From 5ff0653f9e194a499fe1ac085b1a9b1b51643017 Mon Sep 17 00:00:00 2001 From: Grant Limberg Date: Wed, 10 Jan 2018 16:50:58 -0800 Subject: [PATCH] Hooks into StateGet and StatePut for grabbing identity.secret from Vault --- service/OneService.cpp | 44 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/service/OneService.cpp b/service/OneService.cpp index 56f2551e0..672e3799b 100644 --- a/service/OneService.cpp +++ b/service/OneService.cpp @@ -480,7 +480,7 @@ public: // HashiCorp Vault Settings bool _vaultEnabled; std::string _vaultURL; - std::string _vaultKey; + std::string _vaultToken; std::string _vaultPath; // defaults to cubbyhole/zerotier/identity.secret for per-access key storage // Set to false to force service to stop @@ -517,7 +517,7 @@ public: #endif ,_vaultEnabled(false) ,_vaultURL() - ,_vaultKey() + ,_vaultToken() ,_vaultPath("cubbyhole/zerotier/identity.secret") ,_run(true) { @@ -1530,15 +1530,15 @@ public: if (!url.empty()) _vaultURL = url; - const std::string key(OSUtils::jsonString(vault["vaultKey"], "").c_str()); - if (!key.empty()) - _vaultKey = key; + const std::string token(OSUtils::jsonString(vault["vaultToken"], "").c_str()); + if (!token.empty()) + _vaultToken = token; const std::string path(OSUtils::jsonString(vault["vaultPath"], "").c_str()); if (!path.empty()) _vaultPath = path; - if (!_vaultURL.empty() && !_vaultKey.empty()) + if (!_vaultURL.empty() && !_vaultToken.empty()) _vaultEnabled = true; } } @@ -2109,8 +2109,18 @@ public: } } + inline void nodeVaultPutIdentitySecret(const void *data, int len) + { + return; + } + inline void nodeStatePutFunction(enum ZT_StateObjectType type,const uint64_t id[2],const void *data,int len) { + if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) { + nodeVaultPutIdentitySecret(data, len); + return; + } + char p[1024]; FILE *f; bool secure = false; @@ -2176,9 +2186,22 @@ public: OSUtils::rm(p); } } + + inline int nodeVaultGetIdentitySecret(void *data, unsigned int maxlen) + { + return 0; + } inline int nodeStateGetFunction(enum ZT_StateObjectType type,const uint64_t id[2],void *data,unsigned int maxlen) { + if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) { + int retval = nodeVaultGetIdentitySecret(data, maxlen); + if (retval >= 0) + return retval; + + // else continue file based lookup + } + char p[4096]; switch(type) { case ZT_STATE_OBJECT_IDENTITY_PUBLIC: @@ -2206,6 +2229,15 @@ public: if (f) { int n = (int)fread(data,1,maxlen,f); fclose(f); + + if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) { + // If we've gotten here while Vault is enabled, Vault does not know the key and it's been + // read from disk instead. + // + // We should put the value in Vault and remove the local file. + nodeVaultPutIdentitySecret(data, n); + unlink(p); + } if (n >= 0) return n; }