secretstore

package
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2021 License: Apache-2.0 Imports: 38 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	VaultToken             = "X-Vault-Token"
	TokenCreatorPolicyName = "privileged-token-creator"

	// This is an admin token policy that allow for creation of
	// per-service tokens and policies
	TokenCreatorPolicy = `` /* 394-byte string literal not displayed */

)
View Source 
const OneShotProvider = "oneshot"

Variables

This section is empty.

Functions

func Main 

func Main(ctx context.Context, cancel context.CancelFunc, _ *mux.Router, _ chan<- bool)

Types

type Bootstrap 

type Bootstrap struct {
	// contains filtered or unexported fields
}

func NewBootstrap 

func NewBootstrap(insecureSkipVerify bool, vaultInterval int) *Bootstrap

func (*Bootstrap) BootstrapHandler 

func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ startup.Timer, dic *di.Container) bool

BootstrapHandler fulfills the BootstrapHandler contract and performs initialization needed by the data service.

type CertCollect 

type CertCollect struct {
	Pair CertPair `json:"data"`
}

type CertPair 

type CertPair struct {
	Cert string `json:"cert,omitempty"`
	Key  string `json:"key,omitempty"`
}

type Certs 

type Certs struct {
	// contains filtered or unexported fields
}

func NewCerts 

func NewCerts(
	caller internal.HttpCaller,
	certPath string,
	rootToken string,
	secretServiceBaseURL string,
	lc logger.LoggingClient) Certs

func (*Certs) AlreadyinStore 

func (cs *Certs) AlreadyinStore() (bool, error)

func (*Certs) ReadFrom 

func (cs *Certs) ReadFrom(certPath string, keyPath string) (*CertPair, error)

func (*Certs) UploadToStore 

func (cs *Certs) UploadToStore(cp *CertPair) error

type CmdRunner 

type CmdRunner interface {
	Start() error
	Wait() error
}

CmdRunner is mockable interface for golang's exec.Cmd

type Cred 

type Cred struct {
	// contains filtered or unexported fields
}

func NewCred 

func NewCred(
	caller internal.HttpCaller,
	rootToken string,
	generator CredentialGenerator,
	secretServiceBaseURL string,
	lc logger.LoggingClient) Cred

func (*Cred) AlreadyInStore 

func (cr *Cred) AlreadyInStore(path string) (bool, error)

func (*Cred) GeneratePassword 

func (cr *Cred) GeneratePassword(ctx context.Context) (string, error)

GeneratePassword is a pass-through to the password generator

func (*Cred) UploadToStore 

func (cr *Cred) UploadToStore(pair *UserPasswordPair, path string) error

type CredCollect 

type CredCollect struct {
	Pair UserPasswordPair `json:"data"`
}

type CredentialGenerator 

type CredentialGenerator interface {
	Generate(ctx context.Context) (string, error)
}

CredentialGenerator is the interface for pluggable password generators

func NewDefaultCredentialGenerator 

func NewDefaultCredentialGenerator() CredentialGenerator

NewDefaultCredentialGenerator generates random passwords as base64-encoded strings

func NewPasswordGenerator 

func NewPasswordGenerator(lc logger.LoggingClient, passwordProvider string, passwordProviderArgs []string) CredentialGenerator

NewPasswordGenerator wires up a pluggable password generator or defaults to a built-in implementation if the pluggable configuration is missing

type ExecRunner 

type ExecRunner interface {
	SetStdout(stdout io.Writer)
	LookPath(file string) (string, error)
	CommandContext(ctx context.Context, name string, arg ...string) CmdRunner
}

ExecRunner is mockable interface for wrapping os/exec functionality

func NewDefaultExecRunner 

func NewDefaultExecRunner() ExecRunner

NewDefaultExecRunner creates an os/exec wrapper that joins subprocesses' stdout and stderr with the caller's

type PasswordProvider 

type PasswordProvider struct {
	// contains filtered or unexported fields
}

func NewPasswordProvider 

func NewPasswordProvider(lc logger.LoggingClient, execRunner ExecRunner) *PasswordProvider

NewPasswordProvider creates a new PasswordProvider

func (*PasswordProvider) Generate 

func (p *PasswordProvider) Generate(ctx context.Context) (string, error)

Generate retrives the password from the tool

func (*PasswordProvider) SetConfiguration 

func (p *PasswordProvider) SetConfiguration(passwordProvider string, passwordProviderArgs []string) error

SetConfiguration parses token provider configuration and resolves paths specified therein

type RevokeFunc 

type RevokeFunc func()

type TokenMaintenance 

type TokenMaintenance struct {
	// contains filtered or unexported fields
}

func NewTokenMaintenance 

func NewTokenMaintenance(logging logger.LoggingClient, secretClient secretstoreclient.SecretStoreClient) *TokenMaintenance

NewTokenMaintenance creates a new TokenProvider

func (*TokenMaintenance) CreateTokenIssuingToken 

func (tm *TokenMaintenance) CreateTokenIssuingToken(rootToken string) (map[string]interface{}, RevokeFunc, error)

CreateTokenIssuingToken creates an admin token that allows the holder to create per-service tokens an policies. Requires a root token, returns a function that, if called, with revoke the token

func (*TokenMaintenance) RevokeNonRootTokens 

func (tm *TokenMaintenance) RevokeNonRootTokens(privilegedToken string) error

RevokeNonRootTokens revokes non-root tokens that may have been issued in previous EdgeX runs. Should be called with a high-privileged token.

func (*TokenMaintenance) RevokeRootTokens 

func (tm *TokenMaintenance) RevokeRootTokens(privilegedToken string) error

RevokeRootTokens revokes any root tokens found in the secret store. Should be called with a high-privileged token.

type TokenProvider 

type TokenProvider struct {
	// contains filtered or unexported fields
}

func NewTokenProvider 

func NewTokenProvider(ctx context.Context, lc logger.LoggingClient, execRunner ExecRunner) *TokenProvider

NewTokenProvider creates a new TokenProvider

func (*TokenProvider) Launch 

func (p *TokenProvider) Launch() error

Launch spawns the token provider function

func (*TokenProvider) SetConfiguration 

func (p *TokenProvider) SetConfiguration(config secretstoreclient.SecretServiceInfo) error

SetConfiguration parses token provider configuration and resolves paths specified therein

type UserPasswordPair 

type UserPasswordPair struct {
	User     string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

type VMKEncryption 

type VMKEncryption struct {
	// contains filtered or unexported fields
}

func NewVMKEncryption 

func NewVMKEncryption(fileOpener fileioperformer.FileIoPerformer,
	pipedHexReader pipedhexreader.PipedHexReader,
	kdf kdf.KeyDeriver) *VMKEncryption

NewVMKEncryption - constructor

func (*VMKEncryption) DecryptInitResponse 

func (v *VMKEncryption) DecryptInitResponse(initResp *secretstoreclient.InitResponse) error

DecryptInitResponse processes the InitResponse and decrypts the key shares in the end, EncryptedKeys and Nonces are removed and replaced with Keys and KeysBase64 in the resulting JSON like the init response was originally Root token is left untouched

func (*VMKEncryption) EncryptInitResponse 

func (v *VMKEncryption) EncryptInitResponse(initResp *secretstoreclient.InitResponse) error

EncryptInitResponse processes the InitResponse and encrypts the key shares in the end, Keys and KeysBase64 are removed and replaced with EncryptedKeys and Nonces in the resulting JSON Root token is left untouched

func (*VMKEncryption) IsEncrypting 

func (v *VMKEncryption) IsEncrypting() bool

IsEncrypting scrubs the input key material from memory

func (*VMKEncryption) LoadIKM 

func (v *VMKEncryption) LoadIKM(ikmBinPath string) error

LoadIKM loads input key material from the specified path

func (*VMKEncryption) WipeIKM 

func (v *VMKEncryption) WipeIKM()

WipeIKM scrubs the input key material from memory

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.