vault

package
v3.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 6, 2023 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// NamespaceHeader specifies the header name to use when including Namespace information in a request.
	NamespaceHeader = "X-Vault-Namespace"
	AuthTypeHeader  = "X-Vault-Token"

	HealthAPI              = "/v1/sys/health"
	InitAPI                = "/v1/sys/init"
	UnsealAPI              = "/v1/sys/unseal"
	CreatePolicyPath       = "/v1/sys/policies/acl/%s"
	CreateTokenAPI         = "/v1/auth/token/create"    // nolint: gosec
	ListAccessorsAPI       = "/v1/auth/token/accessors" // nolint: gosec
	RevokeAccessorAPI      = "/v1/auth/token/revoke-accessor"
	LookupAccessorAPI      = "/v1/auth/token/lookup-accessor"
	LookupSelfAPI          = "/v1/auth/token/lookup-self"
	RevokeSelfAPI          = "/v1/auth/token/revoke-self"
	RootTokenControlAPI    = "/v1/sys/generate-root/attempt" // nolint: gosec
	RootTokenRetrievalAPI  = "/v1/sys/generate-root/update"  // nolint: gosec
	MountsAPI              = "/v1/sys/mounts"
	GenerateConsulTokenAPI = "/v1/consul/creds/%s" // nolint: gosec

)
View Source 
const (
	KeyValue                   = "kv"
	Consul                     = "consul"
	UsernamePasswordAuthMethod = "userpass"
)

Variables

This section is empty.

Functions

func GetMockTokenServer 

func GetMockTokenServer(tokenDataMap *sync.Map) *httptest.Server

GetMockTokenServer returns a stub http test server for dealing with token lookup-self and renew-self API calls

Types

type Accessor 

type Accessor struct {
	Accessor string `json:"accessor"`
}

Accessor

type Client 

type Client struct {
	Config     types.SecretConfig
	HttpCaller pkg.Caller
	// contains filtered or unexported fields
}

Client defines the behavior for interacting with the Vault REST secret key/value store via HTTP(S).

func NewClient 

func NewClient(config types.SecretConfig, requester pkg.Caller, forSecrets bool, lc logger.LoggingClient) (*Client, error)

NewClient constructs a Vault *Client which communicates with Vault via HTTP(S) lc is any logging client that implements the loggingClient interface; today EdgeX's logger.LoggingClient from go-mod-core-contracts satisfies this implementation

func NewSecretsClient 

func NewSecretsClient(ctx context.Context, config types.SecretConfig, lc logger.LoggingClient, callback pkg.TokenExpiredCallback) (*Client, error)

NewSecretsClient constructs a Vault *Client which communicates with Vault via HTTP(S) for basic usage of secrets

func (*Client) BindUserToIdentity 

func (c *Client) BindUserToIdentity(token string, identityId string, authHandle string, username string) error

func (*Client) CheckAuthMethodEnabled 

func (c *Client) CheckAuthMethodEnabled(token string, mountPoint string, authType string) (bool, error)

func (*Client) CheckIdentityKeyExists 

func (c *Client) CheckIdentityKeyExists(token string, keyName string) (bool, error)

func (*Client) CheckSecretEngineInstalled 

func (c *Client) CheckSecretEngineInstalled(token string, mountPoint string, engine string) (bool, error)

func (*Client) ConfigureConsulAccess 

func (c *Client) ConfigureConsulAccess(secretStoreToken string, bootstrapACLToken string, consulHost string, consulPort int) error

ConfigureConsulAccess is to enable the Consul config access to the SecretStore via consul/config/access API see the reference: https://www.vaultproject.io/api-docs/secret/consul#configure-access

func (*Client) CreateNamedIdentityKey 

func (c *Client) CreateNamedIdentityKey(token string, keyName string, algorithm string) error

func (*Client) CreateOrUpdateIdentity 

func (c *Client) CreateOrUpdateIdentity(secretStoreToken string, name string, metadata map[string]string, policies []string) (string, error)

func (*Client) CreateOrUpdateIdentityRole 

func (c *Client) CreateOrUpdateIdentityRole(token string, roleName string, keyName string, template string, audience string, jwtTTL string) error

func (*Client) CreateOrUpdateUser 

func (c *Client) CreateOrUpdateUser(token string, mountPoint string, username string, password string, tokenTTL string, tokenPolicies []string) error

func (*Client) CreateRole 

func (c *Client) CreateRole(secretStoreToken string, consulRole types.ConsulRole) error

CreateRole creates a Consul role that can be used to generate Consul tokens and part of elements for the role ties up with the Consul policies in which it dictates the permission of accesses to the Consul kv store or agent etc.

func (*Client) CreateToken 

func (c *Client) CreateToken(token string, parameters map[string]interface{}) (map[string]interface{}, error)

func (*Client) DeleteIdentity 

func (c *Client) DeleteIdentity(secretStoreToken string, name string) error

func (*Client) DeleteUser 

func (c *Client) DeleteUser(token string, mountPoint string, username string) error

func (*Client) EnableConsulSecretEngine 

func (c *Client) EnableConsulSecretEngine(token string, mountPoint string, defaultLeaseTTL string) error

func (*Client) EnableKVSecretEngine 

func (c *Client) EnableKVSecretEngine(token string, mountPoint string, kvVersion string) error

func (*Client) EnablePasswordAuth 

func (c *Client) EnablePasswordAuth(token string, mountPoint string) error

func (*Client) GenerateConsulToken 

func (c *Client) GenerateConsulToken(serviceKey string) (string, error)

GenerateConsulToken generates a new Consul token using serviceKey as role name to call secret store's consul/creds API the serviceKey is used in the part of secret store's URL as role name and should be accessible to the API

func (*Client) GetSecret 

func (c *Client) GetSecret(secretName string, keys ...string) (map[string]string, error)

GetSecret retrieves the secret at the provided secretName that matches the specified keys.

func (*Client) GetSecretNames 

func (c *Client) GetSecretNames() ([]string, error)

GetSecretNames retrieves the secret names currently in service's secret store.

func (*Client) GetSelfJWT 

func (c *Client) GetSelfJWT(serviceKey string) (string, error)

GetSelfJWT returns an encoded JWT for the current identity-based secret store token

func (*Client) HealthCheck 

func (c *Client) HealthCheck() (int, error)

func (*Client) Init 

func (c *Client) Init(secretThreshold int, secretShares int) (types.InitResponse, error)

func (*Client) InstallPolicy 

func (c *Client) InstallPolicy(token string, policyName string, policyDocument string) error

func (*Client) InternalServiceLogin 

func (c *Client) InternalServiceLogin(token string, authEngine string, username string, password string) (map[string]interface{}, error)

func (*Client) IsJWTValid 

func (c *Client) IsJWTValid(jwt string) (bool, error)

IsJWTValid evaluates a given JWT and returns a true/false if the JWT is valid (i.e. belongs to us and current) or not

func (*Client) ListTokenAccessors 

func (c *Client) ListTokenAccessors(token string) ([]string, error)

func (*Client) LookupAuthHandle 

func (c *Client) LookupAuthHandle(token string, mountPoint string) (string, error)

func (*Client) LookupIdentity 

func (c *Client) LookupIdentity(secretStoreToken string, name string) (string, error)

func (*Client) LookupToken 

func (c *Client) LookupToken(token string) (types.TokenMetadata, error)

func (*Client) LookupTokenAccessor 

func (c *Client) LookupTokenAccessor(token string, accessor string) (types.TokenMetadata, error)

func (*Client) RegenRootToken 

func (c *Client) RegenRootToken(keys []string) (string, error)

func (*Client) RevokeToken 

func (c *Client) RevokeToken(token string) error

func (*Client) RevokeTokenAccessor 

func (c *Client) RevokeTokenAccessor(token string, accessor string) error

func (*Client) SetAuthToken 

func (c *Client) SetAuthToken(ctx context.Context, newToken string) error

func (*Client) StoreSecret 

func (c *Client) StoreSecret(secretName string, secrets map[string]string) error

StoreSecret stores the secret at the provided secret name for the specified keys.

func (*Client) Unseal 

func (c *Client) Unseal(keysBase64 []string) error

type CreateEntityAliasRequest 

type CreateEntityAliasRequest struct {
	// Name is the username in the authenticator
	Name string `json:"name"`
	// CanonicalID is the entity ID
	CanonicalID string `json:"canonical_id"`
	// MountAccessor is the id if the auth engine to use
	MountAccessor string `json:"mount_accessor"`
}

CreateEntityAliasRequest is used to bind an authenticator to an identity

type CreateNamedKeyRequest 

type CreateNamedKeyRequest struct {
	AllowedClientIDs []string `json:"allowed_client_ids"`
	Algorithm        string   `json:"algorithm"`
}

CreateNamedKeyRequest is the request to POST /v1/identity/oidc/key/:name:

type CreateOrUpdateIdentityRoleRequest 

type CreateOrUpdateIdentityRoleRequest struct {
	ClientID string  `json:"client_id,omitempty"`
	Key      string  `json:"key"`
	Template *string `json:"template,omitempty"`
	TokenTTL string  `json:"ttl"`
}

CreateOrUpdateIdentityRoleRequest is the request to POST /v1/identity/oidc/role/:name

type CreateOrUpdateUserRequest 

type CreateOrUpdateUserRequest struct {
	Password      string   `json:"password"`
	TokenPeriod   string   `json:"token_period"`
	TokenPolicies []string `json:"token_policies"`
}

CreateOrUpdateUserRequest is used to create a vault login

type CreateOrUpdateUserResponse 

type CreateOrUpdateUserResponse struct {
	Data JsonID `json:"data"`
}

CreateOrUpdateUserResponse is the response to get entity by name

type CreateUpdateEntityRequest 

type CreateUpdateEntityRequest struct {
	Metadata map[string]string `json:"metadata"`
	Policies []string          `json:"policies"`
}

CreateUpdateEntityRequest enables or updates a Vault Identity

type CreateUpdateEntityResponse 

type CreateUpdateEntityResponse struct {
	Data JsonID `json:"data"`
}

CreateUpdateEntityResponse is the response to CreateUpdateEntityRequest

type EnableAuthMethodRequest 

type EnableAuthMethodRequest struct {
	Type string `json:"type"`
}

EnableAuthMethodRequest enables a Vault Identity authentication method

type EnableSecretsEngineRequest 

type EnableSecretsEngineRequest struct {
	Type        string                `json:"type"`
	Description string                `json:"description"`
	Options     *SecretsEngineOptions `json:"options,omitempty"`
	Config      *SecretsEngineConfig  `json:"config,omitempty"`
}

EnableSecretsEngineRequest is the POST request to /v1/sys/mounts

type ErrCaRootCert 

type ErrCaRootCert struct {
	// contains filtered or unexported fields
}

ErrCaRootCert error when the provided CA Root certificate is invalid.

func (ErrCaRootCert) Error 

func (e ErrCaRootCert) Error() string

type ErrHTTPResponse 

type ErrHTTPResponse struct {
	StatusCode int
	ErrMsg     string
}

func (ErrHTTPResponse) Error 

func (err ErrHTTPResponse) Error() string

type InitRequest 

type InitRequest struct {
	SecretShares    int `json:"secret_shares"`
	SecretThreshold int `json:"secret_threshold"`
}

InitRequest contains a Vault init request regarding the Shamir Secret Sharing (SSS) parameters

type JsonID 

type JsonID struct {
	ID string `json:"id"`
}

JsonID

type ListAuthMethodsResponse 

type ListAuthMethodsResponse struct {
	Data map[string]Accessor `json:"data"`
}

ListAuthMethodsResponse is used to look up the accessor ID of an auth method

type ListNamedKeysResponse 

type ListNamedKeysResponse struct {
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListNamedKeysResponse is the response to LIST /v1/identity/oidc/key

type ListSecretEnginesResponse 

type ListSecretEnginesResponse struct {
	Data map[string]struct {
		Type string `json:"type"`
	} `json:"data"`
}

ListSecretEnginesResponse is the response to GET /v1/sys/mounts (and /v1/sys/auth)

type ListTokenAccessorsResponse 

type ListTokenAccessorsResponse struct {
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListTokenAccessorsResponse is the response to the list accessors API

type LookupAccessorRequest 

type LookupAccessorRequest struct {
	Accessor string `json:"accessor"`
}

LookupAccessorRequest is used by accessor lookup API

type ReadEntityByNameResponse 

type ReadEntityByNameResponse struct {
	Data JsonID `json:"data"`
}

ReadEntityByNameResponse is the response to get entity by name

type RequestArgs 

type RequestArgs struct {
	// Authentication token
	AuthToken string
	// HTTP method
	Method string
	// URL path
	Path string
	// If non-nil, passed to JSON serializer and included in request
	JSONObject interface{}
	// Included in HTTP request if JSONObject is nil
	BodyReader io.Reader
	// Description of the operation being performed included in log messages
	OperationDescription string
	// Expected status code to be returned from HTTP request
	ExpectedStatusCode int
	// If non-nil and request succeeded, response body will be serialized here (must be a pointer)
	ResponseObject interface{}
}

parameters structure for request method

type RevokeTokenAccessorRequest 

type RevokeTokenAccessorRequest struct {
	Accessor string `json:"accessor"`
}

RevokeTokenAccessorRequest is the input to the revoke token by accessor API

type RootTokenControlResponse 

type RootTokenControlResponse struct {
	Complete bool   `json:"complete"`
	Nonce    string `json:"nonce"`
	Otp      string `json:"otp"`
}

RootTokenControlResponse is the response to /v1/sys/generate-root/attempt

type RootTokenRetrievalRequest 

type RootTokenRetrievalRequest struct {
	Key   string `json:"key"`
	Nonce string `json:"nonce"`
}

RootTokenRetrievalRequest is the request to /v1/sys/generate-root/update

type RootTokenRetrievalResponse 

type RootTokenRetrievalResponse struct {
	Complete     bool   `json:"complete"`
	EncodedToken string `json:"encoded_token"`
}

RootTokenRetrievalResponse is the response to /v1/sys/generate-root/update

type SecretsEngineConfig 

type SecretsEngineConfig struct {
	DefaultLeaseTTLDuration string `json:"default_lease_ttl"`
}

SecretsEngineConfig is config for /v1/sys/mounts

type SecretsEngineOptions 

type SecretsEngineOptions struct {
	Version string `json:"version"`
}

type TokenLookupResponse 

type TokenLookupResponse struct {
	Data types.TokenMetadata
}

type UnsealRequest 

type UnsealRequest struct {
	Key   string `json:"key"`
	Reset bool   `json:"reset"`
}

UnsealRequest contains a Vault unseal request

type UnsealResponse 

type UnsealResponse struct {
	Sealed   bool `json:"sealed"`
	T        int  `json:"t"`
	N        int  `json:"n"`
	Progress int  `json:"progress"`
}

UnsealResponse contains a Vault unseal response

type UpdateACLPolicyRequest 

type UpdateACLPolicyRequest struct {
	Policy string `json:"policy"`
}

UpdateACLPolicyRequest contains a ACL policy create/update request

type UserPassLoginRequest 

type UserPassLoginRequest struct {
	Password string `json:"password"`
}

UserPassLoginRequest is used to to log in an identity with the userpass auth engine

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.