import "github.com/hashicorp/vault/sdk/framework"
backend.go field_data.go field_type.go filter.go identity.go lease.go openapi.go path.go path_map.go path_struct.go policy_map.go secret.go template.go testing.go wal.go
const OASVersion = "3.0.2"OpenAPI specification (OAS): https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md
const WALPrefix = "wal/"WALPrefix is the prefix within Storage where WAL entries will be written.
var OASStdRespNoContent = &OASResponse{ Description: "empty body", }
var OASStdRespOK = &OASResponse{ Description: "OK", }
func CalculateTTL(sysView logical.SystemView, increment, backendTTL, period, backendMaxTTL, explicitMaxTTL time.Duration, startTime time.Time) (ttl time.Duration, warnings []string, errors error)
CalculateTTL takes all the user-specified, backend, and system inputs and calculates a TTL for a lease
DeleteWAL commits the WAL entry with the given ID. Once committed, it is assumed that the operation was a success and doesn't need to be rolled back.
Helper which returns a generic regex string for creating endpoint patterns that are identified by the given name in the backends
GenericNameWithAtRegex returns a generic regex that allows alphanumeric characters along with -, . and @.
ListWAL lists all the entries in the WAL.
Helper which returns a regex string for capturing an entire endpoint path as the given name.
Helper which returns a regex string for optionally accepting the a field from the API URL
func PopulateIdentityTemplate(tpl string, entityID string, sysView logical.SystemView) (string, error)
PopulateIdentityTemplate takes a template string, an entity ID, and an instance of system view. It will query system view for information about the entity and use the resulting identity information to populate the template string.
PutWAL writes some data to the WAL.
The kind parameter is used by the framework to allow users to store multiple kinds of WAL data and to easily disambiguate what data they're expecting.
Data within the WAL that is uncommitted (CommitWAL hasn't be called) will be given to the rollback callback when an rollback operation is received, allowing the backend to clean up some partial states.
The data must be JSON encodable.
This returns a unique ID that can be used to reference this WAL data. WAL data cannot be modified. You can only add to the WAL and commit existing WAL entries.
TestBackendRoutes is a helper to test that all the given routes will route properly in the backend.
ValidateIdentityTemplate takes a template string and returns if the string is a valid identity template.
type Backend struct {
// Help is the help text that is shown when a help request is made
// on the root of this resource. The root help is special since we
// show all the paths that can be requested.
Help string
// Paths are the various routes that the backend responds to.
// This cannot be modified after construction (i.e. dynamically changing
// paths, including adding or removing, is not allowed once the
// backend is in use).
//
// PathsSpecial is the list of path patterns that denote the
// paths above that require special privileges. These can't be
// regular expressions, it is either exact match or prefix match.
// For prefix match, append '*' as a suffix.
Paths []*Path
PathsSpecial *logical.Paths
// Secrets is the list of secret types that this backend can
// return. It is used to automatically generate proper responses,
// and ease specifying callbacks for revocation, renewal, etc.
Secrets []*Secret
// InitializeFunc is the callback, which if set, will be invoked via
// Initialize() just after a plugin has been mounted.
InitializeFunc InitializeFunc
// PeriodicFunc is the callback, which if set, will be invoked when the
// periodic timer of RollbackManager ticks. This can be used by
// backends to do anything it wishes to do periodically.
//
// PeriodicFunc can be invoked to, say to periodically delete stale
// entries in backend's storage, while the backend is still being used.
// (Note the different of this action from what `Clean` does, which is
// invoked just before the backend is unmounted).
PeriodicFunc periodicFunc
// WALRollback is called when a WAL entry (see wal.go) has to be rolled
// back. It is called with the data from the entry.
//
// WALRollbackMinAge is the minimum age of a WAL entry before it is attempted
// to be rolled back. This should be longer than the maximum time it takes
// to successfully create a secret.
WALRollback WALRollbackFunc
WALRollbackMinAge time.Duration
// Clean is called on unload to clean up e.g any existing connections
// to the backend, if required.
Clean CleanupFunc
// Invalidate is called when a keys is modified if required
Invalidate InvalidateFunc
// AuthRenew is the callback to call when a RenewRequest for an
// authentication comes in. By default, renewal won't be allowed.
// See the built-in AuthRenew helpers in lease.go for common callbacks.
AuthRenew OperationFunc
// Type is the logical.BackendType for the backend implementation
BackendType logical.BackendType
// contains filtered or unexported fields
}Backend is an implementation of logical.Backend that allows the implementer to code a backend using a much more programmer-friendly framework that handles a lot of the routing and validation for you.
This is recommended over implementing logical.Backend directly.
Cleanup is used to release resources and prepare to stop the backend
GetRandomReader returns an io.Reader to use for generating key material in backends. If the backend has access to an external entropy source it will return that, otherwise it returns crypto/rand.Reader.
func (b *Backend) HandleExistenceCheck(ctx context.Context, req *logical.Request) (checkFound bool, exists bool, err error)
HandleExistenceCheck is the logical.Backend implementation.
func (b *Backend) HandleRequest(ctx context.Context, req *logical.Request) (*logical.Response, error)
HandleRequest is the logical.Backend implementation.
Initialize is the logical.Backend implementation.
InvalidateKey is used to clear caches and reset internal state on key changes
Logger can be used to get the logger. If no logger has been set, the logs will be discarded.
Route looks up the path that would be used for a given path string.
Secret is used to look up the secret with the given type.
Setup is used to initialize the backend with the initial backend configuration
SpecialPaths is the logical.Backend implementation.
func (b *Backend) System() logical.SystemView
System returns the backend's system view.
func (b *Backend) Type() logical.BackendType
Type returns the backend type
CleanupFunc is the callback for backend unload.
type DisplayAttributes struct {
// Name is the name of the field suitable as a label or documentation heading.
Name string `json:"name,omitempty"`
// Value is a sample value to display for this field. This may be used
// to indicate a default value, but it is for display only and completely separate
// from any Default member handling.
Value interface{} `json:"value,omitempty"`
// Sensitive indicates that the value should be masked by default in the UI.
Sensitive bool `json:"sensitive,omitempty"`
// Navigation indicates that the path should be available as a navigation tab
bool `json:"navigation,omitempty"`
// ItemType is the type of item this path operates on
ItemType string `json:"itemType,omitempty"`
// Group is the suggested UI group to place this field in.
Group string `json:"group,omitempty"`
// Action is the verb to use for the operation.
Action string `json:"action,omitempty"`
// EditType is the optional type of form field needed for a property
// This is only necessary for a "textarea" or "file"
EditType string `json:"editType,omitempty"`
}ExistenceFunc is the callback called for an existence check on a path.
type FieldData struct {
Raw map[string]interface{}
Schema map[string]*FieldSchema
}FieldData is the structure passed to the callback to handle a path containing the populated parameters for fields. This should be used instead of the raw (*vault.Request).Data to access data in a type-safe way.
Get gets the value for the given field. If the key is an invalid field, FieldData will panic. If you want a safer version of this method, use GetOk. If the field k is not set, the default value (if set) will be returned, otherwise the zero value will be returned.
GetDefaultOrZero gets the default value set on the schema for the given field. If there is no default value set, the zero value of the type will be returned.
GetFirst gets the value for the given field names, in order from first to last. This can be useful for fields with a current name, and one or more deprecated names. The second return value will be false if the keys are invalid or the keys are not set at all.
GetOk gets the value for the given field. The second return value will be false if the key is invalid or the key is not set at all. If the field k is set and the decoded value is nil, the default or zero value will be returned instead.
GetOkErr is the most conservative of all the Get methods. It returns whether key is set or not, but also an error value. The error value is non-nil if the field doesn't exist or there was an error parsing the field value.
Validate cycles through raw data and validate conversions in the schema, so we don't get an error/panic later when trying to get data out. Data not in the schema is not an error at this point, so we don't worry about it.
type FieldSchema struct {
Type FieldType
Default interface{}
Description string
Required bool
Deprecated bool
// Query indicates this field will be sent as a query parameter:
//
// /v1/foo/bar?some_param=some_value
//
// It doesn't affect handling of the value, but may be used for documentation.
Query bool
// AllowedValues is an optional list of permitted values for this field.
// This constraint is not (yet) enforced by the framework, but the list is
// output as part of OpenAPI generation and may effect documentation and
// dynamic UI generation.
AllowedValues []interface{}
// DisplayAttrs provides hints for UI and documentation generators. They
// will be included in OpenAPI output if set.
DisplayAttrs *DisplayAttributes
}FieldSchema is a basic schema to describe the format of a path field.
func (s *FieldSchema) DefaultOrZero() interface{}
DefaultOrZero returns the default value if it is set, or otherwise the zero value of the type.
FieldType is the enum of types that a field can be.
const (
TypeInvalid FieldType = 0
TypeString FieldType = iota
TypeInt
TypeBool
TypeMap
// TypeDurationSecond represent as seconds, this can be either an
// integer or go duration format string (e.g. 24h)
TypeDurationSecond
// TypeSignedDurationSecond represents a positive or negative duration
// as seconds, this can be either an integer or go duration format
// string (e.g. 24h).
TypeSignedDurationSecond
// TypeSlice represents a slice of any type
TypeSlice
// TypeStringSlice is a helper for TypeSlice that returns a sanitized
// slice of strings
TypeStringSlice
// TypeCommaStringSlice is a helper for TypeSlice that returns a sanitized
// slice of strings and also supports parsing a comma-separated list in
// a string field
TypeCommaStringSlice
// TypeLowerCaseString is a helper for TypeString that returns a lowercase
// version of the provided string
TypeLowerCaseString
// TypeNameString represents a name that is URI safe and follows specific
// rules. These rules include start and end with an alphanumeric
// character and characters in the middle can be alphanumeric or . or -.
TypeNameString
// TypeKVPairs allows you to represent the data as a map or a list of
// equal sign delimited key pairs
TypeKVPairs
// TypeCommaIntSlice is a helper for TypeSlice that returns a sanitized
// slice of Ints
TypeCommaIntSlice
// TypeHeader is a helper for sending request headers through to Vault.
// For instance, the AWS and AliCloud credential plugins both act as a
// benevolent MITM for a request, and the headers are sent through and
// parsed.
TypeHeader
// TypeFloat parses both float32 and float64 values
TypeFloat
// TypeTime represents absolute time. It accepts an RFC3999-formatted
// string (with or without fractional seconds), or an epoch timestamp
// formatted as a string or a number. The resulting time.Time
// is converted to UTC.
TypeTime
)Zero returns the correct zero-value for a specific FieldType
InitializeFunc is the callback, which if set, will be invoked via Initialize() just after a plugin has been mounted.
InvalidateFunc is the callback for backend key invalidation.
type OASContent map[string]*OASMediaTypeObject
type OASDocument struct {
Version string `json:"openapi" mapstructure:"openapi"`
Info OASInfo `json:"info"`
Paths map[string]*OASPathItem `json:"paths"`
}func NewOASDocument() *OASDocument
NewOASDocument returns an empty OpenAPI document.
func NewOASDocumentFromMap(input map[string]interface{}) (*OASDocument, error)
NewOASDocumentFromMap builds an OASDocument from an existing map version of a document. If a document has been decoded from JSON or received from a plugin, it will be as a map[string]interface{} and needs special handling beyond the default mapstructure decoding.
func (d *OASDocument) CreateOperationIDs(context string)
CreateOperationIDs generates unique operationIds for all paths/methods. The transform will convert path/method into camelcase. e.g.:
/sys/tools/random/{urlbytes} -> postSysToolsRandomUrlbytes
In the unlikely case of a duplicate ids, a numeric suffix is added:
postSysToolsRandomUrlbytes_2
An optional user-provided suffix ("context") may also be appended.
type OASInfo struct {
Title string `json:"title"`
Description string `json:"description"`
Version string `json:"version"`
License OASLicense `json:"license"`
}type OASOperation struct {
Summary string `json:"summary,omitempty"`
Description string `json:"description,omitempty"`
OperationID string `json:"operationId,omitempty"`
Tags []string `json:"tags,omitempty"`
Parameters []OASParameter `json:"parameters,omitempty"`
RequestBody *OASRequestBody `json:"requestBody,omitempty"`
Responses map[int]*OASResponse `json:"responses"`
Deprecated bool `json:"deprecated,omitempty"`
}func NewOASOperation() *OASOperation
NewOASOperation creates an empty OpenAPI Operations object.
type OASParameter struct {
Name string `json:"name"`
Description string `json:"description,omitempty"`
In string `json:"in"`
Schema *OASSchema `json:"schema,omitempty"`
Required bool `json:"required,omitempty"`
Deprecated bool `json:"deprecated,omitempty"`
}type OASPathItem struct {
Description string `json:"description,omitempty"`
Parameters []OASParameter `json:"parameters,omitempty"`
Sudo bool `json:"x-vault-sudo,omitempty" mapstructure:"x-vault-sudo"`
Unauthenticated bool `json:"x-vault-unauthenticated,omitempty" mapstructure:"x-vault-unauthenticated"`
CreateSupported bool `json:"x-vault-createSupported,omitempty" mapstructure:"x-vault-createSupported"`
bool `json:"x-vault-displayNavigation,omitempty" mapstructure:"x-vault-displayNavigation"`
DisplayAttrs *DisplayAttributes `json:"x-vault-displayAttrs,omitempty" mapstructure:"x-vault-displayAttrs"`
Get *OASOperation `json:"get,omitempty"`
Post *OASOperation `json:"post,omitempty"`
Delete *OASOperation `json:"delete,omitempty"`
}type OASRequestBody struct {
Description string `json:"description,omitempty"`
Content OASContent `json:"content,omitempty"`
}type OASResponse struct {
Description string `json:"description"`
Content OASContent `json:"content,omitempty"`
}type OASSchema struct {
Type string `json:"type,omitempty"`
Description string `json:"description,omitempty"`
Properties map[string]*OASSchema `json:"properties,omitempty"`
// Required is a list of keys in Properties that are required to be present. This is a different
// approach than OASParameter (unfortunately), but is how JSONSchema handles 'required'.
Required []string `json:"required,omitempty"`
Items *OASSchema `json:"items,omitempty"`
Format string `json:"format,omitempty"`
Pattern string `json:"pattern,omitempty"`
Enum []interface{} `json:"enum,omitempty"`
Default interface{} `json:"default,omitempty"`
Example interface{} `json:"example,omitempty"`
Deprecated bool `json:"deprecated,omitempty"`
//DisplayName string `json:"x-vault-displayName,omitempty" mapstructure:"x-vault-displayName,omitempty"`
DisplayValue interface{} `json:"x-vault-displayValue,omitempty" mapstructure:"x-vault-displayValue,omitempty"`
DisplaySensitive bool `json:"x-vault-displaySensitive,omitempty" mapstructure:"x-vault-displaySensitive,omitempty"`
DisplayGroup string `json:"x-vault-displayGroup,omitempty" mapstructure:"x-vault-displayGroup,omitempty"`
DisplayAttrs *DisplayAttributes `json:"x-vault-displayAttrs,omitempty" mapstructure:"x-vault-displayAttrs,omitempty"`
}OperationFunc is the callback called for an operation on a path.
func GlobListFilter(fieldName string, callback OperationFunc) OperationFunc
GlobListFilter wraps an OperationFunc with an optional filter which excludes listed entries which don't match a glob style pattern
func LeaseExtend(backendIncrement, backendMax time.Duration, systemView logical.SystemView) OperationFunc
LeaseExtend is left for backwards compatibility for plugins. This function now just passes back the data that was passed into it to be processed in core. DEPRECATED
type OperationHandler interface {
Handler() OperationFunc
Properties() OperationProperties
}OperationHandler defines and describes a specific operation handler.
type OperationProperties struct {
// Summary is a brief (usually one line) description of the operation.
Summary string
// Description is extended documentation of the operation and may contain
// Markdown-formatted text markup.
Description string
// Examples provides samples of the expected request data. The most
// relevant example should be first in the list, as it will be shown in
// documentation that supports only a single example.
Examples []RequestExample
// Responses provides a list of response description for a given response
// code. The most relevant response should be first in the list, as it will
// be shown in documentation that only allows a single example.
Responses map[int][]Response
// Unpublished indicates that this operation should not appear in public
// documentation or help text. The operation may still have documentation
// attached that can be used internally.
Unpublished bool
// Deprecated indicates that this operation should be avoided.
Deprecated bool
// The ForwardPerformance* parameters tell the router to unconditionally forward requests
// to this path if the processing node is a performance secondary/standby. This is generally
// *not* needed as there is already handling in place to automatically forward requests
// that try to write to storage. But there are a few cases where explicit forwarding is needed,
// for example:
//
// * The handler makes requests to other systems (e.g. an external API, database, ...) that
// change external state somehow, and subsequently writes to storage. In this case the
// default forwarding logic could result in multiple mutative calls to the external system.
//
// * The operation spans multiple requests (e.g. an OIDC callback), in-memory caching used,
// and the same node (and therefore cache) should process both steps.
//
// If explicit forwarding is needed, it is usually true that forwarding from both performance
// standbys and performance secondaries should be enabled.
//
// ForwardPerformanceStandby indicates that this path should not be processed
// on a performance standby node, and should be forwarded to the active node instead.
ForwardPerformanceStandby bool
// ForwardPerformanceSecondary indicates that this path should not be processed
// on a performance secondary node, and should be forwarded to the active node instead.
ForwardPerformanceSecondary bool
// DisplayAttrs provides hints for UI and documentation generators. They
// will be included in OpenAPI output if set.
DisplayAttrs *DisplayAttributes
}OperationProperties describes an operation for documentation, help text, and other clients. A Summary should always be provided, whereas other fields can be populated as needed.
type Path struct {
// Pattern is the pattern of the URL that matches this path.
//
// This should be a valid regular expression. Named captures will be
// exposed as fields that should map to a schema in Fields. If a named
// capture is not a field in the Fields map, then it will be ignored.
Pattern string
// Fields is the mapping of data fields to a schema describing that
// field. Named captures in the Pattern also map to fields. If a named
// capture name matches a PUT body name, the named capture takes
// priority.
//
// Note that only named capture fields are available in every operation,
// whereas all fields are available in the Write operation.
Fields map[string]*FieldSchema
// Operations is the set of operations supported and the associated OperationsHandler.
//
// If both Create and Update operations are present, documentation and examples from
// the Update definition will be used. Similarly if both Read and List are present,
// Read will be used for documentation.
Operations map[logical.Operation]OperationHandler
// Callbacks are the set of callbacks that are called for a given
// operation. If a callback for a specific operation is not present,
// then logical.ErrUnsupportedOperation is automatically generated.
//
// The help operation is the only operation that the Path will
// automatically handle if the Help field is set. If both the Help
// field is set and there is a callback registered here, then the
// callback will be called.
//
// Deprecated: Operations should be used instead and will take priority if present.
Callbacks map[logical.Operation]OperationFunc
// ExistenceCheck, if implemented, is used to query whether a given
// resource exists or not. This is used for ACL purposes: if an Update
// action is specified, and the existence check returns false, the action
// is not allowed since the resource must first be created. The reverse is
// also true. If not specified, the Update action is forced and the user
// must have UpdateCapability on the path.
ExistenceCheck ExistenceFunc
// FeatureRequired, if implemented, will validate if the given feature is
// enabled for the set of paths
FeatureRequired license.Features
// Deprecated denotes that this path is considered deprecated. This may
// be reflected in help and documentation.
Deprecated bool
// Help is text describing how to use this path. This will be used
// to auto-generate the help operation. The Path will automatically
// generate a parameter listing and URL structure based on the
// regular expression, so the help text should just contain a description
// of what happens.
//
// HelpSynopsis is a one-sentence description of the path. This will
// be automatically line-wrapped at 80 characters.
//
// HelpDescription is a long-form description of the path. This will
// be automatically line-wrapped at 80 characters.
HelpSynopsis string
HelpDescription string
// DisplayAttrs provides hints for UI and documentation generators. They
// will be included in OpenAPI output if set.
DisplayAttrs *DisplayAttributes
}Path is a single path that the backend responds to.
PathAppend is a helper for appending lists of paths into a single list.
type PathMap struct {
Prefix string
Name string
Schema map[string]*FieldSchema
CaseSensitive bool
Salt *saltpkg.Salt
SaltFunc func(context.Context) (*saltpkg.Salt, error)
// contains filtered or unexported fields
}DEPRECATED: Don't use this. It's too inflexible, nearly impossible to use with some modern Vault features, and imposes specific API designs.
PathMap can be used to generate a path that stores mappings in the storage. It is a structure that also exports functions for querying the mappings.
The primary use case for this is for credential providers to do their mapping to policies.
Delete removes a value from the mapping
func (p *PathMap) Get(ctx context.Context, s logical.Storage, k string) (map[string]interface{}, error)
Get reads a value out of the mapping
List reads the keys under a given path
Paths are the paths to append to the Backend paths.
func (p *PathMap) Put(ctx context.Context, s logical.Storage, k string, v map[string]interface{}) error
Put writes a value into the mapping
type PathOperation struct {
Callback OperationFunc
Summary string
Description string
Examples []RequestExample
Responses map[int][]Response
Unpublished bool
Deprecated bool
ForwardPerformanceSecondary bool
ForwardPerformanceStandby bool
}PathOperation is a concrete implementation of OperationHandler.
func (p *PathOperation) Handler() OperationFunc
func (p *PathOperation) Properties() OperationProperties
type PathStruct struct {
Name string
Path string
Schema map[string]*FieldSchema
HelpSynopsis string
HelpDescription string
Read bool
}PathStruct can be used to generate a path that stores a struct in the storage. This structure is a map[string]interface{} but the types are set according to the schema in this structure.
Delete removes the structure.
Get reads the structure.
func (p *PathStruct) Paths() []*Path
Paths are the paths to append to the Backend paths.
Put writes the structure.
DEPRECATED: Don't use this. It's too inflexible, nearly impossible to use with some modern Vault features, and imposes specific API designs.
PolicyMap is a specialization of PathMap that expects the values to be lists of policies. This assists in querying and loading policies from the PathMap.
func (p *PolicyMap) Policies(ctx context.Context, s logical.Storage, names ...string) ([]string, error)
type RequestExample struct {
Description string // optional description of the request
Data map[string]interface{} // map version of sample JSON request data
// Optional example response to the sample request. This approach is considered
// provisional for now, and this field may be changed or removed.
Response *Response
}RequestExample is example of request data.
type Response struct {
Description string // summary of the the response and should always be provided
MediaType string // media type of the response, defaulting to "application/json" if empty
Example *logical.Response // example response data
}Response describes and optional demonstrations an operation response.
type Secret struct {
// Type is the name of this secret type. This is used to setup the
// vault ID and to look up the proper secret structure when revocation/
// renewal happens. Once this is set this should not be changed.
//
// The format of this must match (case insensitive): ^a-Z0-9_$
Type string
// Fields is the mapping of data fields and schema that comprise
// the structure of this secret.
Fields map[string]*FieldSchema
// DefaultDuration is the default value for the duration of the lease for
// this secret. This can be manually overwritten with the result of
// Response().
//
// If these aren't set, Vault core will set a default lease period which
// may come from a mount tuning.
DefaultDuration time.Duration
// Renew is the callback called to renew this secret. If Renew is
// not specified then renewable is set to false in the secret.
// See lease.go for helpers for this value.
Renew OperationFunc
// Revoke is the callback called to revoke this secret. This is required.
Revoke OperationFunc
}Secret is a type of secret that can be returned from a backend.
HandleRenew is the request handler for renewing this secret.
func (s *Secret) HandleRevoke(ctx context.Context, req *logical.Request) (*logical.Response, error)
HandleRevoke is the request handler for revoking this secret.
type WALEntry struct {
ID string `json:"-"`
Kind string `json:"type"`
Data interface{} `json:"data"`
CreatedAt int64 `json:"created_at"`
}GetWAL reads a specific entry from the WAL. If the entry doesn't exist, then nil value is returned.
The kind, value, and error are returned.
WALRollbackFunc is the callback for rollbacks.
Package framework imports 39 packages (graph) and is imported by 101 packages. Updated 2020-09-16. Refresh now. Tools for package owners.