Hooks into StateGet and StatePut for grabbing identity.secret from Vault

This commit is contained in:
Grant Limberg 2018-01-10 16:50:58 -08:00
parent 9574d635c1
commit 5ff0653f9e


@ -480,7 +480,7 @@ public:
// HashiCorp Vault Settings // HashiCorp Vault Settings
bool _vaultEnabled; bool _vaultEnabled;
std::string _vaultURL; std::string _vaultURL;
std::string _vaultKey; std::string _vaultToken;
std::string _vaultPath; // defaults to cubbyhole/zerotier/identity.secret for per-access key storage std::string _vaultPath; // defaults to cubbyhole/zerotier/identity.secret for per-access key storage
// Set to false to force service to stop // Set to false to force service to stop
@ -517,7 +517,7 @@ public:
#endif #endif
,_vaultEnabled(false) ,_vaultEnabled(false)
,_vaultURL() ,_vaultURL()
,_vaultKey() ,_vaultToken()
,_vaultPath("cubbyhole/zerotier/identity.secret") ,_vaultPath("cubbyhole/zerotier/identity.secret")
,_run(true) ,_run(true)
{ {
@ -1530,15 +1530,15 @@ public:
if (!url.empty()) if (!url.empty())
_vaultURL = url; _vaultURL = url;
const std::string key(OSUtils::jsonString(vault["vaultKey"], "").c_str()); const std::string token(OSUtils::jsonString(vault["vaultToken"], "").c_str());
if (!key.empty()) if (!token.empty())
_vaultKey = key; _vaultToken = token;
const std::string path(OSUtils::jsonString(vault["vaultPath"], "").c_str()); const std::string path(OSUtils::jsonString(vault["vaultPath"], "").c_str());
if (!path.empty()) if (!path.empty())
_vaultPath = path; _vaultPath = path;
if (!_vaultURL.empty() && !_vaultKey.empty()) if (!_vaultURL.empty() && !_vaultToken.empty())
_vaultEnabled = true; _vaultEnabled = true;
} }
} }
@ -2109,8 +2109,18 @@ public:
} }
} }
inline void nodeVaultPutIdentitySecret(const void *data, int len)
{
return;
}
inline void nodeStatePutFunction(enum ZT_StateObjectType type,const uint64_t id[2],const void *data,int len) inline void nodeStatePutFunction(enum ZT_StateObjectType type,const uint64_t id[2],const void *data,int len)
{ {
if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
nodeVaultPutIdentitySecret(data, len);
return;
}
char p[1024]; char p[1024];
FILE *f; FILE *f;
bool secure = false; bool secure = false;
@ -2177,8 +2187,21 @@ public:
} }
} }
inline int nodeVaultGetIdentitySecret(void *data, unsigned int maxlen)
{
return 0;
}
inline int nodeStateGetFunction(enum ZT_StateObjectType type,const uint64_t id[2],void *data,unsigned int maxlen) inline int nodeStateGetFunction(enum ZT_StateObjectType type,const uint64_t id[2],void *data,unsigned int maxlen)
{ {
if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
int retval = nodeVaultGetIdentitySecret(data, maxlen);
if (retval >= 0)
return retval;
// else continue file based lookup
}
char p[4096]; char p[4096];
switch(type) { switch(type) {
case ZT_STATE_OBJECT_IDENTITY_PUBLIC: case ZT_STATE_OBJECT_IDENTITY_PUBLIC:
@ -2206,6 +2229,15 @@ public:
if (f) { if (f) {
int n = (int)fread(data,1,maxlen,f); int n = (int)fread(data,1,maxlen,f);
fclose(f); fclose(f);
if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
// If we've gotten here while Vault is enabled, Vault does not know the key and it's been
// read from disk instead.
//
// We should put the value in Vault and remove the local file.
nodeVaultPutIdentitySecret(data, n);
unlink(p);
}
if (n >= 0) if (n >= 0)
return n; return n;
} }
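Review bot: The Vault helpers introduced here are still no-op stubs, but the callers already treat them as authoritative, so enabling Vault loses the identity secret: in this hunk `nodeVaultPutIdentitySecret(data, n);` is immediately followed by `unlink(p);`, which deletes the only on-disk copy while nothing has been written to Vault. The same assumption breaks the two earlier hunks: the put hook returns before the file write ever runs, and `nodeVaultGetIdentitySecret` returns 0 rather than a negative value, so the "continue file based lookup" branch is unreachable and the get hook reports an empty secret. Until the Vault client exists, the stubs should report failure and callers should skip or delete the file copy only after a successful Vault write, as sketched below. nodeStateGetFunction begins and ends outside this hunk.
```cpp
// Stub until the Vault client lands: report failure so callers keep the file-based path.
inline bool nodeVaultPutIdentitySecret(const void *data, int len)
{
	return false;
}
// … unchanged: nodeStatePutFunction signature …
	if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
		if (nodeVaultPutIdentitySecret(data, len))
			return;
		// Vault write failed: fall through and persist to disk as before
	}
// … unchanged: file-based write …
// Stub: a negative return means "not in Vault", so the file-based lookup runs.
inline int nodeVaultGetIdentitySecret(void *data, unsigned int maxlen)
{
	return -1;
}
// … unchanged: nodeStateGetFunction, file lookup and fread …
	if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
		// Vault did not have the secret and it was read from disk; migrate it
		// into Vault and only then remove the plaintext copy.
		if (n > 0 && nodeVaultPutIdentitySecret(data, n))
			unlink(p);
	}
```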