Don't write salts in initialization, look up on demand (#2702)

2025-11-07 22:13:12 +00:00 · 2017-05-09 17:51:09 -04:00
parent 254ed1f744
commit eb0e7cd0d2
22 changed files with 248 additions and 239 deletions
--- a/logical/framework/path_map_test.go
+++ b/logical/framework/path_map_test.go
@@ -1,7 +1,6 @@
 package framework

 import (
-	"sync"
 	"testing"

 	"github.com/hashicorp/vault/helper/salt"
@@ -140,14 +139,13 @@ func TestPathMap_routes(t *testing.T) {

 func TestPathMap_Salted(t *testing.T) {
 	storage := new(logical.InmemStorage)
-	var mut sync.RWMutex
 	salt, err := salt.NewSalt(storage, &salt.Config{
 		HashFunc: salt.SHA1Hash,
 	})
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	p := &PathMap{Name: "foo", Salt: salt, SaltMutex: &mut}
+	p := &PathMap{Name: "foo", Salt: salt}
 	var b logical.Backend = &Backend{Paths: p.Paths()}

 	// Write via HTTP
@@ -173,9 +171,129 @@ func TestPathMap_Salted(t *testing.T) {
 	}

 	// Ensure the path is salted
-	mut.RLock()
 	expect := salt.SaltID("a")
-	mut.RUnlock()
+	out, err = storage.Get("struct/map/foo/" + expect)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if out == nil {
+		t.Fatalf("missing salted key")
+	}
+
+	// Read via HTTP
+	resp, err := b.HandleRequest(&logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "map/foo/a",
+		Storage:   storage,
+	})
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+	if resp.Data["value"] != "bar" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read via API
+	v, err := p.Get(storage, "a")
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+	if v["value"] != "bar" {
+		t.Fatalf("bad: %#v", v)
+	}
+
+	// Read via API with other casing
+	v, err = p.Get(storage, "A")
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+	if v["value"] != "bar" {
+		t.Fatalf("bad: %#v", v)
+	}
+
+	// Verify List
+	keys, err := p.List(storage, "")
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+	if len(keys) != 1 || keys[0] != expect {
+		t.Fatalf("bad: %#v", keys)
+	}
+
+	// Delete via HTTP
+	resp, err = b.HandleRequest(&logical.Request{
+		Operation: logical.DeleteOperation,
+		Path:      "map/foo/a",
+		Storage:   storage,
+	})
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Re-read via HTTP
+	resp, err = b.HandleRequest(&logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "map/foo/a",
+		Storage:   storage,
+	})
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+	if _, ok := resp.Data["value"]; ok {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Re-read via API
+	v, err = p.Get(storage, "a")
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+	if v != nil {
+		t.Fatalf("bad: %#v", v)
+	}
+}
+
+func TestPathMap_SaltFunc(t *testing.T) {
+	storage := new(logical.InmemStorage)
+	locSalt, err := salt.NewSalt(storage, &salt.Config{
+		HashFunc: salt.SHA1Hash,
+	})
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	saltFunc := func() (*salt.Salt, error) {
+		return locSalt, nil
+	}
+	p := &PathMap{Name: "foo", SaltFunc: saltFunc}
+	var b logical.Backend = &Backend{Paths: p.Paths()}
+
+	// Write via HTTP
+	_, err = b.HandleRequest(&logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "map/foo/a",
+		Data: map[string]interface{}{
+			"value": "bar",
+		},
+		Storage: storage,
+	})
+	if err != nil {
+		t.Fatalf("bad: %#v", err)
+	}
+
+	// Non-salted version should not be there
+	out, err := storage.Get("struct/map/foo/a")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if out != nil {
+		t.Fatalf("non-salted key found")
+	}
+
+	// Ensure the path is salted
+	expect := locSalt.SaltID("a")
 	out, err = storage.Get("struct/map/foo/" + expect)
 	if err != nil {
 		t.Fatalf("err: %v", err)