-
Notifications
You must be signed in to change notification settings - Fork 10
/
path_config.go
151 lines (129 loc) · 4.46 KB
/
path_config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package gcpkms
import (
"context"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
// pathConfig defines the gcpkms/config base path on the backend.
func (b *backend) pathConfig() *framework.Path {
return &framework.Path{
Pattern: "config",
DisplayAttrs: &framework.DisplayAttributes{
OperationPrefix: operationPrefixGoogleCloudKMS,
},
HelpSynopsis: "Configure the GCP KMS secrets engine",
HelpDescription: "Configure the GCP KMS secrets engine with credentials " +
"or manage the requested scope(s).",
Fields: map[string]*framework.FieldSchema{
"credentials": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
The credentials to use for authenticating to Google Cloud. Leave this blank to
use the Default Application Credentials or instance metadata authentication.
`,
},
"scopes": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `
The list of full-URL scopes to request when authenticating. By default, this
requests https://www.googleapis.com/auth/cloudkms.
`,
},
},
ExistenceCheck: b.pathConfigExists,
Operations: map[logical.Operation]framework.OperationHandler{
logical.CreateOperation: &framework.PathOperation{
Callback: withFieldValidator(b.pathConfigWrite),
DisplayAttrs: &framework.DisplayAttributes{
OperationVerb: "configure",
},
},
logical.UpdateOperation: &framework.PathOperation{
Callback: withFieldValidator(b.pathConfigWrite),
DisplayAttrs: &framework.DisplayAttributes{
OperationVerb: "configure",
},
},
logical.ReadOperation: &framework.PathOperation{
Callback: withFieldValidator(b.pathConfigRead),
DisplayAttrs: &framework.DisplayAttributes{
OperationVerb: "read",
OperationSuffix: "configuration",
},
},
logical.DeleteOperation: &framework.PathOperation{
Callback: withFieldValidator(b.pathConfigDelete),
DisplayAttrs: &framework.DisplayAttributes{
OperationVerb: "delete",
OperationSuffix: "configuration",
},
},
},
}
}
// pathConfigExists checks if the configuration exists.
func (b *backend) pathConfigExists(ctx context.Context, req *logical.Request, _ *framework.FieldData) (bool, error) {
entry, err := req.Storage.Get(ctx, "config")
if err != nil {
return false, errwrap.Wrapf("failed to get configuration from storage: {{err}}", err)
}
if entry == nil || len(entry.Value) == 0 {
return false, nil
}
return true, nil
}
// pathConfigRead corresponds to READ gcpkms/config and is used to
// read the current configuration.
func (b *backend) pathConfigRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
c, err := b.Config(ctx, req.Storage)
if err != nil {
return nil, err
}
return &logical.Response{
Data: map[string]interface{}{
"scopes": c.Scopes,
},
}, nil
}
// pathConfigWrite corresponds to both CREATE and UPDATE gcpkms/config and is
// used to create or update the current configuration.
func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// Get the current configuration, if it exists
c, err := b.Config(ctx, req.Storage)
if err != nil {
return nil, err
}
// Update the configuration
changed, err := c.Update(d)
if err != nil {
return nil, logical.CodedError(400, err.Error())
}
// Only do the following if the config is different
if changed {
// Generate a new storage entry
entry, err := logical.StorageEntryJSON("config", c)
if err != nil {
return nil, errwrap.Wrapf("failed to generate JSON configuration: {{err}}", err)
}
// Save the storage entry
if err := req.Storage.Put(ctx, entry); err != nil {
return nil, errwrap.Wrapf("failed to persist configuration to storage: {{err}}", err)
}
// Invalidate existing client so it reads the new configuration
b.ResetClient()
}
return nil, nil
}
// pathConfigDelete corresponds to DELETE gcpkms/config and is used to delete
// all the configuration.
func (b *backend) pathConfigDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
if err := req.Storage.Delete(ctx, "config"); err != nil {
return nil, errwrap.Wrapf("failed to delete from storage: {{err}}", err)
}
// Invalidate existing client so it reads the new configuration
b.ResetClient()
return nil, nil
}