Port over some changes

Makefile

@@ -82,8 +82,10 @@ proto:
 	protoc -I helper/forwarding -I vault -I ../../.. vault/*.proto --go_out=plugins=grpc:vault
 	protoc -I helper/storagepacker helper/storagepacker/types.proto --go_out=plugins=grpc:helper/storagepacker
 	protoc -I helper/forwarding -I vault -I ../../.. helper/forwarding/types.proto --go_out=plugins=grpc:helper/forwarding
+	protoc -I physical physical/types.proto --go_out=plugins=grpc:physical
 	protoc -I helper/identity -I ../../.. helper/identity/types.proto --go_out=plugins=grpc:helper/identity
 	sed -i -e 's/Idp/IDP/' -e 's/Url/URL/' -e 's/Id/ID/' -e 's/EntityId/EntityID/' -e 's/Api/API/' -e 's/Qr/QR/' -e 's/protobuf:"/sentinel:"" protobuf:"/' helper/identity/types.pb.go helper/storagepacker/types.pb.go
+	sed -i -e 's/Iv/IV/' -e 's/Hmac/HMAC/' physical/types.pb.go
 
 fmtcheck:
 	@sh -c "'$(CURDIR)/scripts/gofmtcheck.sh'"

api/sys_auth.go

@@ -87,6 +87,7 @@ type EnableAuthOptions struct {
 	Config      AuthConfigInput `json:"config" structs:"config"`
 	Local       bool            `json:"local" structs:"local"`
 	PluginName  string          `json:"plugin_name,omitempty" structs:"plugin_name,omitempty"`
+	SealWrap    bool            `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap"`
 }
 
 type AuthConfigInput struct {
@@ -99,6 +100,7 @@ type AuthMount struct {
 	Accessor    string           `json:"accessor" structs:"accessor" mapstructure:"accessor"`
 	Config      AuthConfigOutput `json:"config" structs:"config" mapstructure:"config"`
 	Local       bool             `json:"local" structs:"local" mapstructure:"local"`
+	SealWrap    bool             `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap"`
 }
 
 type AuthConfigOutput struct {

command/auth.go

@@ -377,7 +377,7 @@ func (c *AuthCommand) listMethods() int {
 	}
 	sort.Strings(paths)
 
-	columns := []string{"Path | Type | Accessor | Default TTL | Max TTL | Replication Behavior | Description"}
+	columns := []string{"Path | Type | Accessor | Default TTL | Max TTL | Replication Behavior | Seal Wrap | Description"}
 	for _, path := range paths {
 		auth := auth[path]
 		defTTL := "system"
@@ -393,7 +393,7 @@ func (c *AuthCommand) listMethods() int {
 			replicatedBehavior = "local"
 		}
 		columns = append(columns, fmt.Sprintf(
-			"%s | %s | %s | %s | %s | %s | %s", path, auth.Type, auth.Accessor, defTTL, maxTTL, replicatedBehavior, auth.Description))
+			"%s | %s | %s | %s | %s | %s | %t | %s", path, auth.Type, auth.Accessor, defTTL, maxTTL, replicatedBehavior, auth.SealWrap, auth.Description))
 	}
 
 	c.Ui.Output(columnize.SimpleFormat(columns))

command/auth_enable.go

@@ -16,12 +16,13 @@ type AuthEnableCommand struct {
 
 func (c *AuthEnableCommand) Run(args []string) int {
 	var description, path, pluginName string
-	var local bool
+	var local, sealWrap bool
 	flags := c.Meta.FlagSet("auth-enable", meta.FlagSetDefault)
 	flags.StringVar(&description, "description", "", "")
 	flags.StringVar(&path, "path", "", "")
 	flags.StringVar(&pluginName, "plugin-name", "", "")
 	flags.BoolVar(&local, "local", false, "")
+	flags.BoolVar(&sealWrap, "seal-wrap", false, "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
 	if err := flags.Parse(args); err != nil {
 		return 1
@@ -60,7 +61,8 @@ func (c *AuthEnableCommand) Run(args []string) int {
 		Config: api.AuthConfigInput{
 			PluginName: pluginName,
 		},
-		Local: local,
+		Local:    local,
+		SealWrap: sealWrap,
 	}); err != nil {
 		c.Ui.Error(fmt.Sprintf(
 			"Error: %s", err))
@@ -110,6 +112,8 @@ Auth Enable Options:
   -local                  Mark the mount as a local mount. Local mounts
                           are not replicated nor (if a secondary)
                           removed by replication.
+
+  -seal-wrap              Turn on seal wrapping for the mount.
 `
 	return strings.TrimSpace(helpText)
 }
@@ -137,5 +141,6 @@ func (c *AuthEnableCommand) AutocompleteFlags() complete.Flags {
 		"-path":        complete.PredictNothing,
 		"-plugin-name": complete.PredictNothing,
 		"-local":       complete.PredictNothing,
+		"-seal-wrap":   complete.PredictNothing,
 	}
 }

command/mount.go

@@ -16,7 +16,7 @@ type MountCommand struct {
 
 func (c *MountCommand) Run(args []string) int {
 	var description, path, defaultLeaseTTL, maxLeaseTTL, pluginName string
-	var local, forceNoCache bool
+	var local, forceNoCache, sealWrap bool
 	flags := c.Meta.FlagSet("mount", meta.FlagSetDefault)
 	flags.StringVar(&description, "description", "", "")
 	flags.StringVar(&path, "path", "", "")
@@ -25,6 +25,7 @@ func (c *MountCommand) Run(args []string) int {
 	flags.StringVar(&pluginName, "plugin-name", "", "")
 	flags.BoolVar(&forceNoCache, "force-no-cache", false, "")
 	flags.BoolVar(&local, "local", false, "")
+	flags.BoolVar(&sealWrap, "seal-wrap", false, "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
 	if err := flags.Parse(args); err != nil {
 		return 1
@@ -66,7 +67,8 @@ func (c *MountCommand) Run(args []string) int {
 			ForceNoCache:    forceNoCache,
 			PluginName:      pluginName,
 		},
-		Local: local,
+		Local:    local,
+		SealWrap: sealWrap,
 	}
 
 	if err := client.Sys().Mount(path, mountInfo); err != nil {
@@ -131,6 +133,8 @@ Mount Options:
   -local                         Mark the mount as a local mount. Local mounts
                                  are not replicated nor (if a secondary)
                                  removed by replication.
+
+  -seal-wrap                     Turn on seal wrapping for the mount.
 `
 	return strings.TrimSpace(helpText)
 }
@@ -160,5 +164,6 @@ func (c *MountCommand) AutocompleteFlags() complete.Flags {
 		"-force-no-cache":    complete.PredictNothing,
 		"-plugin-name":       complete.PredictNothing,
 		"-local":             complete.PredictNothing,
+		"-seal-wrap":         complete.PredictNothing,
 	}
 }

command/mounts.go

@@ -42,7 +42,7 @@ func (c *MountsCommand) Run(args []string) int {
 	}
 	sort.Strings(paths)
 
-	columns := []string{"Path | Type | Accessor | Plugin | Default TTL | Max TTL | Force No Cache | Replication Behavior | Description"}
+	columns := []string{"Path | Type | Accessor | Plugin | Default TTL | Max TTL | Force No Cache | Replication Behavior | Seal Wrap | Description"}
 	for _, path := range paths {
 		mount := mounts[path]
 		pluginName := "n/a"
@@ -70,8 +70,8 @@ func (c *MountsCommand) Run(args []string) int {
 			replicatedBehavior = "local"
 		}
 		columns = append(columns, fmt.Sprintf(
-			"%s | %s | %s | %s | %s | %s | %v | %s | %s", path, mount.Type, mount.Accessor, pluginName, defTTL, maxTTL,
-			mount.Config.ForceNoCache, replicatedBehavior, mount.Description))
+			"%s | %s | %s | %s | %s | %s | %v | %s | %t | %s", path, mount.Type, mount.Accessor, pluginName, defTTL, maxTTL,
+			mount.Config.ForceNoCache, replicatedBehavior, mount.SealWrap, mount.Description))
 	}
 
 	c.Ui.Output(columnize.SimpleFormat(columns))

helper/locksutil/locks.go

@@ -13,6 +13,18 @@ type LockEntry struct {
 	sync.RWMutex
 }
 
+// CreateLocks returns an array so that the locks can be itterated over in
+// order.
+//
+// This is only threadsafe if a process is using a single lock, or iterating
+// over the entire lock slice in order. Using a consistant order avoids
+// deadlocks because you can never have the following:
+//
+// Lock A, Lock B
+// Lock B, Lock A
+//
+// Where process 1 is now deadlocked trying to lock B, and process 2 deadlocked trying to lock A
+//
 func CreateLocks() []*LockEntry {
 	ret := make([]*LockEntry, LockCount)
 	for i := range ret {
@@ -30,3 +42,19 @@ func LockIndexForKey(key string) uint8 {
 func LockForKey(locks []*LockEntry, key string) *LockEntry {
 	return locks[LockIndexForKey(key)]
 }
+
+func LocksForKeys(locks []*LockEntry, keys []string) []*LockEntry {
+	lockIndexes := make(map[uint8]struct{}, len(keys))
+	for _, k := range keys {
+		lockIndexes[LockIndexForKey(k)] = struct{}{}
+	}
+
+	locksToReturn := make([]*LockEntry, 0, len(keys))
+	for i, l := range locks {
+		if _, ok := lockIndexes[uint8(i)]; ok {
+			locksToReturn = append(locksToReturn, l)
+		}
+	}
+
+	return locksToReturn
+}

physical/file/file.go

@@ -34,6 +34,10 @@ type TransactionalFileBackend struct {
 	FileBackend
 }
 
+type fileEntry struct {
+	Value []byte
+}
+
 // NewFileBackend constructs a FileBackend using the given directory
 func NewFileBackend(conf map[string]string, logger log.Logger) (physical.Backend, error) {
 	path, ok := conf["path"]
@@ -163,12 +167,15 @@ func (b *FileBackend) GetInternal(k string) (*physical.Entry, error) {
 		return nil, err
 	}
 
-	var entry physical.Entry
+	var entry fileEntry
 	if err := jsonutil.DecodeJSONFromReader(f, &entry); err != nil {
 		return nil, err
 	}
 
-	return &entry, nil
+	return &physical.Entry{
+		Key:   k,
+		Value: entry.Value,
+	}, nil
 }
 
 func (b *FileBackend) Put(entry *physical.Entry) error {
@@ -205,7 +212,9 @@ func (b *FileBackend) PutInternal(entry *physical.Entry) error {
 		return err
 	}
 	enc := json.NewEncoder(f)
-	return enc.Encode(entry)
+	return enc.Encode(&fileEntry{
+		Value: entry.Value,
+	})
 }
 
 func (b *FileBackend) List(prefix string) ([]string, error) {

physical/inmem/inmem.go

@@ -59,7 +59,7 @@ func (i *InmemBackend) Put(entry *physical.Entry) error {
 }
 
 func (i *InmemBackend) PutInternal(entry *physical.Entry) error {
-	i.root.Insert(entry.Key, entry)
+	i.root.Insert(entry.Key, entry.Value)
 	return nil
 }
 
@@ -76,7 +76,10 @@ func (i *InmemBackend) Get(key string) (*physical.Entry, error) {
 
 func (i *InmemBackend) GetInternal(key string) (*physical.Entry, error) {
 	if raw, ok := i.root.Get(key); ok {
-		return raw.(*physical.Entry), nil
+		return &physical.Entry{
+			Key:   key,
+			Value: raw.([]byte),
+		}, nil
 	}
 	return nil, nil
 }

physical/transactions.go

@@ -52,9 +52,8 @@ TxnWalk:
 			rollbackEntry := &TxnEntry{
 				Operation: PutOperation,
 				Entry: &Entry{
-					Key:      entry.Key,
-					Value:    entry.Value,
-					SealWrap: entry.SealWrap,
+					Key:   entry.Key,
+					Value: entry.Value,
 				},
 			}
 			err = t.DeleteInternal(txn.Entry.Key)
@@ -85,9 +84,8 @@ TxnWalk:
 				rollbackEntry = &TxnEntry{
 					Operation: PutOperation,
 					Entry: &Entry{
-						Key:      entry.Key,
-						Value:    entry.Value,
-						SealWrap: entry.SealWrap,
+						Key:   entry.Key,
+						Value: entry.Value,
 					},
 				}
 			}

physical/types.proto

@@ -0,0 +1,13 @@
+syntax = "proto3";
+
+package physical;
+
+message SealWrapEntry {
+    bytes ciphertext = 1;
+
+    bytes iv  = 2;
+
+    bytes hmac = 3;
+
+    bool wrapped = 4;
+}

vault/barrier.go

@@ -30,7 +30,8 @@ const (
 
 	// keyringPath is the location of the keyring data. This is encrypted
 	// by the master key.
-	keyringPath = "core/keyring"
+	keyringPath   = "core/keyring"
+	keyringPrefix = "core/"
 
 	// keyringUpgradePrefix is the path used to store keyring update entries.
 	// When running in HA mode, the active instance will install the new key