authenticator

package
v0.0.0-...-f2684bc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 30, 2024 License: MIT Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source 
const CLIENT_TIMEOUT = 700 * time.Millisecond

Time out for all AWS Metadata endpoint reads. Half a second seems to work. Unknown if there's an expected latency, or how close this falls to the average case. Because AWS is preferred, this value becomes minimum overhead for non-aws authentication.

View Source 
const DEFAULT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
View Source 
const DEFAULT_VAULT_TOKEN_FILE = ".vault-token"
View Source 
const VAULT_AUTH_FAIL = "vault login fail.  It didn't blow up, but also didn't return a token, either."

VAULT_AUTH_FAIL Canned error message for vault login failure.

View Source 
const VAULT_TOKEN_ENV_VAR = "VAULT_TOKEN"

VAULT_TOKEN_ENV_VAR The default env var for vault tokens - i.e. VAULT_TOKEN

Variables

View Source 
var RSASecretKeys = []string{
	"unimplemented",
}
View Source 
var TLSSecretBase64 = map[string]bool{
	"private_key":      true,
	"certificate":      true,
	"issuing_ca":       true,
	"serial_number":    false,
	"ca_chain":         true,
	"private_key_type": false,
	"expiration":       false,
}
View Source 
var TLSSecretKeyAbbrev = map[string]string{
	"private_key":      "key",
	"certificate":      "crt",
	"issuing_ca":       "ca",
	"serial_number":    "serial",
	"ca_chain":         "chain",
	"private_key_type": "type",
	"expiration":       "expiration",
}
View Source 
var TLSSecretKeys = []string{
	"private_key",
	"certificate",
	"issuing_ca",
	"serial_number",
	"ca_chain",
	"private_key_type",
	"expiration",
}

TLSSecretKeys

Functions

func ApiConfig 

func ApiConfig(address string, cacert string) (config *api.Config, err error)

ApiConfig creates a vault api config in a standard fashion

func CopySecret 

func CopySecret(client *api.Client, oldpath string, newpath string) (err error)

CopySecret copies a secret from path A to path B

func DeleteSecrets 

func DeleteSecrets(client *api.Client, path string) (err error)

DeleteSecrets Deletes secrets at path given

func DetectAws 

func DetectAws(c chan bool, verbose bool)

DetectAWS See if we can find the AWS metadata service necessary for IAM auth

func EditSecret 

func EditSecret(client *api.Client, path string) (err error)

EditSecret pulls the secret from the path given, and pops open $EDITOR to edit said secret. When you save and close $EDITOR the secret is written back to vault.

func Exec 

func Exec(args []string, data map[string]interface{}, clean bool) (err error)

Exec runs the provided shell command with secrets from the path given exported into it's environment.

func GetAwsRegion 

func GetAwsRegion(verbose bool) (region string)

GetAwsRegion Attempts to find the Availability Zone for the running instance, and derives the Region by truncating the trailing letters off that AZ. i.e. 'us-east-2a' becomes 'us-east-2'. There doesn't appear to be an official means to get the Region, which is required by the STS signing request, but the AZ appears to be of a fairly constant form.

func GetAzEc2 

func GetAzEc2(c chan string, verbose bool)

GetAwsRegionEc2 gets the AZ from the metadata service and returns it

func GetAzEcs 

func GetAzEcs(c chan string, verbose bool)

GetAwsRegionEcs Hits the Task metadata endpoint for ECS and returns the AvailabilityZone.

func GetAzFargate 

func GetAzFargate(c chan string, verbose bool)

GetAwsRegionFargate Attempts to get the AZ info from the url listed in the ENV var ECS_CONTAINER_METADATA_URI.

func GetSecret 

func GetSecret(client *api.Client, path string) (secret *api.Secret, err error)

GetSecret returns a secret from the given path

func GetSecrets 

func GetSecrets(client *api.Client, paths []string) (secrets []*api.Secret, err error)

GetSecrets gets all secrets at a given path. Similar to ListSecrets, but returns the secret objects below path.

func HasKeys 

func HasKeys(typename string, keys []string, data map[string]interface{}, verbose bool) bool

func IAMLogin 

func IAMLogin(authenticator *Authenticator) (client *api.Client, err error)

IAMLogin actually performs the AWS IAM login to vault, and returns a logged in vault client

func K8sLogin 

func K8sLogin(authenticator *Authenticator) (client *api.Client, err error)

K8sLogin Login to Vault from a K8s pod.

func LDAPLogin 

func LDAPLogin(authenticator *Authenticator) (client *api.Client, err error)

LDAPLogin logs the user into vault via LDAP and obtains a token. (Really only intended for user usage)

func ListSecrets 

func ListSecrets(client *api.Client, path string) (secret *api.Secret, err error)

ListSecrets runs a list on the path given.

func MoveSecret 

func MoveSecret(client *api.Client, oldpath string, newpath string) (err error)

MoveSecret moves a secret from path A to path B

func PutSecret 

func PutSecret(client *api.Client, path string, data map[string]interface{}) (err error)

PutSecret writes a secret to a path

func RenewTokenIfStale 

func RenewTokenIfStale(client *api.Client, verbose bool) (err error)

RenewTokenIfStale renews a Vault token if it happens to be near expiration.

func SecretsForRole 

func SecretsForRole(client *api.Client, role string, env string, verbose bool) (data map[string]interface{}, err error)

SecretsForRole takes a role name and gets all secrets for that role in the current environment.

func TLSLogin 

func TLSLogin(authenticator *Authenticator) (client *api.Client, err error)

TLSLogin logs a host into Vault via it's certificates. Intended for hosts, not users

func UseFSToken 

func UseFSToken(client *api.Client, verbose bool) (ok bool, err error)

UseFSToken Attempts to use a Vault Token found on the filesystem.

Types

type Authenticator 

type Authenticator struct {
	Address          string
	CACertificate    string
	Prompt           bool
	Verbose          bool
	AuthMethods      []string
	Identifier       string
	Role             string
	UsernameFunc     func() (username string, err error)
	TlsClientKeyPath string
	TlsClientCrtPath string
}

Authenticator What handles the authentication to Vault- by whatever supported methods you configure. Authenticator will try them in order and return the first one that is successful.

func NewAuthenticator 

func NewAuthenticator() (authenticator *Authenticator)

NewAuthenticator creates a new Authenticator object

func (*Authenticator) Auth 

func (a *Authenticator) Auth() (client *api.Client, err error)

VaultAuth Authenticates to Vault by a number of methods. AWS IAM is preferred, but if that fails, it tries K8s, TLS, and finally LDAP

func (*Authenticator) SetAddress 

func (a *Authenticator) SetAddress(address string)

func (*Authenticator) SetAuthMethods 

func (a *Authenticator) SetAuthMethods(methods []string)

func (*Authenticator) SetCACertificate 

func (a *Authenticator) SetCACertificate(certificate string)

func (*Authenticator) SetIdentifier 

func (a *Authenticator) SetIdentifier(identifier string)

func (*Authenticator) SetPrompt 

func (a *Authenticator) SetPrompt(prompt bool)

func (*Authenticator) SetRole 

func (a *Authenticator) SetRole(role string)

func (*Authenticator) SetTlsClientCrtPath 

func (a *Authenticator) SetTlsClientCrtPath(path string)

func (*Authenticator) SetTlsClientKeyPath 

func (a *Authenticator) SetTlsClientKeyPath(path string)

func (*Authenticator) SetUsernameFunc 

func (a *Authenticator) SetUsernameFunc(function func() (username string, err error))

func (*Authenticator) SetVerbose 

func (a *Authenticator) SetVerbose(verbose bool)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.