Add ability to remove applied profile

This lets profiles be removed (mostly by removing mounts so far), allowing them to be reapplied from a fresh state. Signed-off-by: Alexander Scheel <[email protected]>
openbao · Feb 29, 2024 · 9b0696c · 9b0696c
1 parent 15724c5
commit 9b0696c
Show file tree

Hide file tree

Showing 4 changed files with 86 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -46,11 +46,15 @@ interest!
    - [x] List profiles
    - [x] Transit Unseal profile
    - [x] PKI profile
-   - [ ] Undo profiles
+   - [ ] Userpass profile
+   - [x] Remove profiles
    - [ ] Make profiles configurable
  - [ ] Clusters
    - [ ] Transit Auto-Unseal key cluster + target cluster
    - [ ] OSS HA cluster
+    - [ ] Start fresh 3-node cluster
+    - [ ] Add HA from existing node
+    - [ ] Add node
  - [ ] benchmark-vault integration
  - [ ] Auto-fetch release binaries
  - [ ] Ecosystem integrations

diff --git a/cmd/devbao/profile.go b/cmd/devbao/profile.go
@@ -13,6 +13,7 @@ func BuildProfileCommand() *cli.Command {
 
 	c.Subcommands = append(c.Subcommands, BuildProfileApplyCommand())
 	c.Subcommands = append(c.Subcommands, BuildProfileListCommand())
+	c.Subcommands = append(c.Subcommands, BuildProfileRemoveCommand())
 
 	return c
 }
diff --git a/cmd/devbao/profile_remove.go b/cmd/devbao/profile_remove.go
@@ -0,0 +1,49 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/cipherboy/devbao/pkg/bao"
+
+	"github.com/urfave/cli/v2"
+)
+
+func BuildProfileRemoveCommand() *cli.Command {
+	c := &cli.Command{
+		Name:      "remove",
+		Aliases:   []string{"r"},
+		ArgsUsage: "<name> <profile>",
+		Usage:     "remove a profile from the given instance",
+
+		Action: RunProfileRemoveCommand,
+	}
+
+	return c
+}
+
+func RunProfileRemoveCommand(cCtx *cli.Context) error {
+	if len(cCtx.Args().Slice()) != 2 {
+		return fmt.Errorf("missing required positional argument: instance name and policy\nUsage: devbao policy remove <name> <profile>")
+	}
+
+	name := cCtx.Args().First()
+	policy := cCtx.Args().Get(1)
+
+	node, err := bao.LoadNode(name)
+	if err != nil {
+		return fmt.Errorf("failed to load node: %w", err)
+	}
+
+	client, err := node.GetClient()
+	if err != nil {
+		return fmt.Errorf("failed to get client for node %v: %w", name, err)
+	}
+
+	warnings, err := bao.PolicyRemove(client, policy)
+	for index, warning := range warnings {
+		fmt.Fprintf(os.Stderr, " - [warning %d]: %v\n", index, warning)
+	}
+
+	return err
+}
diff --git a/pkg/bao/profile.go b/pkg/bao/profile.go
@@ -26,6 +26,17 @@ func PolicySetup(client *api.Client, policy string) ([]string, error) {
 	}
 }
 
+func PolicyRemove(client *api.Client, policy string) ([]string, error) {
+	switch strings.ToLower(policy) {
+	case "pki":
+		return PolicyPKISealMountRemove(client)
+	case "transit":
+		return PolicyTransitSealMountRemove(client)
+	default:
+		return nil, fmt.Errorf("unknown policy to apply: %v", policy)
+	}
+}
+
 func PolicyTransitSealMountSetup(client *api.Client) ([]string, error) {
 	if err := client.Sys().Mount("transit", &api.MountInput{
 		Type: "transit",
@@ -43,6 +54,14 @@ func PolicyTransitSealMountSetup(client *api.Client) ([]string, error) {
 	return resp.Warnings, nil
 }
 
+func PolicyTransitSealMountRemove(client *api.Client) ([]string, error) {
+	if err := client.Sys().Unmount("transit"); err != nil {
+		return nil, fmt.Errorf("failed to remove transit mount: %w", err)
+	}
+
+	return nil, nil
+}
+
 func PolicyPKISealMountSetup(client *api.Client) ([]string, error) {
 	var warnings []string
 
@@ -277,3 +296,15 @@ func PolicyPKISealMountSetup(client *api.Client) ([]string, error) {
 
 	return warnings, nil
 }
+
+func PolicyPKISealMountRemove(client *api.Client) ([]string, error) {
+	if err := client.Sys().Unmount("pki-int"); err != nil {
+		return nil, fmt.Errorf("failed to remove intermediate CA mount: %w", err)
+	}
+
+	if err := client.Sys().Unmount("pki-root"); err != nil {
+		return nil, fmt.Errorf("failed to remove root CA mount: %w", err)
+	}
+
+	return nil, nil
+}