From eb1ef69cfbc2f510457ab32007ed786aa51db37a Mon Sep 17 00:00:00 2001
From: Niels de Vos <ndevos@redhat.com>
Date: Wed, 2 Dec 2020 21:26:08 +0100
Subject: [PATCH] util: allow updating settings of vaultConnection

Make it possible to calle initConnection() multiple times. This enables
the VaultTokensKMS type to override global settings with options from a
per-tenant configuration.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
---
 internal/util/vault.go | 67 +++++++++++++++++++++++++++++-------------
 1 file changed, 47 insertions(+), 20 deletions(-)

diff --git a/internal/util/vault.go b/internal/util/vault.go
index fd43c88c8..a9b91e9fe 100644
--- a/internal/util/vault.go
+++ b/internal/util/vault.go
@@ -112,36 +112,52 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
 
 	vc.EncryptionKMSID = kmsID
 
-	vaultAddress := ""
+	firstInit := (vc.vaultConfig == nil)
+
+	vaultAddress := "" // required
 	err := setConfigString(&vaultAddress, config, "vaultAddress")
-	if err != nil {
+	switch {
+	case errors.Is(err, errConfigOptionInvalid):
 		return err
+	case firstInit && errors.Is(err, errConfigOptionMissing):
+		return err
+	case !errors.Is(err, errConfigOptionMissing):
+		vaultConfig[api.EnvVaultAddress] = vaultAddress
 	}
-	vaultConfig[api.EnvVaultAddress] = vaultAddress
+	// default: !firstInit
 
-	vaultNamespace := vaultDefaultNamespace
+	vaultNamespace := vaultDefaultNamespace // optional
 	err = setConfigString(&vaultNamespace, config, "vaultNamespace")
-	if err != nil {
+	if errors.Is(err, errConfigOptionInvalid) {
 		return err
 	}
-	vaultConfig[api.EnvVaultNamespace] = vaultNamespace
-	keyContext[loss.KeyVaultNamespace] = vaultNamespace
+	// set the option if the value was not invalid
+	if firstInit || !errors.Is(err, errConfigOptionMissing) {
+		vaultConfig[api.EnvVaultNamespace] = vaultNamespace
+		keyContext[loss.KeyVaultNamespace] = vaultNamespace
+	}
 
-	verifyCA := vaultDefaultCAVerify
+	verifyCA := vaultDefaultCAVerify // optional
 	err = setConfigString(&verifyCA, config, "vaultCAVerify")
-	if err != nil {
+	if errors.Is(err, errConfigOptionInvalid) {
 		return err
 	}
-
-	vaultCAVerify, err := strconv.ParseBool(verifyCA)
-	if err != nil {
-		return fmt.Errorf("failed to parse 'vaultCAVerify': %w", err)
+	if firstInit || !errors.Is(err, errConfigOptionMissing) {
+		vaultCAVerify := false
+		vaultCAVerify, err = strconv.ParseBool(verifyCA)
+		if err != nil {
+			return fmt.Errorf("failed to parse 'vaultCAVerify': %w", err)
+		}
+		vaultConfig[api.EnvVaultInsecure] = !vaultCAVerify
 	}
-	vaultConfig[api.EnvVaultInsecure] = !vaultCAVerify
 
-	vaultCAFromSecret := ""
+	vaultCAFromSecret := "" // optional
 	err = setConfigString(&vaultCAFromSecret, config, "vaultCAFromSecret")
-	if err == nil && vaultCAFromSecret != "" {
+	if errors.Is(err, errConfigOptionInvalid) {
+		return err
+	}
+	// ignore errConfigOptionMissing, no default was set
+	if vaultCAFromSecret != "" {
 		caPEM, ok := secrets[vaultCAFromSecret]
 		if !ok {
 			return fmt.Errorf("missing vault CA in secret %s", vaultCAFromSecret)
@@ -152,12 +168,23 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
 			return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
 		}
 		// TODO: delete f.Name() when vaultConnection is destroyed
-	} else if !errors.Is(err, errConfigOptionMissing) {
-		return err
 	}
 
-	vc.keyContext = keyContext
-	vc.vaultConfig = vaultConfig
+	// update the existing config only if no config is available yet
+	if vc.keyContext != nil {
+		for key, value := range keyContext {
+			vc.keyContext[key] = value
+		}
+	} else {
+		vc.keyContext = keyContext
+	}
+	if vc.vaultConfig != nil {
+		for key, value := range vaultConfig {
+			vc.vaultConfig[key] = value
+		}
+	} else {
+		vc.vaultConfig = vaultConfig
+	}
 
 	return nil
 }