vault: github.com/hashicorp/vault/api Index | Files

package api

import "github.com/hashicorp/vault/api"

Index

Package Files

auth.go auth_token.go client.go help.go logical.go output_string.go plugin_helpers.go renewer.go request.go response.go secret.go ssh.go ssh_agent.go sys.go sys_audit.go sys_auth.go sys_capabilities.go sys_config_cors.go sys_generate_root.go sys_health.go sys_init.go sys_leader.go sys_leases.go sys_mounts.go sys_plugins.go sys_policy.go sys_raft.go sys_rekey.go sys_rotate.go sys_seal.go sys_stepdown.go

Constants

const (
    // SSHHelperDefaultMountPoint is the default path at which SSH backend will be
    // mounted in the Vault server.
    SSHHelperDefaultMountPoint = "ssh"

    // VerifyEchoRequest is the echo request message sent as OTP by the helper.
    VerifyEchoRequest = "verify-echo-request"

    // VerifyEchoResponse is the echo response message sent as a response to OTP
    // matching echo request.
    VerifyEchoResponse = "verify-echo-response"
)
const EnvRateLimit = "VAULT_RATE_LIMIT"
const EnvVaultAddress = "VAULT_ADDR"
const EnvVaultAgentAddr = "VAULT_AGENT_ADDR"
const EnvVaultAgentAddress = "VAULT_AGENT_ADDR"

Deprecated values

const EnvVaultCACert = "VAULT_CACERT"
const EnvVaultCAPath = "VAULT_CAPATH"
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
const EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
const EnvVaultMFA = "VAULT_MFA"
const EnvVaultMaxRetries = "VAULT_MAX_RETRIES"
const EnvVaultNamespace = "VAULT_NAMESPACE"
const EnvVaultSkipVerify = "VAULT_SKIP_VERIFY"
const EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
const EnvVaultToken = "VAULT_TOKEN"
const EnvVaultWrapTTL = "VAULT_WRAP_TTL"
const (
    ErrOutputStringRequest = "output a string, please"
)

Variables

var (
    // The default TTL that will be used with `sys/wrapping/wrap`, can be
    // changed
    DefaultWrappingTTL = "5m"

    // The default function used if no other function is set, which honors the
    // env var and wraps `sys/wrapping/wrap`
    DefaultWrappingLookupFunc = func(operation, path string) string {
        if os.Getenv(EnvVaultWrapTTL) != "" {
            return os.Getenv(EnvVaultWrapTTL)
        }

        if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" {
            return DefaultWrappingTTL
        }

        return ""
    }
)
var (
    // PluginMetadataModeEnv is an ENV name used to disable TLS communication
    // to bootstrap mounting plugins.
    PluginMetadataModeEnv = "VAULT_PLUGIN_METADATA_MODE"

    // PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
    // plugin.
    PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
)
var (
    ErrRenewerMissingInput  = errors.New("missing input to renewer")
    ErrRenewerMissingSecret = errors.New("missing secret to renew")
    ErrRenewerNotRenewable  = errors.New("secret is not renewable")
    ErrRenewerNoSecretData  = errors.New("returned empty secret data")

    // DefaultRenewerRenewBuffer is the default size of the buffer for renew
    // messages on the channel.
    DefaultRenewerRenewBuffer = 5
)

func VaultPluginTLSProvider Uses

func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)

VaultPluginTLSProvider is run inside a plugin and retrieves the response wrapped TLS certificate from vault. It returns a configured TLS Config.

type Audit Uses

type Audit struct {
    Type        string            `json:"type" mapstructure:"type"`
    Description string            `json:"description" mapstructure:"description"`
    Options     map[string]string `json:"options" mapstructure:"options"`
    Local       bool              `json:"local" mapstructure:"local"`
    Path        string            `json:"path" mapstructure:"path"`
}

type Auth Uses

type Auth struct {
    // contains filtered or unexported fields
}

Auth is used to perform credential backend related operations.

func (*Auth) Token Uses

func (a *Auth) Token() *TokenAuth

Token is used to return the client for token-backend API calls

type AuthConfigInput Uses

type AuthConfigInput = MountConfigInput

type AuthConfigOutput Uses

type AuthConfigOutput = MountConfigOutput

type AuthMount Uses

type AuthMount = MountOutput

type CORSRequest Uses

type CORSRequest struct {
    AllowedOrigins string `json:"allowed_origins" mapstructure:"allowed_origins"`
    Enabled        bool   `json:"enabled" mapstructure:"enabled"`
}

type CORSResponse Uses

type CORSResponse struct {
    AllowedOrigins string `json:"allowed_origins" mapstructure:"allowed_origins"`
    Enabled        bool   `json:"enabled" mapstructure:"enabled"`
}

type Client Uses

type Client struct {
    // contains filtered or unexported fields
}

Client is the client to the Vault API. Create a client with NewClient.

func NewClient Uses

func NewClient(c *Config) (*Client, error)

NewClient returns a new client for the given configuration.

If the configuration is nil, Vault will use configuration from DefaultConfig(), which is the recommended starting configuration.

If the environment variable `VAULT_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.

func (*Client) Address Uses

func (c *Client) Address() string

Address returns the Vault URL the client is configured to connect to

func (*Client) Auth Uses

func (c *Client) Auth() *Auth

Auth is used to return the client for credential-backend API calls.

func (*Client) ClearToken Uses

func (c *Client) ClearToken()

ClearToken deletes the token if it is set or does nothing otherwise.

func (*Client) Clone Uses

func (c *Client) Clone() (*Client, error)

Clone creates a new client with the same configuration. Note that the same underlying http.Client is used; modifying the client from more than one goroutine at once may not be safe, so modify the client as needed and then clone.

Also, only the client's config is currently copied; this means items not in the api.Config struct, such as policy override and wrapping function behavior, must currently then be set as desired on the new client.

func (*Client) CurrentWrappingLookupFunc Uses

func (c *Client) CurrentWrappingLookupFunc() WrappingLookupFunc

CurrentWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path

func (*Client) Headers Uses

func (c *Client) Headers() http.Header

Headers gets the current set of headers used for requests. This returns a copy; to modify it make modifications locally and use SetHeaders.

func (*Client) Help Uses

func (c *Client) Help(path string) (*Help, error)

Help reads the help information for the given path.

func (*Client) Logical Uses

func (c *Client) Logical() *Logical

Logical is used to return the client for logical-backend API calls.

func (*Client) NewRenewer Uses

func (c *Client) NewRenewer(i *RenewerInput) (*Renewer, error)

NewRenewer creates a new renewer from the given input.

func (*Client) NewRequest Uses

func (c *Client) NewRequest(method, requestPath string) *Request

NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.

func (*Client) OutputCurlString Uses

func (c *Client) OutputCurlString() bool

func (*Client) RawRequest Uses

func (c *Client) RawRequest(r *Request) (*Response, error)

RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.

func (*Client) RawRequestWithContext Uses

func (c *Client) RawRequestWithContext(ctx context.Context, r *Request) (*Response, error)

RawRequestWithContext performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.

func (*Client) SSH Uses

func (c *Client) SSH() *SSH

SSH returns the client for logical-backend API calls.

func (*Client) SSHHelper Uses

func (c *Client) SSHHelper() *SSHHelper

SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend mounted at default path ("ssh").

func (*Client) SSHHelperWithMountPoint Uses

func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper

SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend mounted at a specific mount point.

func (*Client) SSHWithMountPoint Uses

func (c *Client) SSHWithMountPoint(mountPoint string) *SSH

SSHWithMountPoint returns the client with specific SSH mount point.

func (*Client) SetAddress Uses

func (c *Client) SetAddress(addr string) error

Sets the address of Vault in the client. The format of address should be "<Scheme>://<Host>:<Port>". Setting this on a client will override the value of VAULT_ADDR environment variable.

func (*Client) SetBackoff Uses

func (c *Client) SetBackoff(backoff retryablehttp.Backoff)

SetBackoff sets the backoff function to be used for future requests.

func (*Client) SetClientTimeout Uses

func (c *Client) SetClientTimeout(timeout time.Duration)

SetClientTimeout sets the client request timeout

func (*Client) SetHeaders Uses

func (c *Client) SetHeaders(headers http.Header)

SetHeaders sets the headers to be used for future requests.

func (*Client) SetLimiter Uses

func (c *Client) SetLimiter(rateLimit float64, burst int)

SetLimiter will set the rate limiter for this client. This method is thread-safe. rateLimit and burst are specified according to https://godoc.org/golang.org/x/time/rate#NewLimiter

func (*Client) SetMFACreds Uses

func (c *Client) SetMFACreds(creds []string)

SetMFACreds sets the MFA credentials supplied either via the environment variable or via the command line.

func (*Client) SetMaxRetries Uses

func (c *Client) SetMaxRetries(retries int)

SetMaxRetries sets the number of retries that will be used in the case of certain errors

func (*Client) SetNamespace Uses

func (c *Client) SetNamespace(namespace string)

SetNamespace sets the namespace supplied either via the environment variable or via the command line.

func (*Client) SetOutputCurlString Uses

func (c *Client) SetOutputCurlString(curl bool)

func (*Client) SetPolicyOverride Uses

func (c *Client) SetPolicyOverride(override bool)

SetPolicyOverride sets whether requests should be sent with the policy override flag to request overriding soft-mandatory Sentinel policies (both RGPs and EGPs)

func (*Client) SetToken Uses

func (c *Client) SetToken(v string)

SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.

func (*Client) SetWrappingLookupFunc Uses

func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)

SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path

func (*Client) Sys Uses

func (c *Client) Sys() *Sys

Sys is used to return the client for sys-related API calls.

func (*Client) Token Uses

func (c *Client) Token() string

Token returns the access token being used by this client. It will return the empty string if there is no token set.

type Config Uses

type Config struct {

    // Address is the address of the Vault server. This should be a complete
    // URL such as "http://vault.example.com". If you need a custom SSL
    // cert or want to enable insecure mode, you need to specify a custom
    // HttpClient.
    Address string

    // AgentAddress is the address of the local Vault agent. This should be a
    // complete URL such as "http://vault.example.com".
    AgentAddress string

    // HttpClient is the HTTP client to use. Vault sets sane defaults for the
    // http.Client and its associated http.Transport created in DefaultConfig.
    // If you must modify Vault's defaults, it is suggested that you start with
    // that client and modify as needed rather than start with an empty client
    // (or http.DefaultClient).
    HttpClient *http.Client

    // MaxRetries controls the maximum number of times to retry when a 5xx
    // error occurs. Set to 0 to disable retrying. Defaults to 2 (for a total
    // of three tries).
    MaxRetries int

    // Timeout is for setting custom timeout parameter in the HttpClient
    Timeout time.Duration

    // If there is an error when creating the configuration, this will be the
    // error
    Error error

    // The Backoff function to use; a default is used if not provided
    Backoff retryablehttp.Backoff

    // Limiter is the rate limiter used by the client.
    // If this pointer is nil, then there will be no limit set.
    // In contrast, if this pointer is set, even to an empty struct,
    // then that limiter will be used. Note that an empty Limiter
    // is equivalent blocking all events.
    Limiter *rate.Limiter

    // OutputCurlString causes the actual request to return an error of type
    // *OutputStringError. Type asserting the error message will allow
    // fetching a cURL-compatible string for the operation.
    //
    // Note: It is not thread-safe to set this and make concurrent requests
    // with the same client. Cloning a client will not clone this value.
    OutputCurlString bool
    // contains filtered or unexported fields
}

Config is used to configure the creation of the client.

func DefaultConfig Uses

func DefaultConfig() *Config

DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.

The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.

If an error is encountered, this will return nil.

func (*Config) ConfigureTLS Uses

func (c *Config) ConfigureTLS(t *TLSConfig) error

ConfigureTLS takes a set of TLS configurations and applies those to the the HTTP client.

func (*Config) ReadEnvironment Uses

func (c *Config) ReadEnvironment() error

ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.

type DeregisterPluginInput Uses

type DeregisterPluginInput struct {
    // Name is the name of the plugin. Required.
    Name string `json:"-"`

    // Type of the plugin. Required.
    Type consts.PluginType `json:"type"`
}

DeregisterPluginInput is used as input to the DeregisterPlugin function.

type EnableAuditOptions Uses

type EnableAuditOptions struct {
    Type        string            `json:"type" mapstructure:"type"`
    Description string            `json:"description" mapstructure:"description"`
    Options     map[string]string `json:"options" mapstructure:"options"`
    Local       bool              `json:"local" mapstructure:"local"`
}

type EnableAuthOptions Uses

type EnableAuthOptions = MountInput

Rather than duplicate, we can use modern Go's type aliasing

type ErrorResponse Uses

type ErrorResponse struct {
    Errors []string
}

ErrorResponse is the raw structure of errors when they're returned by the HTTP API.

type GenerateRootStatusResponse Uses

type GenerateRootStatusResponse struct {
    Nonce            string `json:"nonce"`
    Started          bool   `json:"started"`
    Progress         int    `json:"progress"`
    Required         int    `json:"required"`
    Complete         bool   `json:"complete"`
    EncodedToken     string `json:"encoded_token"`
    EncodedRootToken string `json:"encoded_root_token"`
    PGPFingerprint   string `json:"pgp_fingerprint"`
    OTP              string `json:"otp"`
    OTPLength        int    `json:"otp_length"`
}

type GetPluginInput Uses

type GetPluginInput struct {
    Name string `json:"-"`

    // Type of the plugin. Required.
    Type consts.PluginType `json:"type"`
}

GetPluginInput is used as input to the GetPlugin function.

type GetPluginResponse Uses

type GetPluginResponse struct {
    Args    []string `json:"args"`
    Builtin bool     `json:"builtin"`
    Command string   `json:"command"`
    Name    string   `json:"name"`
    SHA256  string   `json:"sha256"`
}

GetPluginResponse is the response from the GetPlugin call.

type HealthResponse Uses

type HealthResponse struct {
    Initialized                bool   `json:"initialized"`
    Sealed                     bool   `json:"sealed"`
    Standby                    bool   `json:"standby"`
    PerformanceStandby         bool   `json:"performance_standby"`
    ReplicationPerformanceMode string `json:"replication_performance_mode"`
    ReplicationDRMode          string `json:"replication_dr_mode"`
    ServerTimeUTC              int64  `json:"server_time_utc"`
    Version                    string `json:"version"`
    ClusterName                string `json:"cluster_name,omitempty"`
    ClusterID                  string `json:"cluster_id,omitempty"`
    LastWAL                    uint64 `json:"last_wal,omitempty"`
}

type Help Uses

type Help struct {
    Help    string                 `json:"help"`
    SeeAlso []string               `json:"see_also"`
    OpenAPI map[string]interface{} `json:"openapi"`
}

type InitRequest Uses

type InitRequest struct {
    SecretShares      int      `json:"secret_shares"`
    SecretThreshold   int      `json:"secret_threshold"`
    StoredShares      int      `json:"stored_shares"`
    PGPKeys           []string `json:"pgp_keys"`
    RecoveryShares    int      `json:"recovery_shares"`
    RecoveryThreshold int      `json:"recovery_threshold"`
    RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
    RootTokenPGPKey   string   `json:"root_token_pgp_key"`
}

type InitResponse Uses

type InitResponse struct {
    Keys            []string `json:"keys"`
    KeysB64         []string `json:"keys_base64"`
    RecoveryKeys    []string `json:"recovery_keys"`
    RecoveryKeysB64 []string `json:"recovery_keys_base64"`
    RootToken       string   `json:"root_token"`
}

type InitStatusResponse Uses

type InitStatusResponse struct {
    Initialized bool
}

type KeyStatus Uses

type KeyStatus struct {
    Term        int       `json:"term"`
    InstallTime time.Time `json:"install_time"`
}

type LeaderResponse Uses

type LeaderResponse struct {
    HAEnabled                bool   `json:"ha_enabled"`
    IsSelf                   bool   `json:"is_self"`
    LeaderAddress            string `json:"leader_address"`
    LeaderClusterAddress     string `json:"leader_cluster_address"`
    PerfStandby              bool   `json:"performance_standby"`
    PerfStandbyLastRemoteWAL uint64 `json:"performance_standby_last_remote_wal"`
    LastWAL                  uint64 `json:"last_wal"`
}

type ListPluginsInput Uses

type ListPluginsInput struct {
    // Type of the plugin. Required.
    Type consts.PluginType `json:"type"`
}

ListPluginsInput is used as input to the ListPlugins function.

type ListPluginsResponse Uses

type ListPluginsResponse struct {
    // PluginsByType is the list of plugins by type.
    PluginsByType map[consts.PluginType][]string `json:"types"`

    // Names is the list of names of the plugins.
    //
    // Deprecated: Newer server responses should be returning PluginsByType (json:
    // "types") instead.
    Names []string `json:"names"`
}

ListPluginsResponse is the response from the ListPlugins call.

type Logical Uses

type Logical struct {
    // contains filtered or unexported fields
}

Logical is used to perform logical backend operations on Vault.

func (*Logical) Delete Uses

func (c *Logical) Delete(path string) (*Secret, error)

func (*Logical) DeleteWithData Uses

func (c *Logical) DeleteWithData(path string, data map[string][]string) (*Secret, error)

func (*Logical) List Uses

func (c *Logical) List(path string) (*Secret, error)

func (*Logical) Read Uses

func (c *Logical) Read(path string) (*Secret, error)

func (*Logical) ReadWithData Uses

func (c *Logical) ReadWithData(path string, data map[string][]string) (*Secret, error)

func (*Logical) Unwrap Uses

func (c *Logical) Unwrap(wrappingToken string) (*Secret, error)

func (*Logical) Write Uses

func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error)

type MountConfigInput Uses

type MountConfigInput struct {
    Options                   map[string]string `json:"options" mapstructure:"options"`
    DefaultLeaseTTL           string            `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
    Description               *string           `json:"description,omitempty" mapstructure:"description"`
    MaxLeaseTTL               string            `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
    ForceNoCache              bool              `json:"force_no_cache" mapstructure:"force_no_cache"`
    AuditNonHMACRequestKeys   []string          `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
    AuditNonHMACResponseKeys  []string          `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
    ListingVisibility         string            `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
    PassthroughRequestHeaders []string          `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
    AllowedResponseHeaders    []string          `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
    TokenType                 string            `json:"token_type,omitempty" mapstructure:"token_type"`

    // Deprecated: This field will always be blank for newer server responses.
    PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type MountConfigOutput Uses

type MountConfigOutput struct {
    DefaultLeaseTTL           int      `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
    MaxLeaseTTL               int      `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
    ForceNoCache              bool     `json:"force_no_cache" mapstructure:"force_no_cache"`
    AuditNonHMACRequestKeys   []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
    AuditNonHMACResponseKeys  []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
    ListingVisibility         string   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
    PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
    AllowedResponseHeaders    []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
    TokenType                 string   `json:"token_type,omitempty" mapstructure:"token_type"`

    // Deprecated: This field will always be blank for newer server responses.
    PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type MountInput Uses

type MountInput struct {
    Type        string            `json:"type"`
    Description string            `json:"description"`
    Config      MountConfigInput  `json:"config"`
    Local       bool              `json:"local"`
    SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
    Options     map[string]string `json:"options"`

    // Deprecated: Newer server responses should be returning this information in the
    // Type field (json: "type") instead.
    PluginName string `json:"plugin_name,omitempty"`
}

type MountOutput Uses

type MountOutput struct {
    UUID        string            `json:"uuid"`
    Type        string            `json:"type"`
    Description string            `json:"description"`
    Accessor    string            `json:"accessor"`
    Config      MountConfigOutput `json:"config"`
    Options     map[string]string `json:"options"`
    Local       bool              `json:"local"`
    SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
}

type OutputStringError Uses

type OutputStringError struct {
    *retryablehttp.Request
    // contains filtered or unexported fields
}
var (
    LastOutputStringError *OutputStringError
)

func (*OutputStringError) CurlString Uses

func (d *OutputStringError) CurlString() string

func (*OutputStringError) Error Uses

func (d *OutputStringError) Error() string

type PluginAPIClientMeta Uses

type PluginAPIClientMeta struct {
    // contains filtered or unexported fields
}

PluginAPIClientMeta is a helper that plugins can use to configure TLS connections back to Vault.

func (*PluginAPIClientMeta) FlagSet Uses

func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet

FlagSet returns the flag set for configuring the TLS connection

func (*PluginAPIClientMeta) GetTLSConfig Uses

func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig

GetTLSConfig will return a TLSConfig based off the values from the flags

type RaftJoinRequest Uses

type RaftJoinRequest struct {
    LeaderAPIAddr    string `json:"leader_api_addr"`
    LeaderCACert     string `json:"leader_ca_cert":`
    LeaderClientCert string `json:"leader_client_cert"`
    LeaderClientKey  string `json:"leader_client_key"`
    Retry            bool   `json:"retry"`
}

RaftJoinRequest represents the parameters consumed by the raft join API

type RaftJoinResponse Uses

type RaftJoinResponse struct {
    Joined bool `json:"joined"`
}

RaftJoinResponse represents the response of the raft join API

type RegisterPluginInput Uses

type RegisterPluginInput struct {
    // Name is the name of the plugin. Required.
    Name string `json:"-"`

    // Type of the plugin. Required.
    Type consts.PluginType `json:"type"`

    // Args is the list of args to spawn the process with.
    Args []string `json:"args,omitempty"`

    // Command is the command to run.
    Command string `json:"command,omitempty"`

    // SHA256 is the shasum of the plugin.
    SHA256 string `json:"sha256,omitempty"`
}

RegisterPluginInput is used as input to the RegisterPlugin function.

type RekeyInitRequest Uses

type RekeyInitRequest struct {
    SecretShares        int      `json:"secret_shares"`
    SecretThreshold     int      `json:"secret_threshold"`
    StoredShares        int      `json:"stored_shares"`
    PGPKeys             []string `json:"pgp_keys"`
    Backup              bool
    RequireVerification bool `json:"require_verification"`
}

type RekeyRetrieveResponse Uses

type RekeyRetrieveResponse struct {
    Nonce   string              `json:"nonce" mapstructure:"nonce"`
    Keys    map[string][]string `json:"keys" mapstructure:"keys"`
    KeysB64 map[string][]string `json:"keys_base64" mapstructure:"keys_base64"`
}

type RekeyStatusResponse Uses

type RekeyStatusResponse struct {
    Nonce                string   `json:"nonce"`
    Started              bool     `json:"started"`
    T                    int      `json:"t"`
    N                    int      `json:"n"`
    Progress             int      `json:"progress"`
    Required             int      `json:"required"`
    PGPFingerprints      []string `json:"pgp_fingerprints"`
    Backup               bool     `json:"backup"`
    VerificationRequired bool     `json:"verification_required"`
    VerificationNonce    string   `json:"verification_nonce"`
}

type RekeyUpdateResponse Uses

type RekeyUpdateResponse struct {
    Nonce                string   `json:"nonce"`
    Complete             bool     `json:"complete"`
    Keys                 []string `json:"keys"`
    KeysB64              []string `json:"keys_base64"`
    PGPFingerprints      []string `json:"pgp_fingerprints"`
    Backup               bool     `json:"backup"`
    VerificationRequired bool     `json:"verification_required"`
    VerificationNonce    string   `json:"verification_nonce,omitempty"`
}

type RekeyVerificationStatusResponse Uses

type RekeyVerificationStatusResponse struct {
    Nonce    string `json:"nonce"`
    Started  bool   `json:"started"`
    T        int    `json:"t"`
    N        int    `json:"n"`
    Progress int    `json:"progress"`
}

type RekeyVerificationUpdateResponse Uses

type RekeyVerificationUpdateResponse struct {
    Nonce    string `json:"nonce"`
    Complete bool   `json:"complete"`
}

type RenewOutput Uses

type RenewOutput struct {
    // RenewedAt is the timestamp when the renewal took place (UTC).
    RenewedAt time.Time

    // Secret is the underlying renewal data. It's the same struct as all data
    // that is returned from Vault, but since this is renewal data, it will not
    // usually include the secret itself.
    Secret *Secret
}

RenewOutput is the metadata returned to the client (if it's listening) to renew messages.

type Renewer Uses

type Renewer struct {
    // contains filtered or unexported fields
}

Renewer is a process for renewing a secret.

renewer, err := client.NewRenewer(&RenewerInput{
	Secret: mySecret,
})
go renewer.Renew()
defer renewer.Stop()

for {
	select {
	case err := <-renewer.DoneCh():
		if err != nil {
			log.Fatal(err)
		}

		// Renewal is now over
	case renewal := <-renewer.RenewCh():
		log.Printf("Successfully renewed: %#v", renewal)
	}
}

The `DoneCh` will return if renewal fails or if the remaining lease duration after a renewal is less than or equal to the grace (in number of seconds). In both cases, the caller should attempt a re-read of the secret. Clients should check the return value of the channel to see if renewal was successful.

func (*Renewer) DoneCh Uses

func (r *Renewer) DoneCh() <-chan error

DoneCh returns the channel where the renewer will publish when renewal stops. If there is an error, this will be an error.

func (*Renewer) Renew Uses

func (r *Renewer) Renew()

Renew starts a background process for renewing this secret. When the secret has auth data, this attempts to renew the auth (token). When the secret has a lease, this attempts to renew the lease.

func (*Renewer) RenewCh Uses

func (r *Renewer) RenewCh() <-chan *RenewOutput

RenewCh is a channel that receives a message when a successful renewal takes place and includes metadata about the renewal.

func (*Renewer) Stop Uses

func (r *Renewer) Stop()

Stop stops the renewer.

type RenewerInput Uses

type RenewerInput struct {
    // Secret is the secret to renew
    Secret *Secret

    // DEPRECATED: this does not do anything.
    Grace time.Duration

    // Rand is the randomizer to use for underlying randomization. If not
    // provided, one will be generated and seeded automatically. If provided, it
    // is assumed to have already been seeded.
    Rand *rand.Rand

    // RenewBuffer is the size of the buffered channel where renew messages are
    // dispatched.
    RenewBuffer int

    // The new TTL, in seconds, that should be set on the lease. The TTL set
    // here may or may not be honored by the vault server, based on Vault
    // configuration or any associated max TTL values.
    Increment int
}

RenewerInput is used as input to the renew function.

type Request Uses

type Request struct {
    Method        string
    URL           *url.URL
    Params        url.Values
    Headers       http.Header
    ClientToken   string
    MFAHeaderVals []string
    WrapTTL       string
    Obj           interface{}

    // When possible, use BodyBytes as it is more efficient due to how the
    // retry logic works
    BodyBytes []byte

    // Fallback
    Body     io.Reader
    BodySize int64

    // Whether to request overriding soft-mandatory Sentinel policies (RGPs and
    // EGPs). If set, the override flag will take effect for all policies
    // evaluated during the request.
    PolicyOverride bool
}

Request is a raw request configuration structure used to initiate API requests to the Vault server.

func (*Request) ResetJSONBody Uses

func (r *Request) ResetJSONBody() error

ResetJSONBody is used to reset the body for a redirect

func (*Request) SetJSONBody Uses

func (r *Request) SetJSONBody(val interface{}) error

SetJSONBody is used to set a request body that is a JSON-encoded value.

func (*Request) ToHTTP Uses

func (r *Request) ToHTTP() (*http.Request, error)

DEPRECATED: ToHTTP turns this request into a valid *http.Request for use with the net/http package.

type Response Uses

type Response struct {
    *http.Response
}

Response is a raw response that wraps an HTTP response.

func (*Response) DecodeJSON Uses

func (r *Response) DecodeJSON(out interface{}) error

DecodeJSON will decode the response body to a JSON structure. This will consume the response body, but will not close it. Close must still be called.

func (*Response) Error Uses

func (r *Response) Error() error

Error returns an error response if there is one. If there is an error, this will fully consume the response body, but will not close it. The body must still be closed manually.

type ResponseError Uses

type ResponseError struct {
    // HTTPMethod is the HTTP method for the request (PUT, GET, etc).
    HTTPMethod string

    // URL is the URL of the request.
    URL string

    // StatusCode is the HTTP status code.
    StatusCode int

    // RawError marks that the underlying error messages returned by Vault were
    // not parsable. The Errors slice will contain the raw response body as the
    // first and only error string if this value is set to true.
    RawError bool

    // Errors are the underlying errors returned by Vault.
    Errors []string
}

ResponseError is the error returned when Vault responds with an error or non-success HTTP status code. If a request to Vault fails because of a network error a different error message will be returned. ResponseError gives access to the underlying errors and status code.

func (*ResponseError) Error Uses

func (r *ResponseError) Error() string

Error returns a human-readable error string for the response error.

type RevokeOptions Uses

type RevokeOptions struct {
    LeaseID string
    Force   bool
    Prefix  bool
    Sync    bool
}

type SSH Uses

type SSH struct {
    MountPoint string
    // contains filtered or unexported fields
}

SSH is used to return a client to invoke operations on SSH backend.

func (*SSH) Credential Uses

func (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error)

Credential invokes the SSH backend API to create a credential to establish an SSH session.

func (*SSH) SignKey Uses

func (c *SSH) SignKey(role string, data map[string]interface{}) (*Secret, error)

SignKey signs the given public key and returns a signed public key to pass along with the SSH request.

type SSHHelper Uses

type SSHHelper struct {
    MountPoint string
    // contains filtered or unexported fields
}

SSHHelper is a structure representing a vault-ssh-helper which can talk to vault server in order to verify the OTP entered by the user. It contains the path at which SSH backend is mounted at the server.

func (*SSHHelper) Verify Uses

func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error)

Verify verifies if the key provided by user is present in Vault server. The response will contain the IP address and username associated with the OTP. In case the OTP matches the echo request message, instead of searching an entry for the OTP, an echo response message is returned. This feature is used by ssh-helper to verify if its configured correctly.

type SSHHelperConfig Uses

type SSHHelperConfig struct {
    VaultAddr       string `hcl:"vault_addr"`
    SSHMountPoint   string `hcl:"ssh_mount_point"`
    CACert          string `hcl:"ca_cert"`
    CAPath          string `hcl:"ca_path"`
    AllowedCidrList string `hcl:"allowed_cidr_list"`
    AllowedRoles    string `hcl:"allowed_roles"`
    TLSSkipVerify   bool   `hcl:"tls_skip_verify"`
    TLSServerName   string `hcl:"tls_server_name"`
}

SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.

func LoadSSHHelperConfig Uses

func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error)

LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding in-memory structure.

Vault address is a required parameter. Mount point defaults to "ssh".

func ParseSSHHelperConfig Uses

func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error)

ParseSSHHelperConfig parses the given contents as a string for the SSHHelper configuration.

func (*SSHHelperConfig) NewClient Uses

func (c *SSHHelperConfig) NewClient() (*Client, error)

NewClient returns a new client for the configuration. This client will be used by the vault-ssh-helper to communicate with Vault server and verify the OTP entered by user. If the configuration supplies Vault SSL certificates, then the client will have TLS configured in its transport.

func (*SSHHelperConfig) SetTLSParameters Uses

func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool)

SetTLSParameters sets the TLS parameters for this SSH agent.

type SSHVerifyResponse Uses

type SSHVerifyResponse struct {
    // Usually empty. If the request OTP is echo request message, this will
    // be set to the corresponding echo response message.
    Message string `json:"message" mapstructure:"message"`

    // Username associated with the OTP
    Username string `json:"username" mapstructure:"username"`

    // IP associated with the OTP
    IP  string `json:"ip" mapstructure:"ip"`

    // Name of the role against which the OTP was issued
    RoleName string `json:"role_name" mapstructure:"role_name"`
}

SSHVerifyResponse is a structure representing the fields in Vault server's response.

type SealStatusResponse Uses

type SealStatusResponse struct {
    Type         string `json:"type"`
    Initialized  bool   `json:"initialized"`
    Sealed       bool   `json:"sealed"`
    T            int    `json:"t"`
    N            int    `json:"n"`
    Progress     int    `json:"progress"`
    Nonce        string `json:"nonce"`
    Version      string `json:"version"`
    Migration    bool   `json:"migration"`
    ClusterName  string `json:"cluster_name,omitempty"`
    ClusterID    string `json:"cluster_id,omitempty"`
    RecoverySeal bool   `json:"recovery_seal"`
    StorageType  string `json:"storage_type,omitempty"`
}

type Secret Uses

type Secret struct {
    // The request ID that generated this response
    RequestID string `json:"request_id"`

    LeaseID       string `json:"lease_id"`
    LeaseDuration int    `json:"lease_duration"`
    Renewable     bool   `json:"renewable"`

    // Data is the actual contents of the secret. The format of the data
    // is arbitrary and up to the secret backend.
    Data map[string]interface{} `json:"data"`

    // Warnings contains any warnings related to the operation. These
    // are not issues that caused the command to fail, but that the
    // client should be aware of.
    Warnings []string `json:"warnings"`

    // Auth, if non-nil, means that there was authentication information
    // attached to this response.
    Auth *SecretAuth `json:"auth,omitempty"`

    // WrapInfo, if non-nil, means that the initial response was wrapped in the
    // cubbyhole of the given token (which has a TTL of the given number of
    // seconds)
    WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

Secret is the structure returned for every secret within Vault.

func ParseSecret Uses

func ParseSecret(r io.Reader) (*Secret, error)

ParseSecret is used to parse a secret value from JSON from an io.Reader.

func (*Secret) TokenAccessor Uses

func (s *Secret) TokenAccessor() (string, error)

TokenAccessor returns the standardized token accessor for the given secret. If the secret is nil or does not contain an accessor, this returns the empty string.

func (*Secret) TokenID Uses

func (s *Secret) TokenID() (string, error)

TokenID returns the standardized token ID (token) for the given secret.

func (*Secret) TokenIsRenewable Uses

func (s *Secret) TokenIsRenewable() (bool, error)

TokenIsRenewable returns the standardized token renewability for the given secret. If the secret is nil or does not contain the "renewable" key, this returns false.

func (*Secret) TokenMetadata Uses

func (s *Secret) TokenMetadata() (map[string]string, error)

TokenMetadata returns the map of metadata associated with this token, if any exists. If the secret is nil or does not contain the "metadata" key, this returns nil.

func (*Secret) TokenPolicies Uses

func (s *Secret) TokenPolicies() ([]string, error)

TokenPolicies returns the standardized list of policies for the given secret. If the secret is nil or does not contain any policies, this returns nil. It also populates the secret's Auth info with identity/token policy info.

func (*Secret) TokenRemainingUses Uses

func (s *Secret) TokenRemainingUses() (int, error)

TokenRemainingUses returns the standardized remaining uses for the given secret. If the secret is nil or does not contain the "num_uses", this returns -1. On error, this will return -1 and a non-nil error.

func (*Secret) TokenTTL Uses

func (s *Secret) TokenTTL() (time.Duration, error)

TokenTTL returns the standardized remaining token TTL for the given secret. If the secret is nil or does not contain a TTL, this returns 0.

type SecretAuth Uses

type SecretAuth struct {
    ClientToken      string            `json:"client_token"`
    Accessor         string            `json:"accessor"`
    Policies         []string          `json:"policies"`
    TokenPolicies    []string          `json:"token_policies"`
    IdentityPolicies []string          `json:"identity_policies"`
    Metadata         map[string]string `json:"metadata"`
    Orphan           bool              `json:"orphan"`
    EntityID         string            `json:"entity_id"`

    LeaseDuration int  `json:"lease_duration"`
    Renewable     bool `json:"renewable"`
}

SecretAuth is the structure containing auth information if we have it.

type SecretWrapInfo Uses

type SecretWrapInfo struct {
    Token           string    `json:"token"`
    Accessor        string    `json:"accessor"`
    TTL             int       `json:"ttl"`
    CreationTime    time.Time `json:"creation_time"`
    CreationPath    string    `json:"creation_path"`
    WrappedAccessor string    `json:"wrapped_accessor"`
}

SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.

type Sys Uses

type Sys struct {
    // contains filtered or unexported fields
}

Sys is used to perform system-related operations on Vault.

func (*Sys) AuditHash Uses

func (c *Sys) AuditHash(path string, input string) (string, error)

func (*Sys) CORSStatus Uses

func (c *Sys) CORSStatus() (*CORSResponse, error)

func (*Sys) Capabilities Uses

func (c *Sys) Capabilities(token, path string) ([]string, error)

func (*Sys) CapabilitiesSelf Uses

func (c *Sys) CapabilitiesSelf(path string) ([]string, error)

func (*Sys) ConfigureCORS Uses

func (c *Sys) ConfigureCORS(req *CORSRequest) (*CORSResponse, error)

func (*Sys) DeletePolicy Uses

func (c *Sys) DeletePolicy(name string) error

func (*Sys) DeregisterPlugin Uses

func (c *Sys) DeregisterPlugin(i *DeregisterPluginInput) error

DeregisterPlugin removes the plugin with the given name from the plugin catalog.

func (*Sys) DisableAudit Uses

func (c *Sys) DisableAudit(path string) error

func (*Sys) DisableAuth Uses

func (c *Sys) DisableAuth(path string) error

func (*Sys) DisableCORS Uses

func (c *Sys) DisableCORS() (*CORSResponse, error)

func (*Sys) EnableAudit Uses

func (c *Sys) EnableAudit(
    path string, auditType string, desc string, opts map[string]string) error

DEPRECATED: Use EnableAuditWithOptions instead

func (*Sys) EnableAuditWithOptions Uses

func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error

func (*Sys) EnableAuth Uses

func (c *Sys) EnableAuth(path, authType, desc string) error

DEPRECATED: Use EnableAuthWithOptions instead

func (*Sys) EnableAuthWithOptions Uses

func (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error

func (*Sys) GenerateDROperationTokenCancel Uses

func (c *Sys) GenerateDROperationTokenCancel() error

func (*Sys) GenerateDROperationTokenInit Uses

func (c *Sys) GenerateDROperationTokenInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateDROperationTokenStatus Uses

func (c *Sys) GenerateDROperationTokenStatus() (*GenerateRootStatusResponse, error)

func (*Sys) GenerateDROperationTokenUpdate Uses

func (c *Sys) GenerateDROperationTokenUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootCancel Uses

func (c *Sys) GenerateRootCancel() error

func (*Sys) GenerateRootInit Uses

func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootStatus Uses

func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootUpdate Uses

func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GetPlugin Uses

func (c *Sys) GetPlugin(i *GetPluginInput) (*GetPluginResponse, error)

GetPlugin retrieves information about the plugin.

func (*Sys) GetPolicy Uses

func (c *Sys) GetPolicy(name string) (string, error)

func (*Sys) Health Uses

func (c *Sys) Health() (*HealthResponse, error)

func (*Sys) Init Uses

func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)

func (*Sys) InitStatus Uses

func (c *Sys) InitStatus() (bool, error)

func (*Sys) KeyStatus Uses

func (c *Sys) KeyStatus() (*KeyStatus, error)

func (*Sys) Leader Uses

func (c *Sys) Leader() (*LeaderResponse, error)

func (*Sys) ListAudit Uses

func (c *Sys) ListAudit() (map[string]*Audit, error)

func (*Sys) ListAuth Uses

func (c *Sys) ListAuth() (map[string]*AuthMount, error)

func (*Sys) ListMounts Uses

func (c *Sys) ListMounts() (map[string]*MountOutput, error)

func (*Sys) ListPlugins Uses

func (c *Sys) ListPlugins(i *ListPluginsInput) (*ListPluginsResponse, error)

ListPlugins lists all plugins in the catalog and returns their names as a list of strings.

func (*Sys) ListPolicies Uses

func (c *Sys) ListPolicies() ([]string, error)

func (*Sys) Mount Uses

func (c *Sys) Mount(path string, mountInfo *MountInput) error

func (*Sys) MountConfig Uses

func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)

func (*Sys) PutPolicy Uses

func (c *Sys) PutPolicy(name, rules string) error

func (*Sys) RaftJoin Uses

func (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error)

RaftJoin adds the node from which this call is invoked from to the raft cluster represented by the leader address in the parameter.

func (*Sys) RaftSnapshot Uses

func (c *Sys) RaftSnapshot(snapWriter io.Writer) error

RaftSnapshot invokes the API that takes the snapshot of the raft cluster and writes it to the supplied io.Writer.

func (*Sys) RaftSnapshotRestore Uses

func (c *Sys) RaftSnapshotRestore(snapReader io.Reader, force bool) error

RaftSnapshotRestore reads the snapshot from the io.Reader and installs that snapshot, returning the cluster to the state defined by it.

func (*Sys) RegisterPlugin Uses

func (c *Sys) RegisterPlugin(i *RegisterPluginInput) error

RegisterPlugin registers the plugin with the given information.

func (*Sys) RekeyCancel Uses

func (c *Sys) RekeyCancel() error

func (*Sys) RekeyDeleteBackup Uses

func (c *Sys) RekeyDeleteBackup() error

func (*Sys) RekeyDeleteRecoveryBackup Uses

func (c *Sys) RekeyDeleteRecoveryBackup() error

func (*Sys) RekeyInit Uses

func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyCancel Uses

func (c *Sys) RekeyRecoveryKeyCancel() error

func (*Sys) RekeyRecoveryKeyInit Uses

func (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyStatus Uses

func (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyUpdate Uses

func (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) RekeyRecoveryKeyVerificationCancel Uses

func (c *Sys) RekeyRecoveryKeyVerificationCancel() error

func (*Sys) RekeyRecoveryKeyVerificationStatus Uses

func (c *Sys) RekeyRecoveryKeyVerificationStatus() (*RekeyVerificationStatusResponse, error)

func (*Sys) RekeyRecoveryKeyVerificationUpdate Uses

func (c *Sys) RekeyRecoveryKeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)

func (*Sys) RekeyRetrieveBackup Uses

func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)

func (*Sys) RekeyRetrieveRecoveryBackup Uses

func (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error)

func (*Sys) RekeyStatus Uses

func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)

func (*Sys) RekeyUpdate Uses

func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) RekeyVerificationCancel Uses

func (c *Sys) RekeyVerificationCancel() error

func (*Sys) RekeyVerificationStatus Uses

func (c *Sys) RekeyVerificationStatus() (*RekeyVerificationStatusResponse, error)

func (*Sys) RekeyVerificationUpdate Uses

func (c *Sys) RekeyVerificationUpdate(shard, nonce string) (*RekeyVerificationUpdateResponse, error)

func (*Sys) Remount Uses

func (c *Sys) Remount(from, to string) error

func (*Sys) Renew Uses

func (c *Sys) Renew(id string, increment int) (*Secret, error)

func (*Sys) ResetUnsealProcess Uses

func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)

func (*Sys) Revoke Uses

func (c *Sys) Revoke(id string) error

func (*Sys) RevokeForce Uses

func (c *Sys) RevokeForce(id string) error

func (*Sys) RevokePrefix Uses

func (c *Sys) RevokePrefix(id string) error

func (*Sys) RevokeWithOptions Uses

func (c *Sys) RevokeWithOptions(opts *RevokeOptions) error

func (*Sys) Rotate Uses

func (c *Sys) Rotate() error

func (*Sys) Seal Uses

func (c *Sys) Seal() error

func (*Sys) SealStatus Uses

func (c *Sys) SealStatus() (*SealStatusResponse, error)

func (*Sys) StepDown Uses

func (c *Sys) StepDown() error

func (*Sys) TuneMount Uses

func (c *Sys) TuneMount(path string, config MountConfigInput) error

func (*Sys) Unmount Uses

func (c *Sys) Unmount(path string) error

func (*Sys) Unseal Uses

func (c *Sys) Unseal(shard string) (*SealStatusResponse, error)

func (*Sys) UnsealWithOptions Uses

func (c *Sys) UnsealWithOptions(opts *UnsealOpts) (*SealStatusResponse, error)

type TLSConfig Uses

type TLSConfig struct {
    // CACert is the path to a PEM-encoded CA cert file to use to verify the
    // Vault server SSL certificate.
    CACert string

    // CAPath is the path to a directory of PEM-encoded CA cert files to verify
    // the Vault server SSL certificate.
    CAPath string

    // ClientCert is the path to the certificate for Vault communication
    ClientCert string

    // ClientKey is the path to the private key for Vault communication
    ClientKey string

    // TLSServerName, if set, is used to set the SNI host when connecting via
    // TLS.
    TLSServerName string

    // Insecure enables or disables SSL verification
    Insecure bool
}

TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.

type TokenAuth Uses

type TokenAuth struct {
    // contains filtered or unexported fields
}

TokenAuth is used to perform token backend operations on Vault

func (*TokenAuth) Create Uses

func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateOrphan Uses

func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateWithRole Uses

func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error)

func (*TokenAuth) Lookup Uses

func (c *TokenAuth) Lookup(token string) (*Secret, error)

func (*TokenAuth) LookupAccessor Uses

func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error)

func (*TokenAuth) LookupSelf Uses

func (c *TokenAuth) LookupSelf() (*Secret, error)

func (*TokenAuth) Renew Uses

func (c *TokenAuth) Renew(token string, increment int) (*Secret, error)

func (*TokenAuth) RenewSelf Uses

func (c *TokenAuth) RenewSelf(increment int) (*Secret, error)

func (*TokenAuth) RenewTokenAsSelf Uses

func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error)

RenewTokenAsSelf behaves like renew-self, but authenticates using a provided token instead of the token attached to the client.

func (*TokenAuth) RevokeAccessor Uses

func (c *TokenAuth) RevokeAccessor(accessor string) error

RevokeAccessor revokes a token associated with the given accessor along with all the child tokens.

func (*TokenAuth) RevokeOrphan Uses

func (c *TokenAuth) RevokeOrphan(token string) error

RevokeOrphan revokes a token without revoking the tree underneath it (so child tokens are orphaned rather than revoked)

func (*TokenAuth) RevokeSelf Uses

func (c *TokenAuth) RevokeSelf(token string) error

RevokeSelf revokes the token making the call. The `token` parameter is kept for backwards compatibility but is ignored; only the client's set token has an effect.

func (*TokenAuth) RevokeTree Uses

func (c *TokenAuth) RevokeTree(token string) error

RevokeTree is the "normal" revoke operation that revokes the given token and the entire tree underneath -- all of its child tokens, their child tokens, etc.

type TokenCreateRequest Uses

type TokenCreateRequest struct {
    ID              string            `json:"id,omitempty"`
    Policies        []string          `json:"policies,omitempty"`
    Metadata        map[string]string `json:"meta,omitempty"`
    Lease           string            `json:"lease,omitempty"`
    TTL             string            `json:"ttl,omitempty"`
    ExplicitMaxTTL  string            `json:"explicit_max_ttl,omitempty"`
    Period          string            `json:"period,omitempty"`
    NoParent        bool              `json:"no_parent,omitempty"`
    NoDefaultPolicy bool              `json:"no_default_policy,omitempty"`
    DisplayName     string            `json:"display_name"`
    NumUses         int               `json:"num_uses"`
    Renewable       *bool             `json:"renewable,omitempty"`
    Type            string            `json:"type"`
    EntityAlias     string            `json:"entity_alias"`
}

TokenCreateRequest is the options structure for creating a token.

type UnsealOpts Uses

type UnsealOpts struct {
    Key     string `json:"key"`
    Reset   bool   `json:"reset"`
    Migrate bool   `json:"migrate"`
}

type WrappingLookupFunc Uses

type WrappingLookupFunc func(operation, path string) string

WrappingLookupFunc is a function that, given an HTTP verb and a path, returns an optional string duration to be used for response wrapping (e.g. "15s", or simply "15"). The path will not begin with "/v1/" or "v1/" or "/", however, end-of-path forward slashes are not trimmed, so must match your called path precisely.

Package api imports 37 packages (graph) and is imported by 697 packages. Updated 2019-09-19. Refresh now. Tools for package owners.