vault_client

package module
v1.14.1
Published: Nov 10, 2023 License: Apache-2.0 Imports: 18 Imported by: 0

README

vault-client


Go Client for Vault

Contributing

Please read the CONTRIBUTING.md document for guidelines on developing and contributing changes.

High-level Overview

Go Client for Vault

Documentation

Overview

Copyright 2021 Outreach Corporation. All Rights Reserved.

Per-file descriptions from the package sources:

Description: Stores functions to interact with basic /auth endpoints
Description: Stores functions to interact with basic /auth/approle endpoints
Description: Authentication method for using a token file that stores a Vault token
Description: Stores functions to interact with basic /auth/token endpoints
Description: Implements a http.Transport for authentication
Description: Stores functions to interact with basic kv2 engines
Description: Stores functions/types for options on the Vault client
Description: Stores functions to interact with basic /sys endpoints
Description: Stores functions to interact with basic /sys/policy endpoints
Description: This file is the entrypoint for the vault-client library.

Package vault_client implements a Vault client for use with Vault

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewTransport

func NewTransport(tr http.RoundTripper, am AuthMethod) http.RoundTripper

NewTransport returns a Transport that automatically refreshes Vault authentication and includes it in each request.

The provided tr http.RoundTripper should be shared between multiple clients to ensure reuse of underlying TCP connections.

The returned Transport's RoundTrip method is safe for concurrent use; the credentials it holds are never modified (the source marks this with nolint:gocritic).

func WithEnv

func WithEnv(opts *Options)

WithEnv reads configuration from environment variables and fills in the provided Options based on their values

Types

type ApproleAuthMethod

type ApproleAuthMethod struct {
	// contains filtered or unexported fields
}

ApproleAuthMethod implements an AuthMethod backed by an approle

func NewApproleAuthMethod

func NewApproleAuthMethod(roleID, secretID cfg.SecretData) *ApproleAuthMethod

NewApproleAuthMethod returns a new ApproleAuthMethod based on the provided roleID and secretID.

func (*ApproleAuthMethod) GetToken

GetToken returns a token for the current approle

func (*ApproleAuthMethod) Options

func (a *ApproleAuthMethod) Options(o *Options)

type ApproleLoginResponse

type ApproleLoginResponse struct {
	Auth struct {
		// LeaseDuration is how long this token lives for in seconds
		LeaseDuration int `json:"lease_duration"`

		// Accessor is an accessor that can be used to lookup this token
		Accessor string `json:"accessor"`

		// ClientToken is the actual token
		ClientToken cfg.SecretData `json:"client_token"`

		// TokenPolicies is a list of policies that are attached to this token
		TokenPolicies []string `json:"token_policies"`
	} `json:"auth"`
}

ApproleLoginResponse is a response returned by ApproleLogin

type AuthMethod

type AuthMethod interface {
	// GetToken returns the token to use when talking to Vault
	GetToken(ctx context.Context) (token cfg.SecretData, expiresAt time.Time, err error)

	// Options provides the current client options, useful for auth methods
	// that need an underlying vault client to function.
	Options(*Options)
}

AuthMethod is an authentication method that can be used by a Vault client.
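The refresh-and-attach behaviour that NewTransport and AuthMethod describe above, as an added example that is not the library's own code: a RoundTripper that caches the token an AuthMethod returns, refetches it near expiresAt under a mutex so concurrent RoundTrip calls are safe, and sets it on a clone of each request so the caller's request is never mutated. SecretData is a stand-in for cfg.SecretData, the example's AuthMethod omits Options, and the 30-second refresh margin is this example's choice; X-Vault-Token is Vault's standard token header.

```go
package main

import (
	"context"
	"net/http"
	"sync"
	"time"
)

// SecretData stands in for cfg.SecretData from the original library (assumption).
type SecretData string
// AuthMethod mirrors the page's interface without Options, to keep the example self-contained.
type AuthMethod interface {
	GetToken(ctx context.Context) (SecretData, time.Time, error)
}
// VaultTransport caches the token from an AuthMethod and refetches it when it nears expiry.
type VaultTransport struct {
	base      http.RoundTripper
	am        AuthMethod
	mu        sync.Mutex // guards token and expiresAt; RoundTrip may be called concurrently
	token     SecretData
	expiresAt time.Time
}
func NewTransport(base http.RoundTripper, am AuthMethod) *VaultTransport {
	return &VaultTransport{base: base, am: am}
}
// Token returns the cached token, refetching when it is empty or within 30s of expiry (margin is this example's choice).
func (t *VaultTransport) Token(ctx context.Context) (SecretData, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.token == "" || !time.Now().Add(30*time.Second).Before(t.expiresAt) {
		tok, exp, err := t.am.GetToken(ctx)
		if err != nil {
			return "", err
		}
		t.token, t.expiresAt = tok, exp
	}
	return t.token, nil
}
// RoundTrip sets X-Vault-Token on a clone of the request (never mutating the caller's) and forwards it to the shared base.
func (t *VaultTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.Token(req.Context())
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context())
	r.Header.Set("X-Vault-Token", string(tok))
	return t.base.RoundTrip(r)
}
func main() {}
```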

func NewTokenFileAuthMethod

func NewTokenFileAuthMethod(file *string) AuthMethod

NewTokenFileAuthMethod returns a new AuthMethod that uses a file as the backing store for the token. If the file is not provided the default vault token file is used.

Note: The token is re-read from the file on expiration, but currently there is nothing in place to actually renew the token for you.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is a Vault client

func New

func New(optFns ...Opts) *Client

New creates a new Vault client. By default it is non-functional. Most likely it will be consumed like so:

vault_client.New(vault_client.WithEnv)

func (*Client) ApproleLogin

func (c *Client) ApproleLogin(ctx context.Context, roleID, secretID cfg.SecretData) (*ApproleLoginResponse, error)

ApproleLogin creates a new VAULT_TOKEN using the provided approle credentials

func (*Client) CreateApprole

func (c *Client) CreateApprole(ctx context.Context, opts *CreateApproleOptions) error

CreateApprole creates a new approle in Vault

func (*Client) CreateApproleSecretID

func (c *Client) CreateApproleSecretID(ctx context.Context, name string) (*CreateApproleSecretIDResponse, error)

CreateApproleSecretID creates a new secret_id for a given approle

func (*Client) CreateAuthMethod

func (c *Client) CreateAuthMethod(ctx context.Context, opts *CreateAuthMethodOptions) error

CreateAuthMethod creates a new auth method on the given path

func (*Client) CreateEngine

func (c *Client) CreateEngine(ctx context.Context, mountPath string, opts *CreateEngineOptions) error

CreateEngine creates a new engine (mount) in Vault

func (*Client) CreateKV2Secret

func (c *Client) CreateKV2Secret(ctx context.Context, engine, keyPath string,
	secretData map[string]interface{}) error

CreateKV2Secret creates a new KV2Secret or updates it if it already exists.

func (*Client) CreatePolicy

func (c *Client) CreatePolicy(ctx context.Context, name, policy string) error

CreatePolicy creates a new policy

func (*Client) GetApproleRoleID

func (c *Client) GetApproleRoleID(ctx context.Context, name string) (cfg.SecretData, error)

GetApproleRoleID returns the role-id for a given approle

func (*Client) GetKV2Secret

func (c *Client) GetKV2Secret(ctx context.Context, engine, keyPath string) (*KV2Secret, error)

GetKV2Secret returns a KV2 Secret.

// To get the path `deploy/my/cool/secret`
c.GetKV2Secret(ctx, "deploy", "my/cool/secret")

func (*Client) Health

func (c *Client) Health(ctx context.Context) (*HealthResponse, error)

Health returns the current health, or "status", of a Vault cluster

func (*Client) Initialize

func (c *Client) Initialize(ctx context.Context, opts *InitializeOptions) (*InitializeResponse, error)

Initialize initializes a Vault cluster

func (*Client) ListKV2Secrets added in v1.10.0

func (c *Client) ListKV2Secrets(ctx context.Context, engine, keyPath string) ([]string, error)

ListKV2Secrets lists all keys in a KV2 engine

func (*Client) LookupCurrentToken

func (c *Client) LookupCurrentToken(ctx context.Context) (*LookupTokenResponse, error)

LookupCurrentToken looks up the current active token (self) and returns information about it.

func (*Client) LookupToken

func (c *Client) LookupToken(ctx context.Context, token cfg.SecretData) (*LookupTokenResponse, error)

LookupToken looks up the provided token and returns information about it

func (*Client) TransitBatchDecrypt added in v1.8.0

func (c *Client) TransitBatchDecrypt(ctx context.Context, key string, in []string) ([][]byte, error)

TransitBatchDecrypt takes in an array of ciphertext data to be decrypted and returns the corresponding array of plaintext

func (*Client) TransitDecrypt added in v1.8.0

func (c *Client) TransitDecrypt(ctx context.Context, key string, in []byte) ([]byte, error)

TransitDecrypt takes ciphertext data to be decrypted and returns the corresponding plaintext.

func (*Client) TransitEncrypt added in v1.8.0

func (c *Client) TransitEncrypt(ctx context.Context, key string, in []byte) ([]byte, error)

TransitEncrypt takes plaintext data to be encrypted and returns the corresponding ciphertext.

func (*Client) UpdateKV2Secret

func (c *Client) UpdateKV2Secret(ctx context.Context, engine, keyPath string,
	secretData map[string]interface{}) error

UpdateKV2Secret is an alias to CreateKV2Secret

type CreateApproleOptions

type CreateApproleOptions struct {
	// Name is the name of the approle to create
	Name string `json:"-"`

	TokenTTL      string   `json:"token_ttl,omitempty"`
	TokenMaxTTL   string   `json:"token_max_ttl,omitempty"`
	TokenPolicies []string `json:"token_policies,omitempty"`
	Period        int      `json:"period,omitempty"`
	BindSecretID  bool     `json:"bind_secret_id,omitempty"`
}

CreateApproleOptions are options to provide to CreateApprole, docs: https://www.vaultproject.io/api/auth/approle#parameters

type CreateApproleSecretIDResponse

type CreateApproleSecretIDResponse struct {
	SecretIDAccessor string         `json:"secret_id_accessor"`
	SecretID         cfg.SecretData `json:"secret_id"`
	SecretIDTTL      int            `json:"secret_id_ttl"`
}

CreateApproleSecretIDResponse is a new secret_id created by CreateApproleSecretID. See docs here: https://www.vaultproject.io/api/auth/approle#sample-response-4

type CreateAuthMethodOptions

type CreateAuthMethodOptions struct {
	// Path is the path that this auth method should be mounted on.
	// If not set, type is used.
	Path string `json:"-"`

	// Description is an optional description of this auth method, for humans
	Description string `json:"description,omitempty"`

	// Type is the type of auth method to create. Required.
	// Options: https://www.vaultproject.io/api-docs/system/auth#type
	Type string `json:"type,omitempty"`

	// Config is auth method specific options, see: https://www.vaultproject.io/api-docs/system/auth#config
	Config map[string]interface{} `json:"config,omitempty"`
}

CreateAuthMethodOptions are options for creating an auth method with CreateAuthMethod

type CreateEngineOptions

type CreateEngineOptions struct {
	// Description is an optional description of this engine, for humans
	Description string `json:"description,omitempty"`

	// Type is the type of engine to create. Required.
	// Options: https://www.vaultproject.io/api-docs/system/mounts#type
	Type string `json:"type,omitempty"`

	// Config is mount-specific configuration, see: https://www.vaultproject.io/api-docs/system/mounts#config
	Config map[string]interface{} `json:"config,omitempty"`

	// Options are options specific to the given engine, see: https://www.vaultproject.io/api-docs/system/mounts#options
	Options map[string]interface{} `json:"options,omitempty"`
}

CreateEngineOptions are options to use when creating a new engine (sometimes called a mount)

type ErrorResponse

type ErrorResponse struct {
	// Errors is a list of errors that were encountered when Vault tried
	// to process this request.
	Errors []string `json:"errors"`
}

ErrorResponse is returned when an error occurs

type HealthResponse

type HealthResponse struct {
	Initialized         bool   `json:"initialized"`
	Sealed              bool   `json:"sealed"`
	Standby             bool   `json:"standby"`
	PerformanceStandby  bool   `json:"performance_standby"`
	ReplicationPerfMode string `json:"replication_perf_mode"`
	ReplicationDrMode   string `json:"replication_dr_mode"`
	ServerTimeUtc       int    `json:"server_time_utc"`
	Version             string `json:"version"`
	ClusterName         string `json:"cluster_name"`
	ClusterID           string `json:"cluster_id"`
}

HealthResponse is a response returned by Health. Docs: https://www.vaultproject.io/api/system/health#sample-response

type InitializeOptions

type InitializeOptions struct {
	// SecretShares are how many secret shares to break the unseal key into
	SecretShares int `json:"secret_shares"`

	// SecretThreshold is how many of the secret shares should be provided
	// to be able to unseal the Vault. This must not be more than SecretShares.
	SecretThreshold int `json:"secret_threshold"`

	// RecoveryShares are how many recovery shares to split the recovery key into
	// This is only required when Vault is in autounseal mode.
	RecoveryShares int `json:"recovery_shares,omitempty"`
	// RecoveryThreshold is how many of the recovery shares should be provided for
	// an operation that requires the recovery key.
	RecoveryThreshold int `json:"recovery_threshold,omitempty"`
}

InitializeOptions are the options to be provided to Initialize()

type InitializeResponse

type InitializeResponse struct {
	// Keys are the keys returned by the initialization call
	Keys []string `json:"keys"`

	// RecoveryKeys are the recovery keys returned by initialization.
	// These are only present when the underlying Vault configuration is
	// setup to be auto-unsealed.
	RecoveryKeys []string `json:"recovery_keys"`

	// RootToken is the Vault root token returned by the initialization call
	RootToken string `json:"root_token"`
}

InitializeResponse is the response from Initialize()

type KV2Secret

type KV2Secret struct {
	Metadata struct {
		// CreatedTime is when this secret was created
		CreatedTime string `json:"created_time"`

		// DeletionTime is when this secret was destroyed
		DeletionTime string `json:"deletion_time"`

		// Destroyed denotes if this secret was destroyed or not
		Destroyed bool `json:"destroyed"`

		// Version is the current version (revision) of this secret
		Version int `json:"version"`
	} `json:"metadata"`

	// Data contains the data that makes up this secret
	Data map[string]interface{} `json:"data"`
}

KV2Secret is a secret from a KV2 engine

type LookupTokenResponse

type LookupTokenResponse struct {
	Accessor         string    `json:"accessor"`
	CreationTime     int       `json:"creation_time"`
	CreationTTL      int       `json:"creation_ttl"`
	DisplayName      string    `json:"display_name"`
	EntityID         string    `json:"entity_id"`
	ExpireTime       time.Time `json:"expire_time"`
	ExplicitMaxTTL   int       `json:"explicit_max_ttl"`
	ID               string    `json:"id"`
	IdentityPolicies []string  `json:"identity_policies"`
	IssueTime        string    `json:"issue_time"`
	Meta             struct {
		Username string `json:"username"`
	} `json:"meta"`
	NumUses   int      `json:"num_uses"`
	Orphan    bool     `json:"orphan"`
	Path      string   `json:"path"`
	Policies  []string `json:"policies"`
	Renewable bool     `json:"renewable"`
	TTL       int      `json:"ttl"`
}

LookupTokenResponse is the response returned by LookupToken, docs: https://www.vaultproject.io/api/auth/token#sample-response-2

type Options

type Options struct {

	// Host is the host of the Vault instance
	Host string
	// contains filtered or unexported fields
}

Options are options associated with a Vault client

type Opts

type Opts func(*Options)

Opts is a functional option for use with New()

func WithAddress

func WithAddress(hostname string) Opts

WithAddress sets the host to use when talking to Vault on a Client

func WithApproleAuth

func WithApproleAuth(roleID, secretID cfg.SecretData) Opts

WithApproleAuth sets up approle authentication on a Client

func WithOptions

func WithOptions(oldO *Options) Opts

WithOptions combines the provided Options with the client's

func WithTokenAuth

func WithTokenAuth(token cfg.SecretData) Opts

WithTokenAuth sets up token authentication on a Client

func WithTokenFileAuth

func WithTokenFileAuth(path *string) Opts

WithTokenFileAuth sets up token file auth on a Client

type TokenAuthMethod

type TokenAuthMethod struct {
	// contains filtered or unexported fields
}

TokenAuthMethod implements an AuthMethod backed by a static authentication token

func NewTokenAuthMethod

func NewTokenAuthMethod(token cfg.SecretData) *TokenAuthMethod

NewTokenAuthMethod returns a new TokenAuthMethod with the given token

func (*TokenAuthMethod) GetToken

func (a *TokenAuthMethod) GetToken(ctx context.Context) (cfg.SecretData, time.Time, error)

GetToken returns the static token while implementing AuthMethod.GetToken()

func (*TokenAuthMethod) Options

func (*TokenAuthMethod) Options(*Options)

type TokenFileAuthMethod

type TokenFileAuthMethod struct {
	// contains filtered or unexported fields
}

TokenFileAuthMethod implements an AuthMethod backed by a token stored in a file

func (*TokenFileAuthMethod) GetToken

GetToken returns the token read from the file while implementing AuthMethod.GetToken()

func (*TokenFileAuthMethod) Options

func (*TokenFileAuthMethod) Options(*Options)

Directories

Path Synopsis
Package cli implements a way to log into vault for CLIs
pkg
