Documentation
Index
- Constants
- func Builder(ctx context.Context, c any) (secrets.Keeper, error)
- func ValidAcceptance(a string, inheritAllowed bool) bool
- func Validate(ctx context.Context, c any) error
- type Acceptance
- type Config
- type Match
- type MatchConfig
- type MatchRule
- type MatchRuleConfig
- type Policy
- func (p *Policy) AddRule(r *MatchRule)
- func (p *Policy) CopySecret(ctx context.Context, id string, location string) (secrets.Secret, error)
- func (p *Policy) DeleteSecret(ctx context.Context, id string) error
- func (p *Policy) EnforceGlobally(ctx context.Context) error
- func (p *Policy) EnforceOne(ctx context.Context, sec secrets.Secret) error
- func (p *Policy) GetSecret(ctx context.Context, id string) (secrets.Secret, error)
- func (p *Policy) GetSecretsByName(ctx context.Context, name string) ([]secrets.Secret, error)
- func (p *Policy) ListLocations(ctx context.Context) ([]string, error)
- func (p *Policy) ListSecrets(ctx context.Context, location string) ([]string, error)
- func (p *Policy) MoveSecret(ctx context.Context, id string, location string) (secrets.Secret, error)
- func (p *Policy) SetDefaultAcceptance(a Acceptance)
- func (p *Policy) SetDefaultLifetime(l time.Duration)
- func (p *Policy) SetSecret(ctx context.Context, secret secrets.Secret) (secrets.Secret, error)
- type Rule
- type RuleConfig
Constants
const ConfigType = "policy"
ConfigType is the name of the config type for the policy secret keeper.
Variables
This section is empty.
Functions
func ValidAcceptance
func ValidAcceptance(a string, inheritAllowed bool) bool
ValidAcceptance returns true if the acceptance string is valid. The values "allow" and "deny" are always allowed. The value "inherit" is allowed when inheritAllowed is true.
Types
type Acceptance
type Acceptance int
const (
	Deny Acceptance = iota // secret is not accessible
	Allow                  // secret is accessible
	InheritAcceptance      // secret inherits the policy default
)
type Config
type Config struct {
	// Keeper is the name of the keeper to wrap.
	Keeper string `mapstructure:"keeper" yaml:"keeper"`
	// DefaultRule configures the default rule for the keeper.
	DefaultRule RuleConfig `mapstructure:",squash" yaml:",inline"`
	// Rules configures the match rules for the keeper.
	Rules []MatchRuleConfig `mapstructure:"rules" yaml:"rules"`
}
Config is the configuration for the policy secret keeper.
type MatchConfig
type MatchConfig struct {
	// LocationMatch matches a rule by location using an exact match, glob, or
	// regular expression.
	LocationMatch string `mapstructure:"location" yaml:"location"`
	// NameMatch matches a rule by name using an exact match, glob, or regular
	// expression.
	NameMatch string `mapstructure:"name" yaml:"name"`
	// UsernameMatch matches a rule by username using an exact match, glob, or
	// regular expression.
	UsernameMatch string `mapstructure:"username" yaml:"username"`
	// TypeMatch matches a rule by secret type using an exact match, glob, or
	// regular expression.
	TypeMatch string `mapstructure:"secret_type" yaml:"secret_type"`
	// UrlMatch matches a rule by URL using an exact match, glob, or regular
	// expression.
	UrlMatch string `mapstructure:"url" yaml:"url"`
}
MatchConfig configures the matchers for a rule.
type MatchRuleConfig
type MatchRuleConfig struct {
	// MatchConfig configures the matchers for a rule.
	MatchConfig `mapstructure:",squash" yaml:",inline"`
	// RuleConfig configures the action to apply with a rule.
	RuleConfig `mapstructure:",squash" yaml:",inline"`
}
MatchRuleConfig configures a rule with matchers.
type Policy
Policy is a secret keeper that wraps another secret keeper and applies policy rules to the secrets in the nested keeper.
func (*Policy) CopySecret
func (p *Policy) CopySecret(ctx context.Context, id string, location string) (secrets.Secret, error)
CopySecret copies the identified secret to the given location in the nested keeper if it is accessible by the policy.
func (*Policy) DeleteSecret
func (p *Policy) DeleteSecret(ctx context.Context, id string) error
DeleteSecret deletes the identified secret from the nested keeper if it is accessible by the policy.
func (*Policy) EnforceGlobally
func (p *Policy) EnforceGlobally(ctx context.Context) error
EnforceGlobally iterates through all the secrets in the nested keeper and applies the lifetime policy against those secrets.
func (*Policy) EnforceOne
func (p *Policy) EnforceOne(ctx context.Context, sec secrets.Secret) error
EnforceOne enforces the lifetime policy against a single secret.
func (*Policy) GetSecret
func (p *Policy) GetSecret(ctx context.Context, id string) (secrets.Secret, error)
GetSecret retrieves the identified secret from the nested keeper if it is accessible by the policy.
func (*Policy) GetSecretsByName
func (p *Policy) GetSecretsByName(ctx context.Context, name string) ([]secrets.Secret, error)
GetSecretsByName retrieves all secrets with the given name that are accessible by the policy.
func (*Policy) ListLocations
func (p *Policy) ListLocations(ctx context.Context) ([]string, error)
ListLocations lists the locations in the nested keeper that are accessible to the policy.
func (*Policy) ListSecrets
func (p *Policy) ListSecrets(ctx context.Context, location string) ([]string, error)
ListSecrets lists the secrets in the nested keeper that are accessible to the policy.
func (*Policy) MoveSecret
func (p *Policy) MoveSecret(ctx context.Context, id string, location string) (secrets.Secret, error)
MoveSecret moves the identified secret to the given location in the nested keeper if it is accessible by the policy.
func (*Policy) SetDefaultAcceptance
func (p *Policy) SetDefaultAcceptance(a Acceptance)
SetDefaultAcceptance sets the default acceptance for the policy.
func (*Policy) SetDefaultLifetime
func (p *Policy) SetDefaultLifetime(l time.Duration)
SetDefaultLifetime sets the default lifetime for the policy.
type Rule
type Rule struct {
// contains filtered or unexported fields
}
Rule is a policy rule that applies to secrets.
func NewAcceptanceRule
func NewAcceptanceRule(a Acceptance) *Rule
NewAcceptanceRule creates a new rule with the given acceptance and no lifetime.
func NewLifetimeRule
NewLifetimeRule creates a new rule with the given lifetime and inherit acceptance.
type RuleConfig
type RuleConfig struct {
	// Lifetime is the maximum lifetime of a secret in the keeper.
	Lifetime time.Duration `mapstructure:"lifetime" yaml:"lifetime"`
	// Acceptance determines whether access to the secret is allowed or denied.
	Acceptance string `mapstructure:"acceptance" yaml:"acceptance"`
}
RuleConfig configures the action to apply with a rule.
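As an added example, not taken from the package's own documentation, here is a YAML configuration for the policy keeper assembled from the yaml tags of Config, RuleConfig, MatchConfig and MatchRuleConfig above: the default rule denies access and caps lifetimes, two rules open specific locations, and a third keeps the default denial but forces a short lifetime. The keeper name and match values are constructed placeholders; it is assumed that the config loader decodes duration strings such as 720h into time.Duration, that "inherit" is valid only inside rules (the inheritAllowed flag of ValidAcceptance), and, because the page does not state how overlapping rules combine, the rules are written so that no two match the same secret.

```yaml
# Added example configuration for the policy keeper (constructed values).
keeper: vault-prod        # Config.Keeper: name of the wrapped keeper (placeholder)

# Default rule (RuleConfig inlined into Config): deny by default and let
# EnforceGlobally/EnforceOne expire anything older than 90 days.
acceptance: deny
lifetime: 2160h

rules:
  # Secrets stored under the "prod/web" location become accessible.
  # No lifetime is given, so the 2160h default is assumed to apply.
  - location: prod/web
    acceptance: allow

  # API tokens under "prod/ci" are accessible but must be rotated within 30 days.
  - location: prod/ci
    secret_type: api-token
    acceptance: allow
    lifetime: 720h

  # Legacy locations (glob match) inherit the default deny, yet get a
  # 7-day lifetime so stale material is expired rather than kept around.
  - location: "legacy/*"
    acceptance: inherit
    lifetime: 168h
```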