minor refactoring

app/init_container/cmd/main.go

@@ -34,8 +34,7 @@ func main() {
  // Wait for a specified duration before exiting the init container.
  // This can be useful when you want things to reconcile before
  // starting the main container.
- d := env.WaitBeforeExitForInitContainer()
- go startup.Watch(d)
+ go startup.Watch(env.WaitBeforeExitForInitContainer())
 
  // Block the process from exiting, but also be graceful and honor the
  // termination signals that may come from the orchestrator.

app/inspector/cmd/main.go

@@ -33,6 +33,6 @@ func main() {
  return
  }
 
- // d.Data is a collection of VSecM secrets.
+ // d.Data is a serialized collection of VSecM secrets.
  fmt.Println(d.Data)
 }

app/safe/internal/bootstrap/bootstrap.go

@@ -18,13 +18,11 @@ import (
 
  "github.com/spiffe/go-spiffe/v2/workloadapi"
 
- "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/queue"
  "github.com/vmware-tanzu/secrets-manager/core/constants/key"
  "github.com/vmware-tanzu/secrets-manager/core/constants/val"
  "github.com/vmware-tanzu/secrets-manager/core/crypto"
  "github.com/vmware-tanzu/secrets-manager/core/env"
  log "github.com/vmware-tanzu/secrets-manager/core/log/std"
- "github.com/vmware-tanzu/secrets-manager/core/probe"
  "github.com/vmware-tanzu/secrets-manager/core/validation"
 )
 
@@ -83,16 +81,7 @@ func Monitor(
  correlationId,
  "remaining operations before ready:", counter)
  if counter == 0 {
- queue.Initialize()
- log.DebugLn(
- correlationId,
- "Creating readiness probe.")
-
- <-probe.CreateReadiness()
-
- log.AuditLn(
- correlationId,
- "VSecM Safe is ready to serve.")
+ completeInitialization(correlationId)
  }
  // Updated the root key:
  case <-channels.UpdatedSecret:
@@ -102,16 +91,7 @@ func Monitor(
  correlationId,
  "remaining operations before ready:", counter)
  if counter == 0 {
- queue.Initialize()
- log.DebugLn(
- correlationId,
- "Creating readiness probe.")
-
- <-probe.CreateReadiness()
-
- log.AuditLn(
- correlationId,
- "VSecM Safe is ready to serve.")
+ completeInitialization(correlationId)
  }
  // VSecM Safe REST API is ready to serve:
  case <-channels.ServerStarted:
@@ -121,17 +101,7 @@ func Monitor(
  correlationId,
  "remaining operations before ready:", counter)
  if counter == 0 {
- // Start all background jobs.
- queue.Initialize()
- log.DebugLn(
- correlationId,
- "Creating readiness probe.")
-
- <-probe.CreateReadiness()
-
- log.AuditLn(
- correlationId,
- "VSecM Safe is ready to serve.")
+ completeInitialization(correlationId)
  }
  // Things didn't start in a timely manner:
  case <-timedOut:

app/safe/internal/bootstrap/init.go

@@ -0,0 +1,26 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets... secret
+>/
+<>/' Copyright 2023-present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package bootstrap
+
+import (
+ "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/queue"
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+ "github.com/vmware-tanzu/secrets-manager/core/probe"
+)
+
+func completeInitialization(correlationId *string) {
+ queue.Initialize()
+ log.DebugLn(correlationId, "Creating readiness probe.")
+
+ <-probe.CreateReadiness()
+
+ log.AuditLn(correlationId, "VSecM Safe is ready to serve.")
+}

app/safe/internal/bootstrap/init_test.go

@@ -0,0 +1,11 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets... secret
+>/
+<>/' Copyright 2023-present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package bootstrap

app/safe/internal/server/handle/handle.go

@@ -11,6 +11,7 @@
 package handle
 
 import (
+ routeFallback "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fallback"
  "net/http"
 
  "github.com/spiffe/go-spiffe/v2/workloadapi"
@@ -40,9 +41,10 @@ func InitializeRoutes(source *workloadapi.X509Source) {
  id, err := s.IdFromRequest(r)
 
  if err != nil {
- log.WarnLn(
- &cid,
- "Handler: blocking insecure svid", id, err)
+ log.WarnLn(&cid, "Handler: blocking insecure svid", id, err)
+
+ routeFallback.Fallback(cid, r, w)
+
  return
  }
 
@@ -54,34 +56,6 @@ func InitializeRoutes(source *workloadapi.X509Source) {
  &cid,
  "Handler: got svid:", sid, "path", p, "method", m)
 
- switch {
- case routeSentinelGetKeystone(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelGetKeystone")
- return
- case routeSentinelGetSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelGetSecrets")
- return
- case routeSentinelGetSecretsReveal(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelGetSecretsReveal")
- return
- case routeSentinelPostSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelPostSecrets")
- return
- case routeSentinelDeleteSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelDeleteSecrets")
- return
- case routeSentinelPostKeys(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelPostKeys")
- return
- case routeWorkloadGetSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeWorkloadGetSecrets")
- return
- case routeWorkloadPostSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeWorkloadPostSecrets")
- return
- }
-
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeFallback")
- routeFallback(cid, r, w)
+ route(cid, r, w)
  })
 }

app/safe/internal/server/handle/route.go

@@ -11,7 +11,7 @@
 package handle
 
 import (
- "io"
+ routeFallback "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fallback"
  "net/http"
 
  routeDelete "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/delete"
@@ -21,155 +21,42 @@ import (
  routeReceive "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/receive"
  routeSecret "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/secret"
  "github.com/vmware-tanzu/secrets-manager/core/constants/url"
- log "github.com/vmware-tanzu/secrets-manager/core/log/std"
 )
 
-func routeSentinelGetKeystone(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- // Return the current state of the Keystone secret.
- // Either "initialized", or "pending"
- if m == http.MethodGet && p == url.SentinelKeystone {
- log.DebugLn(&cid, "Handler:routeSentinelGetKeystone")
- routeKeystone.Status(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelGetSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- // Route to list secrets.
- // Only VSecM Sentinel is allowed to call this API endpoint.
- // Calling it from anywhere else will error out.
- if m == http.MethodGet && p == url.SentinelSecrets {
- log.DebugLn(&cid, "Handler:routeSentinelGetSecrets")
- routeList.Masked(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelGetSecretsReveal(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- if m == http.MethodGet && p == url.SentinelSecretsWithReveal {
- log.DebugLn(&cid, "Handler:routeSentinelGetSecretsReveal")
- routeList.Encrypted(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelPostSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- // Route to add secrets to VSecM Safe.
- // Only VSecM Sentinel is allowed to call this API endpoint.
- // Calling it from anywhere else will error out.
- if m == http.MethodPost && p == url.SentinelSecrets {
- log.DebugLn(&cid, "Handler:routeSentinelPostSecrets")
- routeSecret.Secret(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelDeleteSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
+type handler func(string, *http.Request, http.ResponseWriter)
 
+func factory(p, m string) handler {
+ switch {
+ case m == http.MethodGet && p == url.SentinelKeystone:
+ return routeKeystone.Status
+ case m == http.MethodGet && p == url.SentinelSecretsWithReveal:
+ return routeList.Encrypted
+ case m == http.MethodPost && p == url.SentinelSecrets:
+ return routeSecret.Secret
  // Route to delete secrets from VSecM Safe.
  // Only VSecM Sentinel is allowed to call this API endpoint.
  // Calling it from anywhere else will error out.
- if m == http.MethodDelete && p == url.SentinelSecrets {
- log.DebugLn(&cid, "Handler:routeSentinelDeleteSecrets")
- routeDelete.Delete(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelPostKeys(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
+ case m == http.MethodDelete && p == url.SentinelSecrets:
+ return routeDelete.Delete
  // Route to define the root key.
  // Only VSecM Sentinel is allowed to call this API endpoint.
- if m == http.MethodPost && p == url.SentinelKeys {
- log.DebugLn(&cid, "Handler:routeSentinelPostKeys")
- routeReceive.Keys(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeWorkloadGetSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
+ case m == http.MethodPost && p == url.SentinelKeys:
+ return routeReceive.Keys
  // Route to fetch secrets.
  // Only a VSecM-nominated workload is allowed to
  // call this API endpoint. Calling it from anywhere else will
  // error out.
- if m == http.MethodGet && p == url.WorkloadSecrets {
- log.DebugLn(&cid, "Handler:routeWorkloadGetSecrets")
- routeFetch.Fetch(cid, w, r)
-
- return true
+ case m == http.MethodGet && p == url.WorkloadSecrets:
+ return routeFetch.Fetch
+ case m == http.MethodPost && p == url.WorkloadSecrets:
+ panic("routeWorkloadPostSecrets not implemented")
+ default:
+ return routeFallback.Fallback
  }
-
- return false
 }
 
-func routeWorkloadPostSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- log.DebugLn(&cid,
- "Handler:routeWorkloadPostSecrets: will post", r.Method, r.URL.Path)
-
- panic("routeWorkloadPostSecrets not implemented")
-}
-
-func routeFallback(
+func route(
  cid string, r *http.Request, w http.ResponseWriter,
 ) {
- log.DebugLn(&cid, "Handler: route mismatch:", r.RequestURI)
-
- w.WriteHeader(http.StatusBadRequest)
- _, err := io.WriteString(w, "")
- if err != nil {
- log.WarnLn(&cid, "Problem writing response:", err.Error())
- }
+ factory(r.URL.Path, r.Method)(cid, r, w)
 }

app/safe/internal/server/route/delete/delete.go

@@ -39,7 +39,7 @@ import (
 // - spiffeid: A string representing the SPIFFE ID of the client making the
 // request.
 func Delete(
- cid string, w http.ResponseWriter, r *http.Request,
+ cid string, r *http.Request, w http.ResponseWriter,
 ) {
  spiffeid := s.IdAsString(r)