vault



Constants

const (
	// NamespaceHeader specifies the header name to use when including Namespace information in a request.
	NamespaceHeader = "X-Vault-Namespace"
	// AuthTypeHeader is the header that carries the Vault token on authenticated
	// requests. Its value is a bearer credential: keep it out of logs, error
	// messages and OperationDescription strings.
	AuthTypeHeader  = "X-Vault-Token"

	// Paths of the Vault HTTP API endpoints this client talks to. Values that
	// contain "%s" are format strings and must be completed with exactly one
	// path segment before use (CreatePolicyPath, GenerateConsulTokenAPI).
	//
	// The "nolint: gosec" markers presumably silence gosec's hard-coded
	// credential heuristic, which keys on words such as "token"; the values
	// are URL paths, not secrets.

	// HealthAPI is the seal/health status endpoint.
	HealthAPI              = "/v1/sys/health"
	// InitAPI initializes a new Vault (see InitRequest).
	InitAPI                = "/v1/sys/init"
	// UnsealAPI submits one unseal key share (see UnsealRequest).
	UnsealAPI              = "/v1/sys/unseal"
	// CreatePolicyPath creates or updates an ACL policy; "%s" is the policy name.
	CreatePolicyPath       = "/v1/sys/policies/acl/%s"
	// CreateTokenAPI creates a child token.
	CreateTokenAPI         = "/v1/auth/token/create"    // nolint: gosec
	// ListAccessorsAPI lists token accessors (see ListTokenAccessorsResponse).
	ListAccessorsAPI       = "/v1/auth/token/accessors" // nolint: gosec
	// RevokeAccessorAPI revokes a token by accessor (see RevokeTokenAccessorRequest).
	RevokeAccessorAPI      = "/v1/auth/token/revoke-accessor"
	// LookupAccessorAPI looks up token metadata by accessor (see LookupAccessorRequest).
	LookupAccessorAPI      = "/v1/auth/token/lookup-accessor"
	// LookupSelfAPI looks up metadata for the calling token.
	LookupSelfAPI          = "/v1/auth/token/lookup-self"
	// RevokeSelfAPI revokes the calling token.
	RevokeSelfAPI          = "/v1/auth/token/revoke-self"
	// RootTokenControlAPI starts or cancels a root-token generation attempt
	// (see RootTokenControlResponse).
	RootTokenControlAPI    = "/v1/sys/generate-root/attempt" // nolint: gosec
	// RootTokenRetrievalAPI submits unseal key shares to the running attempt
	// (see RootTokenRetrievalRequest / RootTokenRetrievalResponse).
	RootTokenRetrievalAPI  = "/v1/sys/generate-root/update"  // nolint: gosec
	// MountsAPI lists or enables secret engines (see EnableSecretsEngineRequest).
	MountsAPI              = "/v1/sys/mounts"
	// GenerateConsulTokenAPI issues a Consul token; "%s" is the Consul role name
	// (GenerateConsulToken passes the service key there).
	GenerateConsulTokenAPI = "/v1/consul/creds/%s" // nolint: gosec

)
// Engine and auth-method type names as Vault reports them. They are
// presumably the "type" values compared against ListSecretEnginesResponse
// and sent in EnableSecretsEngineRequest / EnableAuthMethodRequest — confirm
// against the callers.
const (
	// KeyValue is the type name of the key/value secrets engine.
	KeyValue                   = "kv"
	// Consul is the type name of the Consul secrets engine.
	Consul                     = "consul"
	// UsernamePasswordAuthMethod is the type name of the userpass auth method.
	UsernamePasswordAuthMethod = "userpass"
)

Variables

This section is empty.

Functions

func GetMockTokenServer

func GetMockTokenServer(tokenDataMap *sync.Map) *httptest.Server

GetMockTokenServer returns a stub http test server for dealing with token lookup-self and renew-self API calls

Types

type Accessor

// Accessor wraps the "accessor" field of a Vault response. In Vault an
// accessor references a token or auth mount without being the secret itself,
// so it is safe to list and log where the token is not.
type Accessor struct {
	// Accessor is the accessor identifier returned by Vault.
	Accessor string `json:"accessor"`
}

Accessor

type Client

// Client holds the configuration and the HTTP caller used to reach the Vault
// REST API; build it with NewClient or NewSecretsClient rather than a literal,
// since it also carries unexported state.
type Client struct {
	// Config is the secret store configuration the client was built from.
	Config     types.SecretConfig
	// HttpCaller performs the HTTP requests. It is supplied by the caller
	// (NewClient's requester argument), which allows a stub server such as
	// GetMockTokenServer to stand in for Vault.
	HttpCaller pkg.Caller
	// contains filtered or unexported fields
}

Client defines the behavior for interacting with the Vault REST secret key/value store via HTTP(S).

func NewClient

func NewClient(config types.SecretConfig, requester pkg.Caller, forSecrets bool, lc logger.LoggingClient) (*Client, error)

NewClient constructs a Vault *Client which communicates with Vault via HTTP(S). lc is any logging client that implements the loggingClient interface; today EdgeX's logger.LoggingClient from go-mod-core-contracts satisfies this interface.

func NewSecretsClient

func NewSecretsClient(ctx context.Context, config types.SecretConfig, lc logger.LoggingClient, callback pkg.TokenExpiredCallback) (*Client, error)

NewSecretsClient constructs a Vault *Client which communicates with Vault via HTTP(S) for basic usage of secrets

func (*Client) BindUserToIdentity

func (c *Client) BindUserToIdentity(token string, identityId string, authHandle string, username string) error

func (*Client) CheckAuthMethodEnabled

func (c *Client) CheckAuthMethodEnabled(token string, mountPoint string, authType string) (bool, error)

func (*Client) CheckIdentityKeyExists

func (c *Client) CheckIdentityKeyExists(token string, keyName string) (bool, error)

func (*Client) CheckSecretEngineInstalled

func (c *Client) CheckSecretEngineInstalled(token string, mountPoint string, engine string) (bool, error)

func (*Client) ConfigureConsulAccess

func (c *Client) ConfigureConsulAccess(secretStoreToken string, bootstrapACLToken string, consulHost string, consulPort int) error

ConfigureConsulAccess enables the Consul access configuration in the SecretStore via the consul/config/access API; see the reference: https://www.vaultproject.io/api-docs/secret/consul#configure-access

func (*Client) CreateNamedIdentityKey

func (c *Client) CreateNamedIdentityKey(token string, keyName string, algorithm string) error

func (*Client) CreateOrUpdateIdentity

func (c *Client) CreateOrUpdateIdentity(secretStoreToken string, name string, metadata map[string]string, policies []string) (string, error)

func (*Client) CreateOrUpdateIdentityRole

func (c *Client) CreateOrUpdateIdentityRole(token string, roleName string, keyName string, template string, audience string, jwtTTL string) error

func (*Client) CreateOrUpdateUser

func (c *Client) CreateOrUpdateUser(token string, mountPoint string, username string, password string, tokenTTL string, tokenPolicies []string) error

func (*Client) CreateRole

func (c *Client) CreateRole(secretStoreToken string, consulRole types.ConsulRole) error

CreateRole creates a Consul role that can be used to generate Consul tokens. Part of the role definition references the Consul policies that dictate the permissions granted for access to the Consul kv store, agent, etc.

func (*Client) CreateToken

func (c *Client) CreateToken(token string, parameters map[string]interface{}) (map[string]interface{}, error)

func (*Client) DeleteIdentity

func (c *Client) DeleteIdentity(secretStoreToken string, name string) error

func (*Client) DeleteUser

func (c *Client) DeleteUser(token string, mountPoint string, username string) error

func (*Client) EnableConsulSecretEngine

func (c *Client) EnableConsulSecretEngine(token string, mountPoint string, defaultLeaseTTL string) error

func (*Client) EnableKVSecretEngine

func (c *Client) EnableKVSecretEngine(token string, mountPoint string, kvVersion string) error

func (*Client) EnablePasswordAuth

func (c *Client) EnablePasswordAuth(token string, mountPoint string) error

func (*Client) GenerateConsulToken

func (c *Client) GenerateConsulToken(serviceKey string) (string, error)

GenerateConsulToken generates a new Consul token using serviceKey as the role name to call the secret store's consul/creds API. The serviceKey is used as the role-name part of the secret store's URL and must therefore be a name the API accepts.

func (*Client) GetSecret

func (c *Client) GetSecret(secretName string, keys ...string) (map[string]string, error)

GetSecret retrieves the secret at the provided secretName that matches the specified keys.

func (*Client) GetSecretNames

func (c *Client) GetSecretNames() ([]string, error)

GetSecretNames retrieves the secret names currently in service's secret store.

func (*Client) GetSelfJWT

func (c *Client) GetSelfJWT(serviceKey string) (string, error)

GetSelfJWT returns an encoded JWT for the current identity-based secret store token

func (*Client) HealthCheck

func (c *Client) HealthCheck() (int, error)

func (*Client) Init

func (c *Client) Init(secretThreshold int, secretShares int) (types.InitResponse, error)

func (*Client) InstallPolicy

func (c *Client) InstallPolicy(token string, policyName string, policyDocument string) error

func (*Client) InternalServiceLogin

func (c *Client) InternalServiceLogin(token string, authEngine string, username string, password string) (map[string]interface{}, error)

func (*Client) IsJWTValid

func (c *Client) IsJWTValid(jwt string) (bool, error)

IsJWTValid evaluates a given JWT and returns true if the JWT is valid (i.e. it belongs to us and is current) and false otherwise.

func (*Client) ListTokenAccessors

func (c *Client) ListTokenAccessors(token string) ([]string, error)

func (*Client) LookupAuthHandle

func (c *Client) LookupAuthHandle(token string, mountPoint string) (string, error)

func (*Client) LookupIdentity

func (c *Client) LookupIdentity(secretStoreToken string, name string) (string, error)

func (*Client) LookupToken

func (c *Client) LookupToken(token string) (types.TokenMetadata, error)

func (*Client) LookupTokenAccessor

func (c *Client) LookupTokenAccessor(token string, accessor string) (types.TokenMetadata, error)

func (*Client) RegenRootToken

func (c *Client) RegenRootToken(keys []string) (string, error)

func (*Client) RevokeToken

func (c *Client) RevokeToken(token string) error

func (*Client) RevokeTokenAccessor

func (c *Client) RevokeTokenAccessor(token string, accessor string) error

func (*Client) SetAuthToken

func (c *Client) SetAuthToken(ctx context.Context, newToken string) error

func (*Client) StoreSecret

func (c *Client) StoreSecret(secretName string, secrets map[string]string) error

StoreSecret stores the secret at the provided secret name for the specified keys.

func (*Client) Unseal

func (c *Client) Unseal(keysBase64 []string) error

type CreateEntityAliasRequest

// CreateEntityAliasRequest is the body sent to bind an authenticator login
// (e.g. a userpass user) to an existing identity entity.
type CreateEntityAliasRequest struct {
	// Name is the username in the authenticator
	Name string `json:"name"`
	// CanonicalID is the entity ID
	CanonicalID string `json:"canonical_id"`
	// MountAccessor is the id of the auth engine to use
	MountAccessor string `json:"mount_accessor"`
}

CreateEntityAliasRequest is used to bind an authenticator to an identity

type CreateNamedKeyRequest

// CreateNamedKeyRequest is the body for creating an OIDC signing key.
type CreateNamedKeyRequest struct {
	// AllowedClientIDs lists the role client IDs permitted to use this key
	// (Vault's allowed_client_ids parameter).
	AllowedClientIDs []string `json:"allowed_client_ids"`
	// Algorithm is the signing algorithm name for the key.
	Algorithm        string   `json:"algorithm"`
}

CreateNamedKeyRequest is the request to POST /v1/identity/oidc/key/:name:

type CreateOrUpdateIdentityRoleRequest

// CreateOrUpdateIdentityRoleRequest is the body for creating an OIDC role that
// issues identity tokens signed with the named key.
type CreateOrUpdateIdentityRoleRequest struct {
	// ClientID is the audience ("aud") claim placed in issued tokens; omitted
	// when empty so Vault can generate one.
	ClientID string  `json:"client_id,omitempty"`
	// Key is the name of the signing key (see CreateNamedKeyRequest).
	Key      string  `json:"key"`
	// Template is an optional JSON template for extra token claims; a nil
	// pointer leaves the field out of the request entirely.
	Template *string `json:"template,omitempty"`
	// TokenTTL is the lifetime of issued tokens, serialized as Vault's "ttl".
	TokenTTL string  `json:"ttl"`
}

CreateOrUpdateIdentityRoleRequest is the request to POST /v1/identity/oidc/role/:name

type CreateOrUpdateUserRequest

// CreateOrUpdateUserRequest is the body for creating or updating a userpass
// login. Because it carries a password, do not log the marshalled request.
type CreateOrUpdateUserRequest struct {
	// Password is the credential set for the user.
	Password      string   `json:"password"`
	// TokenPeriod is the renewal period for tokens issued on login.
	TokenPeriod   string   `json:"token_period"`
	// TokenPolicies are the policies attached to tokens issued on login.
	TokenPolicies []string `json:"token_policies"`
}

CreateOrUpdateUserRequest is used to create a vault login

type CreateOrUpdateUserResponse

// CreateOrUpdateUserResponse is the response to CreateOrUpdateUserRequest.
// NOTE(review): it has the same shape as ReadEntityByNameResponse; confirm
// which endpoint actually populates it.
type CreateOrUpdateUserResponse struct {
	// Data carries the returned identifier.
	Data JsonID `json:"data"`
}

CreateOrUpdateUserResponse is the response to get entity by name

type CreateUpdateEntityRequest

// CreateUpdateEntityRequest is the body for creating or updating a Vault
// identity entity.
type CreateUpdateEntityRequest struct {
	// Metadata is free-form key/value metadata stored on the entity.
	Metadata map[string]string `json:"metadata"`
	// Policies are the policy names attached to the entity.
	Policies []string          `json:"policies"`
}

CreateUpdateEntityRequest enables or updates a Vault Identity

type CreateUpdateEntityResponse

// CreateUpdateEntityResponse is the response to CreateUpdateEntityRequest.
type CreateUpdateEntityResponse struct {
	// Data carries the ID of the created or updated entity.
	Data JsonID `json:"data"`
}

CreateUpdateEntityResponse is the response to CreateUpdateEntityRequest

type EnableAuthMethodRequest

// EnableAuthMethodRequest is the body for enabling an auth method at a mount.
type EnableAuthMethodRequest struct {
	// Type is the auth method type name, e.g. UsernamePasswordAuthMethod.
	Type string `json:"type"`
}

EnableAuthMethodRequest enables a Vault Identity authentication method

type EnableSecretsEngineRequest

// EnableSecretsEngineRequest is the body for mounting a secrets engine.
type EnableSecretsEngineRequest struct {
	// Type is the engine type name, e.g. KeyValue or Consul.
	Type        string                `json:"type"`
	// Description is a human-readable label for the mount.
	Description string                `json:"description"`
	// Options holds engine-specific options; nil omits the field.
	Options     *SecretsEngineOptions `json:"options,omitempty"`
	// Config holds mount configuration such as lease TTLs; nil omits the field.
	Config      *SecretsEngineConfig  `json:"config,omitempty"`
}

EnableSecretsEngineRequest is the POST request to /v1/sys/mounts

type ErrCaRootCert

// ErrCaRootCert is returned when the configured CA root certificate cannot be
// used to verify the Vault server; callers should treat it as a configuration
// error rather than retry.
type ErrCaRootCert struct {
	// contains filtered or unexported fields
}

ErrCaRootCert error when the provided CA Root certificate is invalid.

func (ErrCaRootCert) Error

func (e ErrCaRootCert) Error() string

type ErrHTTPResponse

// ErrHTTPResponse reports a Vault call that returned an unexpected HTTP
// status. Use errors.As to recover the status code from a wrapped error.
type ErrHTTPResponse struct {
	// StatusCode is the HTTP status Vault responded with.
	StatusCode int
	// ErrMsg describes the failure. NOTE(review): if this echoes the raw Vault
	// response body, check it is not propagated verbatim to end users.
	ErrMsg     string
}

func (ErrHTTPResponse) Error

func (err ErrHTTPResponse) Error() string

type InitRequest

// InitRequest is the body sent to InitAPI; the two fields are the Shamir
// Secret Sharing parameters for the unseal keys.
type InitRequest struct {
	// SecretShares is the number of unseal key shares to generate.
	SecretShares    int `json:"secret_shares"`
	// SecretThreshold is the number of shares required to unseal; it must not
	// exceed SecretShares.
	SecretThreshold int `json:"secret_threshold"`
}

InitRequest contains a Vault init request regarding the Shamir Secret Sharing (SSS) parameters

type JsonID

// JsonID is the common "data" payload of responses that return only an
// identifier (entity and user create/read responses).
type JsonID struct {
	// ID is the identifier returned by Vault.
	ID string `json:"id"`
}

JsonID

type ListAuthMethodsResponse

// ListAuthMethodsResponse is the response to listing auth methods.
type ListAuthMethodsResponse struct {
	// Data maps each auth mount path to its accessor.
	Data map[string]Accessor `json:"data"`
}

ListAuthMethodsResponse is used to look up the accessor ID of an auth method

type ListNamedKeysResponse

// ListNamedKeysResponse is the response to listing OIDC signing keys.
type ListNamedKeysResponse struct {
	// Data wraps the list as Vault returns it.
	Data struct {
		// Keys are the names of the existing signing keys.
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListNamedKeysResponse is the response to LIST /v1/identity/oidc/key

type ListSecretEnginesResponse

// ListSecretEnginesResponse is the response to listing mounts; the same
// shape serves both secret engines and auth methods.
type ListSecretEnginesResponse struct {
	// Data maps each mount path to the engine or method mounted there.
	Data map[string]struct {
		// Type is the engine/method type name (compare with KeyValue, Consul).
		Type string `json:"type"`
	} `json:"data"`
}

ListSecretEnginesResponse is the response to GET /v1/sys/mounts (and /v1/sys/auth)

type ListTokenAccessorsResponse

// ListTokenAccessorsResponse is the response to ListAccessorsAPI.
type ListTokenAccessorsResponse struct {
	// Data wraps the list as Vault returns it.
	Data struct {
		// Keys are the token accessors; these identify tokens without
		// exposing the tokens themselves.
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListTokenAccessorsResponse is the response to the list accessors API

type LookupAccessorRequest

// LookupAccessorRequest is the body sent to LookupAccessorAPI.
type LookupAccessorRequest struct {
	// Accessor is the accessor of the token to look up.
	Accessor string `json:"accessor"`
}

LookupAccessorRequest is used by accessor lookup API

type ReadEntityByNameResponse

// ReadEntityByNameResponse is the response to reading an identity entity by name.
type ReadEntityByNameResponse struct {
	// Data carries the entity's ID.
	Data JsonID `json:"data"`
}

ReadEntityByNameResponse is the response to get entity by name

type RequestArgs

// RequestArgs holds the parameters for one Vault HTTP request.
type RequestArgs struct {
	// Authentication token; presumably sent in the AuthTypeHeader header.
	// Never copy it into OperationDescription or other logged fields.
	AuthToken string
	// HTTP method
	Method string
	// URL path (one of the *API / *Path constants, already formatted)
	Path string
	// If non-nil, passed to JSON serializer and included in request
	JSONObject interface{}
	// Included in HTTP request if JSONObject is nil
	BodyReader io.Reader
	// Description of the operation being performed included in log messages
	OperationDescription string
	// Expected status code to be returned from HTTP request; any other status
	// is presumably reported as ErrHTTPResponse
	ExpectedStatusCode int
	// If non-nil and request succeeded, response body will be serialized here (must be a pointer)
	ResponseObject interface{}
}

RequestArgs is the parameters structure for the request method.

type RevokeTokenAccessorRequest

// RevokeTokenAccessorRequest is the body sent to RevokeAccessorAPI.
type RevokeTokenAccessorRequest struct {
	// Accessor is the accessor of the token to revoke.
	Accessor string `json:"accessor"`
}

RevokeTokenAccessorRequest is the input to the revoke token by accessor API

type RootTokenControlResponse

// RootTokenControlResponse is the response to RootTokenControlAPI, the first
// step of Vault's root-token generation flow.
type RootTokenControlResponse struct {
	// Complete reports whether the generation attempt has already finished.
	Complete bool   `json:"complete"`
	// Nonce identifies this attempt and is echoed back in RootTokenRetrievalRequest.
	Nonce    string `json:"nonce"`
	// Otp is the one-time pad used to decode the EncodedToken returned by the
	// update step; it must be kept as secret as the root token itself.
	Otp      string `json:"otp"`
}

RootTokenControlResponse is the response to /v1/sys/generate-root/attempt

type RootTokenRetrievalRequest

// RootTokenRetrievalRequest is the body sent to RootTokenRetrievalAPI, once per
// unseal key share.
type RootTokenRetrievalRequest struct {
	// Key is a single unseal key share.
	Key   string `json:"key"`
	// Nonce is the attempt nonce from RootTokenControlResponse.
	Nonce string `json:"nonce"`
}

RootTokenRetrievalRequest is the request to /v1/sys/generate-root/update

type RootTokenRetrievalResponse

// RootTokenRetrievalResponse is the response to RootTokenRetrievalAPI.
type RootTokenRetrievalResponse struct {
	// Complete becomes true once enough key shares have been submitted.
	Complete     bool   `json:"complete"`
	// EncodedToken is the new root token, encoded with the Otp from
	// RootTokenControlResponse; it is empty until Complete is true.
	EncodedToken string `json:"encoded_token"`
}

RootTokenRetrievalResponse is the response to /v1/sys/generate-root/update

type SecretsEngineConfig

// SecretsEngineConfig is the mount "config" block of EnableSecretsEngineRequest.
type SecretsEngineConfig struct {
	// DefaultLeaseTTLDuration is the default lease TTL for the mount, as a
	// Vault duration string.
	DefaultLeaseTTLDuration string `json:"default_lease_ttl"`
}

SecretsEngineConfig is config for /v1/sys/mounts

type SecretsEngineOptions

// SecretsEngineOptions is the mount "options" block of EnableSecretsEngineRequest.
type SecretsEngineOptions struct {
	// Version selects the engine version (used for the kv engine version).
	Version string `json:"version"`
}

type TokenLookupResponse

// TokenLookupResponse is the response to the token lookup endpoints.
type TokenLookupResponse struct {
	// Data is the token metadata; it carries no json tag, so the default
	// field name "Data" is matched case-insensitively against "data".
	Data types.TokenMetadata
}

type UnsealRequest

// UnsealRequest is the body sent to UnsealAPI for one key share.
type UnsealRequest struct {
	// Key is a single unseal key share.
	Key   string `json:"key"`
	// Reset, when true, discards any partially submitted shares.
	Reset bool   `json:"reset"`
}

UnsealRequest contains a Vault unseal request

type UnsealResponse

// UnsealResponse is the response to UnsealAPI.
type UnsealResponse struct {
	// Sealed reports whether Vault is still sealed after this share.
	Sealed   bool `json:"sealed"`
	// T is presumably the unseal threshold (see InitRequest.SecretThreshold) — confirm.
	T        int  `json:"t"`
	// N is presumably the total number of key shares (see InitRequest.SecretShares) — confirm.
	N        int  `json:"n"`
	// Progress is the number of shares accepted so far.
	Progress int  `json:"progress"`
}

UnsealResponse contains a Vault unseal response

type UpdateACLPolicyRequest

// UpdateACLPolicyRequest is the body sent to CreatePolicyPath.
type UpdateACLPolicyRequest struct {
	// Policy is the policy document (HCL or JSON text).
	Policy string `json:"policy"`
}

UpdateACLPolicyRequest contains a ACL policy create/update request

type UserPassLoginRequest

// UserPassLoginRequest is the body of a userpass login; the username is part
// of the URL path, not the body. Do not log the marshalled request.
type UserPassLoginRequest struct {
	// Password is the user's credential.
	Password string `json:"password"`
}

UserPassLoginRequest is used to log in an identity with the userpass auth engine
