Documentation ¶
Index ¶
- Constants
- func GetMockTokenServer(tokenDataMap *sync.Map) *httptest.Server
- type Accessor
- type Client
- func (c *Client) BindUserToIdentity(token string, identityId string, authHandle string, username string) error
- func (c *Client) CheckAuthMethodEnabled(token string, mountPoint string, authType string) (bool, error)
- func (c *Client) CheckIdentityKeyExists(token string, keyName string) (bool, error)
- func (c *Client) CheckSecretEngineInstalled(token string, mountPoint string, engine string) (bool, error)
- func (c *Client) ConfigureConsulAccess(secretStoreToken string, bootstrapACLToken string, consulHost string, ...) error
- func (c *Client) CreateNamedIdentityKey(token string, keyName string, algorithm string) error
- func (c *Client) CreateOrUpdateIdentity(secretStoreToken string, name string, metadata map[string]string, ...) (string, error)
- func (c *Client) CreateOrUpdateIdentityRole(token string, roleName string, keyName string, template string, ...) error
- func (c *Client) CreateOrUpdateUser(token string, mountPoint string, username string, password string, ...) error
- func (c *Client) CreateRole(secretStoreToken string, consulRole types.ConsulRole) error
- func (c *Client) CreateToken(token string, parameters map[string]interface{}) (map[string]interface{}, error)
- func (c *Client) DeleteIdentity(secretStoreToken string, name string) error
- func (c *Client) DeleteUser(token string, mountPoint string, username string) error
- func (c *Client) EnableConsulSecretEngine(token string, mountPoint string, defaultLeaseTTL string) error
- func (c *Client) EnableKVSecretEngine(token string, mountPoint string, kvVersion string) error
- func (c *Client) EnablePasswordAuth(token string, mountPoint string) error
- func (c *Client) GenerateConsulToken(serviceKey string) (string, error)
- func (c *Client) GetSecret(secretName string, keys ...string) (map[string]string, error)
- func (c *Client) GetSecretNames() ([]string, error)
- func (c *Client) GetSelfJWT(serviceKey string) (string, error)
- func (c *Client) HealthCheck() (int, error)
- func (c *Client) Init(secretThreshold int, secretShares int) (types.InitResponse, error)
- func (c *Client) InstallPolicy(token string, policyName string, policyDocument string) error
- func (c *Client) InternalServiceLogin(token string, authEngine string, username string, password string) (map[string]interface{}, error)
- func (c *Client) IsJWTValid(jwt string) (bool, error)
- func (c *Client) ListTokenAccessors(token string) ([]string, error)
- func (c *Client) LookupAuthHandle(token string, mountPoint string) (string, error)
- func (c *Client) LookupIdentity(secretStoreToken string, name string) (string, error)
- func (c *Client) LookupToken(token string) (types.TokenMetadata, error)
- func (c *Client) LookupTokenAccessor(token string, accessor string) (types.TokenMetadata, error)
- func (c *Client) RegenRootToken(keys []string) (string, error)
- func (c *Client) RevokeToken(token string) error
- func (c *Client) RevokeTokenAccessor(token string, accessor string) error
- func (c *Client) SetAuthToken(ctx context.Context, newToken string) error
- func (c *Client) StoreSecret(secretName string, secrets map[string]string) error
- func (c *Client) Unseal(keysBase64 []string) error
- type CreateEntityAliasRequest
- type CreateNamedKeyRequest
- type CreateOrUpdateIdentityRoleRequest
- type CreateOrUpdateUserRequest
- type CreateOrUpdateUserResponse
- type CreateUpdateEntityRequest
- type CreateUpdateEntityResponse
- type EnableAuthMethodRequest
- type EnableSecretsEngineRequest
- type ErrCaRootCert
- type ErrHTTPResponse
- type InitRequest
- type JsonID
- type ListAuthMethodsResponse
- type ListNamedKeysResponse
- type ListSecretEnginesResponse
- type ListTokenAccessorsResponse
- type LookupAccessorRequest
- type ReadEntityByNameResponse
- type RequestArgs
- type RevokeTokenAccessorRequest
- type RootTokenControlResponse
- type RootTokenRetrievalRequest
- type RootTokenRetrievalResponse
- type SecretsEngineConfig
- type SecretsEngineOptions
- type TokenLookupResponse
- type UnsealRequest
- type UnsealResponse
- type UpdateACLPolicyRequest
- type UserPassLoginRequest
Constants ¶
const (
	// NamespaceHeader specifies the header name to use when including Namespace information in a request.
	NamespaceHeader = "X-Vault-Namespace"
	// AuthTypeHeader is the request header that carries the Vault token used to authenticate a request.
	AuthTypeHeader = "X-Vault-Token"

	// Vault system API paths.
	HealthAPI = "/v1/sys/health"
	InitAPI   = "/v1/sys/init"
	UnsealAPI = "/v1/sys/unseal"
	// CreatePolicyPath is a format string; the %s is substituted into the URL path
	// (presumably with the policy name passed to InstallPolicy).
	// NOTE(review): whatever is substituted for %s lands in the request path, so
	// callers should validate or path-escape it — confirm at the call site.
	CreatePolicyPath = "/v1/sys/policies/acl/%s"

	// Token API paths. The "nolint: gosec" directives silence gosec's hard-coded
	// credential check (G101), which matches on the word "token" in the value;
	// these constants are URL paths, not secrets.
	CreateTokenAPI        = "/v1/auth/token/create"          // nolint: gosec
	ListAccessorsAPI      = "/v1/auth/token/accessors"       // nolint: gosec
	RevokeAccessorAPI     = "/v1/auth/token/revoke-accessor"
	LookupAccessorAPI     = "/v1/auth/token/lookup-accessor"
	LookupSelfAPI         = "/v1/auth/token/lookup-self"
	RevokeSelfAPI         = "/v1/auth/token/revoke-self"
	RootTokenControlAPI   = "/v1/sys/generate-root/attempt" // nolint: gosec
	RootTokenRetrievalAPI = "/v1/sys/generate-root/update"  // nolint: gosec

	// MountsAPI lists and enables secrets engines.
	MountsAPI = "/v1/sys/mounts"
	// GenerateConsulTokenAPI is a format string; the %s is the Consul role name
	// (GenerateConsulToken uses its serviceKey argument here). As with
	// CreatePolicyPath, the substituted value becomes part of the URL path.
	GenerateConsulTokenAPI = "/v1/consul/creds/%s" // nolint: gosec
)
const (
	// KeyValue is the secrets engine type name for the key/value engine
	// (used as the engine type when checking or enabling a mount).
	KeyValue = "kv"
	// Consul is the secrets engine type name for the Consul engine.
	Consul = "consul"
	// UsernamePasswordAuthMethod is the auth method type name for username/password login.
	UsernamePasswordAuthMethod = "userpass"
)
Functions ¶
Types ¶
type Client ¶
// Client defines the behavior for interacting with the Vault REST secret
// key/value store via HTTP(S). Construct it with NewClient or NewSecretsClient
// rather than using the zero value.
type Client struct {
	// Config holds the secret store connection settings.
	Config types.SecretConfig
	// HttpCaller issues the HTTP requests on the client's behalf
	// (presumably the requester passed to NewClient — confirm).
	HttpCaller pkg.Caller
	// contains filtered or unexported fields
}
Client defines the behavior for interacting with the Vault REST secret key/value store via HTTP(S).
func NewClient ¶
func NewClient(config types.SecretConfig, requester pkg.Caller, forSecrets bool, lc logger.LoggingClient) (*Client, error)
NewClient constructs a Vault *Client which communicates with Vault via HTTP(S). lc is any logging client that implements the loggingClient interface; today EdgeX's logger.LoggingClient from go-mod-core-contracts satisfies this interface.
func NewSecretsClient ¶
func NewSecretsClient(ctx context.Context, config types.SecretConfig, lc logger.LoggingClient, callback pkg.TokenExpiredCallback) (*Client, error)
NewSecretsClient constructs a Vault *Client which communicates with Vault via HTTP(S) for basic usage of secrets.
func (*Client) BindUserToIdentity ¶
func (*Client) CheckAuthMethodEnabled ¶
func (*Client) CheckIdentityKeyExists ¶
func (*Client) CheckSecretEngineInstalled ¶
func (*Client) ConfigureConsulAccess ¶
func (c *Client) ConfigureConsulAccess(secretStoreToken string, bootstrapACLToken string, consulHost string, consulPort int) error
ConfigureConsulAccess enables the Consul config access to the SecretStore via the consul/config/access API; see the reference: https://www.vaultproject.io/api-docs/secret/consul#configure-access
func (*Client) CreateNamedIdentityKey ¶
func (*Client) CreateOrUpdateIdentity ¶
func (*Client) CreateOrUpdateIdentityRole ¶
func (*Client) CreateOrUpdateUser ¶
func (*Client) CreateRole ¶
func (c *Client) CreateRole(secretStoreToken string, consulRole types.ConsulRole) error
CreateRole creates a Consul role that can be used to generate Consul tokens. Part of the role definition ties it to the Consul policies, which dictate the permissions granted for access to the Consul KV store, agent, etc.
func (*Client) CreateToken ¶
func (*Client) DeleteIdentity ¶
func (*Client) DeleteUser ¶
func (*Client) EnableConsulSecretEngine ¶
func (*Client) EnableKVSecretEngine ¶
func (*Client) EnablePasswordAuth ¶
func (*Client) GenerateConsulToken ¶
GenerateConsulToken generates a new Consul token by calling the secret store's consul/creds API with serviceKey as the role name. serviceKey is inserted into the secret store's URL path as the role name, so the role must exist and be accessible to the API.
func (*Client) GetSecret ¶
GetSecret retrieves the secret at the provided secretName that matches the specified keys.
func (*Client) GetSecretNames ¶
GetSecretNames retrieves the secret names currently in the service's secret store.
func (*Client) GetSelfJWT ¶
GetSelfJWT returns an encoded JWT for the current identity-based secret store token.
func (*Client) Init ¶
func (*Client) InstallPolicy ¶
func (*Client) InternalServiceLogin ¶
func (*Client) IsJWTValid ¶
IsJWTValid evaluates the given JWT and returns true if it is valid (i.e. it belongs to us and is current), false otherwise.
func (*Client) ListTokenAccessors ¶
func (*Client) LookupAuthHandle ¶
func (*Client) LookupIdentity ¶
func (*Client) LookupToken ¶
func (c *Client) LookupToken(token string) (types.TokenMetadata, error)
func (*Client) LookupTokenAccessor ¶
func (*Client) RevokeTokenAccessor ¶
func (*Client) SetAuthToken ¶
func (*Client) StoreSecret ¶
StoreSecret stores the secret at the provided secret name for the specified keys.
type CreateEntityAliasRequest ¶
// CreateEntityAliasRequest is the request body used to bind an authenticator
// (an auth mount) to an identity entity.
type CreateEntityAliasRequest struct {
	// Name is the username in the authenticator
	Name string `json:"name"`
	// CanonicalID is the entity ID
	CanonicalID string `json:"canonical_id"`
	// MountAccessor is the id of the auth engine to use
	MountAccessor string `json:"mount_accessor"`
}
CreateEntityAliasRequest is used to bind an authenticator to an identity
type CreateNamedKeyRequest ¶
// CreateNamedKeyRequest is the request body for POST /v1/identity/oidc/key/:name.
type CreateNamedKeyRequest struct {
	// AllowedClientIDs lists the client IDs permitted to use this key.
	AllowedClientIDs []string `json:"allowed_client_ids"`
	// Algorithm is the signing algorithm for the key
	// (presumably the algorithm argument of CreateNamedIdentityKey — confirm).
	Algorithm string `json:"algorithm"`
}
CreateNamedKeyRequest is the request to POST /v1/identity/oidc/key/:name
type CreateOrUpdateIdentityRoleRequest ¶
// CreateOrUpdateIdentityRoleRequest is the request body for POST /v1/identity/oidc/role/:name.
type CreateOrUpdateIdentityRoleRequest struct {
	// ClientID is optional; omitted from the JSON when empty.
	ClientID string `json:"client_id,omitempty"`
	// Key is the name of the identity key the role uses
	// (see CreateNamedIdentityKey).
	Key string `json:"key"`
	// Template is optional; a nil pointer omits the field entirely.
	Template *string `json:"template,omitempty"`
	// TokenTTL is serialized under the JSON name "ttl".
	TokenTTL string `json:"ttl"`
}
CreateOrUpdateIdentityRoleRequest is the request to POST /v1/identity/oidc/role/:name
type CreateOrUpdateUserRequest ¶
// CreateOrUpdateUserRequest is the request body used to create a Vault
// username/password login.
type CreateOrUpdateUserRequest struct {
	// Password is sent in the JSON request body; it is credential material
	// and must not appear in logs or operation descriptions.
	Password string `json:"password"`
	// TokenPeriod is the period for tokens issued to this user.
	TokenPeriod string `json:"token_period"`
	// TokenPolicies lists the policies attached to tokens issued to this user.
	TokenPolicies []string `json:"token_policies"`
}
CreateOrUpdateUserRequest is used to create a vault login
type CreateOrUpdateUserResponse ¶
// CreateOrUpdateUserResponse is the response to get entity by name.
// NOTE(review): the description duplicates ReadEntityByNameResponse, which has
// the same shape — confirm which call actually returns this type.
type CreateOrUpdateUserResponse struct {
	// Data holds the returned identifier (see JsonID).
	Data JsonID `json:"data"`
}
CreateOrUpdateUserResponse is the response to get entity by name
type CreateUpdateEntityRequest ¶
// CreateUpdateEntityRequest is the request body that creates or updates a
// Vault identity entity.
type CreateUpdateEntityRequest struct {
	// Metadata is free-form key/value metadata attached to the entity.
	Metadata map[string]string `json:"metadata"`
	// Policies lists the policy names attached to the entity.
	Policies []string `json:"policies"`
}
CreateUpdateEntityRequest enables or updates a Vault Identity
type CreateUpdateEntityResponse ¶
// CreateUpdateEntityResponse is the response to CreateUpdateEntityRequest.
type CreateUpdateEntityResponse struct {
	// Data holds the returned identifier (see JsonID).
	Data JsonID `json:"data"`
}
CreateUpdateEntityResponse is the response to CreateUpdateEntityRequest
type EnableAuthMethodRequest ¶
// EnableAuthMethodRequest is the request body that enables a Vault
// authentication method.
type EnableAuthMethodRequest struct {
	// Type is the auth method type, e.g. UsernamePasswordAuthMethod.
	Type string `json:"type"`
}
EnableAuthMethodRequest enables a Vault Identity authentication method
type EnableSecretsEngineRequest ¶
// EnableSecretsEngineRequest is the POST request body for /v1/sys/mounts.
type EnableSecretsEngineRequest struct {
	// Type is the secrets engine type, e.g. KeyValue or Consul.
	Type string `json:"type"`
	// Description is a human-readable description of the mount.
	Description string `json:"description"`
	// Options is engine-specific and optional; nil omits the field.
	Options *SecretsEngineOptions `json:"options,omitempty"`
	// Config is optional mount configuration (see SecretsEngineConfig);
	// nil omits the field.
	Config *SecretsEngineConfig `json:"config,omitempty"`
}
EnableSecretsEngineRequest is the POST request to /v1/sys/mounts
type ErrCaRootCert ¶
// ErrCaRootCert is the error returned when the provided CA root certificate
// is invalid. It implements error via its Error method.
type ErrCaRootCert struct {
	// contains filtered or unexported fields
}
ErrCaRootCert is the error returned when the provided CA root certificate is invalid.
func (ErrCaRootCert) Error ¶
func (e ErrCaRootCert) Error() string
type ErrHTTPResponse ¶
func (ErrHTTPResponse) Error ¶
func (err ErrHTTPResponse) Error() string
type InitRequest ¶
// InitRequest contains a Vault init request regarding the Shamir Secret
// Sharing (SSS) parameters.
// NOTE(review): Client.Init also takes a secretShares argument, but this struct
// carries only the threshold — confirm how the share count reaches Vault.
type InitRequest struct {
	// SecretThreshold is the number of key shares required to unseal.
	SecretThreshold int `json:"secret_threshold"`
}
InitRequest contains a Vault init request regarding the Shamir Secret Sharing (SSS) parameters
type ListAuthMethodsResponse ¶
ListAuthMethodsResponse is used to look up the accessor ID of an auth method
type ListNamedKeysResponse ¶
// ListNamedKeysResponse is the response to LIST /v1/identity/oidc/key.
type ListNamedKeysResponse struct {
	// Data wraps the list; Keys holds the named key names.
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}
ListNamedKeysResponse is the response to LIST /v1/identity/oidc/key
type ListSecretEnginesResponse ¶
// ListSecretEnginesResponse is the response to GET /v1/sys/mounts (and /v1/sys/auth).
type ListSecretEnginesResponse struct {
	// Data maps each mount (presumably keyed by mount path — confirm) to its
	// engine or auth method type.
	Data map[string]struct {
		Type string `json:"type"`
	} `json:"data"`
}
ListSecretEnginesResponse is the response to GET /v1/sys/mounts (and /v1/sys/auth)
type ListTokenAccessorsResponse ¶
// ListTokenAccessorsResponse is the response to the list accessors API
// (ListAccessorsAPI).
type ListTokenAccessorsResponse struct {
	// Data wraps the list; Keys holds the token accessors.
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}
ListTokenAccessorsResponse is the response to the list accessors API
type LookupAccessorRequest ¶
// LookupAccessorRequest is the request body for the accessor lookup API
// (LookupAccessorAPI).
type LookupAccessorRequest struct {
	// Accessor is the token accessor to look up.
	Accessor string `json:"accessor"`
}
LookupAccessorRequest is used by accessor lookup API
type ReadEntityByNameResponse ¶
// ReadEntityByNameResponse is the response to get entity by name.
type ReadEntityByNameResponse struct {
	// Data holds the entity identifier (see JsonID).
	Data JsonID `json:"data"`
}
ReadEntityByNameResponse is the response to get entity by name
type RequestArgs ¶
// RequestArgs is the parameter structure for the client's internal request method.
type RequestArgs struct {
	// Authentication token. Presumably sent in the AuthTypeHeader header — confirm.
	// This is credential material: keep it out of OperationDescription and log output.
	AuthToken string
	// HTTP method
	Method string
	// URL path
	Path string
	// If non-nil, passed to JSON serializer and included in request
	JSONObject interface{}
	// Included in HTTP request if JSONObject is nil
	BodyReader io.Reader
	// Description of the operation being performed included in log messages
	OperationDescription string
	// Expected status code to be returned from HTTP request
	ExpectedStatusCode int
	// If non-nil and request succeeded, response body will be serialized here (must be a pointer)
	ResponseObject interface{}
}
RequestArgs is the parameter structure for the client's request method.
type RevokeTokenAccessorRequest ¶
// RevokeTokenAccessorRequest is the request body for the revoke token by
// accessor API (RevokeAccessorAPI).
type RevokeTokenAccessorRequest struct {
	// Accessor is the accessor of the token to revoke.
	Accessor string `json:"accessor"`
}
RevokeTokenAccessorRequest is the input to the revoke token by accessor API
type RootTokenControlResponse ¶
// RootTokenControlResponse is the response to /v1/sys/generate-root/attempt.
type RootTokenControlResponse struct {
	// Complete reports whether the root generation attempt has finished.
	Complete bool `json:"complete"`
	// Nonce identifies this generation attempt in subsequent update calls.
	Nonce string `json:"nonce"`
	// Otp is the one-time password used to decode the encoded root token
	// returned by the update call; together they yield a root token, so
	// treat it as a secret.
	Otp string `json:"otp"`
}
RootTokenControlResponse is the response to /v1/sys/generate-root/attempt
type RootTokenRetrievalRequest ¶
RootTokenRetrievalRequest is the request to /v1/sys/generate-root/update
type RootTokenRetrievalResponse ¶
// RootTokenRetrievalResponse is the response to /v1/sys/generate-root/update.
type RootTokenRetrievalResponse struct {
	// Complete reports whether enough unseal keys have been provided.
	Complete bool `json:"complete"`
	// EncodedToken is the root token encoded with the OTP from the attempt
	// call; it is only populated once Complete is true. Handle as a secret.
	EncodedToken string `json:"encoded_token"`
}
RootTokenRetrievalResponse is the response to /v1/sys/generate-root/update
type SecretsEngineConfig ¶
// SecretsEngineConfig is the mount configuration sent to /v1/sys/mounts.
type SecretsEngineConfig struct {
	// DefaultLeaseTTLDuration is serialized as "default_lease_ttl"
	// (presumably the defaultLeaseTTL argument of EnableConsulSecretEngine — confirm).
	DefaultLeaseTTLDuration string `json:"default_lease_ttl"`
}
SecretsEngineConfig is config for /v1/sys/mounts
type TokenLookupResponse ¶
// TokenLookupResponse is the response body of a token lookup
// (presumably LookupSelfAPI / LookupAccessorAPI — confirm).
type TokenLookupResponse struct {
	// Data carries the token metadata; no json tag, so the field name is
	// matched case-insensitively against "data".
	Data types.TokenMetadata
}
type UnsealRequest ¶
UnsealRequest contains a Vault unseal request
type UnsealResponse ¶
// UnsealResponse contains a Vault unseal response.
type UnsealResponse struct {
	// Sealed reports whether Vault is still sealed after this key was applied.
	Sealed bool `json:"sealed"`
	// T is the number of key shares required to unseal (the threshold).
	T int `json:"t"`
	// N is the total number of key shares.
	N int `json:"n"`
	// Progress is the number of key shares supplied so far.
	Progress int `json:"progress"`
}
UnsealResponse contains a Vault unseal response