vault

package

v0.4.1 Latest Latest Go to latest Published: Nov 22, 2019 License: MIT Imports: 6 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dhoelle/redactr

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
type Client
type Redacter
- func NewRedacter(client Client) *Redacter
- func (r *Redacter) Redact(secretDeclaration string) (string, error)
- func (r *Redacter) Unredact(secretDeclaration string) (string, error)
type StandardClientWrapper
- func (w *StandardClientWrapper) ReadSecret(path, key string) (interface{}, error)
- func (w *StandardClientWrapper) WriteSecret(path, key, value string) error
type TokenWrapper
- func (w *TokenWrapper) WrapToken(token, originalPayload, originalEnvelope string) string

Constants ¶

This section is empty.

Variables ¶

View Source

var RedactedRE = regexp.MustCompile(`` +

	`~~redacted-vault:` +

	`(` +

	`[^#\s]+` +

	`#` +

	`[^#\s]+` +

	`)` +

	`~~`)

RedactedRE matches redacted secret tokens, like:

~~redacted-vault:path/to/kv/secret#my_key~~

A match must be isolated by word boundaries on both ends.

The payload (capturing group) is the secret location (in the example above, "path/to/kv/secret#my_key")

View Source

var UnredactedRE = regexp.MustCompile(`` +

	`~~redact-vault:` +

	`(` +

	`[^#\s]+` +

	`#` +

	`[^#\s]+` +

	`#` +

	`[^#\s]+` +

	`)` +

	`~~`)

UnredactedRE matches unredacted secret tokens, like:

~~redact-vault:path/to/kv/secret#my_key#my_value~~

A match must be isolated by word boundaries on both ends.

The payload (capturing group) is the secret path+key+value (in the example above, "path/to/kv/secret#my_key#my_value")

Functions ¶

This section is empty.

Types ¶

type Client ¶

type Client interface {
	ReadSecret(path, key string) (interface{}, error)
	WriteSecret(path, key, value string) error
}

A Client can get secrets from a Hashicorp Vault instance

type Redacter ¶

type Redacter struct {
	// contains filtered or unexported fields
}

A Redacter redacts secrets by storing them in a Hashicorp Vault

func NewRedacter ¶

func NewRedacter(client Client) *Redacter

NewRedacter creates a new Redacter

func (*Redacter) Redact ¶

func (r *Redacter) Redact(secretDeclaration string) (string, error)

Redact inserts a declared secret into Vault

It expects an input like:

path/to/secret#key#value

func (*Redacter) Unredact ¶

func (r *Redacter) Unredact(secretDeclaration string) (string, error)

Unredact replaces a Vault secret declaration with the target secret.

It expects an input like:

path/to/secret#secret_key

type StandardClientWrapper ¶

type StandardClientWrapper struct {
	Client *api.Client
}

StandardClientWrapper wraps the standard Vault client into a Client

func (*StandardClientWrapper) ReadSecret ¶

func (w *StandardClientWrapper) ReadSecret(path, key string) (interface{}, error)

ReadSecret reads a secret using the standard Vault client

func (*StandardClientWrapper) WriteSecret ¶

func (w *StandardClientWrapper) WriteSecret(path, key, value string) error

WriteSecret writes a secret using the standard Vault client TODO(dhoelle): this is failing if the secret does not already exist

type TokenWrapper ¶

type TokenWrapper struct {
	Before string
	After  string
}

TokenWrapper wraps a vault token by putting the original payload in front of it

func (*TokenWrapper) WrapToken ¶

func (w *TokenWrapper) WrapToken(token, originalPayload, originalEnvelope string) string

WrapToken wraps the string with Before and After

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL