vault

package
Published: Nov 2, 2022 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

const (
	// NamespaceHeader specifies the header name to use when including Namespace information in a request.
	NamespaceHeader = "X-Vault-Namespace"
	// AuthTypeHeader is the header name that carries the Vault token on a request.
	// Anything sent in this header is a bearer credential; treat it as secret
	// material (do not log it, and only send it over TLS-protected connections).
	AuthTypeHeader = "X-Vault-Token"

	// Vault REST API paths used by this client. Paths containing a %s verb are
	// format strings that the caller fills in (policy name, Consul role name).
	//
	// The "nolint: gosec" markers suppress gosec's hard-coded-credential check,
	// which is presumably triggered by the word "token" in these identifiers;
	// the values are URL paths, not credentials.
	HealthAPI              = "/v1/sys/health"
	InitAPI                = "/v1/sys/init"
	UnsealAPI              = "/v1/sys/unseal"
	CreatePolicyPath       = "/v1/sys/policies/acl/%s"
	CreateTokenAPI         = "/v1/auth/token/create"    // nolint: gosec
	ListAccessorsAPI       = "/v1/auth/token/accessors" // nolint: gosec
	RevokeAccessorAPI      = "/v1/auth/token/revoke-accessor"
	LookupAccessorAPI      = "/v1/auth/token/lookup-accessor"
	LookupSelfAPI          = "/v1/auth/token/lookup-self"
	RevokeSelfAPI          = "/v1/auth/token/revoke-self"
	RootTokenControlAPI    = "/v1/sys/generate-root/attempt" // nolint: gosec
	RootTokenRetrievalAPI  = "/v1/sys/generate-root/update"  // nolint: gosec
	MountsAPI              = "/v1/sys/mounts"
	GenerateConsulTokenAPI = "/v1/consul/creds/%s" // nolint: gosec

)
// Secret engine type names. NOTE(review): these presumably match the
// "type" values Vault reports for mounted engines and are what callers
// pass as the engine argument to CheckSecretEngineInstalled — confirm.
const (
	KeyValue = "kv"
	Consul   = "consul"
)

Variables

This section is empty.

Functions

func GetMockTokenServer

func GetMockTokenServer(tokenDataMap *sync.Map) *httptest.Server

GetMockTokenServer returns a stub HTTP test server for handling token lookup-self and renew-self API calls.

Types

type Client

type Client struct {
	// Config is the secret store configuration; presumably the config passed to NewClient — confirm.
	Config     types.SecretConfig
	// HttpCaller issues the HTTP requests to Vault; presumably the requester passed to NewClient — confirm.
	HttpCaller pkg.Caller
	// contains filtered or unexported fields
}

Client defines the behavior for interacting with the Vault REST secret key/value store via HTTP(S).

func NewClient

func NewClient(config types.SecretConfig, requester pkg.Caller, forSecrets bool, lc logger.LoggingClient) (*Client, error)

NewClient constructs a Vault *Client which communicates with Vault via HTTP(S). lc is any logging client that implements the loggingClient interface; today EdgeX's logger.LoggingClient from go-mod-core-contracts satisfies this interface.

func NewSecretsClient

func NewSecretsClient(ctx context.Context, config types.SecretConfig, lc logger.LoggingClient, callback pkg.TokenExpiredCallback) (*Client, error)

NewSecretsClient constructs a Vault *Client which communicates with Vault via HTTP(S) for basic usage of secrets

func (*Client) CheckSecretEngineInstalled

func (c *Client) CheckSecretEngineInstalled(token string, mountPoint string, engine string) (bool, error)

func (*Client) ConfigureConsulAccess added in v2.3.0

func (c *Client) ConfigureConsulAccess(secretStoreToken string, bootstrapACLToken string, consulHost string, consulPort int) error

ConfigureConsulAccess enables Consul config access to the SecretStore via the consul/config/access API. See the reference: https://www.vaultproject.io/api-docs/secret/consul#configure-access

func (*Client) CreateRole added in v2.3.0

func (c *Client) CreateRole(secretStoreToken string, consulRole types.ConsulRole) error

CreateRole creates a Consul role that can be used to generate Consul tokens. Part of the role definition is tied to Consul policies, which dictate the permissions for access to the Consul KV store, agent, etc.

func (*Client) CreateToken

func (c *Client) CreateToken(token string, parameters map[string]interface{}) (map[string]interface{}, error)

func (*Client) EnableConsulSecretEngine

func (c *Client) EnableConsulSecretEngine(token string, mountPoint string, defaultLeaseTTL string) error

func (*Client) EnableKVSecretEngine

func (c *Client) EnableKVSecretEngine(token string, mountPoint string, kvVersion string) error

func (*Client) GenerateConsulToken

func (c *Client) GenerateConsulToken(serviceKey string) (string, error)

GenerateConsulToken generates a new Consul token using serviceKey as the role name when calling the secret store's consul/creds API. The serviceKey is used as the role-name part of the secret store's URL and must be accessible to the API.

func (*Client) GetKeys added in v2.3.0

func (c *Client) GetKeys(subPath string) ([]string, error)

GetKeys retrieves the keys at the provided sub-path. Secret Store returns an array of keys for a given path when retrieving a list of keys, versus a k/v map when retrieving secrets.

func (*Client) GetSecrets

func (c *Client) GetSecrets(subPath string, keys ...string) (map[string]string, error)

GetSecrets retrieves the secrets at the provided sub-path that matches the specified keys.

func (*Client) HealthCheck

func (c *Client) HealthCheck() (int, error)

func (*Client) Init

func (c *Client) Init(secretThreshold int, secretShares int) (types.InitResponse, error)

func (*Client) InstallPolicy

func (c *Client) InstallPolicy(token string, policyName string, policyDocument string) error

func (*Client) ListTokenAccessors

func (c *Client) ListTokenAccessors(token string) ([]string, error)

func (*Client) LookupToken

func (c *Client) LookupToken(token string) (types.TokenMetadata, error)

func (*Client) LookupTokenAccessor

func (c *Client) LookupTokenAccessor(token string, accessor string) (types.TokenMetadata, error)

func (*Client) RegenRootToken

func (c *Client) RegenRootToken(keys []string) (string, error)

func (*Client) RevokeToken

func (c *Client) RevokeToken(token string) error

func (*Client) RevokeTokenAccessor

func (c *Client) RevokeTokenAccessor(token string, accessor string) error

func (*Client) SetAuthToken added in v2.1.0

func (c *Client) SetAuthToken(ctx context.Context, newToken string) error

func (*Client) StoreSecrets

func (c *Client) StoreSecrets(subPath string, secrets map[string]string) error

StoreSecrets stores the secrets at the provided sub-path for the specified keys.

func (*Client) Unseal

func (c *Client) Unseal(keysBase64 []string) error

type EnableSecretsEngineRequest

type EnableSecretsEngineRequest struct {
	// Type is the secret engine type to mount; presumably one of the KeyValue/Consul constants — confirm.
	Type        string                `json:"type"`
	// Description is a human-readable description of the mount.
	Description string                `json:"description"`
	// Options is omitted from the JSON body when nil.
	Options     *SecretsEngineOptions `json:"options,omitempty"`
	// Config is omitted from the JSON body when nil.
	Config      *SecretsEngineConfig  `json:"config,omitempty"`
}

EnableSecretsEngineRequest is the POST request to /v1/sys/mounts

type ErrCaRootCert

// ErrCaRootCert is returned when the provided CA root certificate is invalid.
// The error detail lives in unexported fields and is exposed through Error().
type ErrCaRootCert struct {
	// contains filtered or unexported fields
}

ErrCaRootCert is the error returned when the provided CA Root certificate is invalid.

func (ErrCaRootCert) Error

func (e ErrCaRootCert) Error() string

type ErrHTTPResponse

// ErrHTTPResponse reports a Vault HTTP response that did not match the
// caller's expectation; it carries the status code and a message.
type ErrHTTPResponse struct {
	// StatusCode is the HTTP status code returned by Vault.
	StatusCode int
	// ErrMsg is the error text. NOTE(review): if this is ever populated from
	// the response body, make sure it carries no token or secret material
	// before it reaches a log line — confirm how it is filled.
	ErrMsg     string
}

func (ErrHTTPResponse) Error

func (err ErrHTTPResponse) Error() string

type InitRequest

type InitRequest struct {
	// SecretShares is the number of unseal key shares to generate.
	// Note that Client.Init takes its arguments as (secretThreshold, secretShares),
	// the opposite order of these fields; keep them straight when populating.
	SecretShares    int `json:"secret_shares"`
	// SecretThreshold is the number of shares required to unseal.
	SecretThreshold int `json:"secret_threshold"`
}

InitRequest contains a Vault init request regarding the Shamir Secret Sharing (SSS) parameters

type ListSecretEnginesResponse

type ListSecretEnginesResponse struct {
	// Data maps each mount path to its engine descriptor; only the "type"
	// field of each descriptor is decoded, the rest of the JSON is dropped.
	Data map[string]struct {
		Type string `json:"type"`
	} `json:"data"`
}

ListSecretEnginesResponse is the response to GET /v1/sys/mounts

type ListTokenAccessorsResponse

type ListTokenAccessorsResponse struct {
	// Data.Keys holds the token accessors returned by the list call.
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListTokenAccessorsResponse is the response to the list accessors API

type LookupAccessorRequest

type LookupAccessorRequest struct {
	// Accessor is the token accessor to look up (not the token itself).
	Accessor string `json:"accessor"`
}

LookupAccessorRequest is used by accessor lookup API

type RequestArgs

type RequestArgs struct {
	// Authentication token sent with the request; presumably placed in the
	// AuthTypeHeader (X-Vault-Token) header — confirm. Treat as secret material.
	AuthToken string
	// HTTP method
	Method string
	// URL path (one of the *API / *Path constants, with any %s already filled in)
	Path string
	// If non-nil, passed to JSON serializer and included in request
	JSONObject interface{}
	// Included in HTTP request if JSONObject is nil
	BodyReader io.Reader
	// Description of the operation being performed included in log messages
	OperationDescription string
	// Expected status code to be returned from HTTP request; NOTE(review): a
	// different status presumably surfaces as ErrHTTPResponse — confirm
	ExpectedStatusCode int
	// If non-nil and request succeeded, response body will be serialized here (must be a pointer)
	ResponseObject interface{}
}

RequestArgs is the parameters structure for the request method.

type RevokeTokenAccessorRequest

type RevokeTokenAccessorRequest struct {
	// Accessor identifies the token to revoke without requiring the token value.
	Accessor string `json:"accessor"`
}

RevokeTokenAccessorRequest is the input to the revoke token by accessor API

type RootTokenControlResponse

type RootTokenControlResponse struct {
	// Complete reports whether the root token generation attempt has finished.
	Complete bool   `json:"complete"`
	// Nonce identifies this generation attempt; it is sent back in RootTokenRetrievalRequest.
	Nonce    string `json:"nonce"`
	// Otp is sensitive: NOTE(review) in Vault's generate-root flow it is
	// presumably needed to decode the EncodedToken from the update response
	// — confirm against the Vault API docs. Never log it.
	Otp      string `json:"otp"`
}

RootTokenControlResponse is the response to /v1/sys/generate-root/attempt

type RootTokenRetrievalRequest

type RootTokenRetrievalRequest struct {
	// Key is one unseal key share contributed to the root token generation; sensitive.
	Key   string `json:"key"`
	// Nonce is the value returned in RootTokenControlResponse for this attempt.
	Nonce string `json:"nonce"`
}

RootTokenRetrievalRequest is the request to /v1/sys/generate-root/update

type RootTokenRetrievalResponse

type RootTokenRetrievalResponse struct {
	// Complete reports whether enough key shares have been provided.
	Complete     bool   `json:"complete"`
	// EncodedToken is the (still encoded) root token; sensitive, never log it.
	EncodedToken string `json:"encoded_token"`
}

RootTokenRetrievalResponse is the response to /v1/sys/generate-root/update

type SecretsEngineConfig

type SecretsEngineConfig struct {
	// DefaultLeaseTTLDuration is the mount's default lease TTL as a duration
	// string; presumably the defaultLeaseTTL argument of EnableConsulSecretEngine — confirm.
	DefaultLeaseTTLDuration string `json:"default_lease_ttl"`
}

SecretsEngineConfig is config for /v1/sys/mounts

type SecretsEngineOptions

// SecretsEngineOptions carries engine-specific mount options for /v1/sys/mounts.
type SecretsEngineOptions struct {
	// Version is the engine version; presumably the kvVersion argument of EnableKVSecretEngine — confirm.
	Version string `json:"version"`
}

type TokenLookupResponse

// TokenLookupResponse is the response body of the token lookup APIs.
type TokenLookupResponse struct {
	// Data has no json tag; encoding/json matches the "data" key case-insensitively.
	Data types.TokenMetadata
}

type UnsealRequest

type UnsealRequest struct {
	// Key is a single unseal key share; presumably base64, as Client.Unseal takes keysBase64 — confirm. Sensitive.
	Key   string `json:"key"`
	// Reset presumably discards any partially submitted shares and restarts the unseal — confirm.
	Reset bool   `json:"reset"`
}

UnsealRequest contains a Vault unseal request

type UnsealResponse

type UnsealResponse struct {
	// Sealed reports whether Vault is still sealed after this share was submitted.
	Sealed   bool `json:"sealed"`
	// T and N presumably are the Shamir threshold and share count — confirm.
	T        int  `json:"t"`
	N        int  `json:"n"`
	// Progress is the number of shares accepted so far.
	Progress int  `json:"progress"`
}

UnsealResponse contains a Vault unseal response

type UpdateACLPolicyRequest

type UpdateACLPolicyRequest struct {
	// Policy is the ACL policy document text; presumably the policyDocument argument of InstallPolicy — confirm.
	Policy string `json:"policy"`
}

UpdateACLPolicyRequest contains an ACL policy create/update request.
