keymaster

package
v0.0.0-...-dd50932 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2024 License: MIT Imports: 18 Imported by: 0

Documentation

Overview

These functions manage auth configs for instantiating Roles in K8S.

Each Auth Role will enable a number of policies.

It is expected that the consumer of the secret will know, and ask for the role they need.

These functions manage auth configs for instantiating Roles in Vault via TLS Certs.

Each Auth Role will enable a number of policies.

It is expected that the consumer of the secret will know, and ask for the Role they need.

Index

Constants

View Source 
const ERR_BAD_GENERATOR = "unable to create generator"
View Source 
const ERR_CLUSTER_DATA_LOAD = "failed to load data in supplied config"
View Source 
const ERR_MISSING_ENVIRONMENTS = "no environments list found in config"
View Source 
const ERR_MISSING_GENERATOR = "missing generator in secret"
View Source 
const ERR_MISSING_SECRET = "missing secret in role"
View Source 
const ERR_NAMELESS_ROLE = "nameless roles are not supported"
View Source 
const ERR_NAMELESS_SECRET = "nameless secrets are not supported"
View Source 
const ERR_NAMELESS_TEAM = "nameless teams are not supported"
View Source 
const ERR_REALMLESS_ROLE = "realmless roles are not supported"
View Source 
const ERR_SLASH_IN_ROLE_NAME = "role names cannot contain slashes"
View Source 
const ERR_SLASH_IN_TEAM_NAME = "team names cannot contain slashes"
View Source 
const ERR_TEAM_DATA_LOAD = "failed to load team data in supplied config"
View Source 
const ERR_UNKNOWN_GENERATOR = "unknown generator"
View Source 
const ERR_UNSUPPORTED_REALM = "unsupported realm"
View Source 
const EXTERNAL = "external"
View Source 
const IAM = "iam"
View Source 
const K8S = "k8s"
View Source 
const TLS = "tls"
View Source 
const VERSION = "0.3.0"

Variables

View Source 
var RealmTypes = []string{
	IAM,
	K8S,
	TLS,
	EXTERNAL,
}

Functions

func AnonymizeStringArray 

func AnonymizeStringArray(input []string) (output []interface{})

AnonymizeStringArray turns an []string into []interface{} so that we can use reflect.DeepEqual() to compare.

func LoadSecretYamls 

func LoadSecretYamls(files []string, verbose bool) (data [][]byte, err error)

func MapDiff 

func MapDiff(expected map[string]interface{}, actual map[string]interface{}) (err error)

MapDiff compares two maps, and returns the first place they differ

func PartialMatch 

func PartialMatch(matchKeys []string, expected map[string]interface{}, actual map[string]interface{}) (err error)

PartialMatch compares two maps, and returns true if the keys you care about match. Other keys are ignored

Types

type AlphaGenerator 

type AlphaGenerator struct {
	Type   string
	Length int
}

Alphanumerics AlphaGenerator generates alphanumeric strings of any length given

func NewAlphaGenerator 

func NewAlphaGenerator(options GeneratorData) (generator AlphaGenerator, err error)

NewAlphaGenerator produces a new AlphaGenerator from the provided options

func (AlphaGenerator) Generate 

func (g AlphaGenerator) Generate() (string, error)

Generate produces the required string of the length indicated

type CHBSGenerator 

type CHBSGenerator struct {
	Type  string
	Words int
}

Correct Horse Battery Staple Secrets CHBSGenerator a Correct Horse Battery Staple passphrase generator

func (CHBSGenerator) Generate 

func (g CHBSGenerator) Generate() (string, error)

Generate produces a random word list separated by hyphens

type Cluster 

type Cluster struct {
	Name         string `yaml:"name"`
	ApiServerUrl string `yaml:"apiserver"`
	CACert       string `yaml:"ca_cert"`
	EnvName      string `yaml:"environment"`
	Environment  string
	BoundCidrs   []string `yaml:"bound_cidrs"`
}

type Generator 

type Generator interface {
	Generate() (value string, err error)
}

Generator an interface for a function that creates a string according to a pattern. E. g.

func NewCHBSGenerator 

func NewCHBSGenerator(options GeneratorData) (generator Generator, err error)

NewCHBSGenerator creates a CHBSGenerator from the provided options

func NewRSAGenerator 

func NewRSAGenerator(options GeneratorData) (generator Generator, err error)

NewRSAGenerrator makes an RSAGenerator from the options provided

func NewStaticGenerator 

func NewStaticGenerator() (generator Generator, err error)

NewStaticGenerrator makes an StaticGenerator

func NewTlsGenerator 

func NewTlsGenerator(vaultClient *api.Client, options GeneratorData) (generator Generator, err error)

NewTlsGenerator produces a new TlSGenerator from the options indicated

func NewUUIDGenerator 

func NewUUIDGenerator(options GeneratorData) (generator Generator, err error)

NewUUIDGenerator produces a UUIDGenerator from the provided options

type GeneratorData 

type GeneratorData map[string]interface{}

GeneratorData Generic data map for configuring a Generator

type GeneratorType 

type GeneratorType int

type HexGenerator 

type HexGenerator struct {
	Type   string
	Length int
}

Hex strings HexGenerator generates hecadecimal strings

func NewHexGenerator 

func NewHexGenerator(options GeneratorData) (generator HexGenerator, err error)

NewHexGenerator creates a new HexGenerator from the options given

func (HexGenerator) Generate 

func (g HexGenerator) Generate() (string, error)

Generate creates a random hex string of the length indicated

type KeyMaster 

type KeyMaster struct {
	VaultClient       *api.Client
	IpRestrictTlsAuth bool
	IpRestrictK8sAuth bool
	TlsAuthCaCert     string
	K8sClusters       []*Cluster
	K8sClustersByName map[string]*Cluster
}

KeyMaster The KeyMaster Interface

func NewKeyMaster 

func NewKeyMaster(vaultClient *api.Client) (km *KeyMaster)

NewKeyMaster Creates a new KeyMaster with the vault client supplied.

func (*KeyMaster) AddPolicyToIamRole 

func (km *KeyMaster) AddPolicyToIamRole(role *Role, realm *Realm, policy VaultPolicy) (err error)

AddPolicyToIamRole Add a policy to an IAM auth role

func (*KeyMaster) AddPolicyToK8sRole 

func (km *KeyMaster) AddPolicyToK8sRole(cluster *Cluster, role *Role, realm *Realm, policy VaultPolicy) (err error)

func (*KeyMaster) AddPolicyToTlsRole 

func (km *KeyMaster) AddPolicyToTlsRole(role *Role, env string, policy VaultPolicy) (err error)

func (*KeyMaster) CertPath 

func (km *KeyMaster) CertPath(team string, name string, env string) (path string, err error)

CertPath Given a Name, Team, and Environment, returns the proper path in Vault where that Cert Secret is stored.

func (*KeyMaster) ConfigureTeam 

func (km *KeyMaster) ConfigureTeam(team *Team, verbose bool) (err error)

ConfigureTeam The grand unified config loader that, after the yaml file is read into memory, applies it to Vault.

func (*KeyMaster) DeleteIamAuth 

func (km *KeyMaster) DeleteIamAuth(role *Role) (err error)

DeleteIamAuth deletes an IAM Auth role

func (*KeyMaster) DeleteK8sAuth 

func (km *KeyMaster) DeleteK8sAuth(cluster *Cluster, role *Role) (err error)

DeleteK8sAuth Delete a Vault K8s Auth config.

func (*KeyMaster) DeletePolicyFromVault 

func (km *KeyMaster) DeletePolicyFromVault(path string) (err error)

DeletePolicyFromVault deletes a policy from vault. It only deletes the policy, it doesn't do anything about the auth method or the secrets.

func (*KeyMaster) DeleteTlsAuth 

func (km *KeyMaster) DeleteTlsAuth(role *Role, env string) (err error)

DeleteTlsAuth Delete a Tls auth config for a Role.

func (*KeyMaster) GrantedPoliciesForIamRole 

func (km *KeyMaster) GrantedPoliciesForIamRole(role *Role) (policies []string, err error)

GrantedPoliciesForIamRole

func (*KeyMaster) GrantedPoliciesForK8sRole 

func (km *KeyMaster) GrantedPoliciesForK8sRole(cluster *Cluster, role *Role) (policies []string, err error)

func (*KeyMaster) GrantedPoliciesForTlsRole 

func (km *KeyMaster) GrantedPoliciesForTlsRole(role *Role, env string) (policies []string, err error)

func (*KeyMaster) IamAuthPath 

func (km *KeyMaster) IamAuthPath(role *Role) (path string, err error)

IamAuthPath constructs an auth path in a predictable fashion

func (*KeyMaster) K8sAuthPath 

func (km *KeyMaster) K8sAuthPath(cluster *Cluster, role *Role) (path string, err error)
func (km *KeyMaster) NewCluster(data []byte, verbose bool) (cluster Cluster, err error) {
	err = yaml.Unmarshal(data, &cluster)
	if err != nil {
		err = errors.Wrap(err, ERR_CLUSTER_DATA_LOAD)
		return cluster, err
	}

	return cluster, err
}

K8sAuthPath constructs the auth path in a regular fashion.

func (*KeyMaster) MakePolicyPayload 

func (km *KeyMaster) MakePolicyPayload(role *Role, env string) (policy map[string]interface{}, err error)

MakePolicyPayload is the access policy to a specific secret path. Policy Payloads give access to a single path, wildcards are not supported. 

example policy:  We will only ever set 'read'.

{
  "path": {  # alphabetical by key
    "service/sign/cert-issuer": {
      "capabilities": [
        "read"
      ]
    }
  }
}

func (*KeyMaster) NewGenerator 

func (km *KeyMaster) NewGenerator(options GeneratorData) (generator Generator, err error)

NewGenerator creates a new generator from the options given

func (*KeyMaster) NewPolicy 

func (km *KeyMaster) NewPolicy(role *Role, env string) (policy VaultPolicy, err error)

NewPolicy creates a new Policy object for a given Role and Environment

func (*KeyMaster) NewTeam 

func (km *KeyMaster) NewTeam(data []byte, verbose bool) (team *Team, err error)

NewTeam Create a new Team from the data provided.

func (*KeyMaster) PolicyName 

func (km *KeyMaster) PolicyName(team string, role string, env string) (name string, err error)

PolicyName constructs the policy name form the inputs in a regular fashion. Note: team names like 'core-platform' will make policy names with embedded hyphens. This could be a problem if we ever need to split the policy name to reconstruct the inputs.

func (*KeyMaster) PolicyPath 

func (km *KeyMaster) PolicyPath(team string, role string, env string) (path string, err error)

PolicyPath constructs the path to the policy for the role

func (*KeyMaster) ReadIamAuth 

func (km *KeyMaster) ReadIamAuth(role *Role) (data map[string]interface{}, err error)

ReadIamAuth read an IAM role out of vault

func (*KeyMaster) ReadK8sAuth 

func (km *KeyMaster) ReadK8sAuth(cluster *Cluster, role *Role) (data map[string]interface{}, err error)

ReadK8sAuth Reach into Vault and get the Auth config for the Role given.

func (*KeyMaster) ReadPolicyFromVault 

func (km *KeyMaster) ReadPolicyFromVault(path string) (policy VaultPolicy, err error)

ReadPolicyFromVault fetches a policy from vault and converts it back to a VaultPolicy object

func (*KeyMaster) ReadTlsAuth 

func (km *KeyMaster) ReadTlsAuth(role *Role, env string) (data map[string]interface{}, err error)

Read TlsAuth path and return it's data

func (*KeyMaster) RemovePolicyFromIamRole 

func (km *KeyMaster) RemovePolicyFromIamRole(role *Role, realm *Realm, policy VaultPolicy) (err error)

RemovePolicyFromIamRole removes a policy from an IAM Role

func (*KeyMaster) RemovePolicyFromK8sRole 

func (km *KeyMaster) RemovePolicyFromK8sRole(cluster *Cluster, role *Role, realm *Realm, policy VaultPolicy) (err error)

func (*KeyMaster) RemovePolicyFromTlsRole 

func (km *KeyMaster) RemovePolicyFromTlsRole(role *Role, env string, policy VaultPolicy) (err error)

func (*KeyMaster) SecretPath 

func (km *KeyMaster) SecretPath(team string, name string, env string) (path string, err error)

SecretPath Given a Name, Team, and Environment, returns the proper path in Vault where that secret is stored.

func (*KeyMaster) SetIpRestrictK8sAuth 

func (km *KeyMaster) SetIpRestrictK8sAuth(enabled bool)

func (*KeyMaster) SetIpRestrictTlsAuth 

func (km *KeyMaster) SetIpRestrictTlsAuth(enabled bool)

func (*KeyMaster) SetK8sClusters 

func (km *KeyMaster) SetK8sClusters(clusters []*Cluster)

func (*KeyMaster) SetTlsAuthCaCert 

func (km *KeyMaster) SetTlsAuthCaCert(certificate string)

func (*KeyMaster) TlsAuthPath 

func (km *KeyMaster) TlsAuthPath(role *Role, env string) (path string, err error)

TlsAuthPath constructs the auth path in a regular fashion.

func (*KeyMaster) WriteIamAuth 

func (km *KeyMaster) WriteIamAuth(role *Role, realm *Realm, policies []string) (err error)

WriteIamAuth writes an AWS IAM auth role to vault

func (*KeyMaster) WriteK8sAuth 

func (km *KeyMaster) WriteK8sAuth(cluster *Cluster, role *Role, realm *Realm, policies []string) (err error)

WriteK8sAuth Writes the Vault Auth definition for the Role.

func (*KeyMaster) WritePolicyToVault 

func (km *KeyMaster) WritePolicyToVault(policy VaultPolicy, verbose bool) (err error)

WritePolicyToVault does just that. It takes a vault client and the policy and takes care of the asshattery that is the vault api for policies.

func (*KeyMaster) WriteSecretForEnv 

func (km *KeyMaster) WriteSecretForEnv(secret *Secret, secretPath string, env string) (err error)

func (*KeyMaster) WriteSecretIfBlank 

func (km *KeyMaster) WriteSecretIfBlank(secret *Secret, verbose bool) (err error)

WriteSecretIfBlank writes a secret to each environment, but only if there's not already a value there.

func (*KeyMaster) WriteTlsAuth 

func (km *KeyMaster) WriteTlsAuth(role *Role, env string, policies []string) (err error)

WriteTlsAuth writes the auth config to vault

type RSAGenerator 

type RSAGenerator struct {
	Type      string
	Blocksize int
}

RSA Keys RSAGenerator generates RSA Keys

func (RSAGenerator) Generate 

func (g RSAGenerator) Generate() (string, error)

Generate produces new RSA keys

type Realm 

type Realm struct {
	Type        string   `yaml:"type"`        // k8s iam sl
	Identifiers []string `yaml:"identifiers"` // cluster names for k8s, hostnames for TLS, meaningless for IAM unless account number?
	Principals  []string `yaml:"principals"`  // namespaces for k8s, ARN's for IAM
	Environment string   `yaml:"environment"` // Environment the realm occupies
}

type Role 

type Role struct {
	Name       string    `yaml:"name"`
	Secrets    []*Secret `yaml:"secrets"`
	SecretsMap map[string]*Secret
	Realms     []*Realm `yaml:"realms"`
	Team       string   `yaml:"team"`
}

Role A named set of Secrets that is instantiated as an Auth endpoint in Vault for each computing realm.

func (*Role) SetTeam 

func (r *Role) SetTeam(team string)

type Secret 

type Secret struct {
	Name          string        `yaml:"name"`
	Team          string        `yaml:"team"`
	GeneratorData GeneratorData `yaml:"generator"`
	Generator     Generator     `yaml:"-"`
	Environments  []string      `yaml:"-"`
}

Secret a set of information describing a string value in Vault that is protected from unauthorized access, and varies by business environment.

func (*Secret) SetEnvironments 

func (s *Secret) SetEnvironments(environments []string)

func (*Secret) SetGenerator 

func (s *Secret) SetGenerator(generator Generator)

SetGenerator What else? Set's the generator on the Secret.

func (*Secret) SetTeam 

func (s *Secret) SetTeam(team string)

type StaticGenerator 

type StaticGenerator struct {
	Type string
}

Static Secrets Static Secrets don't change, hence this just creates an empty bucket

func (StaticGenerator) Generate 

func (g StaticGenerator) Generate() (string, error)

Generate produces.... nothing.

type TLSGenerator 

type TLSGenerator struct {
	Type        string
	CommonName  string
	Sans        []string
	IPSans      []string
	CA          string
	TTL         string
	VaultClient *api.Client
}

TLS Certs TLSGenerator generates TLS certs

func (TLSGenerator) Generate 

func (g TLSGenerator) Generate() (string, error)

Generate Hits Vault to generate TLS certs

type Team 

type Team struct {
	Name         string    `yaml:"name"`
	Roles        []*Role   `yaml:"roles"`
	Secrets      []*Secret `yaml:"secrets"`
	Environments []string  `yaml:"environments"`
	SecretsMap   map[string]*Secret
	RolesMap     map[string]*Role
}

Team Group of humans who control their own destiny in regard to secrets

type UUIDGenerator 

type UUIDGenerator struct {
	Type string
}

UUID's UUIDGenerator produces random UUIDs

func (UUIDGenerator) Generate 

func (g UUIDGenerator) Generate() (string, error)

Generate produces a random UUID string

type VaultCert 

type VaultCert struct {
	Chain      []string `json:"ca_chain"`
	Cert       string   `json:"certificate"`
	Expiration int      `json:"expiration"`
	CA         string   `json:"issuing_ca"`
	Key        string   `json:"private_key"`
	Type       string   `json:"private_key_type"`
	Serial     string   `json:"serial_number"`
}

VaultCert a struct representing what Vault returns when you create a cert in one shot.

type VaultPolicy 

type VaultPolicy struct {
	Name    string
	Path    string
	Payload map[string]interface{}
}

VaultPolicy Vault Policy that allows a Role access to a Secret

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.