logical

type ACMEBillingSystemView interface {
	CreateActivityCountEventForIdentifiers(ctx context.Context, identifiers []string) error
}

type Alias struct {

	// MountType is the backend mount's type to which this identity belongs
	MountType string `protobuf:"bytes,1,opt,name=mount_type,json=mountType,proto3" json:"mount_type,omitempty"`
	// MountAccessor is the identifier of the mount entry to which this
	// identity belongs
	MountAccessor string `protobuf:"bytes,2,opt,name=mount_accessor,json=mountAccessor,proto3" json:"mount_accessor,omitempty"`
	// Name is the identifier of this identity in its authentication source
	Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
	// Metadata represents the custom data tied to this alias. Fields added
	// to it should have a low rate of change (or no change) because each
	// change incurs a storage write, so quickly-changing fields can have
	// a significant performance impact at scale. See the SDK's
	// "aliasmetadata" package for a helper that eases and standardizes
	// using this safely.
	Metadata map[string]string `` /* 157-byte string literal not displayed */
	// ID is the unique identifier for the alias
	ID string `protobuf:"bytes,5,opt,name=ID,proto3" json:"ID,omitempty"`
	// NamespaceID is the identifier of the namespace to which this alias
	// belongs.
	NamespaceID string `protobuf:"bytes,6,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
	// Custom Metadata represents the custom data tied to this alias
	CustomMetadata map[string]string `` /* 191-byte string literal not displayed */
	// Local indicates if the alias only belongs to the cluster where it was
	// created. If true, the alias will be stored in a location that are ignored
	// by the performance replication subsystem.
	Local bool `protobuf:"varint,8,opt,name=local,proto3" json:"local,omitempty"`
	// contains filtered or unexported fields
}

type Auditor interface {
	AuditRequest(ctx context.Context, input *LogInput) error
	AuditResponse(ctx context.Context, input *LogInput) error
}

type Auth struct {
	LeaseOptions

	// InternalData is JSON-encodable data that is stored with the auth struct.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`

	// DisplayName is a non-security sensitive identifier that is
	// applicable to this Auth. It is used for logging and prefixing
	// of dynamic secrets. For example, DisplayName may be "armon" for
	// the github credential backend. If the client token is used to
	// generate a SQL credential, the user may be "github-armon-uuid".
	// This is to help identify the source without using audit tables.
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Policies is the list of policies that the authenticated user
	// is associated with.
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// TokenPolicies and IdentityPolicies break down the list in Policies to
	// help determine where a policy was sourced
	TokenPolicies    []string `json:"token_policies" mapstructure:"token_policies" structs:"token_policies"`
	IdentityPolicies []string `json:"identity_policies" mapstructure:"identity_policies" structs:"identity_policies"`

	// ExternalNamespacePolicies represent the policies authorized from
	// different namespaces indexed by respective namespace identifiers
	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`

	// Indicates that the default policy should not be added by core when
	// creating a token. The default policy will still be added if it's
	// explicitly defined.
	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`

	// Metadata is used to attach arbitrary string-type metadata to
	// an authenticated user. This metadata will be outputted into the
	// audit log.
	Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`

	// ClientToken is the token that is generated for the authentication.
	// This will be filled in by Vault core when an auth structure is
	// returned. Setting this manually will have no effect.
	ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`

	// Accessor is the identifier for the ClientToken. This can be used
	// to perform management functionalities (especially revocation) when
	// ClientToken in the audit logs are obfuscated. Accessor can be used
	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
	// both without actually knowing the ClientToken.
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

	// Period indicates that the token generated using this Auth object
	// should never expire. The token should be renewed within the duration
	// specified by this period.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`

	// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
	// tokens, this value is constrained by the configured max ttl.
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`

	// Number of allowed uses of the issued token
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// EntityID is the identifier of the entity in identity store to which the
	// identity of the authenticating client belongs to.
	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// Alias is the information about the authenticated client returned by
	// the auth backend
	Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`

	// GroupAliases are the informational mappings of external groups which an
	// authenticated user belongs to. This is used to check if there are
	// mappings groups for the group aliases in identity store. For all the
	// matching groups, the entity ID of the user will be added.
	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`

	// The set of CIDRs that this token can be used with
	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`

	// CreationPath is a path that the backend can return to use in the lease.
	// This is currently only supported for the token store where roles may
	// change the perceived path of the lease, even though they don't change
	// the request path itself.
	CreationPath string `json:"creation_path"`

	// TokenType is the type of token being requested
	TokenType TokenType `json:"token_type"`

	// Orphan is set if the token does not have a parent
	Orphan bool `json:"orphan"`

	// PolicyResults is the set of policies that grant the token access to the
	// requesting path.
	PolicyResults *PolicyResults `json:"policy_results"`

	// MFARequirement
	MFARequirement *MFARequirement `json:"mfa_requirement"`

	// EntityCreated is set to true if an entity is created as part of a login request
	EntityCreated bool `json:"entity_created"`
}

type Authz struct {
	Token             string    `json:"token"`
	AuthorizationTime time.Time `json:"authorization_time"`
}

type Backend interface {
	// Initialize is used to initialize a plugin after it has been mounted.
	Initialize(context.Context, *InitializationRequest) error

	// HandleRequest is used to handle a request and generate a response.
	// The backends must check the operation type and handle appropriately.
	HandleRequest(context.Context, *Request) (*Response, error)

	// SpecialPaths is a list of paths that are special in some way.
	// See PathType for the types of special paths. The key is the type
	// of the special path, and the value is a list of paths for this type.
	// This is not a regular expression but is an exact match. If the path
	// ends in '*' then it is a prefix-based match. The '*' can only appear
	// at the end.
	SpecialPaths() *Paths

	// System provides an interface to access certain system configuration
	// information, such as globally configured default and max lease TTLs.
	System() SystemView

	// Logger provides an interface to access the underlying logger. This
	// is useful when a struct embeds a Backend-implemented struct that
	// contains a private instance of logger.
	Logger() log.Logger

	// HandleExistenceCheck is used to handle a request and generate a response
	// indicating whether the given path exists or not; this is used to
	// understand whether the request must have a Create or Update capability
	// ACL applied. The first bool indicates whether an existence check
	// function was found for the backend; the second indicates whether, if an
	// existence check function was found, the item exists or not.
	HandleExistenceCheck(context.Context, *Request) (bool, bool, error)

	// Cleanup is invoked during an unmount of a backend to allow it to
	// handle any cleanup like connection closing or releasing of file handles.
	Cleanup(context.Context)

	// InvalidateKey may be invoked when an object is modified that belongs
	// to the backend. The backend can use this to clear any caches or reset
	// internal state as needed.
	InvalidateKey(context.Context, string)

	// Setup is used to set up the backend based on the provided backend
	// configuration.
	Setup(context.Context, *BackendConfig) error

	// Type returns the BackendType for the particular backend
	Type() BackendType
}

type BackendConfig struct {
	// View should not be stored, and should only be used for initialization
	StorageView Storage

	// The backend should use this logger. The log should not contain any secrets.
	Logger log.Logger

	// System provides a view into a subset of safe system information that
	// is useful for backends, such as the default/max lease TTLs
	System SystemView

	// BackendUUID is a unique identifier provided to this backend. It's useful
	// when a backend needs a consistent and unique string without using storage.
	BackendUUID string

	// Config is the opaque user configuration provided when mounting
	Config map[string]string

	// EventsSender provides a mechanism to interact with Vault events.
	EventsSender EventSender
}

type BackendType uint32

type ClearableView interface {
	List(context.Context, string) ([]string, error)
	Delete(context.Context, string) error
}

type ClientTokenSource uint32

type Connection struct {
	// RemoteAddr is the network address that sent the request.
	RemoteAddr string `json:"remote_addr"`

	// RemotePort is the network port that sent the request.
	RemotePort int `json:"remote_port"`

	// ConnState is the TLS connection state if applicable.
	ConnState *tls.ConnectionState `sentinel:""`
}

type ControlGroup struct {
	Authorizations []*Authz  `json:"authorizations"`
	RequestTime    time.Time `json:"request_time"`
	Approved       bool      `json:"approved"`
	NamespaceID    string    `json:"namespace_id"`
}

type CtxKeyDisableRequestLimiter struct{}

type CtxKeyInFlightRequestID struct{}

type CtxKeyRequestRole struct{}

type CustomHeader struct {
	Name  string
	Value string
}

type DelegatedAuthErrorHandler func(ctx context.Context, initiatingRequest, authRequest *Request, authResponse *Response, err error) (*Response, error)

type Empty struct {
	// contains filtered or unexported fields
}

type Entity struct {

	// ID is the unique identifier for the entity
	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
	// Name is the human-friendly unique identifier for the entity
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// Aliases contains thhe alias mappings for the given entity
	Aliases []*Alias `protobuf:"bytes,3,rep,name=aliases,proto3" json:"aliases,omitempty"`
	// Metadata represents the custom data tied to this entity
	Metadata map[string]string `` /* 157-byte string literal not displayed */
	// Disabled is true if the entity is disabled.
	Disabled bool `protobuf:"varint,5,opt,name=disabled,proto3" json:"disabled,omitempty"`
	// NamespaceID is the identifier of the namespace to which this entity
	// belongs to.
	NamespaceID string `protobuf:"bytes,6,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
	// contains filtered or unexported fields
}

type EventData struct {

	// ID identifies the event. It is required. The combination of
	// CloudEvents Source (i.e., Vault cluster) + ID must be unique.
	// Events with the same Source + ID can be assumed to be duplicates
	// by consumers.
	// Be careful when setting this manually that the ID contains enough
	// entropy to be unique, or possibly that it is idempotent, such
	// as a hash of other fields with sufficient uniqueness.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Arbitrary non-secret data. Optional.
	Metadata *structpb.Struct `protobuf:"bytes,2,opt,name=metadata,proto3" json:"metadata,omitempty"`
	// Any IDs that the event relates to, i.e., UUIDs, paths.
	EntityIds []string `protobuf:"bytes,3,rep,name=entity_ids,json=entityIds,proto3" json:"entity_ids,omitempty"`
	// Human-readable note.
	Note string `protobuf:"bytes,4,opt,name=note,proto3" json:"note,omitempty"`
	// contains filtered or unexported fields
}

type EventPluginInfo struct {

	// The type of plugin this event originated from, i.e., "auth" or "secrets.
	MountClass string `protobuf:"bytes,1,opt,name=mount_class,json=mountClass,proto3" json:"mount_class,omitempty"`
	// Unique ID of the mount entry, e.g., "kv_957bb7d8"
	MountAccessor string `protobuf:"bytes,2,opt,name=mount_accessor,json=mountAccessor,proto3" json:"mount_accessor,omitempty"`
	// Mount path of the plugin this event originated from, e.g., "secret/"
	MountPath string `protobuf:"bytes,3,opt,name=mount_path,json=mountPath,proto3" json:"mount_path,omitempty"`
	// Plugin name that this event originated from, e.g., "kv"
	Plugin string `protobuf:"bytes,4,opt,name=plugin,proto3" json:"plugin,omitempty"`
	// Plugin version of the plugin this event originated from, e.g., "v0.13.3+builtin"
	PluginVersion string `protobuf:"bytes,5,opt,name=plugin_version,json=pluginVersion,proto3" json:"plugin_version,omitempty"`
	// Mount version that this event originated from, i.e., if KVv2, then "2". Usually empty.
	Version string `protobuf:"bytes,6,opt,name=version,proto3" json:"version,omitempty"`
	// contains filtered or unexported fields
}

type EventReceived struct {
	Event *EventData `protobuf:"bytes,1,opt,name=event,proto3" json:"event,omitempty"`
	// namespace path
	Namespace  string           `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
	EventType  string           `protobuf:"bytes,3,opt,name=event_type,json=eventType,proto3" json:"event_type,omitempty"`
	PluginInfo *EventPluginInfo `protobuf:"bytes,4,opt,name=plugin_info,json=pluginInfo,proto3" json:"plugin_info,omitempty"`
	// contains filtered or unexported fields
}

type EventReceivedBexpr struct {
	EventType         string `bexpr:"event_type"`
	Operation         string `bexpr:"operation"`
	SourcePluginMount string `bexpr:"source_plugin_mount"`
	DataPath          string `bexpr:"data_path"`
	Namespace         string `bexpr:"namespace"`
}

type EventSender interface {
	SendEvent(ctx context.Context, eventType EventType, event *EventData) error
}

type EventType string

type ExtendedSystemView interface {
	WellKnownSystemView

	Auditor() Auditor
	ForwardGenericRequest(context.Context, *Request) (*Response, error)

	// APILockShouldBlockRequest returns whether a namespace for the requested
	// mount is locked and should be blocked
	APILockShouldBlockRequest() (bool, error)

	// GetPinnedPluginVersion returns the pinned version for the given plugin, if any.
	GetPinnedPluginVersion(ctx context.Context, pluginType consts.PluginType, pluginName string) (*pluginutil.PinnedVersion, error)
}

type Factory func(context.Context, *BackendConfig) (Backend, error)

type Group struct {

	// ID is the unique identifier for the group
	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
	// Name is the human-friendly unique identifier for the group
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// Metadata represents the custom data tied to this group
	Metadata map[string]string `` /* 157-byte string literal not displayed */
	// NamespaceID is the identifier of the namespace to which this group
	// belongs to.
	NamespaceID string `protobuf:"bytes,4,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
	// contains filtered or unexported fields
}

type HTTPAuth struct {
	ClientToken      string            `json:"client_token"`
	Accessor         string            `json:"accessor"`
	Policies         []string          `json:"policies"`
	TokenPolicies    []string          `json:"token_policies,omitempty"`
	IdentityPolicies []string          `json:"identity_policies,omitempty"`
	Metadata         map[string]string `json:"metadata"`
	LeaseDuration    int               `json:"lease_duration"`
	Renewable        bool              `json:"renewable"`
	EntityID         string            `json:"entity_id"`
	TokenType        string            `json:"token_type"`
	Orphan           bool              `json:"orphan"`
	MFARequirement   *MFARequirement   `json:"mfa_requirement"`
	NumUses          int               `json:"num_uses"`
}

type HTTPCodedError interface {
	Error() string
	Code() int
}

type HTTPResponse struct {
	RequestID     string                 `json:"request_id"`
	LeaseID       string                 `json:"lease_id"`
	Renewable     bool                   `json:"renewable"`
	LeaseDuration int                    `json:"lease_duration"`
	Data          map[string]interface{} `json:"data"`
	WrapInfo      *HTTPWrapInfo          `json:"wrap_info"`
	Warnings      []string               `json:"warnings"`
	Headers       map[string][]string    `json:"-"`
	Auth          *HTTPAuth              `json:"auth"`
	MountType     string                 `json:"mount_type"`
}

type HTTPResponseWriter struct {
	http.ResponseWriter
	// contains filtered or unexported fields
}

type HTTPSysInjector struct {
	Response *HTTPResponse
}

type HTTPWrapInfo struct {
	Token           string `json:"token"`
	Accessor        string `json:"accessor"`
	TTL             int    `json:"ttl"`
	CreationTime    string `json:"creation_time"`
	CreationPath    string `json:"creation_path"`
	WrappedAccessor string `json:"wrapped_accessor,omitempty"`
}

type InitializationRequest struct {
	// Storage can be used to durably store and retrieve state.
	Storage Storage
}

type InmemStorage struct {
	// contains filtered or unexported fields
}

type KeyNotFoundError struct {
	Err error
}

type KeyUsage int

type LeaseOptions struct {
	// TTL is the duration that this secret is valid for. Vault
	// will automatically revoke it after the duration.
	TTL time.Duration `json:"lease"`

	// MaxTTL is the maximum duration that this secret is valid for.
	MaxTTL time.Duration `json:"max_ttl"`

	// Renewable, if true, means that this secret can be renewed.
	Renewable bool `json:"renewable"`

	// Increment will be the lease increment that the user requested.
	// This is only available on a Renew operation and has no effect
	// when returning a response.
	Increment time.Duration `json:"-"`

	// IssueTime is the time of issue for the original lease. This is
	// only available on Renew and Revoke operations and has no effect when returning
	// a response. It can be used to enforce maximum lease periods by
	// a logical backend.
	IssueTime time.Time `json:"-"`
}

type LogInput struct {
	Type                string
	Auth                *Auth
	Request             *Request
	Response            *Response
	OuterErr            error
	NonHMACReqDataKeys  []string
	NonHMACRespDataKeys []string
}

type LogInputBexpr struct {
	MountPoint string `bexpr:"mount_point"`
	MountType  string `bexpr:"mount_type"`
	Namespace  string `bexpr:"namespace"`
	Operation  string `bexpr:"operation"`
	Path       string `bexpr:"path"`
}

type LogicalStorage struct {
	// contains filtered or unexported fields
}

type MFAConstraintAny struct {
	Any []*MFAMethodID `protobuf:"bytes,1,rep,name=any,proto3" json:"any,omitempty"`
	// contains filtered or unexported fields
}

type MFACreds map[string][]string

type MFAMethodID struct {
	Type         string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	ID           string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
	UsesPasscode bool   `protobuf:"varint,3,opt,name=uses_passcode,json=usesPasscode,proto3" json:"uses_passcode,omitempty"`
	Name         string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

type MFARequirement struct {
	MFARequestID   string                       `protobuf:"bytes,1,opt,name=mfa_request_id,json=mfaRequestId,proto3" json:"mfa_request_id,omitempty"`
	MFAConstraints map[string]*MFAConstraintAny `` /* 191-byte string literal not displayed */
	// contains filtered or unexported fields
}

type ManagedAsymmetricKey interface {
	ManagedKey
	GetPublicKey(ctx context.Context) (crypto.PublicKey, error)
}

type ManagedEncryptingKey interface {
	ManagedKey
	Encrypt(ctx context.Context, plaintext []byte, options ...wrapping.Option) ([]byte, error)
	Decrypt(ctx context.Context, ciphertext []byte, options ...wrapping.Option) ([]byte, error)
}

type ManagedEncryptingKeyConsumer func(context.Context, ManagedEncryptingKey) error

type ManagedKey interface {
	// Name is a human-readable identifier for a managed key that may change/renamed. Use Uuid if a
	// long term consistent identifier is needed.
	Name() string
	// UUID is a unique identifier for a managed key that is guaranteed to remain
	// consistent even if a key is migrated or renamed.
	UUID() string
	// Present returns true if the key is established in the KMS.  This may return false if for example
	// an HSM library is not configured on all cluster nodes.
	Present(ctx context.Context) (bool, error)

	// AllowsAll returns true if all the requested usages are supported by the managed key.
	AllowsAll(usages []KeyUsage) bool
}

type ManagedKeyConsumer func(context.Context, ManagedKey) error

type ManagedKeyLifecycle interface {
	// GenerateKey generates a key in the KMS if it didn't yet exist, returning the id.
	// If it already existed, returns the existing id.  KMSKey's key material is ignored if present.
	GenerateKey(ctx context.Context) (string, error)
}

type ManagedKeyRandomSource interface {
	ManagedKey

	// GetRandomBytes returns a number (specified by the count parameter) of random bytes sourced from the target managed key.
	GetRandomBytes(count int) ([]byte, error)
}

type ManagedKeyRandomSourceConsumer func(context.Context, ManagedKeyRandomSource) error

type ManagedKeySystemView interface {
	// WithManagedKeyByName retrieves an instantiated managed key for consumption by the given function.  The
	// provided key can only be used within the scope of that function call
	WithManagedKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedKeyConsumer) error
	// WithManagedKeyByUUID retrieves an instantiated managed key for consumption by the given function.  The
	// provided key can only be used within the scope of that function call
	WithManagedKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedKeyConsumer) error

	// WithManagedSigningKeyByName retrieves an instantiated managed signing key for consumption by the given function,
	// with the same semantics as WithManagedKeyByName
	WithManagedSigningKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedSigningKeyConsumer) error
	// WithManagedSigningKeyByUUID retrieves an instantiated managed signing key for consumption by the given function,
	// with the same semantics as WithManagedKeyByUUID
	WithManagedSigningKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedSigningKeyConsumer) error
	// WithManagedSigningKeyByName retrieves an instantiated managed signing key for consumption by the given function,
	// with the same semantics as WithManagedKeyByName
	WithManagedEncryptingKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedEncryptingKeyConsumer) error
	// WithManagedSigningKeyByUUID retrieves an instantiated managed signing key for consumption by the given function,
	// with the same semantics as WithManagedKeyByUUID
	WithManagedEncryptingKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedEncryptingKeyConsumer) error
	// WithManagedMACKeyByName retrieves an instantiated managed MAC key by name for consumption by the given function,
	// with the same semantics as WithManagedKeyByName.
	WithManagedMACKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedMACKeyConsumer) error
	// WithManagedMACKeyByUUID retrieves an instantiated managed MAC key by UUID for consumption by the given function,
	// with the same semantics as WithManagedKeyByUUID.
	WithManagedMACKeyByUUID(ctx context.Context, keyUUID, backendUUID string, f ManagedMACKeyConsumer) error
}

type ManagedMACKey interface {
	ManagedKey

	// MAC generates a MAC tag using the provided algorithm for the provided value.
	MAC(ctx context.Context, algorithm string, data []byte) ([]byte, error)
}

type ManagedMACKeyConsumer func(context.Context, ManagedMACKey) error

type ManagedSigningKey interface {
	ManagedAsymmetricKey

	// Sign returns a digital signature of the provided value.  The SignerOpts param must provide the hash function
	// that generated the value (if any).
	// The optional randomSource specifies the source of random values and may be ignored by the implementation
	// (such as on HSMs with their own internal RNG)
	Sign(ctx context.Context, value []byte, randomSource io.Reader, opts crypto.SignerOpts) ([]byte, error)

	// Verify verifies the provided signature against the value.  The SignerOpts param must provide the hash function
	// that generated the value (if any).
	// If true is returned the signature is correct, false otherwise.
	Verify(ctx context.Context, signature, value []byte, opts crypto.SignerOpts) (bool, error)

	// GetSigner returns an implementation of crypto.Signer backed by the managed key.  This should be called
	// as needed so as to use per request contexts.
	GetSigner(context.Context) (crypto.Signer, error)
}

type ManagedSigningKeyConsumer func(context.Context, ManagedSigningKey) error

type MarshalOptions struct {
	ValueHasher func(string) string
}

type MockEvent struct {
	Type  EventType
	Event *EventData
}

type MockEventSender struct {
	sync.Mutex
	Events  []MockEvent
	Stopped bool
}

type Operation string

type OptMarshaler interface {
	MarshalJSONWithOptions(*MarshalOptions) ([]byte, error)
}

type PasswordGenerator func() (password string, err error)

type PasswordPolicy interface {
	// Generate a random password
	Generate(context.Context, io.Reader) (string, error)
}

type Paths struct {
	// Root are the API paths that require a root token to access
	Root []string

	// Unauthenticated are the API paths that can be accessed without any auth.
	// These can't be regular expressions, it is either exact match, a prefix
	// match and/or a wildcard match. For prefix match, append '*' as a suffix.
	// For a wildcard match, use '+' in the segment to match any identifier
	// (e.g. 'foo/+/bar'). Note that '+' can't be adjacent to a non-slash.
	Unauthenticated []string

	// LocalStorage are storage paths (prefixes) that are local to this cluster;
	// this indicates that these paths should not be replicated across performance clusters
	// (DR replication is unaffected).
	LocalStorage []string

	// SealWrapStorage are storage paths that, when using a capable seal,
	// should be seal wrapped with extra encryption. It is exact matching
	// unless it ends with '/' in which case it will be treated as a prefix.
	SealWrapStorage []string

	// WriteForwardedStorage are storage paths that, when running on a PR
	// Secondary cluster, cause a GRPC call up to the PR Primary cluster's
	// active node to handle storage.Put(...) and storage.Delete(...) events.
	// These paths MUST include a {{clusterId}} literal, which the write layer
	// will resolve to this cluster's UUID ("replication set" identifier).
	// storage.List(...) and storage.Get(...) operations occur from the
	// locally replicated data set, but can use path template expansion to be
	// identifier agnostic.
	//
	// These paths require careful considerations by developers to use. In
	// particular, writes on secondary clusters will not appear (when a
	// corresponding read is issued immediately after a write) until the
	// replication from primary->secondary has occurred. This replication
	// triggers an InvalidateKey(...) call on the secondary, which can be
	// used to detect the write has finished syncing. However, this will
	// likely occur after the request has finished, so it is important to
	// not block on this occurring.
	//
	// On standby nodes, like all storage write operations, this will trigger
	// an ErrReadOnly return.
	WriteForwardedStorage []string

	// Binary paths are those whose request bodies should not be assumed to
	// be JSON encoded, and for which the backend will decode values for auditing
	Binary []string

	// Limited paths are storage paths that require special-cased request
	// limiting.
	//
	// This was initially added to separate limiting of "write" requests
	// (limits.WriteLimiter) from limiting for CPU-bound pki/issue requests
	// (limits.SpecialPathLimiter). Other plugins might also choose to mark
	// paths if they don't follow a typical resource usage pattern.
	//
	// For more details, consult limits/registry.go.
	Limited []string
}

type PluginEnvironment struct {

	// VaultVersion is the version of the Vault server
	VaultVersion string `protobuf:"bytes,1,opt,name=vault_version,json=vaultVersion,proto3" json:"vault_version,omitempty"`
	// VaultVersionPrerelease is the prerelease information of the Vault server
	VaultVersionPrerelease string `` /* 129-byte string literal not displayed */
	// VaultVersionMetadata is the version metadata of the Vault server
	VaultVersionMetadata string `protobuf:"bytes,3,opt,name=vault_version_metadata,json=vaultVersionMetadata,proto3" json:"vault_version_metadata,omitempty"`
	// contains filtered or unexported fields
}

type PluginVersion struct {
	Version string
}

type PluginVersionClient interface {
	// Version returns version information for the plugin.
	Version(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*VersionReply, error)
}

type PluginVersionServer interface {
	// Version returns version information for the plugin.
	Version(context.Context, *Empty) (*VersionReply, error)
	// contains filtered or unexported methods
}

type PluginVersioner interface {
	// PluginVersion returns the version for the backend
	PluginVersion() PluginVersion
}

type PolicyInfo struct {
	Name          string `json:"name"`
	NamespaceId   string `json:"namespace_id"`
	NamespacePath string `json:"namespace_path"`
	Type          string `json:"type"`
}

type PolicyResults struct {
	Allowed          bool         `json:"allowed"`
	GrantingPolicies []PolicyInfo `json:"granting_policies"`
}

type ReplicationCodedError struct {
	Msg  string
	Code int
}

type Request struct {
	// Id is the uuid associated with each request
	ID string `json:"id" structs:"id" mapstructure:"id" sentinel:""`

	// If set, the name given to the replication secondary where this request
	// originated
	ReplicationCluster string `json:"replication_cluster" structs:"replication_cluster" mapstructure:"replication_cluster" sentinel:""`

	// Operation is the requested operation type
	Operation Operation `json:"operation" structs:"operation" mapstructure:"operation"`

	// Path is the full path of the request
	Path string `json:"path" structs:"path" mapstructure:"path" sentinel:""`

	// Request data is an opaque map that must have string keys.
	Data map[string]interface{} `json:"map" structs:"data" mapstructure:"data"`

	// Storage can be used to durably store and retrieve state.
	Storage Storage `json:"-" sentinel:""`

	// Secret will be non-nil only for Revoke and Renew operations
	// to represent the secret that was returned prior.
	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret" sentinel:""`

	// Auth will be non-nil only for Renew operations
	// to represent the auth that was returned prior.
	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth" sentinel:""`

	// Headers will contain the http headers from the request. This value will
	// be used in the audit broker to ensure we are auditing only the allowed
	// headers.
	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers" sentinel:""`

	// Connection will be non-nil only for credential providers to
	// inspect the connection information and potentially use it for
	// authentication/protection.
	Connection *Connection `json:"connection" structs:"connection" mapstructure:"connection"`

	// ClientToken is provided to the core so that the identity
	// can be verified and ACLs applied. This value is passed
	// through to the logical backends but after being salted and
	// hashed.
	ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`

	// ClientTokenAccessor is provided to the core so that the it can get
	// logged as part of request audit logging.
	ClientTokenAccessor string `json:"client_token_accessor" structs:"client_token_accessor" mapstructure:"client_token_accessor" sentinel:""`

	// DisplayName is provided to the logical backend to help associate
	// dynamic secrets with the source entity. This is not a sensitive
	// name, but is useful for operators.
	DisplayName string `json:"display_name" structs:"display_name" mapstructure:"display_name" sentinel:""`

	// MountPoint is provided so that a logical backend can generate
	// paths relative to itself. The `Path` is effectively the client
	// request path with the MountPoint trimmed off.
	MountPoint string `json:"mount_point" structs:"mount_point" mapstructure:"mount_point" sentinel:""`

	// MountType is provided so that a logical backend can make decisions
	// based on the specific mount type (e.g., if a mount type has different
	// aliases, generating different defaults depending on the alias)
	MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type" sentinel:""`

	// MountAccessor is provided so that identities returned by the authentication
	// backends can be tied to the mount it belongs to.
	MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor" sentinel:""`

	// WrapInfo contains requested response wrapping parameters
	WrapInfo *RequestWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info" sentinel:""`

	// ClientTokenRemainingUses represents the allowed number of uses left on the
	// token supplied
	ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`

	// EntityID is the identity of the caller extracted out of the token used
	// to make this request
	EntityID string `json:"entity_id" structs:"entity_id" mapstructure:"entity_id" sentinel:""`

	// PolicyOverride indicates that the requestor wishes to override
	// soft-mandatory Sentinel policies
	PolicyOverride bool `json:"policy_override" structs:"policy_override" mapstructure:"policy_override"`

	// Whether the request is unauthenticated, as in, had no client token
	// attached. Useful in some situations where the client token is not made
	// accessible.
	Unauthenticated bool `json:"unauthenticated" structs:"unauthenticated" mapstructure:"unauthenticated"`

	// PathLimited indicates that the request path is marked for special-case
	// request limiting.
	PathLimited bool `json:"path_limited" structs:"path_limited" mapstructure:"path_limited"`

	// MFACreds holds the parsed MFA information supplied over the API as part of
	// X-Vault-MFA header
	MFACreds MFACreds `json:"mfa_creds" structs:"mfa_creds" mapstructure:"mfa_creds" sentinel:""`

	// ControlGroup holds the authorizations that have happened on this
	// request
	ControlGroup *ControlGroup `json:"control_group" structs:"control_group" mapstructure:"control_group" sentinel:""`

	// ClientTokenSource tells us where the client token was sourced from, so
	// we can delete it before sending off to plugins
	ClientTokenSource ClientTokenSource

	// HTTPRequest, if set, can be used to access fields from the HTTP request
	// that generated this logical.Request object, such as the request body.
	HTTPRequest *http.Request `json:"-" sentinel:""`

	// ResponseWriter if set can be used to stream a response value to the http
	// request that generated this logical.Request object.
	ResponseWriter *HTTPResponseWriter `json:"-" sentinel:""`

	// ClientID is the identity of the caller. If the token is associated with an
	// entity, it will be the same as the EntityID . If the token has no entity,
	// this will be the sha256(sorted policies + namespace) associated with the
	// client token.
	ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""`

	// InboundSSCToken is the token that arrives on an inbound request, supplied
	// by the vault user.
	InboundSSCToken string

	// When a request has been forwarded, contains information of the host the request was forwarded 'from'
	ForwardedFrom string `json:"forwarded_from,omitempty"`

	// Name of the chroot namespace for the listener that the request was made against
	ChrootNamespace string `json:"chroot_namespace,omitempty"`

	// RequestLimiterDisabled tells whether the request context has Request Limiter applied.
	RequestLimiterDisabled bool `json:"request_limiter_disabled,omitempty"`
	// contains filtered or unexported fields
}

type RequestDelegatedAuthError struct {
	// contains filtered or unexported fields
}

type RequestWrapInfo struct {
	// Setting to non-zero specifies that the response should be wrapped.
	// Specifies the desired TTL of the wrapping token.
	TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl" sentinel:""`

	// The format to use for the wrapped response; if not specified it's a bare
	// token
	Format string `json:"format" structs:"format" mapstructure:"format" sentinel:""`

	// A flag to conforming backends that data for a given request should be
	// seal wrapped
	SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap" sentinel:""`
}

type Response struct {
	// Secret, if not nil, denotes that this response represents a secret.
	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret"`

	// Auth, if not nil, contains the authentication information for
	// this response. This is only checked and means something for
	// credential backends.
	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth"`

	// Response data is an opaque map that must have string keys. For
	// secrets, this data is sent down to the user as-is. To store internal
	// data that you don't want the user to see, store it in
	// Secret.InternalData.
	Data map[string]interface{} `json:"data" structs:"data" mapstructure:"data"`

	// Redirect is an HTTP URL to redirect to for further authentication.
	// This is only valid for credential backends. This will be blanked
	// for any logical backend and ignored.
	Redirect string `json:"redirect" structs:"redirect" mapstructure:"redirect"`

	// Warnings allow operations or backends to return warnings in response
	// to user actions without failing the action outright.
	Warnings []string `json:"warnings" structs:"warnings" mapstructure:"warnings"`

	// Information for wrapping the response in a cubbyhole
	WrapInfo *wrapping.ResponseWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info"`

	// Headers will contain the http headers from the plugin that it wishes to
	// have as part of the output
	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers"`

	// MountType, if non-empty, provides some information about what kind
	// of mount this secret came from.
	MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type"`
}

type Secret struct {
	LeaseOptions

	// InternalData is JSON-encodable data that is stored with the secret.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData map[string]interface{} `json:"internal_data" sentinel:""`

	// LeaseID is the ID returned to the user to manage this secret.
	// This is generated by Vault core. Any set value will be ignored.
	// For requests, this will always be blank.
	LeaseID string `sentinel:""`
}

type StaticSystemView struct {
	DefaultLeaseTTLVal           time.Duration
	MaxLeaseTTLVal               time.Duration
	SudoPrivilegeVal             bool
	TaintedVal                   bool
	CachingDisabledVal           bool
	Primary                      bool
	EnableMlock                  bool
	LocalMountVal                bool
	ReplicationStateVal          consts.ReplicationState
	EntityVal                    *Entity
	GroupsVal                    []*Group
	Features                     license.Features
	PluginEnvironment            *PluginEnvironment
	PasswordPolicies             map[string]PasswordGenerator
	VersionString                string
	ClusterUUID                  string
	APILockShouldBlockRequestVal bool
}

type StatusBadRequest struct {
	Err string
}

type StatusHeaderResponseWriter struct {
	StatusCode int
	// contains filtered or unexported fields
}

type Storage interface {
	List(context.Context, string) ([]string, error)
	Get(context.Context, string) (*StorageEntry, error)
	Put(context.Context, *StorageEntry) error
	Delete(context.Context, string) error
}

type StorageEntry struct {
	Key      string
	Value    []byte
	SealWrap bool
}

type StorageView struct {
	// contains filtered or unexported fields
}

type SystemView interface {
	// DefaultLeaseTTL returns the default lease TTL set in Vault configuration
	DefaultLeaseTTL() time.Duration

	// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
	// authors should take care not to issue credentials that last longer than
	// this value, as Vault will revoke them
	MaxLeaseTTL() time.Duration

	// Returns true if the mount is tainted. A mount is tainted if it is in the
	// process of being unmounted. This should only be used in special
	// circumstances; a primary use-case is as a guard in revocation functions.
	// If revocation of a backend's leases fails it can keep the unmounting
	// process from being successful. If the reason for this failure is not
	// relevant when the mount is tainted (for instance, saving a CRL to disk
	// when the stored CRL will be removed during the unmounting process
	// anyways), we can ignore the errors to allow unmounting to complete.
	Tainted() bool

	// Returns true if caching is disabled. If true, no caches should be used,
	// despite known slowdowns.
	CachingDisabled() bool

	// When run from a system view attached to a request, indicates whether the
	// request is affecting a local mount or not
	LocalMount() bool

	// ReplicationState indicates the state of cluster replication
	ReplicationState() consts.ReplicationState

	// HasFeature returns true if the feature is currently enabled
	HasFeature(feature license.Features) bool

	// ResponseWrapData wraps the given data in a cubbyhole and returns the
	// token used to unwrap.
	ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)

	// LookupPlugin looks into the plugin catalog for a plugin with the given
	// name. Returns a PluginRunner or an error if a plugin can not be found.
	LookupPlugin(ctx context.Context, pluginName string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error)

	// LookupPluginVersion looks into the plugin catalog for a plugin with the given
	// name and version. Returns a PluginRunner or an error if a plugin can not be found.
	LookupPluginVersion(ctx context.Context, pluginName string, pluginType consts.PluginType, version string) (*pluginutil.PluginRunner, error)

	// ListVersionedPlugins returns information about all plugins of a certain
	// type in the catalog, including any versioning information stored for them.
	ListVersionedPlugins(ctx context.Context, pluginType consts.PluginType) ([]pluginutil.VersionedPlugin, error)

	// NewPluginClient returns a client for managing the lifecycle of plugin
	// processes
	NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error)

	// MlockEnabled returns the configuration setting for enabling mlock on
	// plugins.
	MlockEnabled() bool

	// EntityInfo returns a subset of information related to the identity entity
	// for the given entity id
	EntityInfo(entityID string) (*Entity, error)

	// GroupsForEntity returns the group membership information for the provided
	// entity id
	GroupsForEntity(entityID string) ([]*Group, error)

	// PluginEnv returns Vault environment information used by plugins
	PluginEnv(context.Context) (*PluginEnvironment, error)

	// VaultVersion returns the version string for the currently running Vault.
	VaultVersion(context.Context) (string, error)

	// GeneratePasswordFromPolicy generates a password from the policy referenced.
	// If the policy does not exist, this will return an error.
	GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)

	// ClusterID returns the replication ClusterID, for use with path-based
	// write forwarding (WriteForwardedPaths). This value will be templated
	// in for the {{cluterId}} sentinel.
	ClusterID(ctx context.Context) (string, error)

	// GenerateIdentityToken returns an identity token for the requesting plugin.
	GenerateIdentityToken(ctx context.Context, req *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error)
}

type TokenEntry struct {
	Type TokenType `json:"type" mapstructure:"type" structs:"type" sentinel:""`

	// ID of this entry, generally a random UUID
	ID string `json:"id" mapstructure:"id" structs:"id" sentinel:""`

	// ExternalID is the ID of a newly created service
	// token that will be returned to a user
	ExternalID string `json:"-"`

	// Accessor for this token, a random UUID
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor" sentinel:""`

	// Parent token, used for revocation trees
	Parent string `json:"parent" mapstructure:"parent" structs:"parent" sentinel:""`

	// Which named policies should be used
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// InlinePolicy specifies ACL rules to be applied to this token entry.
	InlinePolicy string `json:"inline_policy" mapstructure:"inline_policy" structs:"inline_policy"`

	// Used for audit trails, this is something like "auth/user/login"
	Path string `json:"path" mapstructure:"path" structs:"path"`

	// Used for auditing. This could include things like "source", "user", "ip"
	Meta map[string]string `json:"meta" mapstructure:"meta" structs:"meta" sentinel:"meta"`

	// InternalMeta is used to store internal metadata. This metadata will not be audit logged or returned from lookup APIs.
	InternalMeta map[string]string `json:"internal_meta" mapstructure:"internal_meta" structs:"internal_meta"`

	// Used for operators to be able to associate with the source
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Used to restrict the number of uses (zero is unlimited). This is to
	// support one-time-tokens (generalized). There are a few special values:
	// if it's -1 it has run through its use counts and is executing its final
	// use; if it's -2 it is tainted, which means revocation is currently
	// running on it; and if it's -3 it's also tainted but revocation
	// previously ran and failed, so this hints the tidy function to try it
	// again.
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// Time of token creation
	CreationTime int64 `json:"creation_time" mapstructure:"creation_time" structs:"creation_time" sentinel:""`

	// Duration set when token was created
	TTL time.Duration `json:"ttl" mapstructure:"ttl" structs:"ttl" sentinel:""`

	// Explicit maximum TTL on the token
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl" sentinel:""`

	// If set, the role that was used for parameters at creation time
	Role string `json:"role" mapstructure:"role" structs:"role"`

	// If set, the period of the token. This is only used when created directly
	// through the create endpoint; periods managed by roles or other auth
	// backends are subject to those renewal rules.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period" sentinel:""`

	// These are the deprecated fields
	DisplayNameDeprecated    string        `json:"DisplayName" mapstructure:"DisplayName" structs:"DisplayName" sentinel:""`
	NumUsesDeprecated        int           `json:"NumUses" mapstructure:"NumUses" structs:"NumUses" sentinel:""`
	CreationTimeDeprecated   int64         `json:"CreationTime" mapstructure:"CreationTime" structs:"CreationTime" sentinel:""`
	ExplicitMaxTTLDeprecated time.Duration `json:"ExplicitMaxTTL" mapstructure:"ExplicitMaxTTL" structs:"ExplicitMaxTTL" sentinel:""`

	// EntityID is the ID of the entity associated with this token.
	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// If NoIdentityPolicies is true, the token will not inherit
	// identity policies from the associated EntityID.
	NoIdentityPolicies bool `json:"no_identity_policies" mapstructure:"no_identity_policies" structs:"no_identity_policies"`

	// The set of CIDRs that this token can be used with
	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs" sentinel:""`

	// NamespaceID is the identifier of the namespace to which this token is
	// confined to. Do not return this value over the API when the token is
	// being looked up.
	NamespaceID string `json:"namespace_id" mapstructure:"namespace_id" structs:"namespace_id" sentinel:""`

	// CubbyholeID is the identifier of the cubbyhole storage belonging to this
	// token
	CubbyholeID string `json:"cubbyhole_id" mapstructure:"cubbyhole_id" structs:"cubbyhole_id" sentinel:""`
}

type TokenType uint8

type UnimplementedPluginVersionServer struct {
}

type UnsafePluginVersionServer interface {
	// contains filtered or unexported methods
}

type VersionReply struct {
	PluginVersion string `protobuf:"bytes,1,opt,name=plugin_version,json=pluginVersion,proto3" json:"plugin_version,omitempty"`
	// contains filtered or unexported fields
}

type WALState struct {
	ClusterID       string
	LocalIndex      uint64
	ReplicatedIndex uint64
}

type WellKnownSystemView interface {
	// RequestWellKnownRedirect registers a redirect from .well-known/src
	// to dest, where dest is a sub-path of the mount. An error
	// is returned if that source path is already taken
	RequestWellKnownRedirect(ctx context.Context, src, dest string) error

	// DeregisterWellKnownRedirect unregisters a specific redirect. Returns
	// true if that redirect source was found
	DeregisterWellKnownRedirect(ctx context.Context, src string) bool
}

type WrappingResponseWriter interface {
	http.ResponseWriter
	Wrapped() http.ResponseWriter
}