Merge pull request #3699 from Crypt-iQ/macaroon_store_race_1109
macaroons: add encKeyMtx to prevent race condition
This commit is contained in:
commit
e1dd2a88e3
@ -5,6 +5,7 @@ import (
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"io"
|
||||
"sync"
|
||||
|
||||
"github.com/coreos/bbolt"
|
||||
|
||||
@ -47,6 +48,7 @@ var (
|
||||
type RootKeyStorage struct {
|
||||
*bbolt.DB
|
||||
|
||||
encKeyMtx sync.RWMutex
|
||||
encKey *snacl.SecretKey
|
||||
}
|
||||
|
||||
@ -63,12 +65,15 @@ func NewRootKeyStorage(db *bbolt.DB) (*RootKeyStorage, error) {
|
||||
}
|
||||
|
||||
// Return the DB wrapped in a RootKeyStorage object.
|
||||
return &RootKeyStorage{db, nil}, nil
|
||||
return &RootKeyStorage{DB: db, encKey: nil}, nil
|
||||
}
|
||||
|
||||
// CreateUnlock sets an encryption key if one is not already set, otherwise it
|
||||
// checks if the password is correct for the stored encryption key.
|
||||
func (r *RootKeyStorage) CreateUnlock(password *[]byte) error {
|
||||
r.encKeyMtx.Lock()
|
||||
defer r.encKeyMtx.Unlock()
|
||||
|
||||
// Check if we've already unlocked the store; return an error if so.
|
||||
if r.encKey != nil {
|
||||
return ErrAlreadyUnlocked
|
||||
@ -119,6 +124,9 @@ func (r *RootKeyStorage) CreateUnlock(password *[]byte) error {
|
||||
|
||||
// Get implements the Get method for the bakery.RootKeyStorage interface.
|
||||
func (r *RootKeyStorage) Get(_ context.Context, id []byte) ([]byte, error) {
|
||||
r.encKeyMtx.RLock()
|
||||
defer r.encKeyMtx.RUnlock()
|
||||
|
||||
if r.encKey == nil {
|
||||
return nil, ErrStoreLocked
|
||||
}
|
||||
@ -150,6 +158,9 @@ func (r *RootKeyStorage) Get(_ context.Context, id []byte) ([]byte, error) {
|
||||
// interface.
|
||||
// TODO(aakselrod): Add support for key rotation.
|
||||
func (r *RootKeyStorage) RootKey(_ context.Context) ([]byte, []byte, error) {
|
||||
r.encKeyMtx.RLock()
|
||||
defer r.encKeyMtx.RUnlock()
|
||||
|
||||
if r.encKey == nil {
|
||||
return nil, nil, ErrStoreLocked
|
||||
}
|
||||
@ -195,6 +206,9 @@ func (r *RootKeyStorage) RootKey(_ context.Context) ([]byte, []byte, error) {
|
||||
// Close closes the underlying database and zeroes the encryption key stored
|
||||
// in memory.
|
||||
func (r *RootKeyStorage) Close() error {
|
||||
r.encKeyMtx.Lock()
|
||||
defer r.encKeyMtx.Unlock()
|
||||
|
||||
if r.encKey != nil {
|
||||
r.encKey.Zero()
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user