Peripli · dpanayotov · Aug 16, 2018 · Aug 7, 2018 · Aug 7, 2018 · Aug 7, 2018
diff --git a/config/config.go b/config/config.go
@@ -17,7 +17,7 @@
 package config
 
 import (
-  "time"
+ "time"
 
  "github.com/Peripli/service-manager/api"
  "github.com/Peripli/service-manager/pkg/env"

diff --git a/pkg/sm/sm.go b/pkg/sm/sm.go
@@ -155,6 +155,9 @@ func (smb *ServiceManagerBuilder) Build() *ServiceManager {
 }
 
 func initializeSecureStorage(secureStorage storage.Security) error {
+ if err := secureStorage.Lock(); err != nil {
+ return err
+ }
  keyFetcher := secureStorage.Fetcher()
  encryptionKey, err := keyFetcher.GetEncryptionKey()
  if err != nil {
@@ -172,7 +175,7 @@ func initializeSecureStorage(secureStorage storage.Security) error {
  }
  logrus.Debug("Successfully generated new encryption key")
  }
- return nil
+ return secureStorage.Unlock()
 }
 
 func handleInterrupts(ctx context.Context, cancelFunc context.CancelFunc) {

diff --git a/storage/interfaces.go b/storage/interfaces.go
@@ -107,9 +107,14 @@ type Credentials interface {
 }
 
 // Security interface for encryption key operations
-type Security interface{
+type Security interface {
+ // Lock locks the storage so that only one process can manipulate the encryption key.
+ // Returns an error if the process has already acquired the lock
+ Lock() error
+ // Unlock releases the acquired lock.
+ Unlock() error
  // Fetcher provides means to obtain the encryption key
  Fetcher() security.KeyFetcher
  // Setter provides means to change the encryption key
  Setter() security.KeySetter
-}
+}
diff --git a/storage/postgres/security.go b/storage/postgres/security.go
@@ -25,9 +25,40 @@ import (
  "github.com/sirupsen/logrus"
 )
 
+const securityLockIndex = 111
+
 type securityStorage struct {
  db *sqlx.DB
  encryptionKey []byte
+ isLocked bool
+}
+
+// Lock acquires a database lock so that only one process can manipulate the encryption key.
+// Returns an error if the process has already acquired the lock
+func (s *securityStorage) Lock() error {
+ if s.isLocked {
+ return fmt.Errorf("Lock is already acquired")
+ }
+ _, err := s.db.Exec("SELECT pg_advisory_lock($1)", securityLockIndex)
+ if err != nil {
+ return err
+ }
+ s.isLocked = true
+ return nil
+}
+
+// Unlock releases the database lock.
+func (s *securityStorage) Unlock() error {
+ if !s.isLocked {
+ return nil
+ }
+
+ _, err := s.db.Exec("SELECT pg_advisory_unlock($1)", securityLockIndex)
+ if err != nil {
+ return err
+ }
+ s.isLocked = false
+ return nil
 }
 
 // Fetcher returns a KeyFetcher configured to fetch a key from the database

diff --git a/storage/postgres/security_test.go b/storage/postgres/security_test.go
@@ -20,14 +20,20 @@ import (
  "crypto/rand"
  "database/sql"
  "fmt"
- "time"
+ "testing"
+ "time"
 
  "github.com/DATA-DOG/go-sqlmock"
  "github.com/Peripli/service-manager/security"
  "github.com/jmoiron/sqlx"
  . "github.com/onsi/ginkgo"
  . "github.com/onsi/gomega"
 )
+func TestAPostgresStorage(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Postgres Storage Suite")
+}
+
 
 var _ = Describe("Security", func() {
 
@@ -159,4 +165,72 @@ var _ = Describe("Security", func() {
  })
  })
  })
+
+ Describe("Locking", func() {
+ var mockdb *sql.DB
+ var mock sqlmock.Sqlmock
+ var storage *securityStorage
+ envEncryptionKey := make([]byte, 32)
+
+ JustBeforeEach(func() {
+ storage = &securityStorage{
+ db: sqlx.NewDb(mockdb, "sqlmock"),
+ encryptionKey: envEncryptionKey,
+ isLocked: false,
+ }
+ })
+ BeforeEach(func() {
+ mockdb, mock, _ = sqlmock.New()
+ rand.Read(envEncryptionKey)
+ })
+ AfterEach(func() {
+ mockdb.Close()
+ })
+
+ Describe("Lock", func() {
+
+ Context("When lock is already acquired", func() {
+ It("Should return an error", func() {
+ storage.isLocked = true
+ err := storage.Lock()
+ Expect(err).ToNot(BeNil())
+ })
+ })
+
+ Context("When lock is not yet acquired", func() {
+ AfterEach(func() {
+ storage.Unlock()
+ })
+ BeforeEach(func() {
+ mock.ExpectExec("SELECT").WillReturnResult(sqlmock.NewResult(int64(1), int64(1)))
+ })
+ It("Should acquire lock", func() {
+ err := storage.Lock()
+ Expect(err).To(BeNil())
+ Expect(storage.isLocked).To(Equal(true))
+ })
+ })
+ })
+
+ Describe("Unlock", func() {
+ Context("When lock is not acquired", func() {
+ It("Should return nil", func() {
+ storage.isLocked = false
+ err := storage.Unlock()
+ Expect(err).To(BeNil())
+ })
+ })
+ Context("When lock is acquired", func() {
+ BeforeEach(func() {
+ mock.ExpectExec("SELECT").WillReturnResult(sqlmock.NewResult(int64(1), int64(1)))
+ })
+ It("Should release lock", func() {
+ storage.isLocked = true
+ err := storage.Unlock()
+ Expect(err).To(BeNil())
+ Expect(storage.isLocked).To(Equal(false))
+ })
+ })
+ })
+ })
 })
diff --git a/storage/postgres/storage.go b/storage/postgres/storage.go
@@ -74,7 +74,7 @@ func (storage *postgresStorage) Credentials() storage.Credentials {
 
 func (storage *postgresStorage) Security() storage.Security{
  storage.checkOpen()
- return &securityStorage{storage.db, storage.encryptionKey}
+ return &securityStorage{storage.db, storage.encryptionKey, false}
 }
 
 func (storage *postgresStorage) Open(uri string, encryptionKey []byte) error {