vault_client 0.3.2

A client library for HashiCorp Vault
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

//! The [secret backends](https://www.vaultproject.io/docs/secrets/index.html) supported by the
//! client library.
use std::fmt::Debug;
use std::path::PathBuf;
use std::sync::Arc;
use std::time::Duration;

use futures::Future;
use pinboard::NonEmptyPinboard;
use tokio_core::reactor::Remote;
use tokio_timer::Timer;
use vault_api::Api as VaultApi;

use self::token::Token;
use cache::Cache;
use errors::*;

pub mod pki;
pub mod token;

/// This is an interface for secrets that need to be updated in order to stay valid. Note that said
/// updates may not need to follow any strict periodicity.
pub trait Secret: Debug + Send + Sync + Clone {
    /// Ask the Vault client for a new version of this secret, valid for a longer period.
    fn get_new<T: Into<String>, V: VaultApi>(
        self,
        client: &V,
        token: T,
    ) -> Box<Future<Item = Self, Error = Error> + Send>;

    /// Callers must use this function to work out when `Secret` next needs to be updated.
    fn get_time_to_replace(&self) -> &Duration;

    /// If this secret is stored in the cache, implement this function to update it accordingly when
    /// a new value is obtained.
    fn update_cache(&self, _cache: &mut Cache) {}
}

/// Constructor for `Secrets`. This allows clients of this crate to supply some of the config
/// without needing to worry about e.g. the `VaultApi` client.
pub trait SecretBuilder<S: Secret>: Send {
    /// Construct a `Secret`
    fn build<T: Into<String>, V: VaultApi>(
        self,
        client: Arc<V>,
        token: T,
    ) -> Box<Future<Item = S, Error = Error> + Send>;
}

/// Run though one round of keeping a secret up to date. Wait for a period, then update the
/// secret and kick off another run of this function.
pub fn keep_secret_up_to_date<V, S>(
    remote: &Remote,
    secret: Arc<NonEmptyPinboard<S>>,
    client: Arc<V>,
    timer: Timer,
    cache_path: &PathBuf,
    token: Arc<NonEmptyPinboard<Token>>,
) -> Box<Future<Item = (), Error = ()> + Send>
where
    V: 'static + VaultApi + Send + Sync,
    S: 'static + Secret,
{
    let cache_path = cache_path.to_owned();

    Box::new(
        secret
            .read()
            .get_new(&*client, token.read().get_token_str().to_owned())
            .log(|m| info!("Updated secret: {:?}", m))
            .and_then({
                let cache_path = cache_path.clone();

                move |new_secret| {
                    Cache::update(&cache_path, |cache| new_secret.update_cache(cache))?;
                    Ok(new_secret)
                }
            })
            .map({
                let secret = secret.clone();

                move |new_secret| {
                    // Got the new secret. Overwrite the old one. Note that there are no guarantees here
                    // that we are not accidentally overwriting someone else's changes, as we are not using
                    // locks.
                    secret.set(new_secret.to_owned());
                    new_secret
                }
            })
            .and_then({
                let timer = timer.clone();

                move |new_secret| {
                    let duration = new_secret.get_time_to_replace();

                    // Sleep for the duration of the secret
                    debug!("Sleeping for {:?}", duration);
                    timer
                        .sleep(*duration)
                        .then(|e| e.chain_err(|| "Secret timer error"))
                }
            })
            .and_then({
                let remote = remote.to_owned();
                let timer = timer.clone();
                let secret = secret.clone();
                let client = client.clone();
                let cache_path = cache_path.clone();
                let token = token.clone();

                move |_| {
                    // Spawn a new task which does this all again
                    remote.spawn(move |handle| {
                        keep_secret_up_to_date(
                            handle.remote(),
                            secret,
                            client,
                            timer,
                            &cache_path,
                            token,
                        )
                    });
                    Ok(())
                }
            })
            .or_else({
                let remote = remote.to_owned();

                move |err| {
                    // On failure, retry every 10 minutes.
                    error!("Failure - retrying in 10 minutes: {:?}", err);

                    timer
                        .sleep(Duration::from_secs(60 * 10))
                        .then(|e| e.chain_err(|| "Retry timer error"))
                        .then({
                            move |_| {
                                // Spawn a new task which does this all again
                                remote.spawn(move |handle| {
                                    keep_secret_up_to_date(
                                        handle.remote(),
                                        secret,
                                        client,
                                        timer,
                                        &cache_path,
                                        token,
                                    )
                                });
                                Ok(())
                            }
                        })
                }
            }),
    )
}