !skipInitialization { - if err := backend.Initialize(); err != nil { - return err - } + if err := backend.Initialize(); err != nil { + return err } newTable := c.mounts.shallowClone() diff --git a/vault/mount_test.go b/vault/mount_test.go index d0647e3f22..e0b751954a 100644 --- a/vault/mount_test.go +++ b/vault/mount_test.go @@ -49,7 +49,7 @@ func TestCore_Mount(t *testing.T) { Path: "foo", Type: "generic", } - err := c.mount(me, false) + err := c.mount(me) if err != nil { t.Fatalf("err: %v", err) } @@ -226,7 +226,7 @@ func TestCore_Unmount_Cleanup(t *testing.T) { Path: "test/", Type: "noop", } - if err := c.mount(me, false); err != nil { + if err := c.mount(me); err != nil { t.Fatalf("err: %v", err) } @@ -346,7 +346,7 @@ func TestCore_Remount_Cleanup(t *testing.T) { Path: "test/", Type: "noop", } - if err := c.mount(me, false); err != nil { + if err := c.mount(me); err != nil { t.Fatalf("err: %v", err) } @@ -458,7 +458,7 @@ func TestCore_MountTable_UpgradeToTyped(t *testing.T) { Path: "foo", Type: "noop", } - err = c.enableCredential(me, false) + err = c.enableCredential(me) if err != nil { t.Fatalf("err: %v", err) } diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go index 52553ccf23..c966b04d34 100644 --- a/vault/request_handling_test.go +++ b/vault/request_handling_test.go @@ -20,7 +20,7 @@ func TestRequestHandling_Wrapping(t *testing.T) { UUID: meUUID, Path: "wraptest", Type: "generic", - }, false) + }) if err != nil { t.Fatalf("err: %v", err) } diff --git a/vault/token_store.go b/vault/token_store.go index 1e74517d36..c0e3dec0e2 100644 --- a/vault/token_store.go +++ b/vault/token_store.go @@ -134,7 +134,7 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error) lookupPrefix, accessorPrefix, parentPrefix, - "salt", + salt.DefaultLocation, }, }, @@ -480,6 +480,7 @@ func (ts *TokenStore) Initialize() error { // Setup the salt salt, err := salt.NewSalt(ts.view, &salt.Config{ HashFunc: salt.SHA1Hash, + Location: salt.DefaultLocation, }) if err != nil { return err