Documentation ¶
Index ¶
- Constants
- func LoadCACert(path string) (*x509.CertPool, error)
- func LoadCAPath(path string) (*x509.CertPool, error)
- type Audit
- type Auth
- type AuthMount
- type Client
- func (c *Client) Auth() *Auth
- func (c *Client) ClearToken()
- func (c *Client) Help(path string) (*Help, error)
- func (c *Client) Logical() *Logical
- func (c *Client) NewRequest(method, path string) *Request
- func (c *Client) RawRequest(r *Request) (*Response, error)
- func (c *Client) SSH() *SSH
- func (c *Client) SSHAgent() *SSHAgent
- func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent
- func (c *Client) SSHWithMountPoint(mountPoint string) *SSH
- func (c *Client) SetToken(v string)
- func (c *Client) Sys() *Sys
- func (c *Client) Token() string
- type Config
- type ErrorResponse
- type GenerateRootStatusResponse
- type Help
- type InitRequest
- type InitResponse
- type InitStatusResponse
- type KeyStatus
- type LeaderResponse
- type Logical
- type MountConfigInput
- type MountConfigOutput
- type MountInput
- type MountOutput
- type RekeyInitRequest
- type RekeyRetrieveResponse
- type RekeyStatusResponse
- type RekeyUpdateResponse
- type Request
- type Response
- type SSH
- type SSHAgent
- type SSHAgentConfig
- type SSHVerifyResponse
- type SealStatusResponse
- type Secret
- type SecretAuth
- type Sys
- func (c *Sys) AuditHash(path string, input string) (string, error)
- func (c *Sys) DeletePolicy(name string) error
- func (c *Sys) DisableAudit(path string) error
- func (c *Sys) DisableAuth(path string) error
- func (c *Sys) EnableAudit(path string, auditType string, desc string, opts map[string]string) error
- func (c *Sys) EnableAuth(path, authType, desc string) error
- func (c *Sys) GenerateRootCancel() error
- func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)
- func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
- func (c *Sys) GetPolicy(name string) (string, error)
- func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)
- func (c *Sys) InitStatus() (bool, error)
- func (c *Sys) KeyStatus() (*KeyStatus, error)
- func (c *Sys) Leader() (*LeaderResponse, error)
- func (c *Sys) ListAudit() (map[string]*Audit, error)
- func (c *Sys) ListAuth() (map[string]*AuthMount, error)
- func (c *Sys) ListMounts() (map[string]*MountOutput, error)
- func (c *Sys) ListPolicies() ([]string, error)
- func (c *Sys) Mount(path string, mountInfo *MountInput) error
- func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)
- func (c *Sys) PutPolicy(name, rules string) error
- func (c *Sys) RekeyCancel() error
- func (c *Sys) RekeyDeleteBackup() error
- func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
- func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)
- func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)
- func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
- func (c *Sys) Remount(from, to string) error
- func (c *Sys) Renew(id string, increment int) (*Secret, error)
- func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)
- func (c *Sys) Revoke(id string) error
- func (c *Sys) RevokePrefix(id string) error
- func (c *Sys) Rotate() error
- func (c *Sys) Seal() error
- func (c *Sys) SealStatus() (*SealStatusResponse, error)
- func (c *Sys) TuneMount(path string, config MountConfigInput) error
- func (c *Sys) Unmount(path string) error
- func (c *Sys) Unseal(shard string) (*SealStatusResponse, error)
- type TokenAuth
- func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error)
- func (c *TokenAuth) Lookup(token string) (*Secret, error)
- func (c *TokenAuth) LookupSelf() (*Secret, error)
- func (c *TokenAuth) Renew(token string, increment int) (*Secret, error)
- func (c *TokenAuth) RenewSelf(increment int) (*Secret, error)
- func (c *TokenAuth) RevokeOrphan(token string) error
- func (c *TokenAuth) RevokePrefix(token string) error
- func (c *TokenAuth) RevokeSelf() error
- func (c *TokenAuth) RevokeTree(token string) error
- type TokenCreateRequest
Constants ¶
const (
	// SSHAgentDefaultMountPoint is the default path at which the SSH backend
	// will be mounted in the Vault server. (*Client).SSHAgent uses it;
	// LoadSSHAgentConfig falls back to it when the config omits a mount point.
	SSHAgentDefaultMountPoint = "ssh"

	// VerifyEchoRequest is the echo request message sent as the OTP by the
	// agent. When (*SSHAgent).Verify receives this value it does not look up an
	// OTP entry but answers with VerifyEchoResponse, which lets the agent check
	// its own configuration.
	VerifyEchoRequest = "verify-echo-request"

	// VerifyEchoResponse is the echo response message returned in
	// SSHVerifyResponse.Message when the OTP matched VerifyEchoRequest.
	VerifyEchoResponse = "verify-echo-response"
)
// Environment variables consulted when building a client configuration;
// VAULT_ADDR is documented to override the default Address (see DefaultConfig),
// the others are presumably read by (*Config).ReadEnvironment — confirm.
const EnvVaultAddress = "VAULT_ADDR"

// EnvVaultCACert names a single CA certificate file (cf. LoadCACert).
const EnvVaultCACert = "VAULT_CACERT"

// EnvVaultCAPath names a directory of CA certificates (cf. LoadCAPath).
const EnvVaultCAPath = "VAULT_CAPATH"

// EnvVaultClientCert names the client certificate used for TLS client auth.
const EnvVaultClientCert = "VAULT_CLIENT_CERT"

// EnvVaultClientKey names the private key matching EnvVaultClientCert.
const EnvVaultClientKey = "VAULT_CLIENT_KEY"

// EnvVaultInsecure, per its name, presumably disables verification of the
// server's TLS certificate. Setting it removes the client's ability to
// authenticate the Vault server, so treat it as a development-only switch —
// confirm the exact effect in ReadEnvironment.
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
Variables ¶
This section is empty.
Functions ¶
func LoadCACert ¶
LoadCACert loads the certificate from the given path and creates a certificate pool from it.
Types ¶
type Auth ¶
// Auth is used to perform credential backend related operations.
// Obtain one via (*Client).Auth.
type Auth struct {
	// contains filtered or unexported fields
}
Auth is used to perform credential backend related operations.
type Client ¶
// Client is the client to the Vault API. Create a client with NewClient.
//
// NewClient picks the token up from the VAULT_TOKEN environment variable when
// it is present; otherwise call SetToken before issuing authenticated
// requests. The token is attached to every subsequent request, so it must be
// handled as a credential (never logged).
type Client struct {
	// contains filtered or unexported fields
}
Client is the client to the Vault API. Create a client with NewClient.
func NewClient ¶
NewClient returns a new client for the given configuration.
If the environment variable `VAULT_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.
func (*Client) ClearToken ¶
func (c *Client) ClearToken()
ClearToken deletes the token if it is set or does nothing otherwise.
func (*Client) NewRequest ¶
NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.
func (*Client) RawRequest ¶
RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.
func (*Client) SSHAgent ¶
SSHAgent creates an SSHAgent object which can talk to Vault server with SSH backend mounted at default path ("ssh").
func (*Client) SSHAgentWithMountPoint ¶
SSHAgentWithMountPoint creates an SSHAgent object which can talk to Vault server with SSH backend mounted at a specific mount point.
func (*Client) SSHWithMountPoint ¶
SSHWithMountPoint returns the client with specific SSH mount point.
func (*Client) SetToken ¶
SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.
type Config ¶
// Config is used to configure the creation of the client. DefaultConfig
// returns a usable starting point (Address https://127.0.0.1:8200 unless
// VAULT_ADDR overrides it) and ReadEnvironment fills it from the environment.
type Config struct {
	// Address is the address of the Vault server. This should be a complete
	// URL such as "http://vault.example.com". If you need a custom SSL
	// cert or want to enable insecure mode, you need to specify a custom
	// HttpClient.
	Address string

	// HttpClient is the HTTP client to use, which will currently always have the
	// same values as http.DefaultClient. This is used to control redirect behavior.
	//
	// NOTE(review): http.DefaultClient has no Timeout, so a hung server blocks
	// the caller indefinitely; supply a client with a Timeout when that matters.
	HttpClient *http.Client
	// contains filtered or unexported fields
}
Config is used to configure the creation of the client.
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.
The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.
func (*Config) ReadEnvironment ¶
ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.
type ErrorResponse ¶
// ErrorResponse is the raw structure of errors when they're returned by the
// HTTP API.
type ErrorResponse struct {
	// Errors holds the error messages exactly as the server returned them.
	Errors []string
}
ErrorResponse is the raw structure of errors when they're returned by the HTTP API.
type InitRequest ¶
type InitResponse ¶
type InitStatusResponse ¶
// InitStatusResponse is the raw body of the init-status call. (*Sys).InitStatus
// returns a bare bool, presumably unwrapped from this structure — confirm.
type InitStatusResponse struct {
	// Initialized reports whether the Vault server has been initialized.
	Initialized bool
}
type LeaderResponse ¶
type Logical ¶
// Logical is used to perform logical backend operations on Vault.
// Obtain one via (*Client).Logical.
type Logical struct {
	// contains filtered or unexported fields
}
Logical is used to perform logical backend operations on Vault.
type MountConfigInput ¶
type MountConfigOutput ¶
type MountInput ¶
// MountInput describes a backend to be mounted; it is the payload accepted by
// (*Sys).Mount.
type MountInput struct {
	// Type is the backend type to mount.
	Type string `json:"type" structs:"type"`
	// Description is a free-form description of the mount.
	Description string `json:"description" structs:"description"`
	// Config holds the mount's tunable settings; the same structure is used by
	// (*Sys).TuneMount.
	Config MountConfigInput `json:"config" structs:"config"`
}
type MountOutput ¶
// MountOutput describes an existing mount; (*Sys).ListMounts returns one per
// mounted path.
type MountOutput struct {
	// Type is the backend type of the mount.
	Type string `json:"type" structs:"type"`
	// Description is the description given when the backend was mounted.
	Description string `json:"description" structs:"description"`
	// Config holds the mount's current settings (also obtainable on its own via
	// (*Sys).MountConfig).
	Config MountConfigOutput `json:"config" structs:"config"`
}
type RekeyInitRequest ¶
type RekeyRetrieveResponse ¶
type RekeyStatusResponse ¶
type RekeyUpdateResponse ¶
type Request ¶
// Request is a raw request configuration structure used to initiate API
// requests to the Vault server. Build one with (*Client).NewRequest and send it
// with (*Client).RawRequest.
type Request struct {
	// Method is the HTTP method.
	Method string
	// URL is the fully resolved request URL.
	URL *url.URL
	// Params is presumably appended to URL as the query string — confirm.
	Params url.Values
	// ClientToken is the Vault token sent with this request. It is a
	// credential: do not log Request values verbatim.
	ClientToken string
	// Obj is the value SetJSONBody encodes into Body; it is presumably kept so
	// ResetJSONBody can re-encode the body on a redirect — confirm.
	Obj interface{}
	// Body is the request body stream, if any.
	Body io.Reader
	// BodySize is the length of Body in bytes.
	BodySize int64
}
Request is a raw request configuration structure used to initiate API requests to the Vault server.
func (*Request) ResetJSONBody ¶
ResetJSONBody is used to reset the body for a redirect.
func (*Request) SetJSONBody ¶
SetJSONBody is used to set a request body that is a JSON-encoded value.
type Response ¶
Response is a raw response that wraps an HTTP response.
func (*Response) DecodeJSON ¶
DecodeJSON will decode the response body to a JSON structure. This will consume the response body, but will not close it. Close must still be called.
type SSH ¶
// SSH is used to return a client to invoke operations on SSH backend.
// Obtain one via (*Client).SSH or (*Client).SSHWithMountPoint.
type SSH struct {
	// MountPoint is the path at which the SSH backend is mounted on the Vault
	// server.
	MountPoint string
	// contains filtered or unexported fields
}
SSH is used to return a client to invoke operations on SSH backend.
type SSHAgent ¶
// SSHAgent is a structure representing an SSH agent which can talk to the
// Vault server in order to verify the OTP entered by the user. Obtain one via
// (*Client).SSHAgent (mount point "ssh") or (*Client).SSHAgentWithMountPoint.
type SSHAgent struct {
	// MountPoint is the path at which the SSH backend is mounted on the Vault
	// server.
	MountPoint string
	// contains filtered or unexported fields
}
SSHAgent is a structure representing an SSH agent which can talk to vault server in order to verify the OTP entered by the user. It contains the path at which SSH backend is mounted at the server.
func (*SSHAgent) Verify ¶
func (c *SSHAgent) Verify(otp string) (*SSHVerifyResponse, error)
Verify checks whether the OTP provided by the user is present in the Vault server. The response will contain the IP address and username associated with the OTP. If the OTP matches the echo request message, no entry is looked up; instead, an echo response message is returned. This feature is used by the agent to verify that it is configured correctly.
type SSHAgentConfig ¶
// SSHAgentConfig is a structure which represents the entries from the agent's
// configuration file. LoadSSHAgentConfig populates it; VaultAddr is required
// and SSHMountPoint defaults to "ssh".
type SSHAgentConfig struct {
	// VaultAddr is the address of the Vault server. Required.
	VaultAddr string `hcl:"vault_addr"`
	// SSHMountPoint is the path at which the SSH backend is mounted.
	// Defaults to "ssh" when absent.
	SSHMountPoint string `hcl:"ssh_mount_point"`
	// CACert and CAPath name the CA material used to configure TLS on the client
	// returned by NewClient (cf. LoadCACert / LoadCAPath).
	CACert string `hcl:"ca_cert"`
	CAPath string `hcl:"ca_path"`
	// TLSSkipVerify presumably disables verification of the server's TLS
	// certificate (cf. EnvVaultInsecure). With it set the agent cannot
	// distinguish the real Vault server from an impostor, so OTP verification
	// results cannot be trusted — confirm the exact effect in SetTLSParameters.
	TLSSkipVerify bool `hcl:"tls_skip_verify"`
	// AllowedCidrList: semantics not shown on this page; presumably a CIDR
	// allow-list the agent consults. Confirm against the agent code.
	AllowedCidrList string `hcl:"allowed_cidr_list"`
}
SSHAgentConfig is a structure which represents the entries from the agent's configuration file.
func LoadSSHAgentConfig ¶
func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error)
LoadSSHAgentConfig loads agent's configuration from the file and populates the corresponding in-memory structure.
Vault address is a required parameter. Mount point defaults to "ssh".
func (*SSHAgentConfig) NewClient ¶
func (c *SSHAgentConfig) NewClient() (*Client, error)
NewClient returns a new client for the configuration. This client will be used by the SSH agent to communicate with Vault server and verify the OTP entered by user. If the configuration supplies Vault SSL certificates, then the client will have TLS configured in its transport.
func (*SSHAgentConfig) SetTLSParameters ¶
func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool)
SetTLSParameters configures clientConfig with an HTTP client that uses TLS verification (TLS 1.2) for the given certificate pool.
type SSHVerifyResponse ¶
// SSHVerifyResponse is a structure representing the fields in the Vault
// server's response to (*SSHAgent).Verify.
type SSHVerifyResponse struct {
	// Usually empty. If the request OTP is echo request message, this will
	// be set to the corresponding echo response message.
	Message string `mapstructure:"message"`

	// Username associated with the OTP
	Username string `mapstructure:"username"`

	// IP associated with the OTP
	IP string `mapstructure:"ip"`
}
SSHVerifyResponse is a structure representing the fields in Vault server's response.
type Secret ¶
// Secret is the structure returned for every secret within Vault.
type Secret struct {
	// LeaseID identifies the lease on this secret; it is presumably the id
	// passed to (*Sys).Renew and (*Sys).Revoke — confirm.
	LeaseID string `json:"lease_id"`
	// LeaseDuration is the lease length; units are not shown here (presumably
	// seconds) — confirm.
	LeaseDuration int `json:"lease_duration"`
	// Renewable reports whether the lease can be extended.
	Renewable bool `json:"renewable"`

	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data map[string]interface{} `json:"data"`

	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`

	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
}
Secret is the structure returned for every secret within Vault.
type SecretAuth ¶
// SecretAuth is the structure containing auth information if we have it.
type SecretAuth struct {
	// ClientToken is the issued Vault token (the value to hand to
	// (*Client).SetToken). It is a credential: never log it.
	ClientToken string `json:"client_token"`
	// Policies lists the policies attached to the token.
	Policies []string `json:"policies"`
	// Metadata is arbitrary key/value data attached to the token.
	Metadata map[string]string `json:"metadata"`
	// LeaseDuration is the token's lease length; units not shown here
	// (presumably seconds) — confirm.
	LeaseDuration int `json:"lease_duration"`
	// Renewable reports whether the token can be renewed.
	Renewable bool `json:"renewable"`
}
SecretAuth is the structure containing auth information if we have it.
type Sys ¶
// Sys is used to perform system-related operations on Vault: init, seal and
// unseal, rekey and root-generation, mounts, audit devices, auth backends,
// policies and leases. Obtain one via (*Client).Sys.
type Sys struct {
	// contains filtered or unexported fields
}
Sys is used to perform system-related operations on Vault.
func (*Sys) DeletePolicy ¶
func (*Sys) DisableAudit ¶
func (*Sys) DisableAuth ¶
func (*Sys) EnableAudit ¶
func (*Sys) EnableAuth ¶
func (*Sys) GenerateRootCancel ¶
func (*Sys) GenerateRootInit ¶
func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootStatus ¶
func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)
func (*Sys) GenerateRootUpdate ¶
func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)
func (*Sys) Init ¶
func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)
func (*Sys) InitStatus ¶
func (*Sys) Leader ¶
func (c *Sys) Leader() (*LeaderResponse, error)
func (*Sys) ListMounts ¶
func (c *Sys) ListMounts() (map[string]*MountOutput, error)
func (*Sys) ListPolicies ¶
func (*Sys) MountConfig ¶
func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)
func (*Sys) RekeyCancel ¶
func (*Sys) RekeyDeleteBackup ¶
func (*Sys) RekeyInit ¶
func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)
func (*Sys) RekeyRetrieveBackup ¶
func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)
func (*Sys) RekeyStatus ¶
func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)
func (*Sys) RekeyUpdate ¶
func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)
func (*Sys) ResetUnsealProcess ¶
func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)
func (*Sys) RevokePrefix ¶
func (*Sys) SealStatus ¶
func (c *Sys) SealStatus() (*SealStatusResponse, error)
type TokenAuth ¶
// TokenAuth is used to perform token backend operations on Vault: creating,
// looking up, renewing and revoking tokens. Note the three revoke flavours —
// RevokeTree (token and all descendants), RevokeOrphan (token only, children
// are orphaned) and RevokePrefix (every token under a prefix).
type TokenAuth struct {
	// contains filtered or unexported fields
}
TokenAuth is used to perform token backend operations on Vault.
func (*TokenAuth) LookupSelf ¶
func (*TokenAuth) RevokeOrphan ¶
RevokeOrphan revokes a token without revoking the tree underneath it (so child tokens are orphaned rather than revoked).
func (*TokenAuth) RevokePrefix ¶
RevokePrefix revokes a token based on a prefix, which can be used to revoke e.g. all tokens issued by a certain credential mount
func (*TokenAuth) RevokeSelf ¶
RevokeSelf revokes the token making the call.
func (*TokenAuth) RevokeTree ¶
RevokeTree is the "normal" revoke operation that revokes the given token and the entire tree underneath -- all of its child tokens, their child tokens, etc.
type TokenCreateRequest ¶
// TokenCreateRequest is the options structure for creating a token; it is the
// payload of (*TokenAuth).Create. Fields tagged omitempty are left out of the
// request when zero; DisplayName and NumUses are always sent.
type TokenCreateRequest struct {
	// ID, when set, is the explicit token value to create instead of a
	// server-generated one — presumably privileged; confirm.
	ID string `json:"id,omitempty"`
	// Policies lists the policies to attach to the new token.
	Policies []string `json:"policies,omitempty"`
	// Metadata is arbitrary key/value data stored with the token (sent as "meta").
	Metadata map[string]string `json:"meta,omitempty"`
	// Lease and TTL both express the token lifetime as duration strings; which
	// one the server prefers is not shown here — confirm.
	Lease string `json:"lease,omitempty"`
	TTL   string `json:"ttl,omitempty"`
	// NoParent presumably creates the token without a parent, so it survives
	// revocation of the caller's token (cf. RevokeTree) — confirm.
	NoParent bool `json:"no_parent,omitempty"`
	// NoDefaultPolicy presumably omits the default policy from the new token —
	// confirm.
	NoDefaultPolicy bool `json:"no_default_policy,omitempty"`
	// DisplayName is a human-readable label for the token. Not omitempty: an
	// empty string is sent explicitly.
	DisplayName string `json:"display_name"`
	// NumUses limits how many times the token may be used. Not omitempty: 0 is
	// sent explicitly (presumably meaning unlimited — confirm).
	NumUses int `json:"num_uses"`
}
TokenCreateRequest is the options structure for creating a token.