Documentation ¶
Index ¶
- func CutVaultPrefix(sig string) string
- func UnmarshalSecret(secret *api.Secret, output interface{}, kv2style bool) error
- type CRLConfiguration
- type Certificate
- type CertificateRequest
- type Client
- func (c *Client) GetAPIClient() *api.Client
- func (c *Client) KV(path string, enableKV2 bool, createIfDoesntExist bool) (*KV, error)
- func (c *Client) PKI(mountPath string, createIfDoesntExist bool) (*PKI, error)
- func (c *Client) SSH(mountPath string, createIfDoesntExist bool) (*SSH, error)
- func (c *Client) Transit(path, keyName string, createIfDoesntExist bool) (*Transit, error)
- type Encrypted
- type HMACInput
- type HMACOutput
- type KV
- type Key
- type KeySpec
- type ListOutput
- type PKI
- type PKIConfig
- type PKIRole
- type PKIUrls
- type SSH
- type SSHInit
- type SSHKeyOutput
- type SSHRole
- type SignInput
- type SignOutput
- type SigningMethodVault
- type Transit
- func (t *Transit) DecryptToBytes(ciphertext string) ([]byte, error)
- func (t *Transit) EncryptBytes(plaintext []byte) (string, error)
- func (t *Transit) GetPublicKey() (string, error)
- func (t *Transit) HMAC(data string) (string, error)
- func (t *Transit) KeyType() string
- func (t *Transit) Sign(data string) (string, error)
- func (t *Transit) VerifyHMAC(data, hmac string) error
- func (t *Transit) VerifySignature(data, signature string) error
- type Unencrypted
- type VerifyHMACInput
- type VerifyOutput
- type VerifySignInput
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CutVaultPrefix ¶
CutVaultPrefix removes the `vault:v2:` prefix from either a signature or an HMAC
Types ¶
type CRLConfiguration ¶
type CRLConfiguration struct {
	Expiry  string `mapstructure:"expiry"`
	Disable string `mapstructure:"disable"`
}
CRLConfiguration is used to configure the CRL settings of the CA
type Certificate ¶
type Certificate struct {
	Certificate    string   `mapstructure:"certificate"`
	PrivateKey     string   `mapstructure:"private_key"`
	SerialNumber   string   `mapstructure:"serial_number"`
	PrivateKeyType string   `mapstructure:"private_key_type"`
	IssuingCA      string   `mapstructure:"issuing_ca"`
	CaChain        []string `mapstructure:"ca_chain"`
	Expiration     string   `mapstructure:"expiration"`
}
Certificate is the representation of a certificate as returned by Vault
type CertificateRequest ¶
type CertificateRequest struct {
	CommonName        string `mapstructure:"common_name"`
	IPs               string `mapstructure:"ip_sans"`
	AlternativesNames string `mapstructure:"alt_names"`
	TTL               string `mapstructure:"ttl"`
	// Vault's issue endpoint takes the parameter names "format" and
	// "private_key_format"; "pem" and "der" are their values, not keys.
	Format           string `mapstructure:"format"`
	PrivateKeyFormat string `mapstructure:"private_key_format"`
}
CertificateRequest is used to
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client is a simple, minimal abstraction over the default api.Client from the original library
func NewClient ¶
NewClient is in charge of creating a connection and validating that connection at start-up, before anything else is attempted
func (*Client) GetAPIClient ¶
GetAPIClient returns the Vault api.Client from the original SDK
type Encrypted ¶
type Encrypted struct {
Ciphertext string `mapstructure:"ciphertext"`
}
Encrypted is used to unmarshal the output of Encrypt or as the input of the Decrypt function
type HMACInput ¶
type HMACInput struct {
Input string `mapstructure:"input"`
}
HMACInput holds the parameters required to compute the HMAC of data
type HMACOutput ¶
type HMACOutput struct {
HMAC string `mapstructure:"hmac"`
}
HMACOutput is the result of the HMAC function in Vault
type KV ¶
type KV struct {
// contains filtered or unexported fields
}
KV represents the KV store in Vault
type Key ¶
type Key struct {
	AllowPlaintextBackup bool               `mapstructure:"allow_plaintext_backup"`
	Name                 string             `mapstructure:"name"`
	DeletionAllowed      bool               `mapstructure:"deletion_allowed"`
	Derived              bool               `mapstructure:"derived"`
	Exportable           bool               `mapstructure:"exportable"`
	Keys                 map[string]KeySpec `mapstructure:"keys"`
	LatestVersion        int                `mapstructure:"latest_version"`
	MinAvailableVersion  int                `mapstructure:"min_available_version"`
	MinDecryptionVersion int                `mapstructure:"min_decryption_version"`
	MinEncryptionVersion int                `mapstructure:"min_encryption_version"`
	SupportsDecryption   bool               `mapstructure:"supports_decryption"`
	SupportsDerivation   bool               `mapstructure:"supports_derivation"`
	SupportsEncryption   bool               `mapstructure:"supports_encryption"`
	SupportsSigning      bool               `mapstructure:"supports_signing"`
	Type                 string             `mapstructure:"type"`
}
Key is how a key is created, configured and exported in Vault
type KeySpec ¶
type KeySpec struct {
	CreationTime string `mapstructure:"creation_time"`
	Name         string `mapstructure:"name"`
	PublicKey    string `mapstructure:"public_key"`
}
KeySpec represents the key specification for a specific version
type ListOutput ¶
type ListOutput struct {
Keys []string `mapstructure:"keys"`
}
ListOutput represents the kind of secret returned by a list operation
type PKI ¶
type PKI struct {
// contains filtered or unexported fields
}
PKI identifies a PKI secret backend (one PKI with its CA)
func (*PKI) CreateDefaultRoles ¶
CreateDefaultRoles creates the commonly used roles (server, client, peer)
func (*PKI) CreateRole ¶
CreateRole adds a role to a given PKI secret backend
type PKIConfig ¶
type PKIConfig struct {
	CommonName       string `mapstructure:"common_name"`
	Organization     string `mapstructure:"organization"`
	OU               string `mapstructure:"ou"`
	StreetAddress    string `mapstructure:"street_address"`
	Locality         string `mapstructure:"locality"`
	Province         string `mapstructure:"province"`
	PostalCode       string `mapstructure:"postal_code"`
	Country          string `mapstructure:"country"`
	TTL              string `mapstructure:"ttl"`
	PrivateKeyFormat string `mapstructure:"private_key_format"`
	Format           string `mapstructure:"format"`
	KeyType          string `mapstructure:"key_type"`
	KeyBits          string `mapstructure:"key_bits"`
}
PKIConfig represents the configuration of a CA: its distinguished name and key specification
type PKIRole ¶
type PKIRole struct {
	TTL                 string   `mapstructure:"ttl"`
	MaxTTL              string   `mapstructure:"max_ttl"`
	CodeSigningFlag     bool     `mapstructure:"code_signing_flag"`
	EmailProtectionFlag bool     `mapstructure:"email_protection_flag"`
	KeyUsage            []string `mapstructure:"key_usage"`
	AllowLocalhost      bool     `mapstructure:"allow_localhost"`
	AllowGlobDomains    bool     `mapstructure:"allow_glob_domains"`
	AllowIPSans         bool     `mapstructure:"allow_ip_sans"`
	RequireCN           bool     `mapstructure:"require_cn"`
	NonCA               bool     `mapstructure:"basic_constraints_valid_for_non_ca"`
	AllowAnyName        bool     `mapstructure:"allow_any_name"`
	AllowSubdomains     bool     `mapstructure:"allow_subdomains"`
	AllowBareDomains    bool     `mapstructure:"allow_bare_domains"`
	AllowedDomains      []string `mapstructure:"allowed_domains"`
	ServerFlag          bool     `mapstructure:"server_flag"`
	ClientFlag          bool     `mapstructure:"client_flag"`
	ExtKeyUsage         []string `mapstructure:"ext_key_usage"`
	GenerateLease       bool     `mapstructure:"generate_lease"`
	OU                  string   `mapstructure:"ou"`
	Organization        string   `mapstructure:"organization"`
	EnforceHostnames    bool     `mapstructure:"enforce_hostnames"`
}
PKIRole is used to create and manage roles in the Vault PKI backend
func DefaultRoleConfiguration ¶
DefaultRoleConfiguration creates a sane default role configuration
type PKIUrls ¶
type PKIUrls struct {
	IssuingCertificates  string `mapstructure:"issuing_certificates"`
	CRLDistributionPoint string `mapstructure:"crl_distribution_points"`
}
PKIUrls is used to configure the CA defaults
type SSH ¶
type SSH struct {
// contains filtered or unexported fields
}
SSH identifies a new SSH secret engine
func (*SSH) GetPublicKey ¶
type SSHInit ¶
type SSHInit struct {
GenerateSigningKey bool `mapstructure:"generate_signing_key"`
}
SSHInit is used to initialize an SSH secret backend with the CA key_type
type SSHKeyOutput ¶
type SSHKeyOutput struct {
PublicKey string `mapstructure:"public_key"`
}
type SSHRole ¶
type SSHRole struct {
	AllowUserCertificates bool              `mapstructure:"allow_user_certificates"`
	AllowedUsers          string            `mapstructure:"allowed_users"`
	DefaultExtensions     map[string]string `mapstructure:"default_extensions"`
	AllowedExtenstion     string            `mapstructure:"allowed_extensions"`
	KeyType               string            `mapstructure:"key_type"`
	DefaultUser           string            `mapstructure:"default_user"`
	TTL                   string            `mapstructure:"ttl"`
	MaxTTL                string            `mapstructure:"max_ttl"`
}
SSHRole is used to create a new role for the SSH CA key_type
type SignInput ¶
type SignInput struct {
	Input               string `mapstructure:"input"`
	MarshalingAlgorithm string `mapstructure:"marshaling_algorithm"`
	SignatureAlgorithm  string `mapstructure:"signature_algorithm"`
	Prehashed           bool   `mapstructure:"prehashed"`
}
SignInput holds the parameters necessary to obtain a signature over data
type SignOutput ¶
type SignOutput struct {
Signature string `mapstructure:"signature"`
}
SignOutput is the actual signature of the previously passed data
type SigningMethodVault ¶
type SigningMethodVault struct {
// contains filtered or unexported fields
}
SigningMethodVault is the type that implements the SigningMethod interface (https://godoc.org/github.com/dgrijalva/jwt-go#SigningMethod)
var (
	// SigningMethodVaultRS256 implements the SigningMethod interface with alg RS256
	SigningMethodVaultRS256 *SigningMethodVault
	// SigningMethodVaultES256 implements the SigningMethod interface with alg ES256
	SigningMethodVaultES256 *SigningMethodVault
)
func (*SigningMethodVault) Alg ¶
func (r *SigningMethodVault) Alg() string
Alg will return the JWT header algorithm identifier this method is configured for
func (*SigningMethodVault) Sign ¶
func (r *SigningMethodVault) Sign(signingString string, key interface{}) (string, error)
Sign implements the Sign method from jwt.SigningMethod. Key must be of type libvault.Transit with the right key type configured for the alg (rsa-2048/4096 for RS256 or ecdsa-p256 for ES256)
func (*SigningMethodVault) Verify ¶
func (r *SigningMethodVault) Verify(signingString, signature string, key interface{}) error
Verify implements the Verify method from jwt.SigningMethod. Key must be of type libvault.Transit with the right key type configured for the alg (rsa-2048/4096 for RS256 or ecdsa-p256 for ES256)
type Transit ¶
type Transit struct {
// contains filtered or unexported fields
}
Transit represents the transit secret backend in Vault
func (*Transit) DecryptToBytes ¶
DecryptToBytes is used to decrypt a ciphertext back into the serialized bytes that were encrypted
func (*Transit) EncryptBytes ¶
EncryptBytes is used to encrypt data that is already serialized
func (*Transit) GetPublicKey ¶
GetPublicKey obtains the public key for the specified key
func (*Transit) VerifyHMAC ¶
VerifyHMAC is used to verify an HMAC previously created with Vault
func (*Transit) VerifySignature ¶
VerifySignature is used to verify a signature previously created with Vault; the signature has the form "vault:v1:abcdefg..."
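CutVaultPrefix above strips the `vault:vN:` prefix, and VerifySignature expects values in that form. As an added example (not part of libvault, and using only constructed inputs), the following parser keeps the key version instead of discarding it, so a signature or HMAC can be checked against the MinDecryptionVersion and LatestVersion fields of Key before its payload is trusted:

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Envelope is a parsed transit value "vault:v<N>:<base64>": the key version
// that produced it and the decoded payload (signature or HMAC bytes).
type Envelope struct {
	Version int
	Payload []byte
}

// ParseVaultEnvelope rejects anything that is not exactly "vault:v<N>:<base64>".
// Unlike CutVaultPrefix it keeps the version so the caller can police it.
func ParseVaultEnvelope(s string) (Envelope, error) {
	parts := strings.SplitN(s, ":", 3)
	if len(parts) != 3 || parts[0] != "vault" || !strings.HasPrefix(parts[1], "v") {
		return Envelope{}, fmt.Errorf("not a vault:vN:<base64> value: %q", s)
	}
	v, err := strconv.Atoi(parts[1][1:])
	if err != nil || v < 1 {
		return Envelope{}, fmt.Errorf("bad key version %q", parts[1])
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(raw) == 0 {
		return Envelope{}, fmt.Errorf("payload empty or not base64: %v", err)
	}
	return Envelope{Version: v, Payload: raw}, nil
}

// CheckVersion applies the policy behind Key.MinDecryptionVersion and
// Key.LatestVersion: retired key versions and not-yet-existing ones are refused.
func CheckVersion(e Envelope, minVersion, latestVersion int) error {
	if e.Version < minVersion {
		return fmt.Errorf("key version %d is retired (min %d)", e.Version, minVersion)
	}
	if e.Version > latestVersion {
		return fmt.Errorf("key version %d is unknown (latest %d)", e.Version, latestVersion)
	}
	return nil
}

func main() {
	e, err := ParseVaultEnvelope("vault:v2:aGVsbG8=") // constructed, not a real signature
	fmt.Println(e.Version, string(e.Payload), err, CheckVersion(e, 1, 3))
}
```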
type Unencrypted ¶
type Unencrypted struct {
Plaintext string `mapstructure:"plaintext"`
}
Unencrypted is the plaintext counterpart of Encrypted
type VerifyHMACInput ¶
type VerifyHMACInput struct {
	Input               string `mapstructure:"input"`
	HMAC                string `mapstructure:"hmac"`
	MarshalingAlgorithm string `mapstructure:"marshaling_algorithm"`
	SignatureAlgorithm  string `mapstructure:"signature_algorithm"`
	Prehashed           bool   `mapstructure:"prehashed"`
}
VerifyHMACInput holds the parameters necessary to verify an HMAC obtained from Vault
type VerifyOutput ¶
type VerifyOutput struct {
Valid bool `mapstructure:"valid"`
}
VerifyOutput is the outcome of a verification call
type VerifySignInput ¶
type VerifySignInput struct {
	Input               string `mapstructure:"input"`
	Signature           string `mapstructure:"signature"`
	MarshalingAlgorithm string `mapstructure:"marshaling_algorithm"`
	SignatureAlgorithm  string `mapstructure:"signature_algorithm"`
	Prehashed           bool   `mapstructure:"prehashed"`
}
VerifySignInput holds the parameters necessary to verify a signature obtained from Vault