From 61bf06307c4f3be41c0c74a95d55305e8e2ae732 Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Thu, 18 Aug 2016 18:57:33 -0700
Subject: [PATCH] Commit Vault Accessors to vault and return the response

---
 nomad/node_endpoint.go | 41 +++++++++++++++++++++++++++++++++++++---
 nomad/structs/structs.go | 3 ++-
 2 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/nomad/node_endpoint.go b/nomad/node_endpoint.go
index d4fe1e7db..4175dbfc6 100644
--- a/nomad/node_endpoint.go
+++ b/nomad/node_endpoint.go
@@ -922,9 +922,9 @@ func (n *Node) DeriveVaultToken(args *structs.DeriveVaultTokenRequest,
 if node == nil {
 return fmt.Errorf("Node %q does not exist", args.NodeID)
 }
- //if node.SecretID != args.SecretID {
-//return fmt.Errorf("SecretID mismatch")
- //}
+ if node.SecretID != args.SecretID {
+ return fmt.Errorf("SecretID mismatch")
+ }
 alloc, err := snap.AllocByID(args.AllocID)
 if err != nil {
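Review bot: The re-enabled check compares the node secret with `!=`, which is not constant-time and also passes whenever both `node.SecretID` and `args.SecretID` are empty, so a node record with no secret set (if such records can exist here) would accept a request carrying no secret at all. Prefer `if node.SecretID == "" || subtle.ConstantTimeCompare([]byte(node.SecretID), []byte(args.SecretID)) != 1 {` with the same error return, which needs `crypto/subtle` in the import block. DeriveVaultToken begins before this hunk and continues past it.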
@@ -1007,6 +1007,41 @@ func (n *Node) DeriveVaultToken(args *structs.DeriveVaultTokenRequest,
 // Wait for everything to complete or for an error
 err = g.Wait()
+ if err != nil {
+ // TODO Revoke any created token
+ return err
+ }
+ // Commit to Raft before returning any of the tokens
+ accessors := make([]*structs.VaultAccessor, 0, len(results))
+ tokens := make(map[string]string, len(results))
+ for task, secret := range results {
+ w := secret.WrapInfo
+ if w == nil {
+ return fmt.Errorf("Vault returned Secret without WrapInfo")
+ }
+
+ tokens[task] = w.Token
+ accessor := &structs.VaultAccessor{
+ Accessor: w.WrappedAccessor,
+ Task: task,
+ NodeID: alloc.NodeID,
+ AllocID: alloc.ID,
+ CreationTTL: w.TTL,
+ }
+
+ accessors = append(accessors, accessor)
+ }
+
+ req := structs.VaultAccessorRegisterRequest{Accessors: accessors}
+ _, index, err := n.srv.raftApply(structs.VaultAccessorRegisterRequestType, &req)
+ if err != nil {
+ n.srv.logger.Printf("[ERR] nomad.client: Register Vault accessors failed: %v", err)
+ return err
+ }
+
+ reply.Index = index
+ reply.Tasks = tokens
+ n.srv.setQueryMeta(&reply.QueryMeta)
 return nil
 }
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index 7f1079372..adfa3a5ae 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -377,7 +377,7 @@ type VaultAccessor struct {
 Task string
 NodeID string
 Accessor string
- CreationTTL int64
+ CreationTTL int
 // Raft Indexes
 CreateIndex uint64
@@ -385,6 +385,7 @@ type VaultAccessor struct {
 // DeriveVaultTokenResponse returns the wrapped tokens for each requested task
 type DeriveVaultTokenResponse struct {
+ // Tasks is a mapping between the task name and the wrapped token
 Tasks map[string]string
 QueryMeta
 }
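Review bot: Every error return after the tokens are minted leaves them live in Vault with no record of them: the TODO at the `g.Wait()` check acknowledges that path, but the `w == nil` return inside the loop and the `raftApply` failure also return without revoking anything, and since the accessors never reached Raft nothing later can find these tokens to revoke them. A `defer` placed right after `g.Wait()` that best-effort revokes every token in `results` whenever the function is about to return a non-nil error would close all three paths in one place, using whatever revoke call the Vault client in this file already exposes. Separately, `CreationTTL: w.TTL` stores the wrapping token's TTL next to `Accessor: w.WrappedAccessor`, which identifies the inner token; if this TTL is meant to drive expiry of the inner token, confirm it is the right value. The `logger.Printf` followed by `return err` reports the same failure at two layers; one of them is enough. DeriveVaultToken begins before this hunk.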