-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathbackend.go
124 lines (101 loc) · 2.59 KB
/
backend.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
package cognito
import (
"context"
"fmt"
"strings"
"sync"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
// backend wraps the backend framework and adds a map for storing key value pairs
type cognitoSecretBackend struct {
*framework.Backend
client client
lock sync.RWMutex
}
var _ logical.Factory = Factory
// Factory configures and returns Cognito backends
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
b, err := newBackend()
if err != nil {
return nil, err
}
if conf == nil {
return nil, fmt.Errorf("configuration passed into backend is nil")
}
if err := b.Setup(ctx, conf); err != nil {
return nil, err
}
return b, nil
}
func newBackend() (*cognitoSecretBackend, error) {
b := cognitoSecretBackend{}
b.Backend = &framework.Backend{
Help: strings.TrimSpace(cognitoHelp),
PathsSpecial: &logical.Paths{
SealWrapStorage: []string{
"config",
},
},
Paths: framework.PathAppend(
pathsRole(&b),
[]*framework.Path{
pathConfig(&b),
pathCreds(&b),
},
),
Secrets: []*framework.Secret{
secretUser(&b),
},
BackendType: logical.TypeLogical,
}
return &b, nil
}
func (b *cognitoSecretBackend) getClient(ctx context.Context, req *logical.Request) (client, error) {
b.lock.RLock()
unlockFunc := b.lock.RUnlock
defer func() { unlockFunc() }()
if b.client != nil {
return b.client, nil
}
b.lock.RUnlock()
b.lock.Lock()
unlockFunc = b.lock.Unlock
if b.client != nil {
return b.client, nil
}
config, _ := b.getConfig(ctx, req.Storage)
if config != nil {
c := &clientImpl{
AwsAccessKeyId: config.AwsAccessKeyId,
AwsAssumeRoleArn: config.AwsAssumeRoleArn,
AwsSecretAccessKey: config.AwsSecretAccessKey,
AwsSessionToken: config.AwsSessionToken,
}
b.client = c
return c, nil
} else {
c := &clientImpl{}
b.client = c
return c, nil
}
}
// reset clears the backend's cached client
// This is used when the configuration changes and a new client should be
// created with the updated settings.
func (b *cognitoSecretBackend) reset() {
b.lock.Lock()
defer b.lock.Unlock()
b.client = nil
}
func (b *cognitoSecretBackend) handleExistenceCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (bool, error) {
out, err := req.Storage.Get(ctx, req.Path)
if err != nil {
return false, errwrap.Wrapf("existence check failed: {{err}}", err)
}
return out != nil, nil
}
const cognitoHelp = `
The cognito backend is a secrets backend for AWS generating credentials for an AWS Cognito user pool.
`