vault

package
Published: Feb 16, 2023 License: MIT Imports: 47 Imported by: 4

Documentation

Index

Constants

// Secret version states. SecretVersion.State is a uint and is expected to
// hold one of these values; the numbering is the same 0/1/2 sequence the
// iota form produces, written out so it is visible at a glance.
const (
	// SecretStateAlive marks a version that is neither deleted nor destroyed.
	SecretStateAlive uint = 0
	// SecretStateDeleted marks a version that has been marked deleted
	// (recoverable, see Vault.Undelete).
	SecretStateDeleted uint = 1
	// SecretStateDestroyed marks a version whose data was irrevocably
	// destroyed (see Vault.DestroyVersions).
	SecretStateDestroyed uint = 2
)

Variables

This section is empty.

Functions

func Canonicalize added in v0.4.1

func Canonicalize(p string) string

func CategorizeSANs added in v1.5.9

func CategorizeSANs(in []string) (ips []net.IP, domains, emails []string)

func DecodeErrorResponse added in v0.0.22

func DecodeErrorResponse(body []byte) error

func EncodePath added in v1.0.0

func EncodePath(path, key string, version uint64) string

EncodePath creates a safe-friendly canonical path for the given arguments

func EscapePathSegment added in v1.8.0

func EscapePathSegment(segment string) string

EscapePathSegment is the reverse of ParsePath for an output secret or key segment; whereas that function unescapes colons and carets, this function reescapes them so that they can be run through that function again.

func HandleJointKeyUsages added in v1.5.3

func HandleJointKeyUsages(usages []string) (ku x509.KeyUsage, eku []x509.ExtKeyUsage, err error)

func IsKeyNotFound added in v0.1.5

func IsKeyNotFound(err error) bool

IsKeyNotFound returns true if the given error was created with NewKeyNotFoundError(). False otherwise.

func IsNotFound added in v0.0.26

func IsNotFound(err error) bool

IsNotFound returns true if the given error is a SecretNotFound error or a KeyNotFound error. Returns false otherwise.

func IsSecretNotFound added in v0.1.5

func IsSecretNotFound(err error) bool

IsSecretNotFound returns true if the given error was created with NewSecretNotFoundError(). False otherwise.

func NewKeyNotFoundError added in v0.0.26

func NewKeyNotFoundError(path, key string) error

NewKeyNotFoundError returns an error object describing the key that could not be located within the secret it was searched for in. Returning a KeyNotFound error should semantically mean that the secret it would've been contained in was located in the vault.

func NewSecretNotFoundError added in v0.0.26

func NewSecretNotFoundError(path string) error

NewSecretNotFoundError returns an error with a message describing the path which could not be found in the secret backend.

func ParsePath added in v0.0.26

func ParsePath(path string) (secret, key string, version uint64)

ParsePath splits the given path string into its respective secret path and contained key parts

func ParseSubject added in v1.5.9

func ParseSubject(subj string) (pkix.Name, error)

func PathHasKey added in v0.1.5

func PathHasKey(path string) bool

PathHasKey returns true if the given path has a key specified in its syntax. False otherwise.

func PathHasVersion added in v1.5.9

func PathHasVersion(path string) bool

PathHasVersion returns true if the given path has a version specified in its syntax. False otherwise.

func PathLessThan added in v1.0.0

func PathLessThan(left, right string) bool

func StartSOCKS5Server added in v1.3.0

func StartSOCKS5Server(dialFn func(string, string) (net.Conn, error)) (string, error)

StartSOCKS5SSH makes an SSH connection according to the given config, starts a local SOCKS5 server on a random port, and then returns the proxy address if the connection was successful and an error if it was unsuccessful.

func StartSSHTunnel added in v1.3.0

func StartSSHTunnel(conf SOCKS5SSHConfig) (*ssh.Client, error)

StartSSHTunnel makes an SSH connection according to the given config. It returns an SSH client if it was successful and an error otherwise.

func StrongboxURL added in v1.4.0

func StrongboxURL(vaultURL *url.URL) string

func TranslateSignatureAlgorithm added in v0.9.7

func TranslateSignatureAlgorithm(signatureAlgorithm string) (sigAlgo x509.SignatureAlgorithm, err error)

Types

type CertOptions added in v0.0.22

// CertOptions holds the parameters for issuing a certificate through a Vault
// PKI backend; it is the params argument of Vault.CreateSignedCertificate.
// When JSON-encoded, the fields are serialized under the tagged names, which
// presumably match the PKI backend's issue request parameters — confirm.
type CertOptions struct {
	// CN is the certificate's common name. It has no omitempty tag, so it is
	// always sent, even when empty.
	CN                string `json:"common_name"`
	// TTL is the requested certificate lifetime, passed through as a string.
	TTL               string `json:"ttl,omitempty"`
	// AltNames lists additional DNS/email subject alternative names; the
	// separator format is not visible here — presumably comma-separated.
	AltNames          string `json:"alt_names,omitempty"`
	// IPSans lists IP subject alternative names (same format caveat as AltNames).
	IPSans            string `json:"ip_sans,omitempty"`
	// ExcludeCNFromSans asks the backend not to add CN to the SANs.
	ExcludeCNFromSans bool   `json:"exclude_cn_from_sans,omitempty"`
}

type DeleteOpts added in v1.0.0

// DeleteOpts controls Vault.Delete and Vault.DeleteTree.
type DeleteOpts struct {
	// Destroy, on a v2 mount, destroys the latest version instead of
	// marking it deleted (see Vault.Delete). Destruction is irrevocable.
	Destroy bool
	// All presumably applies the operation to every version rather than
	// only the latest — TODO confirm against Vault.Delete.
	All     bool
}

type MoveCopyOpts added in v1.0.0

// MoveCopyOpts controls Vault.Move, Vault.Copy and Vault.MoveCopyTree.
type MoveCopyOpts struct {
	// SkipIfExists leaves an existing secret at the destination untouched
	// rather than overwriting it — inferred from the name; confirm.
	SkipIfExists bool
	// Quiet presumably suppresses progress output — confirm.
	Quiet        bool
	// Deep copies all versions and overwrites all versions at the target location.
	Deep bool
	// DeletedVersions undeletes, reads, and redeletes the deleted keys.
	// It also puts dummy destroyed keys into dest to match destroyed keys from src.
	// Makes no sense without Deep.
	DeletedVersions bool
}

type ProxyRouter added in v1.3.0

// ProxyRouter chooses an outbound proxy for HTTP requests based on ProxyConf.
// Its Proxy method has the func(*http.Request) (*url.URL, error) shape, so it
// looks intended for use as http.Transport.Proxy — confirm with the callers
// of NewProxyRouter.
type ProxyRouter struct {
	ProxyConf httpproxy.Config
}

func NewProxyRouter added in v1.3.0

func NewProxyRouter() (*ProxyRouter, error)

func (ProxyRouter) Proxy added in v1.3.0

func (n ProxyRouter) Proxy(req *http.Request) (*url.URL, error)

type SOCKS5SSHConfig added in v1.3.0

// SOCKS5SSHConfig contains configuration variables for setting up a SOCKS5
// proxy to be tunneled through an SSH connection; it is the argument of
// StartSSHTunnel.
type SOCKS5SSHConfig struct {
	// Host is the SSH server to connect to.
	Host                  string
	// User is the SSH login name.
	User                  string
	// PrivateKey is the raw key material used to authenticate as User;
	// presumably PEM-encoded — confirm against StartSSHTunnel.
	PrivateKey            []byte
	// KnownHostsFile is the known_hosts file the server's host key is
	// checked against.
	KnownHostsFile        string
	// SkipHostKeyValidation, when true, presumably accepts any server host
	// key. An interposed host could then terminate the SSH session and see
	// the proxied traffic, so leave it false outside throwaway test setups.
	SkipHostKeyValidation bool
}

SOCKS5SSHConfig contains configuration variables for setting up a SOCKS5 proxy to be tunneled through an SSH connection.

type Secret

// A Secret contains a set of key/value pairs that store anything you want,
// including passwords, RSA keys, usernames, etc. Its fields are unexported;
// create one with NewSecret or obtain one from Vault.Read, and access the
// contents through Get, Set, Has, Keys and friends.
type Secret struct {
	// contains filtered or unexported fields
}

A Secret contains a set of key/value pairs that store anything you want, including passwords, RSA keys, usernames, etc.

func NewSecret

func NewSecret() *Secret

func (*Secret) DHParam added in v0.0.23

func (s *Secret) DHParam(length int, skipIfExists bool) error

func (*Secret) Delete added in v0.1.5

func (s *Secret) Delete(key string) bool

Delete removes the entry with the given key from the Secret. Returns true if there was a matching object to delete. False otherwise.

func (*Secret) Empty added in v0.1.5

func (s *Secret) Empty() bool

Empty returns true if there are no key-value pairs in this Secret object. False otherwise.

func (*Secret) Format added in v0.0.14

func (s *Secret) Format(oldKey, newKey, fmtType string, skipIfExists bool) error

func (*Secret) Get

func (s *Secret) Get(key string) string

Get retrieves the value of the given key, or "" if no such key exists.

func (*Secret) Has

func (s *Secret) Has(key string) bool

Has returns true if the Secret has defined the given key.

func (*Secret) JSON

func (s *Secret) JSON() string

JSON converts a Secret to its JSON representation and returns it as a string. Returns an empty string if there were any errors.

func (*Secret) Keys added in v0.1.8

func (s *Secret) Keys() []string

func (Secret) MarshalJSON added in v0.0.3

func (s Secret) MarshalJSON() ([]byte, error)

func (*Secret) Password

func (s *Secret) Password(key string, length int, policy string, skipIfExists bool) error

Password creates and stores a new randomized password.

func (*Secret) RSAKey

func (s *Secret) RSAKey(bits int, skipIfExists bool) error

RSAKey generates a new public/private keypair, and stores it in the secret, under the 'public' and 'private' keys.

func (*Secret) SSHKey

func (s *Secret) SSHKey(bits int, skipIfExists bool) error

SSHKey generates a new public/private keypair, and stores it in the secret, under the 'public' and 'private' keys.

func (*Secret) Set

func (s *Secret) Set(key, value string, skipIfExists bool) error

Set stores a value in the Secret, under the given key.

func (*Secret) SingleValue added in v0.0.26

func (s *Secret) SingleValue() (string, error)

SingleValue converts a secret to a string representing the single value it contains. Returns an error if there is not exactly one entry in the secret object.

func (*Secret) UnmarshalJSON added in v0.0.3

func (s *Secret) UnmarshalJSON(b []byte) error

func (Secret) X509 added in v0.1.4

func (s Secret) X509(requireKey bool) (*X509, error)

func (*Secret) YAML

func (s *Secret) YAML() string

YAML converts a Secret to its YAML representation and returns it as a string. Returns an empty string if there were any errors.

type SecretEntry added in v1.0.0

// SecretEntry is a secret path together with the versions fetched for it,
// as produced by Vault.ConstructSecrets.
type SecretEntry struct {
	// Path is the full path of the secret in Vault.
	Path     string
	// Versions holds the fetched versions. Which versions are present and
	// whether their Data is populated presumably depends on the TreeOpts
	// used to build the entry — confirm.
	Versions []SecretVersion
}

func (SecretEntry) Basename added in v1.0.0

func (s SecretEntry) Basename() string

func (SecretEntry) Copy added in v1.0.0

func (s SecretEntry) Copy(v *Vault, dst string, opts TreeCopyOpts) error

type SecretVersion added in v1.0.0

// SecretVersion is one version of a secret, as listed in SecretEntry.Versions.
type SecretVersion struct {
	// Data is the secret's contents for this version. It may be nil for
	// versions whose data was not (or could not be) fetched — inferred, confirm.
	Data   *Secret
	// Number is the version number.
	Number uint
	// State is expected to hold one of the SecretState* constants
	// (SecretStateAlive, SecretStateDeleted, SecretStateDestroyed).
	State  uint
}

type Secrets added in v1.0.0

// Secrets is an ordered collection of SecretEntry values, as returned by
// Vault.ConstructSecrets; see Append, Merge, Sort, Paths and Draw.
type Secrets []SecretEntry

func (*Secrets) Append added in v1.0.0

func (s *Secrets) Append(e SecretEntry)

func (Secrets) Draw added in v1.0.0

func (s Secrets) Draw(root string, color, secrets bool) string

func (Secrets) Merge added in v1.1.0

func (s1 Secrets) Merge(s2 Secrets) Secrets

func (Secrets) Paths added in v1.0.0

func (s Secrets) Paths() []string

func (Secrets) Sort added in v1.0.0

func (s Secrets) Sort()

type TreeCopyOpts added in v1.0.0

// TreeCopyOpts controls SecretEntry.Copy.
type TreeCopyOpts struct {
	// Clear will wipe the secret in place.
	Clear bool
	// Pad will insert dummy versions in place of those that have been
	// truncated by Vault.
	Pad bool
}

type TreeOpts added in v1.0.0

// TreeOpts controls how Vault.ConstructSecrets walks and fetches a tree of
// secrets.
type TreeOpts struct {
	// FetchKeys fetches the keys of each secret (for tree/paths --keys).
	FetchKeys bool
	// AllowDeletedSecrets keeps entries whose latest version is deleted.
	// v2 backends show deleted secrets in the list by default; leaving this
	// unset purges such entries.
	// Ignored by constructTree; only used by ConstructSecrets.
	AllowDeletedSecrets bool
	// SkipVersionInfo omits version information. Overridden by FetchKeys.
	SkipVersionInfo bool
	// FetchAllVersions fetches all versions of the keys in the tree rather
	// than only the latest.
	FetchAllVersions bool
	// GetDeletedVersions tells the workers to temporarily undelete deleted
	// keys to fetch their value, then delete them again. Note that this
	// writes to Vault during what is otherwise a read operation.
	GetDeletedVersions bool
	// GetOnly only performs gets. If the target is not a secret, an error
	// is returned.
	GetOnly bool
}

type Vault

// Vault is a client handle for a Vault server. Its fields are unexported;
// create one with NewVault, which takes a VaultConfig.
type Vault struct {
	// contains filtered or unexported fields
}

func NewVault

func NewVault(conf VaultConfig) (*Vault, error)

NewVault creates a new Vault object. If an empty token is specified, the current user's token is read from ~/.vault-token.

func (*Vault) AddMount added in v1.2.0

func (v *Vault) AddMount(path string, version int) error

func (*Vault) CheckPKIBackend added in v0.1.3

func (v *Vault) CheckPKIBackend(backend string) error

func (*Vault) Client added in v0.0.2

func (v *Vault) Client() *vaultkv.KV

func (*Vault) ConstructSecrets added in v1.0.0

func (v *Vault) ConstructSecrets(path string, opts TreeOpts) (s Secrets, err error)

func (*Vault) Copy

func (v *Vault) Copy(oldpath, newpath string, opts MoveCopyOpts) error

Copy copies secrets from one path to another. With a secret:key specified: key -> key is good. key -> no-key is okay - we assume to keep the old key name. no-key -> key is bad. That makes no sense and the user should feel bad. Returns KeyNotFoundError if there is no such specified key in the secret at oldpath.

func (*Vault) CreateSignedCertificate added in v0.0.22

func (v *Vault) CreateSignedCertificate(backend, role, path string, params CertOptions, skipIfExists bool) error

func (*Vault) Curl added in v0.0.22

func (v *Vault) Curl(method string, path string, body []byte) (*http.Response, error)

func (*Vault) Delete

func (v *Vault) Delete(path string, opts DeleteOpts) error

Delete removes the secret or key stored at the specified path. If opts.Destroy is true and the mount is v2, the latest version is destroyed instead.

func (*Vault) DeleteTree added in v0.0.21

func (v *Vault) DeleteTree(root string, opts DeleteOpts) error

DeleteTree recursively deletes the leaf nodes beneath the given root until the root has no children, and then deletes that.

func (*Vault) DeleteVersions added in v1.0.0

func (v *Vault) DeleteVersions(path string, versions []uint) error

DeleteVersions marks the given versions of the given secret as deleted for a v2 backend or actually deletes it for a v1 backend.

func (*Vault) DestroyVersions added in v1.0.0

func (v *Vault) DestroyVersions(path string, versions []uint) error

DestroyVersions irrevocably destroys the given versions of the given secret

func (*Vault) FindSigningCA added in v0.8.0

func (v *Vault) FindSigningCA(cert *X509, certPath string, signPath string) (*X509, string, error)

func (*Vault) Init added in v0.6.0

func (v *Vault) Init(nkeys, threshold int) ([]string, string, error)

func (*Vault) IsMounted added in v0.0.26

func (v *Vault) IsMounted(typ, path string) (bool, error)

func (*Vault) List added in v0.0.3

func (v *Vault) List(path string) (paths []string, err error)

List returns the set of (relative) paths that are directly underneath the given path. Intermediate path nodes are suffixed with a single "/", whereas leaf nodes (the secrets themselves) are not.

func (*Vault) ListMounts added in v1.2.0

func (v *Vault) ListMounts() (mounts []string, err error)

func (*Vault) Mount added in v0.0.26

func (v *Vault) Mount(typ, path string, params map[string]interface{}) error

func (*Vault) MountExists added in v1.2.0

func (v *Vault) MountExists(path string) (bool, error)

func (*Vault) MountVersion added in v1.0.0

func (v *Vault) MountVersion(path string) (uint, error)

func (*Vault) Mounts added in v0.4.3

func (v *Vault) Mounts(typ string) ([]string, error)

func (*Vault) Move

func (v *Vault) Move(oldpath, newpath string, opts MoveCopyOpts) error

Move moves secrets from one path to another. A move is semantically a copy and then a deletion of the original item. For more information on the behavior of Move pertaining to keys, look at Copy.

func (*Vault) MoveCopyTree added in v0.0.21

func (v *Vault) MoveCopyTree(oldRoot, newRoot string, f func(string, string, MoveCopyOpts) error, opts MoveCopyOpts) error

MoveCopyTree will recursively copy all nodes from the root to the new location. This function will get confused about 'secret:key' syntax, so don't let those get routed here - they don't make sense for a recursion anyway.

func (*Vault) NewRootToken added in v0.7.0

func (v *Vault) NewRootToken(keys []string) (string, error)

func (*Vault) ReKey added in v0.3.0

func (v *Vault) ReKey(unsealKeyCount, numToUnseal int, pgpKeys []string) ([]string, error)

func (*Vault) Read

func (v *Vault) Read(path string) (secret *Secret, err error)

Read checks the Vault for a Secret at the specified path, and returns it. If there is nothing at that path, a nil *Secret will be returned, with no error.

func (*Vault) RenewLease added in v0.6.0

func (v *Vault) RenewLease() error

func (*Vault) RetrievePem added in v0.0.22

func (v *Vault) RetrievePem(backend, path string) ([]byte, error)

func (*Vault) RevokeCertificate added in v0.0.22

func (v *Vault) RevokeCertificate(backend, serial string) error

func (*Vault) SaveSealKeys added in v0.8.1

func (v *Vault) SaveSealKeys(keys []string)

func (*Vault) Seal added in v0.0.28

func (v *Vault) Seal() (bool, error)

func (*Vault) SealKeys added in v0.0.28

func (v *Vault) SealKeys() (int, error)

SealKeys returns the threshold for unsealing the vault

func (*Vault) Sealed added in v1.4.0

func (v *Vault) Sealed() (bool, error)

func (*Vault) SetURL added in v0.9.7

func (v *Vault) SetURL(u string)

func (*Vault) Strongbox added in v0.0.28

func (v *Vault) Strongbox() (map[string]string, error)

func (*Vault) Undelete added in v1.0.0

func (v *Vault) Undelete(path string) error

func (*Vault) Unseal added in v0.0.28

func (v *Vault) Unseal(keys []string) error

func (*Vault) Versions added in v1.0.0

func (v *Vault) Versions(path string) ([]vaultkv.KVVersion, error)

func (*Vault) Write

func (v *Vault) Write(path string, s *Secret) error

Write takes a Secret and writes it to the Vault at the specified path.

type VaultConfig added in v1.4.0

// VaultConfig is the connection configuration accepted by NewVault.
type VaultConfig struct {
	// URL is the address of the Vault server.
	URL        string
	// Token authenticates requests. When empty, NewVault reads the current
	// user's token from ~/.vault-token.
	Token      string
	// Namespace is the Vault namespace requests are scoped to — assumed
	// from the name; confirm against NewVault.
	Namespace  string
	// CACerts, when non-nil, is presumably the trust store used to verify
	// the server's TLS certificate — confirm against NewVault.
	CACerts    *x509.CertPool
	// SkipVerify presumably disables TLS certificate verification of the
	// server. That removes the only check that Token is being sent to the
	// intended Vault, so it should stay false outside local testing.
	SkipVerify bool
}

type X509 added in v0.1.4

// X509 bundles a certificate with its private key, chain and CA bookkeeping
// as stored in and read from a Secret (see Secret.X509 and X509.Secret).
type X509 struct {
	// Intermediaries is the chain between Certificate and its root, if any.
	Intermediaries []*x509.Certificate
	Certificate    *x509.Certificate
	// PrivateKey is the key matching Certificate. Only RSA keys are
	// representable here; it may be nil (Secret.X509 takes a requireKey flag).
	PrivateKey     *rsa.PrivateKey
	// Serial is presumably the next serial number this CA will issue
	// (see Sign and FormatSerial) — confirm.
	Serial         *big.Int
	// CRL is this CA's revocation list, maintained by Revoke and consulted
	// by HasRevoked.
	// NOTE(review): pkix.CertificateList is deprecated in the Go standard
	// library in favour of x509.RevocationList; consider migrating.
	CRL            *pkix.CertificateList

	// KeyUsage and ExtKeyUsage are the requested usages (see
	// HandleJointKeyUsages), applied when the certificate is generated.
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
}

func NewCertificate added in v0.1.4

func NewCertificate(subj string, names, keyUsage []string, signatureAlgorithm string, bits int) (*X509, error)

func (X509) CheckStrength added in v0.1.4

func (x X509) CheckStrength(bits ...int) error

func (X509) Expired added in v0.1.4

func (x X509) Expired() bool

func (*X509) ExpiryString added in v1.5.2

func (c *X509) ExpiryString() string

func (*X509) FormatSerial added in v1.4.0

func (c *X509) FormatSerial() string

func (*X509) HasRevoked added in v0.1.4

func (ca *X509) HasRevoked(cert *X509) bool

func (*X509) IntermediarySubject added in v0.9.3

func (x *X509) IntermediarySubject(n int) string

func (X509) IsCA added in v0.1.4

func (x X509) IsCA() bool

func (*X509) Issuer added in v0.2.0

func (x *X509) Issuer() string

func (*X509) MakeCA added in v0.1.4

func (x *X509) MakeCA()

func (*X509) Revoke added in v0.1.4

func (ca *X509) Revoke(cert *X509)

func (*X509) SaveTo added in v0.8.0

func (ca *X509) SaveTo(v *Vault, path string, skipIfExists bool) error

func (X509) Secret added in v0.1.4

func (x X509) Secret(skipIfExists bool) (*Secret, error)

func (*X509) Sign added in v0.1.4

func (ca *X509) Sign(x *X509, ttl time.Duration) error

func (*X509) Subject added in v0.2.0

func (x *X509) Subject() string

func (X509) ValidFor added in v0.1.4

func (x X509) ValidFor(names ...string) (bool, error)

func (X509) ValidForDomain added in v0.1.4

func (x X509) ValidForDomain(domain string) bool

func (X509) ValidForEmail added in v0.1.4

func (x X509) ValidForEmail(email string) bool

func (X509) ValidForIP added in v0.1.4

func (x X509) ValidForIP(ip net.IP) bool

func (X509) Validate added in v0.1.4

func (x X509) Validate() error
