api

package
v0.8.0-beta1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 25, 2017 License: MPL-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// SSHHelperDefaultMountPoint is the default path at which SSH backend will be
	// mounted in the Vault server.
	SSHHelperDefaultMountPoint = "ssh"

	// VerifyEchoRequest is the echo request message sent as OTP by the helper.
	VerifyEchoRequest = "verify-echo-request"

	// VerifyEchoResponse is the echo response message sent as a response to OTP
	// matching echo request.
	VerifyEchoResponse = "verify-echo-response"
)
View Source
const EnvVaultAddress = "VAULT_ADDR"
View Source
const EnvVaultCACert = "VAULT_CACERT"
View Source
const EnvVaultCAPath = "VAULT_CAPATH"
View Source
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
View Source
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
View Source
const EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
View Source
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
View Source
const EnvVaultMaxRetries = "VAULT_MAX_RETRIES"
View Source
const EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
View Source
const EnvVaultToken = "VAULT_TOKEN"
View Source
const EnvVaultWrapTTL = "VAULT_WRAP_TTL"

Variables

View Source
var (
	// The default TTL that will be used with `sys/wrapping/wrap`, can be
	// changed
	DefaultWrappingTTL = "5m"

	// The default function used if no other function is set, which honors the
	// env var and wraps `sys/wrapping/wrap`
	DefaultWrappingLookupFunc = func(operation, path string) string {
		if os.Getenv(EnvVaultWrapTTL) != "" {
			return os.Getenv(EnvVaultWrapTTL)
		}

		if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" {
			return DefaultWrappingTTL
		}

		return ""
	}
)
View Source
var (
	ErrRenewerMissingInput  = errors.New("missing input to renewer")
	ErrRenewerMissingSecret = errors.New("missing secret to renew")
	ErrRenewerNotRenewable  = errors.New("secret is not renewable")
	ErrRenewerNoSecretData  = errors.New("returned empty secret data")

	// DefaultRenewerGrace is the default grace period
	DefaultRenewerGrace = 15 * time.Second

	// DefaultRenewerRenewBuffer is the default size of the buffer for renew
	// messages on the channel.
	DefaultRenewerRenewBuffer = 5
)

Functions

This section is empty.

Types

type Audit

type Audit struct {
	Path        string
	Type        string
	Description string
	Options     map[string]string
	Local       bool
}

type Auth

type Auth struct {
	// contains filtered or unexported fields
}

Auth is used to perform credential backend related operations.

func (*Auth) Token

func (a *Auth) Token() *TokenAuth

Token is used to return the client for token-backend API calls

type AuthConfigOutput added in v0.6.1

type AuthConfigOutput struct {
	DefaultLeaseTTL int    `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL     int    `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	PluginName      string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type AuthMount

type AuthMount struct {
	Type        string           `json:"type" structs:"type" mapstructure:"type"`
	Description string           `json:"description" structs:"description" mapstructure:"description"`
	Accessor    string           `json:"accessor" structs:"accessor" mapstructure:"accessor"`
	Config      AuthConfigOutput `json:"config" structs:"config" mapstructure:"config"`
	Local       bool             `json:"local" structs:"local" mapstructure:"local"`
}

type CORSRequest added in v0.8.0

type CORSRequest struct {
	AllowedOrigins string `json:"allowed_origins"`
	Enabled        bool   `json:"enabled"`
}

type CORSResponse added in v0.8.0

type CORSResponse struct {
	AllowedOrigins string `json:"allowed_origins"`
	Enabled        bool   `json:"enabled"`
}

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is the client to the Vault API. Create a client with NewClient.

func NewClient

func NewClient(c *Config) (*Client, error)

NewClient returns a new client for the given configuration.

If the environment variable `VAULT_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.

func (*Client) Address added in v0.6.3

func (c *Client) Address() string

Address returns the Vault URL the client is configured to connect to

func (*Client) Auth

func (c *Client) Auth() *Auth

Auth is used to return the client for credential-backend API calls.

func (*Client) ClearToken

func (c *Client) ClearToken()

ClearToken deletes the token if it is set or does nothing otherwise.

func (*Client) Clone added in v0.8.0

func (c *Client) Clone() (*Client, error)

Clone creates a copy of this client.

func (*Client) Help

func (c *Client) Help(path string) (*Help, error)

Help reads the help information for the given path.

func (*Client) Logical

func (c *Client) Logical() *Logical

Logical is used to return the client for logical-backend API calls.

func (*Client) NewRenewer added in v0.8.0

func (c *Client) NewRenewer(i *RenewerInput) (*Renewer, error)

NewRenewer creates a new renewer from the given input.

func (*Client) NewRequest

func (c *Client) NewRequest(method, requestPath string) *Request

NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.

func (*Client) RawRequest

func (c *Client) RawRequest(r *Request) (*Response, error)

RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.

func (*Client) SSH added in v0.3.0

func (c *Client) SSH() *SSH

SSH returns the client for logical-backend API calls.

func (*Client) SSHHelper added in v0.5.1

func (c *Client) SSHHelper() *SSHHelper

SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend mounted at default path ("ssh").

func (*Client) SSHHelperWithMountPoint added in v0.5.1

func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper

SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend mounted at a specific mount point.

func (*Client) SSHWithMountPoint added in v0.3.0

func (c *Client) SSHWithMountPoint(mountPoint string) *SSH

SSHWithMountPoint returns the client with specific SSH mount point.

func (*Client) SetAddress added in v0.6.1

func (c *Client) SetAddress(addr string) error

Sets the address of Vault in the client. The format of address should be "<Scheme>://<Host>:<Port>". Setting this on a client will override the value of VAULT_ADDR environment variable.

func (*Client) SetClientTimeout added in v0.8.0

func (c *Client) SetClientTimeout(timeout time.Duration)

SetClientTimeout sets the client request timeout

func (*Client) SetMaxRetries added in v0.7.0

func (c *Client) SetMaxRetries(retries int)

SetMaxRetries sets the number of retries that will be used in the case of certain errors

func (*Client) SetToken

func (c *Client) SetToken(v string)

SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.

func (*Client) SetWrappingLookupFunc added in v0.6.0

func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc)

SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs for a given operation and path

func (*Client) Sys

func (c *Client) Sys() *Sys

Sys is used to return the client for sys-related API calls.

func (*Client) Token

func (c *Client) Token() string

Token returns the access token being used by this client. It will return the empty string if there is no token set.

type Config

type Config struct {
	// Address is the address of the Vault server. This should be a complete
	// URL such as "http://vault.example.com". If you need a custom SSL
	// cert or want to enable insecure mode, you need to specify a custom
	// HttpClient.
	Address string

	// HttpClient is the HTTP client to use, which will currently always have the
	// same values as http.DefaultClient. This is used to control redirect behavior.
	HttpClient *http.Client

	// MaxRetries controls the maximum number of times to retry when a 5xx error
	// occurs. Set to 0 or less to disable retrying. Defaults to 0.
	MaxRetries int

	// Timeout is for setting custom timeout parameter in the HttpClient
	Timeout time.Duration
	// contains filtered or unexported fields
}

Config is used to configure the creation of the client.

func DefaultConfig

func DefaultConfig() *Config

DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.

The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.

func (*Config) ConfigureTLS added in v0.6.1

func (c *Config) ConfigureTLS(t *TLSConfig) error

ConfigureTLS takes a set of TLS configurations and applies those to the the HTTP client.

func (*Config) ReadEnvironment added in v0.4.0

func (c *Config) ReadEnvironment() error

ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.

type EnableAuditOptions added in v0.7.0

type EnableAuditOptions struct {
	Type        string            `json:"type" structs:"type"`
	Description string            `json:"description" structs:"description"`
	Options     map[string]string `json:"options" structs:"options"`
	Local       bool              `json:"local" structs:"local"`
}

type EnableAuthOptions added in v0.7.0

type EnableAuthOptions struct {
	Type        string `json:"type" structs:"type"`
	Description string `json:"description" structs:"description"`
	Local       bool   `json:"local" structs:"local"`
	PluginName  string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type ErrorResponse

type ErrorResponse struct {
	Errors []string
}

ErrorResponse is the raw structure of errors when they're returned by the HTTP API.

type GenerateRootStatusResponse added in v0.5.0

type GenerateRootStatusResponse struct {
	Nonce            string
	Started          bool
	Progress         int
	Required         int
	Complete         bool
	EncodedRootToken string `json:"encoded_root_token"`
	PGPFingerprint   string `json:"pgp_fingerprint"`
}

type HealthResponse added in v0.7.3

type HealthResponse struct {
	Initialized   bool   `json:"initialized"`
	Sealed        bool   `json:"sealed"`
	Standby       bool   `json:"standby"`
	ServerTimeUTC int64  `json:"server_time_utc"`
	Version       string `json:"version"`
	ClusterName   string `json:"cluster_name,omitempty"`
	ClusterID     string `json:"cluster_id,omitempty"`
}

type Help

type Help struct {
	Help    string   `json:"help"`
	SeeAlso []string `json:"see_also"`
}

type InitRequest

type InitRequest struct {
	SecretShares      int      `json:"secret_shares"`
	SecretThreshold   int      `json:"secret_threshold"`
	StoredShares      int      `json:"stored_shares"`
	PGPKeys           []string `json:"pgp_keys"`
	RecoveryShares    int      `json:"recovery_shares"`
	RecoveryThreshold int      `json:"recovery_threshold"`
	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
}

type InitResponse

type InitResponse struct {
	Keys            []string `json:"keys"`
	KeysB64         []string `json:"keys_base64"`
	RecoveryKeys    []string `json:"recovery_keys"`
	RecoveryKeysB64 []string `json:"recovery_keys_base64"`
	RootToken       string   `json:"root_token"`
}

type InitStatusResponse

type InitStatusResponse struct {
	Initialized bool
}

type KeyStatus added in v0.2.0

type KeyStatus struct {
	Term        int       `json:"term"`
	InstallTime time.Time `json:"install_time"`
}

type LeaderResponse

type LeaderResponse struct {
	HAEnabled     bool   `json:"ha_enabled"`
	IsSelf        bool   `json:"is_self"`
	LeaderAddress string `json:"leader_address"`
}

type Logical

type Logical struct {
	// contains filtered or unexported fields
}

Logical is used to perform logical backend operations on Vault.

func (*Logical) Delete

func (c *Logical) Delete(path string) (*Secret, error)

func (*Logical) List added in v0.5.0

func (c *Logical) List(path string) (*Secret, error)

func (*Logical) Read

func (c *Logical) Read(path string) (*Secret, error)

func (*Logical) Unwrap added in v0.6.0

func (c *Logical) Unwrap(wrappingToken string) (*Secret, error)

func (*Logical) Write

func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error)

type MountConfigInput added in v0.3.0

type MountConfigInput struct {
	DefaultLeaseTTL string `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL     string `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	ForceNoCache    bool   `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"`
	PluginName      string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type MountConfigOutput added in v0.3.0

type MountConfigOutput struct {
	DefaultLeaseTTL int    `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL     int    `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	ForceNoCache    bool   `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"`
	PluginName      string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
}

type MountInput added in v0.3.0

type MountInput struct {
	Type        string           `json:"type" structs:"type"`
	Description string           `json:"description" structs:"description"`
	Config      MountConfigInput `json:"config" structs:"config"`
	Local       bool             `json:"local" structs:"local"`
}

type MountOutput added in v0.3.0

type MountOutput struct {
	Type        string            `json:"type" structs:"type"`
	Description string            `json:"description" structs:"description"`
	Accessor    string            `json:"accessor" structs:"accessor"`
	Config      MountConfigOutput `json:"config" structs:"config"`
	Local       bool              `json:"local" structs:"local"`
}

type RekeyInitRequest added in v0.2.0

type RekeyInitRequest struct {
	SecretShares    int      `json:"secret_shares"`
	SecretThreshold int      `json:"secret_threshold"`
	PGPKeys         []string `json:"pgp_keys"`
	Backup          bool
}

type RekeyRetrieveResponse added in v0.5.0

type RekeyRetrieveResponse struct {
	Nonce   string
	Keys    map[string][]string
	KeysB64 map[string][]string `json:"keys_base64"`
}

type RekeyStatusResponse added in v0.2.0

type RekeyStatusResponse struct {
	Nonce           string
	Started         bool
	T               int
	N               int
	Progress        int
	Required        int
	PGPFingerprints []string `json:"pgp_fingerprints"`
	Backup          bool
}

type RekeyUpdateResponse added in v0.2.0

type RekeyUpdateResponse struct {
	Nonce           string
	Complete        bool
	Keys            []string
	KeysB64         []string `json:"keys_base64"`
	PGPFingerprints []string `json:"pgp_fingerprints"`
	Backup          bool
}

type RenewOutput added in v0.8.0

type RenewOutput struct {
	// RenewedAt is the timestamp when the renewal took place (UTC).
	RenewedAt time.Time

	// Secret is the underlying renewal data. It's the same struct as all data
	// that is returned from Vault, but since this is renewal data, it will not
	// usually include the secret itself.
	Secret *Secret
}

RenewOutput is the metadata returned to the client (if it's listening) to renew messages.

type Renewer added in v0.8.0

type Renewer struct {
	// contains filtered or unexported fields
}

Renewer is a process for renewing a secret.

renewer, err := client.NewRenewer(&RenewerInput{
	Secret: mySecret,
})
go renewer.Renew()
defer renewer.Stop()

for {
	select {
	case err := <-renewer.DoneCh():
		if err != nil {
			log.Fatal(err)
		}

		// Renewal is now over
	case renewal := <-renewer.RenewCh():
		log.Printf("Successfully renewed: %#v", renewal)
	}
}

The `DoneCh` will return if renewal fails or if the remaining lease duration after a renewal is less than or equal to the grace (in number of seconds). In both cases, the caller should attempt a re-read of the secret. Clients should check the return value of the channel to see if renewal was successful.

func (*Renewer) DoneCh added in v0.8.0

func (r *Renewer) DoneCh() <-chan error

DoneCh returns the channel where the renewer will publish when renewal stops. If there is an error, this will be an error.

func (*Renewer) Renew added in v0.8.0

func (r *Renewer) Renew()

Renew starts a background process for renewing this secret. When the secret is has auth data, this attempts to renew the auth (token). When the secret has a lease, this attempts to renew the lease.

func (*Renewer) RenewCh added in v0.8.0

func (r *Renewer) RenewCh() <-chan *RenewOutput

RenewCh is a channel that receives a message when a successful renewal takes place and includes metadata about the renewal.

func (*Renewer) Stop added in v0.8.0

func (r *Renewer) Stop()

Stop stops the renewer.

type RenewerInput added in v0.8.0

type RenewerInput struct {
	// Secret is the secret to renew
	Secret *Secret

	// Grace is a minimum renewal before returning so the upstream client
	// can do a re-read. This can be used to prevent clients from waiting
	// too long to read a new credential and incur downtime.
	Grace time.Duration

	// Rand is the randomizer to use for underlying randomization. If not
	// provided, one will be generated and seeded automatically. If provided, it
	// is assumed to have already been seeded.
	Rand *rand.Rand

	// RenewBuffer is the size of the buffered channel where renew messages are
	// dispatched.
	RenewBuffer int
}

RenewerInput is used as input to the renew function.

type Request

type Request struct {
	Method      string
	URL         *url.URL
	Params      url.Values
	Headers     http.Header
	ClientToken string
	WrapTTL     string
	Obj         interface{}
	Body        io.Reader
	BodySize    int64
}

Request is a raw request configuration structure used to initiate API requests to the Vault server.

func (*Request) ResetJSONBody

func (r *Request) ResetJSONBody() error

ResetJSONBody is used to reset the body for a redirect

func (*Request) SetJSONBody

func (r *Request) SetJSONBody(val interface{}) error

SetJSONBody is used to set a request body that is a JSON-encoded value.

func (*Request) ToHTTP

func (r *Request) ToHTTP() (*http.Request, error)

ToHTTP turns this request into a valid *http.Request for use with the net/http package.

type Response

type Response struct {
	*http.Response
}

Response is a raw response that wraps an HTTP response.

func (*Response) DecodeJSON

func (r *Response) DecodeJSON(out interface{}) error

DecodeJSON will decode the response body to a JSON structure. This will consume the response body, but will not close it. Close must still be called.

func (*Response) Error

func (r *Response) Error() error

Error returns an error response if there is one. If there is an error, this will fully consume the response body, but will not close it. The body must still be closed manually.

type SSH added in v0.3.0

type SSH struct {
	MountPoint string
	// contains filtered or unexported fields
}

SSH is used to return a client to invoke operations on SSH backend.

func (*SSH) Credential added in v0.3.0

func (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error)

Credential invokes the SSH backend API to create a credential to establish an SSH session.

type SSHHelper added in v0.5.1

type SSHHelper struct {
	MountPoint string
	// contains filtered or unexported fields
}

SSHHelper is a structure representing a vault-ssh-helper which can talk to vault server in order to verify the OTP entered by the user. It contains the path at which SSH backend is mounted at the server.

func (*SSHHelper) Verify added in v0.5.1

func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error)

Verify verifies if the key provided by user is present in Vault server. The response will contain the IP address and username associated with the OTP. In case the OTP matches the echo request message, instead of searching an entry for the OTP, an echo response message is returned. This feature is used by ssh-helper to verify if its configured correctly.

type SSHHelperConfig added in v0.5.1

type SSHHelperConfig struct {
	VaultAddr       string `hcl:"vault_addr"`
	SSHMountPoint   string `hcl:"ssh_mount_point"`
	CACert          string `hcl:"ca_cert"`
	CAPath          string `hcl:"ca_path"`
	AllowedCidrList string `hcl:"allowed_cidr_list"`
	AllowedRoles    string `hcl:"allowed_roles"`
	TLSSkipVerify   bool   `hcl:"tls_skip_verify"`
	TLSServerName   string `hcl:"tls_server_name"`
}

SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.

func LoadSSHHelperConfig added in v0.5.1

func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error)

LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding in-memory structure.

Vault address is a required parameter. Mount point defaults to "ssh".

func ParseSSHHelperConfig added in v0.5.2

func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error)

ParseSSHHelperConfig parses the given contents as a string for the SSHHelper configuration.

func (*SSHHelperConfig) NewClient added in v0.5.1

func (c *SSHHelperConfig) NewClient() (*Client, error)

NewClient returns a new client for the configuration. This client will be used by the vault-ssh-helper to communicate with Vault server and verify the OTP entered by user. If the configuration supplies Vault SSL certificates, then the client will have TLS configured in its transport.

func (*SSHHelperConfig) SetTLSParameters added in v0.5.1

func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool)

SetTLSParameters sets the TLS parameters for this SSH agent.

type SSHVerifyResponse added in v0.3.0

type SSHVerifyResponse struct {
	// Usually empty. If the request OTP is echo request message, this will
	// be set to the corresponding echo response message.
	Message string `json:"message" structs:"message" mapstructure:"message"`

	// Username associated with the OTP
	Username string `json:"username" structs:"username" mapstructure:"username"`

	// IP associated with the OTP
	IP string `json:"ip" structs:"ip" mapstructure:"ip"`

	// Name of the role against which the OTP was issued
	RoleName string `json:"role_name" structs:"role_name" mapstructure:"role_name"`
}

SSHVerifyResponse is a structure representing the fields in Vault server's response.

type SealStatusResponse

type SealStatusResponse struct {
	Sealed      bool   `json:"sealed"`
	T           int    `json:"t"`
	N           int    `json:"n"`
	Progress    int    `json:"progress"`
	Nonce       string `json:"nonce"`
	Version     string `json:"version"`
	ClusterName string `json:"cluster_name,omitempty"`
	ClusterID   string `json:"cluster_id,omitempty"`
}

type Secret

type Secret struct {
	// The request ID that generated this response
	RequestID string `json:"request_id"`

	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`

	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data map[string]interface{} `json:"data"`

	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`

	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`

	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

Secret is the structure returned for every secret within Vault.

func ParseSecret

func ParseSecret(r io.Reader) (*Secret, error)

ParseSecret is used to parse a secret value from JSON from an io.Reader.

type SecretAuth

type SecretAuth struct {
	ClientToken string            `json:"client_token"`
	Accessor    string            `json:"accessor"`
	Policies    []string          `json:"policies"`
	Metadata    map[string]string `json:"metadata"`

	LeaseDuration int  `json:"lease_duration"`
	Renewable     bool `json:"renewable"`
}

SecretAuth is the structure containing auth information if we have it.

type SecretWrapInfo added in v0.6.0

type SecretWrapInfo struct {
	Token           string    `json:"token"`
	TTL             int       `json:"ttl"`
	CreationTime    time.Time `json:"creation_time"`
	WrappedAccessor string    `json:"wrapped_accessor"`
}

SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.

type Sys

type Sys struct {
	// contains filtered or unexported fields
}

Sys is used to perform system-related operations on Vault.

func (*Sys) AuditHash added in v0.4.0

func (c *Sys) AuditHash(path string, input string) (string, error)

func (*Sys) CORSStatus added in v0.8.0

func (c *Sys) CORSStatus() (*CORSResponse, error)

func (*Sys) Capabilities added in v0.5.2

func (c *Sys) Capabilities(token, path string) ([]string, error)

func (*Sys) CapabilitiesSelf added in v0.5.2

func (c *Sys) CapabilitiesSelf(path string) ([]string, error)

func (*Sys) ConfigureCORS added in v0.8.0

func (c *Sys) ConfigureCORS(req *CORSRequest) (*CORSResponse, error)

func (*Sys) DeletePolicy

func (c *Sys) DeletePolicy(name string) error

func (*Sys) DisableAudit

func (c *Sys) DisableAudit(path string) error

func (*Sys) DisableAuth

func (c *Sys) DisableAuth(path string) error

func (*Sys) DisableCORS added in v0.8.0

func (c *Sys) DisableCORS() (*CORSResponse, error)

func (*Sys) EnableAudit

func (c *Sys) EnableAudit(
	path string, auditType string, desc string, opts map[string]string) error

DEPRECATED: Use EnableAuditWithOptions instead

func (*Sys) EnableAuditWithOptions added in v0.7.0

func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) error

func (*Sys) EnableAuth

func (c *Sys) EnableAuth(path, authType, desc string) error

DEPRECATED: Use EnableAuthWithOptions instead

func (*Sys) EnableAuthWithOptions added in v0.7.0

func (c *Sys) EnableAuthWithOptions(path string, options *EnableAuthOptions) error

func (*Sys) GenerateRootCancel added in v0.5.0

func (c *Sys) GenerateRootCancel() error

func (*Sys) GenerateRootInit added in v0.5.0

func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootStatus added in v0.5.0

func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootUpdate added in v0.5.0

func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GetPolicy

func (c *Sys) GetPolicy(name string) (string, error)

func (*Sys) Health added in v0.7.3

func (c *Sys) Health() (*HealthResponse, error)

func (*Sys) Init

func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)

func (*Sys) InitStatus

func (c *Sys) InitStatus() (bool, error)

func (*Sys) KeyStatus added in v0.2.0

func (c *Sys) KeyStatus() (*KeyStatus, error)

func (*Sys) Leader

func (c *Sys) Leader() (*LeaderResponse, error)

func (*Sys) ListAudit

func (c *Sys) ListAudit() (map[string]*Audit, error)

func (*Sys) ListAuth

func (c *Sys) ListAuth() (map[string]*AuthMount, error)

func (*Sys) ListMounts

func (c *Sys) ListMounts() (map[string]*MountOutput, error)

func (*Sys) ListPolicies

func (c *Sys) ListPolicies() ([]string, error)

func (*Sys) Mount

func (c *Sys) Mount(path string, mountInfo *MountInput) error

func (*Sys) MountConfig added in v0.3.0

func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)

func (*Sys) PutPolicy

func (c *Sys) PutPolicy(name, rules string) error

func (*Sys) RekeyCancel added in v0.2.0

func (c *Sys) RekeyCancel() error

func (*Sys) RekeyDeleteBackup added in v0.5.0

func (c *Sys) RekeyDeleteBackup() error

func (*Sys) RekeyDeleteRecoveryBackup added in v0.6.0

func (c *Sys) RekeyDeleteRecoveryBackup() error

func (*Sys) RekeyInit added in v0.2.0

func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyCancel added in v0.6.0

func (c *Sys) RekeyRecoveryKeyCancel() error

func (*Sys) RekeyRecoveryKeyInit added in v0.6.0

func (c *Sys) RekeyRecoveryKeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyStatus added in v0.6.0

func (c *Sys) RekeyRecoveryKeyStatus() (*RekeyStatusResponse, error)

func (*Sys) RekeyRecoveryKeyUpdate added in v0.6.0

func (c *Sys) RekeyRecoveryKeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) RekeyRetrieveBackup added in v0.5.0

func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)

func (*Sys) RekeyRetrieveRecoveryBackup added in v0.6.0

func (c *Sys) RekeyRetrieveRecoveryBackup() (*RekeyRetrieveResponse, error)

func (*Sys) RekeyStatus added in v0.2.0

func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)

func (*Sys) RekeyUpdate added in v0.2.0

func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) Remount

func (c *Sys) Remount(from, to string) error

func (*Sys) Renew

func (c *Sys) Renew(id string, increment int) (*Secret, error)

func (*Sys) ResetUnsealProcess added in v0.4.0

func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)

func (*Sys) Revoke

func (c *Sys) Revoke(id string) error

func (*Sys) RevokeForce added in v0.5.2

func (c *Sys) RevokeForce(id string) error

func (*Sys) RevokePrefix

func (c *Sys) RevokePrefix(id string) error

func (*Sys) Rotate added in v0.2.0

func (c *Sys) Rotate() error

func (*Sys) Seal

func (c *Sys) Seal() error

func (*Sys) SealStatus

func (c *Sys) SealStatus() (*SealStatusResponse, error)

func (*Sys) StepDown added in v0.5.2

func (c *Sys) StepDown() error

func (*Sys) TuneMount added in v0.3.0

func (c *Sys) TuneMount(path string, config MountConfigInput) error

func (*Sys) Unmount

func (c *Sys) Unmount(path string) error

func (*Sys) Unseal

func (c *Sys) Unseal(shard string) (*SealStatusResponse, error)

type TLSConfig added in v0.6.1

type TLSConfig struct {
	// CACert is the path to a PEM-encoded CA cert file to use to verify the
	// Vault server SSL certificate.
	CACert string

	// CAPath is the path to a directory of PEM-encoded CA cert files to verify
	// the Vault server SSL certificate.
	CAPath string

	// ClientCert is the path to the certificate for Vault communication
	ClientCert string

	// ClientKey is the path to the private key for Vault communication
	ClientKey string

	// TLSServerName, if set, is used to set the SNI host when connecting via
	// TLS.
	TLSServerName string

	// Insecure enables or disables SSL verification
	Insecure bool
}

TLSConfig contains the parameters needed to configure TLS on the HTTP client used to communicate with Vault.

type TokenAuth

type TokenAuth struct {
	// contains filtered or unexported fields
}

TokenAuth is used to perform token backend operations on Vault

func (*TokenAuth) Create

func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateOrphan added in v0.6.2

func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) CreateWithRole added in v0.5.2

func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error)

func (*TokenAuth) Lookup added in v0.5.0

func (c *TokenAuth) Lookup(token string) (*Secret, error)

func (*TokenAuth) LookupAccessor added in v0.5.2

func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error)

func (*TokenAuth) LookupSelf added in v0.4.0

func (c *TokenAuth) LookupSelf() (*Secret, error)

func (*TokenAuth) Renew

func (c *TokenAuth) Renew(token string, increment int) (*Secret, error)

func (*TokenAuth) RenewSelf added in v0.4.0

func (c *TokenAuth) RenewSelf(increment int) (*Secret, error)

func (*TokenAuth) RenewTokenAsSelf added in v0.8.0

func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error)

RenewTokenAsSelf behaves like renew-self, but authenticates using a provided token instead of the token attached to the client.

func (*TokenAuth) RevokeAccessor added in v0.5.2

func (c *TokenAuth) RevokeAccessor(accessor string) error

RevokeAccessor revokes a token associated with the given accessor along with all the child tokens.

func (*TokenAuth) RevokeOrphan

func (c *TokenAuth) RevokeOrphan(token string) error

RevokeOrphan revokes a token without revoking the tree underneath it (so child tokens are orphaned rather than revoked)

func (*TokenAuth) RevokeSelf added in v0.4.0

func (c *TokenAuth) RevokeSelf(token string) error

RevokeSelf revokes the token making the call. The `token` parameter is kept for backwards compatibility but is ignored; only the client's set token has an effect.

func (*TokenAuth) RevokeTree

func (c *TokenAuth) RevokeTree(token string) error

RevokeTree is the "normal" revoke operation that revokes the given token and the entire tree underneath -- all of its child tokens, their child tokens, etc.

type TokenCreateRequest

type TokenCreateRequest struct {
	ID              string            `json:"id,omitempty"`
	Policies        []string          `json:"policies,omitempty"`
	Metadata        map[string]string `json:"meta,omitempty"`
	Lease           string            `json:"lease,omitempty"`
	TTL             string            `json:"ttl,omitempty"`
	ExplicitMaxTTL  string            `json:"explicit_max_ttl,omitempty"`
	Period          string            `json:"period,omitempty"`
	NoParent        bool              `json:"no_parent,omitempty"`
	NoDefaultPolicy bool              `json:"no_default_policy,omitempty"`
	DisplayName     string            `json:"display_name"`
	NumUses         int               `json:"num_uses"`
	Renewable       *bool             `json:"renewable,omitempty"`
}

TokenCreateRequest is the options structure for creating a token.

type WrappingLookupFunc added in v0.6.0

type WrappingLookupFunc func(operation, path string) string

WrappingLookupFunc is a function that, given an HTTP verb and a path, returns an optional string duration to be used for response wrapping (e.g. "15s", or simply "15"). The path will not begin with "/v1/" or "v1/" or "/", however, end-of-path forward slashes are not trimmed, so must match your called path precisely.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL