vault_client 0.3.2

A client library for HashiCorp Vault
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

//! A cache is stored on disk. This allows us to persist secrets over restart of the process, which
//! allows the client library to provide service without contacting Vault for a limited period of
//! time.

use std::collections::HashMap;
use std::fs::File;
use std::io::Write;
use std::path::Path;

use atomicwrites::{AllowOverwrite, AtomicFile};
use serde_json;

use errors::*;
use secret::pki::{CaChain, X509};

/// All secrets that the client library has ever issued will be stored in the cache. Each secret is
/// responsible for keeping its own entry in the cache up to date.
#[derive(Serialize, Deserialize, Default, PartialEq, Debug)]
pub struct Cache {
    /// PKI backend: Certificates
    pub certificates: HashMap<String, X509>,

    /// PKI backend: CA certificate chain, against which the certificates are verified.
    pub ca_certificate_chain: Option<CaChain>,
}

impl Cache {
    /// Loads the current cache. If there is no cache at the path indicated, will return an empty
    /// `Cache`.
    pub fn load(path: &Path) -> Result<Self> {
        if let Ok(file) = File::open(path) {
            serde_json::from_reader(file).chain_err(|| "Unable to parse cache on disk")
        } else {
            Ok(Default::default())
        }
    }

    /// Update the cache with new values. This is atomic.
    pub fn update<F: Fn(&mut Self)>(path: &Path, updater: F) -> Result<()> {
        debug!("Updating cache on disk");

        AtomicFile::new(path, AllowOverwrite)
            .write(|f| {
                let cache_string = {
                    let mut cache = Cache::load(path).unwrap_or_default();
                    updater(&mut cache);
                    serde_json::to_string(&cache).expect("Impossible to fail to serialize cache")
                };

                f.write_all(cache_string.as_bytes())
                    .chain_err(|| "Failed to write cache")
            })
            .chain_err(|| "Failed to update contents of on-disk cache")
            .log(|m| debug!("Successfully updated cache on disk: {:?}", m))
    }
}

#[cfg(test)]
mod tests {
    extern crate tempfile;

    use std::time::Duration;

    use self::tempfile::NamedTempFile;

    use secret::pki::X509;
    use secret::Secret;
    use Cache;

    fn new_certificate<S: Into<String>>(common_name: S) -> X509 {
        X509 {
            common_name: common_name.into(),
            certificate: "certificate".to_string(),
            issuing_ca: "issuing_ca".to_string(),
            ca_chain: None,
            private_key: "private_key".to_string(),
            private_key_type: "private_key_type".to_string(),
            serial_number: "serial_number".to_string(),
            replace_after: Duration::from_secs(100),
            lifetime: Duration::from_secs(200),
        }
    }

    #[test]
    fn insert() {
        let cache_file = NamedTempFile::new().unwrap();
        let certificate = new_certificate("foo");

        // Write the cache
        Cache::update(cache_file.path(), |cache| certificate.update_cache(cache)).unwrap();

        // `bar` not in cache
        assert!(
            !Cache::load(cache_file.path())
                .unwrap()
                .certificates
                .contains_key("bar"),
            "Unexpected key 'bar' in cache"
        );

        // Add `bar` to cache
        let new_certificate = new_certificate("bar");
        Cache::update(cache_file.path(), |cache| {
            new_certificate.update_cache(cache)
        }).unwrap();
        assert!(
            Cache::load(cache_file.path())
                .unwrap()
                .certificates
                .contains_key("foo"),
            "'foo' not in cache"
        );
        assert!(
            Cache::load(cache_file.path())
                .unwrap()
                .certificates
                .contains_key("bar"),
            "'bar' not in cache"
        );
    }

    #[test]
    fn read_write_symmetry() {
        let cache_file = NamedTempFile::new().unwrap();
        let certificate = new_certificate("foo");

        // Write the cache
        Cache::update(cache_file.path(), |cache| certificate.update_cache(cache)).unwrap();

        // Read and verify that it gives the same certificate.
        assert_eq!(
            Cache::load(cache_file.path()).unwrap().certificates["foo"],
            certificate,
            "Certificate after read/write cycle does not match original"
        );
    }

    #[test]
    fn idempotency() {
        let cache_file = NamedTempFile::new().unwrap();
        let certificate = new_certificate("foo");

        // Write the cache
        Cache::update(cache_file.path(), |cache| certificate.update_cache(cache)).unwrap();

        // Read and verify that it gives the same certificate.
        let old_cache = Cache::load(cache_file.path()).unwrap();
        assert_eq!(
            old_cache.certificates["foo"], certificate,
            "Failed to write expected certificate"
        );

        // Update the cache again.
        Cache::update(cache_file.path(), |cache| certificate.update_cache(cache)).unwrap();

        // Check that it's still the same
        assert_eq!(
            Cache::load(cache_file.path()).unwrap(),
            old_cache,
            "Cache update not idempotent"
        );
    }
}