-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | cmd/cashierd/main.go | 3 | ||||
-rw-r--r-- | server/helpers/vault/vault.go | 7 | ||||
-rw-r--r-- | server/wkfs/vaultfs/vault.go | 4 | ||||
-rw-r--r-- | vendor/github.com/nsheridan/autocert-wkfs-cache/cache.go | 85 | ||||
-rw-r--r-- | vendor/github.com/nsheridan/wkfs/s3/s3.go | 23 | ||||
-rw-r--r-- | vendor/go4.org/wkfs/gcs/gcs.go | 8 | ||||
-rw-r--r-- | vendor/go4.org/wkfs/wkfs.go | 3 | ||||
-rw-r--r-- | vendor/vendor.json | 28 |
9 files changed, 149 insertions, 14 deletions
@@ -104,7 +104,7 @@ For any option that takes a file path as a parameter (e.g. SSH signing key, TLS - `tls_key` : string. Path to the TLS key. See the [note](#a-note-on-files) on files above. - `tls_cert` : string. Path to the TLS cert. See the [note](#a-note-on-files) on files above. - `letsencrypt_servername`: string. If set will request a certificate from LetsEncrypt. This should match the expected FQDN of the server. -- `letsencrypt_cachedir`: string. Directory to cache the LetsEncrypt certificate. +- `letsencrypt_cachedir`: string. Directory to cache the LetsEncrypt certificate. See the [note](#a-note-on-files) on files above. - `address` : string. IP address to listen on. If unset the server listens on all addresses. - `port` : int. Port to listen on. - `user` : string. User to which the server drops privileges to. diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go index fb67a36..83627ad 100644 --- a/cmd/cashierd/main.go +++ b/cmd/cashierd/main.go @@ -25,6 +25,7 @@ import ( "github.com/gorilla/handlers" "github.com/gorilla/mux" "github.com/gorilla/sessions" + wkfscache "github.com/nsheridan/autocert-wkfs-cache" "github.com/nsheridan/cashier/lib" "github.com/nsheridan/cashier/server/auth" "github.com/nsheridan/cashier/server/auth/github" @@ -352,7 +353,7 @@ func main() { if conf.Server.LetsEncryptServername != "" { m := autocert.Manager{ Prompt: autocert.AcceptTOS, - Cache: autocert.DirCache(conf.Server.LetsEncryptCache), + Cache: wkfscache.Cache(conf.Server.LetsEncryptCache), HostPolicy: autocert.HostWhitelist(conf.Server.LetsEncryptServername), } tlsConfig.GetCertificate = m.GetCertificate diff --git a/server/helpers/vault/vault.go b/server/helpers/vault/vault.go index bec18b9..e522d51 100644 --- a/server/helpers/vault/vault.go +++ b/server/helpers/vault/vault.go 
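Review bot: The cache adopted on the `Cache:` line, wkfscache.Cache (vendored in this same commit), cannot report write failures from Put: its body declares `var err error` and then shadows it with `if err := wkfs.WriteFile(...); err != nil { return }`, so the outer `return err` after the select is always nil and a failed certificate or key write is invisible to autocert, which will silently re-issue on every restart instead of surfacing the error. The fix belongs upstream but is worth tracking from here: drop the `:=` so the assignment reaches the outer variable, `err = wkfs.WriteFile(filepath.Join(string(d), name), data, 0600)` followed by `if err != nil { return }`. A comment next to `LetsEncryptCache` would also help the operator: `// holds the ACME account key and issued private keys; may be a local dir or a well-known-filesystem path` — what the 0700/0600 modes passed by Put mean on a non-local backend is not visible here and should be confirmed for whichever backend is configured.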
@@ -53,3 +53,10 @@ func (c *Client) Read(value string) (string, error) { } return secret.(string), nil } + +// Delete deletes the secret from vault. +func (c *Client) Delete(value string) error { + p, _ := parseName(value) + _, err := c.vault.Logical().Delete(p) + return err +} diff --git a/server/wkfs/vaultfs/vault.go b/server/wkfs/vaultfs/vault.go index f7c1360..dcefd54 100644 --- a/server/wkfs/vaultfs/vault.go +++ b/server/wkfs/vaultfs/vault.go @@ -69,6 +69,10 @@ func (fs *vaultFS) OpenFile(name string, flag int, perm os.FileMode) (wkfs.FileW return nil, errors.New("not implemented") } +func (fs *vaultFS) Remove(path string) error { + return fs.client.Delete(path) +} + type statInfo struct { name string size int64 diff --git a/vendor/github.com/nsheridan/autocert-wkfs-cache/cache.go b/vendor/github.com/nsheridan/autocert-wkfs-cache/cache.go new file mode 100644 index 0000000..e829ef2 --- /dev/null +++ b/vendor/github.com/nsheridan/autocert-wkfs-cache/cache.go 
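Review bot: `p, _ := parseName(value)` in the new Delete discards the parse error, so a malformed name goes on to `c.vault.Logical().Delete` with whatever zero or partial path parseName returned instead of failing fast; change it to `p, err := parseName(value)` followed by `if err != nil { return err }`. How Read treats the same call is outside the hunk, so the two should be checked for consistency. The doc comment could also state whether deleting a secret that does not exist is an error, since the autocert cache layer tolerates os.ErrNotExist and nothing here maps Vault's response to it.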
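Review bot: The new exported method Remove has no doc comment; add `// Remove deletes the Vault secret named by path via Client.Delete.` It forwards the wkfs path unchanged to client.Delete, so stripping any filesystem prefix is presumably left to parseName inside the client, which is outside this hunk and worth confirming.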
@@ -0,0 +1,85 @@ +package wkfscache + +import ( + "os" + "path/filepath" + + "go4.org/wkfs" + + "golang.org/x/crypto/acme/autocert" + "golang.org/x/net/context" +) + +type Cache string + +// Get reads a certificate data from the specified file name. +func (d Cache) Get(ctx context.Context, name string) ([]byte, error) { + name = filepath.Join(string(d), name) + var ( + data []byte + err error + done = make(chan struct{}) + ) + go func() { + data, err = wkfs.ReadFile(name) + close(done) + }() + select { + case <-ctx.Done(): + return nil, ctx.Err() + case <-done: + } + if os.IsNotExist(err) { + return nil, autocert.ErrCacheMiss + } + return data, err +} + +// Put writes the certificate data to the specified file name. +// The file will be created with 0600 permissions. +func (d Cache) Put(ctx context.Context, name string, data []byte) error { + if err := wkfs.MkdirAll(string(d), 0700); err != nil { + return err + } + + done := make(chan struct{}) + var err error + go func() { + defer close(done) + if err := wkfs.WriteFile(filepath.Join(string(d), name), data, 0600); err != nil { + return + } + // prevent overwriting the file if the context was cancelled + if ctx.Err() != nil { + return // no need to set err + } + }() + select { + case <-ctx.Done(): + return ctx.Err() + case <-done: + } + return err +} + +// Delete removes the specified file name. +func (d Cache) Delete(ctx context.Context, name string) error { + name = filepath.Join(string(d), name) + var ( + err error + done = make(chan struct{}) + ) + go func() { + err = wkfs.Remove(name) + close(done) + }() + select { + case <-ctx.Done(): + return ctx.Err() + case <-done: + } + if err != nil && !os.IsNotExist(err) { + return err + } + return nil +} diff --git a/vendor/github.com/nsheridan/wkfs/s3/s3.go b/vendor/github.com/nsheridan/wkfs/s3/s3.go index 19e72a9..de44f93 100644 --- a/vendor/github.com/nsheridan/wkfs/s3/s3.go +++ b/vendor/github.com/nsheridan/wkfs/s3/s3.go 
@@ -28,6 +28,8 @@ type Options struct { SecretKey string } +var _ wkfs.FileSystem = (*s3FS)(nil) + // Register the /s3/ filesystem as a well-known filesystem. func Register(opts *Options) { if opts == nil { @@ -91,6 +93,12 @@ func (fs *s3FS) Open(name string) (wkfs.File, error) { Key: &fileName, }) if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case "NoSuchKey", "NoSuchBucket": + return nil, os.ErrNotExist + } + } return nil, err } defer obj.Body.Close() @@ -131,7 +139,7 @@ func (fs *s3FS) Lstat(name string) (os.FileInfo, error) { } func (fs *s3FS) MkdirAll(path string, perm os.FileMode) error { - _, err := fs.OpenFile(fmt.Sprintf("%s/", filepath.Clean(path)), os.O_CREATE, perm) + _, err := fs.OpenFile(fmt.Sprintf("%s/", filepath.Clean(path)), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm) return err } @@ -154,6 +162,19 @@ func (fs *s3FS) OpenFile(name string, flag int, perm os.FileMode) (wkfs.FileWrit return NewS3file(bucket, filename, fs.sc) } +func (fs *s3FS) Remove(name string) error { + var err error + bucket, filename, err := fs.parseName(name) + if err != nil { + return err + } + _, err = fs.sc.DeleteObject(&s3.DeleteObjectInput{ + Bucket: aws.String(bucket), + Key: aws.String(filename), + }) + return err +} + type statInfo struct { name string size int64 diff --git a/vendor/go4.org/wkfs/gcs/gcs.go b/vendor/go4.org/wkfs/gcs/gcs.go index a970c75..d768824 100644 --- a/vendor/go4.org/wkfs/gcs/gcs.go +++ b/vendor/go4.org/wkfs/gcs/gcs.go @@ -165,6 +165,14 @@ func (fs *gcsFS) OpenFile(name string, flag int, perm os.FileMode) (wkfs.FileWri return fs.sc.Bucket(bucket).Object(fileName).NewWriter(fs.ctx), nil } +func (fs *gcsFS) Remove(name string) error { + bucket, fileName, err := fs.parseName(name) + if err != nil { + return err + } + return fs.sc.Bucket(bucket).Object(fileName).Delete(fs.ctx) +} + type statInfo struct { name string size int64 
diff --git a/vendor/go4.org/wkfs/wkfs.go b/vendor/go4.org/wkfs/wkfs.go index f4df062..08c8786 100644 --- a/vendor/go4.org/wkfs/wkfs.go +++ b/vendor/go4.org/wkfs/wkfs.go @@ -55,6 +55,7 @@ func MkdirAll(path string, perm os.FileMode) error { return fs(path).MkdirAll(pa func OpenFile(name string, flag int, perm os.FileMode) (FileWriter, error) { return fs(name).OpenFile(name, flag, perm) } +func Remove(name string) error { return fs(name).Remove(name) } func Create(name string) (FileWriter, error) { // like os.Create but WRONLY instead of RDWR because we don't // expose a Reader here. @@ -79,6 +80,7 @@ func (osFS) MkdirAll(path string, perm os.FileMode) error { return os.MkdirAll(p func (osFS) OpenFile(name string, flag int, perm os.FileMode) (FileWriter, error) { return os.OpenFile(name, flag, perm) } +func (osFS) Remove(name string) error { return os.Remove(name) } type FileSystem interface { Open(name string) (File, error) @@ -86,6 +88,7 @@ type FileSystem interface { Stat(name string) (os.FileInfo, error) Lstat(name string) (os.FileInfo, error) MkdirAll(path string, perm os.FileMode) error + Remove(name string) error } // well-known filesystems diff --git a/vendor/vendor.json b/vendor/vendor.json index 27fa85e..48a6e98 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -393,10 +393,16 @@ "revisionTime": "2016-12-11T22:23:15Z" }, { - "checksumSHA1": "Ywe06VqOCpwDNjipGTMO0oOG/Yg=", + "checksumSHA1": "hTzdsWWDTWFpX1FcF77fKgR0tEM=", + "path": "github.com/nsheridan/autocert-wkfs-cache", + "revision": "fafece944e938451c2e901fdc355b75f675562f1", + "revisionTime": "2017-01-13T00:09:44Z" + }, + { + "checksumSHA1": "4YKc2c3W7KOIkhSg/InVVbQjqDk=", "path": "github.com/nsheridan/wkfs/s3", - "revision": "60e6f1760f59568e4ce95080d08cd4a90c3c50c7", - "revisionTime": "2016-12-29T20:48:42Z" + "revision": "7e8499ec8b00669d3a0a262273b9342d3c63cb1c", + "revisionTime": "2017-01-12T23:56:57Z" }, { "checksumSHA1": "8Y05Pz7onrQPcVWW6JStSsYRh6E=", 
@@ -495,16 +501,16 @@ "revisionTime": "2016-07-21T22:16:07Z" }, { - "checksumSHA1": "BS9oue0y6JjMzz3spKlMTVmxZxo=", + "checksumSHA1": "RBe0HvUoZ1JL4XXPxslcvt+E6AI=", "path": "go4.org/wkfs", - "revision": "09d86de304dc27e636298361bbfee4ac6ab04f21", - "revisionTime": "2016-11-18T21:00:15Z" + "revision": "0d03c2721aeea5277882f764f9ac7dd19fdfe4ac", + "revisionTime": "2017-01-01T02:01:48Z" }, { - "checksumSHA1": "VcZWSieqrSxETQY2EP97rg4kLAw=", + "checksumSHA1": "soMi4lOier3JilXADBSxqyNAg2g=", "path": "go4.org/wkfs/gcs", - "revision": "09d86de304dc27e636298361bbfee4ac6ab04f21", - "revisionTime": "2016-11-18T21:00:15Z" + "revision": "0d03c2721aeea5277882f764f9ac7dd19fdfe4ac", + "revisionTime": "2017-01-01T02:01:48Z" }, { "checksumSHA1": "TK1Yr8BbwionaaAvM+77lwAAx/8=", @@ -551,8 +557,8 @@ { "checksumSHA1": "9jjO5GjLa0XF/nfWihF02RoH4qc=", "path": "golang.org/x/net/context", - "revision": "45e771701b814666a7eb299e6c7a57d0b1799e91", - "revisionTime": "2016-12-15T19:42:18Z" + "revision": "60c41d1de8da134c05b7b40154a9a82bf5b7edb9", + "revisionTime": "2017-01-10T03:16:11Z" }, { "checksumSHA1": "WHc3uByvGaMcnSoI21fhzYgbOgg=", |