Merge pull request #1429 from hashicorp/locked-non-locked

aws-auth: naming of the locked and non-locked methods.

builtin/credential/aws/backend.go

@@ -114,7 +114,7 @@ func (b *backend) periodicFunc(req *logical.Request) error {
 	if b.nextTidyTime.IsZero() || !time.Now().UTC().Before(b.nextTidyTime) {
 		// safety_buffer defaults to 180 days for roletag blacklist
 		safety_buffer := 15552000
-		tidyBlacklistConfigEntry, err := b.configTidyRoleTags(req.Storage)
+		tidyBlacklistConfigEntry, err := b.lockedConfigTidyRoleTags(req.Storage)
 		if err != nil {
 			return err
 		}
@@ -135,7 +135,7 @@ func (b *backend) periodicFunc(req *logical.Request) error {
 
 		// reset the safety_buffer to 72h
 		safety_buffer = 259200
-		tidyWhitelistConfigEntry, err := b.configTidyIdentities(req.Storage)
+		tidyWhitelistConfigEntry, err := b.lockedConfigTidyIdentities(req.Storage)
 		if err != nil {
 			return err
 		}

builtin/credential/aws/backend_test.go

@@ -98,7 +98,7 @@ func TestBackend_CreateParseVerifyRoleTag(t *testing.T) {
 	}
 
 	// read the created role entry
-	roleEntry, err := b.awsRole(storage, "abcd-123")
+	roleEntry, err := b.lockedAWSRole(storage, "abcd-123")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -165,7 +165,7 @@ func TestBackend_CreateParseVerifyRoleTag(t *testing.T) {
 	}
 
 	// get the entry of the newly created role entry
-	roleEntry2, err := b.awsRole(storage, "ami-6789")
+	roleEntry2, err := b.lockedAWSRole(storage, "ami-6789")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1098,7 +1098,7 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) {
 	}
 
 	// try to read the deleted entry
-	tagEntry, err := b.blacklistRoleTagEntry(storage, tag)
+	tagEntry, err := b.lockedBlacklistRoleTagEntry(storage, tag)
 	if err != nil {
 		t.Fatal(err)
 	}

builtin/credential/aws/client.go

@@ -24,7 +24,7 @@ func (b *backend) getClientConfig(s logical.Storage, region string) (*aws.Config
 	}
 
 	// Read the configured secret key and access key
-	config, err := b.clientConfigEntryInternal(s)
+	config, err := b.nonLockedClientConfigEntry(s)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_config_certificate.go

@@ -96,7 +96,7 @@ func (b *backend) pathConfigCertificateExistenceCheck(req *logical.Request, data
 		return false, fmt.Errorf("missing cert_name")
 	}
 
-	entry, err := b.awsPublicCertificateEntry(req.Storage, certName)
+	entry, err := b.lockedAWSPublicCertificateEntry(req.Storage, certName)
 	if err != nil {
 		return false, err
 	}
@@ -161,7 +161,7 @@ func (b *backend) awsPublicCertificates(s logical.Storage) ([]*x509.Certificate,
 
 	// Iterate through each certificate, parse and append it to a slice.
 	for _, cert := range registeredCerts {
-		certEntry, err := b.awsPublicCertificateEntryInternal(s, cert)
+		certEntry, err := b.nonLockedAWSPublicCertificateEntry(s, cert)
 		if err != nil {
 			return nil, err
 		}
@@ -180,15 +180,15 @@ func (b *backend) awsPublicCertificates(s logical.Storage) ([]*x509.Certificate,
 
 // awsPublicCertificate is used to get the configured AWS Public Key that is used
 // to verify the PKCS#7 signature of the instance identity document.
-func (b *backend) awsPublicCertificateEntry(s logical.Storage, certName string) (*awsPublicCert, error) {
+func (b *backend) lockedAWSPublicCertificateEntry(s logical.Storage, certName string) (*awsPublicCert, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
-	return b.awsPublicCertificateEntryInternal(s, certName)
+	return b.nonLockedAWSPublicCertificateEntry(s, certName)
 }
 
 // Internal version of the above that does no locking
-func (b *backend) awsPublicCertificateEntryInternal(s logical.Storage, certName string) (*awsPublicCert, error) {
+func (b *backend) nonLockedAWSPublicCertificateEntry(s logical.Storage, certName string) (*awsPublicCert, error) {
 	entry, err := s.Get("config/certificate/" + certName)
 	if err != nil {
 		return nil, err
@@ -227,7 +227,7 @@ func (b *backend) pathConfigCertificateRead(
 		return logical.ErrorResponse("missing cert_name"), nil
 	}
 
-	certificateEntry, err := b.awsPublicCertificateEntry(req.Storage, certName)
+	certificateEntry, err := b.lockedAWSPublicCertificateEntry(req.Storage, certName)
 	if err != nil {
 		return nil, err
 	}
@@ -253,7 +253,7 @@ func (b *backend) pathConfigCertificateCreateUpdate(
 	defer b.configMutex.Unlock()
 
 	// Check if there is already a certificate entry registered.
-	certEntry, err := b.awsPublicCertificateEntryInternal(req.Storage, certName)
+	certEntry, err := b.nonLockedAWSPublicCertificateEntry(req.Storage, certName)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_config_client.go

@@ -48,23 +48,23 @@ func pathConfigClient(b *backend) *framework.Path {
 func (b *backend) pathConfigClientExistenceCheck(
 	req *logical.Request, data *framework.FieldData) (bool, error) {
 
-	entry, err := b.clientConfigEntry(req.Storage)
+	entry, err := b.lockedClientConfigEntry(req.Storage)
 	if err != nil {
 		return false, err
 	}
 	return entry != nil, nil
 }
 
-// Fetch the client configuration required to access the AWS API.
+// Fetch the client configuration required to access the AWS API, after acquiring an exclusive lock.
-func (b *backend) clientConfigEntry(s logical.Storage) (*clientConfig, error) {
+func (b *backend) lockedClientConfigEntry(s logical.Storage) (*clientConfig, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
-	return b.clientConfigEntryInternal(s)
+	return b.nonLockedClientConfigEntry(s)
 }
 
-// Internal version that does no locking
+// Fetch the client configuration required to access the AWS API.
-func (b *backend) clientConfigEntryInternal(s logical.Storage) (*clientConfig, error) {
+func (b *backend) nonLockedClientConfigEntry(s logical.Storage) (*clientConfig, error) {
 	entry, err := s.Get("config/client")
 	if err != nil {
 		return nil, err
@@ -82,7 +82,7 @@ func (b *backend) clientConfigEntryInternal(s logical.Storage) (*clientConfig, e
 
 func (b *backend) pathConfigClientRead(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	clientConfig, err := b.clientConfigEntry(req.Storage)
+	clientConfig, err := b.lockedClientConfigEntry(req.Storage)
 	if err != nil {
 		return nil, err
 	}
@@ -118,7 +118,7 @@ func (b *backend) pathConfigClientCreateUpdate(
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()
 
-	configEntry, err := b.clientConfigEntryInternal(req.Storage)
+	configEntry, err := b.nonLockedClientConfigEntry(req.Storage)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_config_tidy_identity_whitelist.go

@@ -44,21 +44,21 @@ expiration, before it is removed from the backend storage.`,
 }
 
 func (b *backend) pathConfigTidyIdentityWhitelistExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
-	entry, err := b.configTidyIdentities(req.Storage)
+	entry, err := b.lockedConfigTidyIdentities(req.Storage)
 	if err != nil {
 		return false, err
 	}
 	return entry != nil, nil
 }
 
-func (b *backend) configTidyIdentities(s logical.Storage) (*tidyWhitelistIdentityConfig, error) {
+func (b *backend) lockedConfigTidyIdentities(s logical.Storage) (*tidyWhitelistIdentityConfig, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
-	return b.configTidyIdentitiesInternal(s)
+	return b.nonLockedConfigTidyIdentities(s)
 }
 
-func (b *backend) configTidyIdentitiesInternal(s logical.Storage) (*tidyWhitelistIdentityConfig, error) {
+func (b *backend) nonLockedConfigTidyIdentities(s logical.Storage) (*tidyWhitelistIdentityConfig, error) {
 	entry, err := s.Get(identityWhitelistConfigPath)
 	if err != nil {
 		return nil, err
@@ -78,7 +78,7 @@ func (b *backend) pathConfigTidyIdentityWhitelistCreateUpdate(req *logical.Reque
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()
 
-	configEntry, err := b.configTidyIdentitiesInternal(req.Storage)
+	configEntry, err := b.nonLockedConfigTidyIdentities(req.Storage)
 	if err != nil {
 		return nil, err
 	}
@@ -113,7 +113,7 @@ func (b *backend) pathConfigTidyIdentityWhitelistCreateUpdate(req *logical.Reque
 }
 
 func (b *backend) pathConfigTidyIdentityWhitelistRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	clientConfig, err := b.configTidyIdentities(req.Storage)
+	clientConfig, err := b.lockedConfigTidyIdentities(req.Storage)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_config_tidy_roletag_blacklist.go

@@ -46,21 +46,21 @@ Defaults to 4320h (180 days).`,
 }
 
 func (b *backend) pathConfigTidyRoletagBlacklistExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
-	entry, err := b.configTidyRoleTags(req.Storage)
+	entry, err := b.lockedConfigTidyRoleTags(req.Storage)
 	if err != nil {
 		return false, err
 	}
 	return entry != nil, nil
 }
 
-func (b *backend) configTidyRoleTags(s logical.Storage) (*tidyBlacklistRoleTagConfig, error) {
+func (b *backend) lockedConfigTidyRoleTags(s logical.Storage) (*tidyBlacklistRoleTagConfig, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
-	return b.configTidyRoleTagsInternal(s)
+	return b.nonLockedConfigTidyRoleTags(s)
 }
 
-func (b *backend) configTidyRoleTagsInternal(s logical.Storage) (*tidyBlacklistRoleTagConfig, error) {
+func (b *backend) nonLockedConfigTidyRoleTags(s logical.Storage) (*tidyBlacklistRoleTagConfig, error) {
 	entry, err := s.Get(roletagBlacklistConfigPath)
 	if err != nil {
 		return nil, err
@@ -81,7 +81,7 @@ func (b *backend) pathConfigTidyRoletagBlacklistCreateUpdate(req *logical.Reques
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()
 
-	configEntry, err := b.configTidyRoleTagsInternal(req.Storage)
+	configEntry, err := b.nonLockedConfigTidyRoleTags(req.Storage)
 	if err != nil {
 		return nil, err
 	}
@@ -114,7 +114,7 @@ func (b *backend) pathConfigTidyRoletagBlacklistCreateUpdate(req *logical.Reques
 }
 
 func (b *backend) pathConfigTidyRoletagBlacklistRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	clientConfig, err := b.configTidyRoleTags(req.Storage)
+	clientConfig, err := b.lockedConfigTidyRoleTags(req.Storage)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_login.go

@@ -236,7 +236,7 @@ func (b *backend) pathLoginUpdate(
 	}
 
 	// Get the entry for the role used by the instance.
-	roleEntry, err := b.awsRole(req.Storage, roleName)
+	roleEntry, err := b.lockedAWSRole(req.Storage, roleName)
 	if err != nil {
 		return nil, err
 	}
@@ -442,7 +442,7 @@ func (b *backend) handleRoleTagLogin(s logical.Storage, identityDoc *identityDoc
 	}
 
 	// Check if the role tag is blacklisted.
-	blacklistEntry, err := b.blacklistRoleTagEntry(s, rTagValue)
+	blacklistEntry, err := b.lockedBlacklistRoleTagEntry(s, rTagValue)
 	if err != nil {
 		return nil, err
 	}
@@ -487,7 +487,7 @@ func (b *backend) pathLoginRenew(
 	}
 
 	// Ensure that role entry is not deleted.
-	roleEntry, err := b.awsRole(req.Storage, storedIdentity.Role)
+	roleEntry, err := b.lockedAWSRole(req.Storage, storedIdentity.Role)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_role.go

@@ -101,7 +101,7 @@ func pathListRoles(b *backend) *framework.Path {
 // Establishes dichotomy of request operation between CreateOperation and UpdateOperation.
 // Returning 'true' forces an UpdateOperation, CreateOperation otherwise.
 func (b *backend) pathRoleExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
-	entry, err := b.awsRole(req.Storage, strings.ToLower(data.Get("role").(string)))
+	entry, err := b.lockedAWSRole(req.Storage, strings.ToLower(data.Get("role").(string)))
 	if err != nil {
 		return false, err
 	}
@@ -109,14 +109,14 @@ func (b *backend) pathRoleExistenceCheck(req *logical.Request, data *framework.F
 }
 
 // awsRole is used to get the information registered for the given AMI ID.
-func (b *backend) awsRole(s logical.Storage, role string) (*awsRoleEntry, error) {
+func (b *backend) lockedAWSRole(s logical.Storage, role string) (*awsRoleEntry, error) {
 	b.roleMutex.RLock()
 	defer b.roleMutex.RUnlock()
 
-	return b.awsRoleInternal(s, role)
+	return b.nonLockedAWSRole(s, role)
 }
 
-func (b *backend) awsRoleInternal(s logical.Storage, role string) (*awsRoleEntry, error) {
+func (b *backend) nonLockedAWSRole(s logical.Storage, role string) (*awsRoleEntry, error) {
 	entry, err := s.Get("role/" + strings.ToLower(role))
 	if err != nil {
 		return nil, err
@@ -162,7 +162,7 @@ func (b *backend) pathRoleList(
 // pathRoleRead is used to view the information registered for a given AMI ID.
 func (b *backend) pathRoleRead(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	roleEntry, err := b.awsRole(req.Storage, strings.ToLower(data.Get("role").(string)))
+	roleEntry, err := b.lockedAWSRole(req.Storage, strings.ToLower(data.Get("role").(string)))
 	if err != nil {
 		return nil, err
 	}
@@ -196,7 +196,7 @@ func (b *backend) pathRoleCreateUpdate(
 	b.roleMutex.Lock()
 	defer b.roleMutex.Unlock()
 
-	roleEntry, err := b.awsRoleInternal(req.Storage, roleName)
+	roleEntry, err := b.nonLockedAWSRole(req.Storage, roleName)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_role_tag.go

@@ -78,7 +78,7 @@ func (b *backend) pathRoleTagUpdate(
 	}
 
 	// Fetch the role entry
-	roleEntry, err := b.awsRole(req.Storage, roleName)
+	roleEntry, err := b.lockedAWSRole(req.Storage, roleName)
 	if err != nil {
 		return nil, err
 	}
@@ -346,7 +346,7 @@ func (b *backend) parseAndVerifyRoleTagValue(s logical.Storage, tag string) (*ro
 		return nil, fmt.Errorf("missing role name")
 	}
 
-	roleEntry, err := b.awsRole(s, rTag.Role)
+	roleEntry, err := b.lockedAWSRole(s, rTag.Role)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_roletag_blacklist.go

@@ -72,14 +72,14 @@ func (b *backend) pathRoletagBlacklistsList(
 
 // Fetch an entry from the role tag blacklist for a given tag.
 // This method takes a role tag in its original form and not a base64 encoded form.
-func (b *backend) blacklistRoleTagEntry(s logical.Storage, tag string) (*roleTagBlacklistEntry, error) {
+func (b *backend) lockedBlacklistRoleTagEntry(s logical.Storage, tag string) (*roleTagBlacklistEntry, error) {
 	b.blacklistMutex.RLock()
 	defer b.blacklistMutex.RUnlock()
 
-	return b.blacklistRoleTagEntryInternal(s, tag)
+	return b.nonLockedBlacklistRoleTagEntry(s, tag)
 }
 
-func (b *backend) blacklistRoleTagEntryInternal(s logical.Storage, tag string) (*roleTagBlacklistEntry, error) {
+func (b *backend) nonLockedBlacklistRoleTagEntry(s logical.Storage, tag string) (*roleTagBlacklistEntry, error) {
 	entry, err := s.Get("blacklist/roletag/" + base64.StdEncoding.EncodeToString([]byte(tag)))
 	if err != nil {
 		return nil, err
@@ -119,7 +119,7 @@ func (b *backend) pathRoletagBlacklistRead(
 		return logical.ErrorResponse("missing role_tag"), nil
 	}
 
-	entry, err := b.blacklistRoleTagEntry(req.Storage, tag)
+	entry, err := b.lockedBlacklistRoleTagEntry(req.Storage, tag)
 	if err != nil {
 		return nil, err
 	}
@@ -166,7 +166,7 @@ func (b *backend) pathRoletagBlacklistUpdate(
 	}
 
 	// Get the entry for the role mentioned in the role tag.
-	roleEntry, err := b.awsRole(req.Storage, rTag.Role)
+	roleEntry, err := b.lockedAWSRole(req.Storage, rTag.Role)
 	if err != nil {
 		return nil, err
 	}
@@ -178,7 +178,7 @@ func (b *backend) pathRoletagBlacklistUpdate(
 	defer b.blacklistMutex.Unlock()
 
 	// Check if the role tag is already blacklisted. If yes, update it.
-	blEntry, err := b.blacklistRoleTagEntryInternal(req.Storage, tag)
+	blEntry, err := b.nonLockedBlacklistRoleTagEntry(req.Storage, tag)
 	if err != nil {
 		return nil, err
 	}