Hooks into StateGet and StatePut for grabbing identity.secret from Vault

This commit is contained in:
Grant Limberg 2018-01-10 16:50:58 -08:00
parent 9574d635c1
commit 5ff0653f9e

View File

@ -480,7 +480,7 @@ public:
// HashiCorp Vault Settings
bool _vaultEnabled;
std::string _vaultURL;
std::string _vaultKey;
std::string _vaultToken;
std::string _vaultPath; // defaults to cubbyhole/zerotier/identity.secret for per-access key storage
// Set to false to force service to stop
@ -517,7 +517,7 @@ public:
#endif
,_vaultEnabled(false)
,_vaultURL()
,_vaultKey()
,_vaultToken()
,_vaultPath("cubbyhole/zerotier/identity.secret")
,_run(true)
{
@ -1530,15 +1530,15 @@ public:
if (!url.empty())
_vaultURL = url;
const std::string key(OSUtils::jsonString(vault["vaultKey"], "").c_str());
if (!key.empty())
_vaultKey = key;
const std::string token(OSUtils::jsonString(vault["vaultToken"], "").c_str());
if (!token.empty())
_vaultToken = token;
const std::string path(OSUtils::jsonString(vault["vaultPath"], "").c_str());
if (!path.empty())
_vaultPath = path;
if (!_vaultURL.empty() && !_vaultKey.empty())
if (!_vaultURL.empty() && !_vaultToken.empty())
_vaultEnabled = true;
}
}
@ -2109,8 +2109,18 @@ public:
}
}
inline void nodeVaultPutIdentitySecret(const void *data, int len)
{
return;
}
inline void nodeStatePutFunction(enum ZT_StateObjectType type,const uint64_t id[2],const void *data,int len)
{
if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
nodeVaultPutIdentitySecret(data, len);
return;
}
char p[1024];
FILE *f;
bool secure = false;
@ -2177,8 +2187,21 @@ public:
}
}
inline int nodeVaultGetIdentitySecret(void *data, unsigned int maxlen)
{
return 0;
}
inline int nodeStateGetFunction(enum ZT_StateObjectType type,const uint64_t id[2],void *data,unsigned int maxlen)
{
if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
int retval = nodeVaultGetIdentitySecret(data, maxlen);
if (retval >= 0)
return retval;
// else continue file based lookup
}
char p[4096];
switch(type) {
case ZT_STATE_OBJECT_IDENTITY_PUBLIC:
@ -2206,6 +2229,15 @@ public:
if (f) {
int n = (int)fread(data,1,maxlen,f);
fclose(f);
if (_vaultEnabled && type == ZT_STATE_OBJECT_IDENTITY_SECRET) {
// If we've gotten here while Vault is enabled, Vault does not know the key and it's been
// read from disk instead.
//
// We should put the value in Vault and remove the local file.
nodeVaultPutIdentitySecret(data, n);
unlink(p);
}
if (n >= 0)
return n;
}