splunk
diff --git a/‎Gopkg.lock‎
Lines changed: 21 additions & 10 deletions b/‎Gopkg.lock‎
Lines changed: 21 additions & 10 deletions
diff --git a/‎README.md‎
Lines changed: 32 additions & 1 deletion b/‎README.md‎
Lines changed: 32 additions & 1 deletion
diff --git a/‎backend.go‎
Lines changed: 71 additions & 39 deletions b/‎backend.go‎
Lines changed: 71 additions & 39 deletions
diff --git a/‎clients/splunk/splunk.go‎
Lines changed: 7 additions & 0 deletions b/‎clients/splunk/splunk.go‎
Lines changed: 7 additions & 0 deletions
@@ -1,7 +1,7 @@
 vault-plugin-splunk
 -------------------
 
-### Building from source
+# Building from source
 
 ```shell
 mkdir -p 
@@ -11,11 +11,42 @@ make install  # installs dep, golint etc.
 make
 ```
 
+# Testing
 
 
+## Vault Setup
 
+```shell
+export VAULT_ADDR="https://localhost:8200"
+vault server -log-level debug -dev -dev-root-token-id="root" -config=vault.hcl
+vault auth root
+```
+
+## Loading Plugin
 
+```shell
+make build;
+mv ~/go/bin/vault-plugin-splunk /tmp/vault-plugins/;
+SHASUM=$(shasum -a 256 "/tmp/vault-plugins/vault-plugin-splunk" | cut -d " " -f1);
+vault write sys/plugins/catalog/secret/vault-plugin-splunk sha_256="$SHASUM" command="vault-plugin-splunk";
+curl -vk -H "X-Vault-Token: $(cat ~/.vault-token)" $VAULT_ADDR/v1/sys/plugins/reload/backend -XPUT -d '{"plugin":"vault-plugin-splunk"}'
+```
 
 
+# TODO
+* check expiring Splunk API session tokens (renew)
+* WAL?
+* TLS certs, timeouts config
+* comment strings: caps, punctuation
+* Full name
+* metrics?
+
+* tests
+** TTLs roundtrip
+** externally deleted user
+** externally revoked admin access
+** not in allowed_roles
+** updating roles, connections with partial params
+** creating conns first, then roles, and vice versa
 
 
@@ -3,13 +3,12 @@ package splunk
 import (
 	"context"
 	"crypto/tls"
-	"fmt"
 	"net/http"
+	"reflect"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	"github.com/splunk/vault-plugin-splunk/clients/splunk"
@@ -25,80 +24,77 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 }
 
 func newBackend() logical.Backend {
-	var b backend
+	b := backend{}
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 		PathsSpecial: &logical.Paths{
 			SealWrapStorage: []string{
-				"config/root",
+				"config/*",
 			},
 		},
 		Paths: []*framework.Path{
-			b.pathConfigRoot(),
-			b.pathConfigRotateRoot(),
+			b.pathConfigConnection(),
+			b.pathConnectionsList(),
+			b.pathResetConnection(),
+			b.pathRotateRoot(),
+			b.pathRolesList(),
 			b.pathRoles(),
-			b.pathListRoles(),
 			b.pathCredsCreate(),
 		},
 		Secrets: []*framework.Secret{
 			b.pathSecretCreds(),
 		},
+		// Clean: XXXX
+		// Invalidate: XXXX
 		BackendType: logical.TypeLogical,
 	}
+	b.connections = make(map[string]*splunk.API)
 	return &b
 }
 
 type backend struct {
 	*framework.Backend
-
 	// Mutex to protect access to Splunk clients and client configs
-	clientMutex sync.RWMutex
-	splunkAPI   *splunk.API
+	sync.RWMutex
+	connections map[string]*splunk.API
 }
 
-func (b *backend) splunkClient(ctx context.Context, s logical.Storage) (*splunk.API, error) {
-	b.clientMutex.RLock()
-	if b.splunkAPI != nil {
-		b.clientMutex.RUnlock()
-		return b.splunkAPI, nil
+// XXXX ensureConnection
+func (b *backend) GetConnection(ctx context.Context, s logical.Storage, name string) (*splunk.API, error) {
+	b.RLock()
+	if conn, ok := b.connections[name]; ok {
+		b.RUnlock()
+		return conn, nil
 	}
 
 	// Upgrade the lock for writing
-	b.clientMutex.RUnlock()
-	b.clientMutex.Lock()
-	defer b.clientMutex.Unlock()
-
-	// check client again, in the event that a client was being created while we
-	// waited for Lock()
-	if b.splunkAPI != nil {
-		return b.splunkAPI, nil
+	b.RUnlock()
+	b.Lock()
+	defer b.Unlock()
+
+	return b.connectionUnlocked(ctx, s, name)
+}
+
+func (b *backend) connectionUnlocked(ctx context.Context, s logical.Storage, name string) (*splunk.API, error) {
+	if conn, ok := b.connections[name]; ok {
+		return conn, nil
 	}
 
-	rawRootConfig, err := s.Get(ctx, "config/root")
+	// create connection
+	config, err := b.connectionConfig(ctx, s, name)
 	if err != nil {
 		return nil, err
 	}
-	if rawRootConfig == nil {
-		return nil, fmt.Errorf("no configuration found for config/root")
-	}
-	var config rootConfig
-	if err := rawRootConfig.DecodeJSON(&config); err != nil {
-		return nil, errwrap.Wrapf("error reading root configuration: {{err}}", err)
-	}
-
-	if config.Username == "" || config.BaseURL == "" {
-		return nil, fmt.Errorf("empty username or BaseURL")
-	}
 
 	p := &splunk.APIParams{
-		BaseURL: config.BaseURL,
+		BaseURL: config.URL,
 		Config: oauth2.Config{
 			ClientID:     config.Username,
 			ClientSecret: config.Password,
 		},
 	}
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // XXX
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // XXXX
 	}
 	// client is the underlying transport for API calls, including Login (for obtaining session token)
 	client := &http.Client{
@@ -107,8 +103,44 @@ func (b *backend) splunkClient(ctx context.Context, s logical.Storage) (*splunk.
 	}
 	ctx = context.WithValue(context.Background(), oauth2.HTTPClient, client)
 
-	b.splunkAPI = p.NewAPI(ctx)
-	return b.splunkAPI, nil
+	b.connections[name] = p.NewAPI(ctx)
+	return b.connections[name], nil
+}
+
+// ClearConnection closes the connection and
+// removes it from the b.connections map.
+func (b *backend) ClearConnection(name string) error {
+	b.Lock()
+	defer b.Unlock()
+	return b.clearConnectionUnlocked(name)
+}
+
+func (b *backend) clearConnectionUnlocked(name string) error {
+	_, ok := b.connections[name]
+	if ok {
+		delete(b.connections, name)
+	}
+	return nil
+}
+
+func getValue(data *framework.FieldData, op logical.Operation, key string) (interface{}, bool) {
+	if raw, ok := data.GetOk(key); ok {
+		return raw, true
+	}
+	if op == logical.CreateOperation {
+		return data.Get(key), true
+	}
+	return nil, false
+}
+
+func decodeValue(data *framework.FieldData, op logical.Operation, key string, v interface{}) error {
+	raw, ok := getValue(data, op, key)
+	if ok {
+		rraw := reflect.ValueOf(raw)
+		rv := reflect.ValueOf(v)
+		rv.Elem().Set(rraw)
+	}
+	return nil
 }
 
 const backendHelp = `
 
@@ -15,16 +15,23 @@ var jsonOutputMode = outputMode{"json"}
 
 // API https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog
 type API struct {
+	params        *APIParams
 	client        *Client
 	Introspection *IntrospectionService
 	AccessControl *AccessControlService
 	// XXX ...
 }
 
+func (api *API) Params() *APIParams {
+	return api.params
+}
+
 func (params *APIParams) NewAPI(ctx context.Context) *API {
 	client := params.NewClient(ctx)
+	paramsCopy := *params
 
 	return &API{
+		params:        &paramsCopy,
 		client:        client.Path("services/"),
 		Introspection: newIntrospectionService(client.New()),
 		AccessControl: newAccessControlService(client.New()),