api

package
v0.0.6
Published: Mar 16, 2016 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Constants

const (
	// Default path at which SSH backend will be mounted in Vault server
	SSHAgentDefaultMountPoint = "ssh"

	// Echo request message sent as OTP by the agent
	VerifyEchoRequest = "verify-echo-request"

	// Echo response message sent as a response to OTP matching echo request
	VerifyEchoResponse = "verify-echo-response"
)
const EnvVaultAddress = "VAULT_ADDR"
const EnvVaultCACert = "VAULT_CACERT"
const EnvVaultCAPath = "VAULT_CAPATH"
const EnvVaultClientCert = "VAULT_CLIENT_CERT"
const EnvVaultClientKey = "VAULT_CLIENT_KEY"
const EnvVaultInsecure = "VAULT_SKIP_VERIFY"

Variables

This section is empty.

Functions

func LoadCACert

func LoadCACert(path string) (*x509.CertPool, error)

Loads the certificate from given path and creates a certificate pool from it.

func LoadCAPath

func LoadCAPath(path string) (*x509.CertPool, error)

Loads the certificates present in the given directory and creates a certificate pool from it.

Types

type Audit

type Audit struct {
	Type        string
	Description string
	Options     map[string]string
}

type Auth

type Auth struct {
	// contains filtered or unexported fields
}

Auth is used to perform credential backend related operations.

func (*Auth) Token

func (a *Auth) Token() *TokenAuth

Token returns the client for token backend API calls.

type AuthMount

type AuthMount struct {
	Type        string
	Description string
}

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is the client to the Vault API. Create a client with NewClient.

func NewClient

func NewClient(c *Config) (*Client, error)

NewClient returns a new client for the given configuration.

If the environment variable `VAULT_TOKEN` is present, the token will be automatically added to the client. Otherwise, you must manually call `SetToken()`.

func (*Client) Auth

func (c *Client) Auth() *Auth

Auth returns the client for credential backend API calls.

func (*Client) ClearToken

func (c *Client) ClearToken()

ClearToken deletes the token if it is set or does nothing otherwise.

func (*Client) Help

func (c *Client) Help(path string) (*Help, error)

Help reads the help information for the given path.

func (*Client) Logical

func (c *Client) Logical() *Logical

Logical is used to return the client for logical-backend API calls.

func (*Client) NewRequest

func (c *Client) NewRequest(method, path string) *Request

NewRequest creates a new raw request object to query the Vault server configured for this client. This is an advanced method and generally doesn't need to be called externally.

func (*Client) RawRequest

func (c *Client) RawRequest(r *Request) (*Response, error)

RawRequest performs the raw request given. This request may be against a Vault server not configured with this client. This is an advanced operation that generally won't need to be called externally.

func (*Client) SSH

func (c *Client) SSH() *SSH

SSH returns the client for SSH backend API calls at the default mount point.

func (*Client) SSHAgent

func (c *Client) SSHAgent() *SSHAgent

SSHAgent creates an SSHAgent object which can talk to Vault server with SSH backend mounted at default path ("ssh").

func (*Client) SSHAgentWithMountPoint

func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent

SSHAgentWithMountPoint creates an SSHAgent object which can talk to Vault server with SSH backend mounted at a specific mount point.

func (*Client) SSHWithMountPoint

func (c *Client) SSHWithMountPoint(mountPoint string) *SSH

SSHWithMountPoint returns the client with specific SSH mount point.

func (*Client) SetToken

func (c *Client) SetToken(v string)

SetToken sets the token directly. This won't perform any auth verification, it simply sets the token properly for future requests.

func (*Client) Sys

func (c *Client) Sys() *Sys

Sys is used to return the client for sys-related API calls.

func (*Client) Token

func (c *Client) Token() string

Token returns the access token being used by this client. It will return the empty string if there is no token set.

type Config

type Config struct {
	// Address is the address of the Vault server. This should be a complete
	// URL such as "http://vault.example.com". If you need a custom SSL
	// cert or want to enable insecure mode, you need to specify a custom
	// HttpClient.
	Address string

	// HttpClient is the HTTP client to use, which will currently always have the
	// same values as http.DefaultClient. This is used to control redirect behavior.
	HttpClient *http.Client
	// contains filtered or unexported fields
}

Config is used to configure the creation of the client.

func DefaultConfig

func DefaultConfig() *Config

DefaultConfig returns a default configuration for the client. It is safe to modify the return value of this function.

The default Address is https://127.0.0.1:8200, but this can be overridden by setting the `VAULT_ADDR` environment variable.

func (*Config) ReadEnvironment

func (c *Config) ReadEnvironment() error

ReadEnvironment reads configuration information from the environment. If there is an error, no configuration value is updated.
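An added example, not code from the api package, of what a client should do with the VAULT_CAPATH and VAULT_SKIP_VERIFY variables listed in the constants above and read by ReadEnvironment: build a certificate pool from a directory (the LoadCAPath contract, reimplemented here as loadCAPath) and derive the TLS settings from it, refusing to fall back silently to the system roots when the configured CA directory is unusable and requiring VAULT_SKIP_VERIFY to parse as a boolean before it can disable verification. The self-signed certificate is generated in-process as constructed test data, and getenv is injected so the values can be supplied without touching the real environment; the error behaviour is this example's choice, not the package's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strconv"
	"time"
)

// Environment variable names as documented on the page.
const (
	EnvVaultCAPath   = "VAULT_CAPATH"
	EnvVaultInsecure = "VAULT_SKIP_VERIFY"
)

// loadCAPath builds one pool from every regular file in dir that parses as PEM certificates (the
// contract of the page's LoadCAPath; own code). Zero usable certificates is an error, not an empty pool.
func loadCAPath(dir string) (*x509.CertPool, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	pool, loaded := x509.NewCertPool(), 0
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		b, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		if pool.AppendCertsFromPEM(b) {
			loaded++
		}
	}
	if loaded == 0 {
		return nil, fmt.Errorf("%s: no usable CA certificates", dir)
	}
	return pool, nil
}

// tlsConfigFromEnv derives the client's TLS settings from the variables ReadEnvironment consults.
// Verification stays on unless VAULT_SKIP_VERIFY parses as true, and a CA directory that cannot be
// loaded is an error rather than a silent fallback to the system roots.
func tlsConfigFromEnv(getenv func(string) string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if v := getenv(EnvVaultInsecure); v != "" {
		skip, err := strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("%s=%q is not a boolean", EnvVaultInsecure, v)
		}
		cfg.InsecureSkipVerify = skip // disables certificate checks entirely: lab use only
	}
	if dir := getenv(EnvVaultCAPath); dir != "" {
		pool, err := loadCAPath(dir)
		if err != nil {
			return nil, err
		}
		cfg.RootCAs = pool // nil RootCAs would mean the system roots
	}
	return cfg, nil
}

// selfSignedCAPEM generates a throwaway CA certificate in PEM form (constructed test data).
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-lab-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cfg, err := tlsConfigFromEnv(os.Getenv)
	fmt.Printf("verifying=%v err=%v\n", err == nil && !cfg.InsecureSkipVerify, err)
}
```

The point of failing closed is that an operator who mistypes VAULT_CAPATH, or points it at an empty directory, gets an error at startup instead of a client that quietly trusts whatever the system roots trust.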

type ErrorResponse

type ErrorResponse struct {
	Errors []string
}

ErrorResponse is the raw structure of errors when they're returned by the HTTP API.

type GenerateRootStatusResponse

type GenerateRootStatusResponse struct {
	Nonce            string
	Started          bool
	Progress         int
	Required         int
	Complete         bool
	EncodedRootToken string `json:"encoded_root_token"`
	PGPFingerprint   string `json:"pgp_fingerprint"`
}

type Help

type Help struct {
	Help    string   `json:"help"`
	SeeAlso []string `json:"see_also"`
}

type InitRequest

type InitRequest struct {
	SecretShares    int      `json:"secret_shares"`
	SecretThreshold int      `json:"secret_threshold"`
	PGPKeys         []string `json:"pgp_keys"`
}

type InitResponse

type InitResponse struct {
	Keys      []string
	RootToken string `json:"root_token"`
}

type InitStatusResponse

type InitStatusResponse struct {
	Initialized bool
}

type KeyStatus

type KeyStatus struct {
	Term        int
	InstallTime time.Time `json:"install_time"`
}

type LeaderResponse

type LeaderResponse struct {
	HAEnabled     bool   `json:"ha_enabled"`
	IsSelf        bool   `json:"is_self"`
	LeaderAddress string `json:"leader_address"`
}

type Logical

type Logical struct {
	// contains filtered or unexported fields
}

Logical is used to perform logical backend operations on Vault.

func (*Logical) Delete

func (c *Logical) Delete(path string) (*Secret, error)

func (*Logical) List

func (c *Logical) List(path string) (*Secret, error)

func (*Logical) Read

func (c *Logical) Read(path string) (*Secret, error)

func (*Logical) Write

func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error)

type MountConfigInput

type MountConfigInput struct {
	DefaultLeaseTTL string `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL     string `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
}

type MountConfigOutput

type MountConfigOutput struct {
	DefaultLeaseTTL int `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	MaxLeaseTTL     int `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
}

type MountInput

type MountInput struct {
	Type        string           `json:"type" structs:"type"`
	Description string           `json:"description" structs:"description"`
	Config      MountConfigInput `json:"config" structs:"config"`
}

type MountOutput

type MountOutput struct {
	Type        string            `json:"type" structs:"type"`
	Description string            `json:"description" structs:"description"`
	Config      MountConfigOutput `json:"config" structs:"config"`
}

type RekeyInitRequest

type RekeyInitRequest struct {
	SecretShares    int      `json:"secret_shares"`
	SecretThreshold int      `json:"secret_threshold"`
	PGPKeys         []string `json:"pgp_keys"`
	Backup          bool
}

type RekeyRetrieveResponse

type RekeyRetrieveResponse struct {
	Nonce string
	Keys  map[string][]string
}

type RekeyStatusResponse

type RekeyStatusResponse struct {
	Nonce           string
	Started         bool
	T               int
	N               int
	Progress        int
	Required        int
	PGPFingerprints []string `json:"pgp_fingerprints"`
	Backup          bool
}

type RekeyUpdateResponse

type RekeyUpdateResponse struct {
	Nonce           string
	Complete        bool
	Keys            []string
	PGPFingerprints []string `json:"pgp_fingerprints"`
	Backup          bool
}

type Request

type Request struct {
	Method      string
	URL         *url.URL
	Params      url.Values
	ClientToken string
	Obj         interface{}
	Body        io.Reader
	BodySize    int64
}

Request is a raw request configuration structure used to initiate API requests to the Vault server.

func (*Request) ResetJSONBody

func (r *Request) ResetJSONBody() error

ResetJSONBody is used to reset the body for a redirect.

func (*Request) SetJSONBody

func (r *Request) SetJSONBody(val interface{}) error

SetJSONBody is used to set a request body that is a JSON-encoded value.

func (*Request) ToHTTP

func (r *Request) ToHTTP() (*http.Request, error)

ToHTTP turns this request into a valid *http.Request for use with the net/http package.

type Response

type Response struct {
	*http.Response
}

Response is a raw response that wraps an HTTP response.

func (*Response) DecodeJSON

func (r *Response) DecodeJSON(out interface{}) error

DecodeJSON will decode the response body to a JSON structure. This will consume the response body, but will not close it. Close must still be called.

func (*Response) Error

func (r *Response) Error() error

Error returns an error response if there is one. If there is an error, this will fully consume the response body, but will not close it. The body must still be closed manually.

type SSH

type SSH struct {
	MountPoint string
	// contains filtered or unexported fields
}

SSH is used to return a client to invoke operations on SSH backend.

func (*SSH) Credential

func (c *SSH) Credential(role string, data map[string]interface{}) (*Secret, error)

Credential invokes the SSH backend API to create a credential to establish an SSH session.

type SSHAgent

type SSHAgent struct {
	MountPoint string
	// contains filtered or unexported fields
}

SSHAgent is a structure representing an SSH agent which can talk to the Vault server in order to verify the OTP entered by the user. It contains the path at which the SSH backend is mounted at the server.

func (*SSHAgent) Verify

func (c *SSHAgent) Verify(otp string) (*SSHVerifyResponse, error)

Verify verifies whether the OTP provided by the user is present in the Vault server. The response will contain the IP address and username associated with the OTP. In case the OTP matches the echo request message, instead of searching for an entry for the OTP, an echo response message is returned. This feature is used by the agent to verify that it is configured correctly.
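The echo self-check and the OTP lookup that Verify describes, together with the body handling that the DecodeJSON and Error docs above leave to the caller, as an added Go example; it is not code from the api package and does not import it. The endpoint path `/v1/<mount>/verify`, the `otp` request field and the `X-Vault-Token` header are assumptions made for the illustration, and newMockVault is a constructed stand-in for the Vault server so the exchange runs offline. The agent-side authorize step, which compares the username and IP Vault bound to the OTP against the session being opened, is the check a deployer would want on top of "the OTP exists".

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Echo messages as documented on the page.
const (
	VerifyEchoRequest  = "verify-echo-request"
	VerifyEchoResponse = "verify-echo-response"
)

// errorResponse mirrors api.ErrorResponse; sshVerifyResponse mirrors api.SSHVerifyResponse.
type errorResponse struct {
	Errors []string `json:"errors"`
}
type sshVerifyResponse struct {
	Message  string `json:"message"`
	Username string `json:"username"`
	IP       string `json:"ip"`
}

// verifyOTP posts the OTP to <addr>/v1/<mount>/verify (path and "otp" field are assumptions) and does
// what DecodeJSON/Error leave to the caller: decode the error list on 4xx/5xx, decode the data
// otherwise, and close the body in every case.
func verifyOTP(addr, mount, token, otp string) (*sshVerifyResponse, error) {
	body, _ := json.Marshal(map[string]string{"otp": otp})
	req, err := http.NewRequest(http.MethodPost, addr+"/v1/"+mount+"/verify", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 400 {
		var er errorResponse
		json.NewDecoder(resp.Body).Decode(&er) // best effort: Errors stays empty for a non-JSON body
		return nil, fmt.Errorf("vault returned HTTP %d: %q", resp.StatusCode, er.Errors)
	}
	var out struct{ Data sshVerifyResponse `json:"data"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return &out.Data, nil
}

// agentSelfCheck is the startup probe Verify describes: require the echo response before trusting
// this mount with real OTPs.
func agentSelfCheck(addr, mount, token string) error {
	r, err := verifyOTP(addr, mount, token, VerifyEchoRequest)
	if err != nil {
		return err
	}
	if r.Message != VerifyEchoResponse {
		return fmt.Errorf("echo check failed: got %q; is the SSH backend mounted at %q?", r.Message, mount)
	}
	return nil
}

// authorize is the per-login decision: Vault must know the OTP, and the username and client IP it
// bound to that OTP must match the session being opened.
func authorize(addr, mount, token, otp, user, clientIP string) (bool, error) {
	r, err := verifyOTP(addr, mount, token, otp)
	if err != nil {
		return false, err
	}
	return r.Username == user && r.IP == clientIP, nil
}

// newMockVault is a constructed stand-in for the verify endpoint, not Vault's code: it answers the
// echo request, hands out the binding for each issued OTP exactly once, and rejects everything else.
func newMockVault(mount string, otps map[string]sshVerifyResponse) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/"+mount+"/verify", func(w http.ResponseWriter, r *http.Request) {
		var in struct{ OTP string `json:"otp"` }
		json.NewDecoder(r.Body).Decode(&in)
		entry, known := otps[in.OTP]
		switch {
		case in.OTP == VerifyEchoRequest:
			json.NewEncoder(w).Encode(map[string]interface{}{"data": sshVerifyResponse{Message: VerifyEchoResponse}})
		case !known:
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(errorResponse{Errors: []string{"OTP not found"}})
		default:
			delete(otps, in.OTP) // one-time: a replay lands in the "OTP not found" case
			json.NewEncoder(w).Encode(map[string]interface{}{"data": entry})
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newMockVault("ssh", map[string]sshVerifyResponse{"otp-1": {Username: "deploy", IP: "10.0.0.5"}})
	defer srv.Close()
	fmt.Println("self-check:", agentSelfCheck(srv.URL, "ssh", "tok-constructed"))
	fmt.Println(authorize(srv.URL, "ssh", "tok-constructed", "otp-1", "deploy", "10.0.0.5"))
}
```

Running agentSelfCheck against a mount point where no SSH backend is mounted produces an HTTP error rather than the echo response, which is exactly the misconfiguration the echo feature exists to catch before any user is let in.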

type SSHAgentConfig

type SSHAgentConfig struct {
	VaultAddr       string `hcl:"vault_addr"`
	SSHMountPoint   string `hcl:"ssh_mount_point"`
	CACert          string `hcl:"ca_cert"`
	CAPath          string `hcl:"ca_path"`
	TLSSkipVerify   bool   `hcl:"tls_skip_verify"`
	AllowedCidrList string `hcl:"allowed_cidr_list"`
}

SSHAgentConfig is a structure which represents the entries from the agent's configuration file.

func LoadSSHAgentConfig

func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error)

LoadSSHAgentConfig loads agent's configuration from the file and populates the corresponding in-memory structure.

Vault address is a required parameter. Mount point defaults to "ssh".

func (*SSHAgentConfig) NewClient

func (c *SSHAgentConfig) NewClient() (*Client, error)

NewClient returns a new client for the configuration. This client will be used by the SSH agent to communicate with the Vault server and verify the OTP entered by the user. If the configuration supplies Vault SSL certificates, then the client will have TLS configured in its transport.

func (*SSHAgentConfig) SetTLSParameters

func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool)

SetTLSParameters configures the given client configuration's HTTP transport to use TLS verification (TLS 1.2) against the given certificate pool.

type SSHVerifyResponse

type SSHVerifyResponse struct {
	// Usually empty. If the request OTP is echo request message, this will
	// be set to the corresponding echo response message.
	Message string `mapstructure:"message"`

	// Username associated with the OTP
	Username string `mapstructure:"username"`

	// IP associated with the OTP
	IP string `mapstructure:"ip"`
}

SSHVerifyResponse is a structure representing the fields in Vault server's response.

type SealStatusResponse

type SealStatusResponse struct {
	Sealed   bool
	T        int
	N        int
	Progress int
}

type Secret

type Secret struct {
	LeaseID       string `json:"lease_id"`
	LeaseDuration int    `json:"lease_duration"`
	Renewable     bool   `json:"renewable"`

	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend.
	Data map[string]interface{} `json:"data"`

	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`

	// Auth, if non-nil, means that there was authentication information
	// attached to this response.
	Auth *SecretAuth `json:"auth,omitempty"`
}

Secret is the structure returned for every secret within Vault.

func ParseSecret

func ParseSecret(r io.Reader) (*Secret, error)

ParseSecret is used to parse a secret value from JSON from an io.Reader.

type SecretAuth

type SecretAuth struct {
	ClientToken string            `json:"client_token"`
	Policies    []string          `json:"policies"`
	Metadata    map[string]string `json:"metadata"`

	LeaseDuration int  `json:"lease_duration"`
	Renewable     bool `json:"renewable"`
}

SecretAuth is the structure containing auth information if we have it.

type Sys

type Sys struct {
	// contains filtered or unexported fields
}

Sys is used to perform system-related operations on Vault.

func (*Sys) AuditHash

func (c *Sys) AuditHash(path string, input string) (string, error)

func (*Sys) DeletePolicy

func (c *Sys) DeletePolicy(name string) error

func (*Sys) DisableAudit

func (c *Sys) DisableAudit(path string) error

func (*Sys) DisableAuth

func (c *Sys) DisableAuth(path string) error

func (*Sys) EnableAudit

func (c *Sys) EnableAudit(
	path string, auditType string, desc string, opts map[string]string) error

func (*Sys) EnableAuth

func (c *Sys) EnableAuth(path, authType, desc string) error

func (*Sys) GenerateRootCancel

func (c *Sys) GenerateRootCancel() error

func (*Sys) GenerateRootInit

func (c *Sys) GenerateRootInit(otp, pgpKey string) (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootStatus

func (c *Sys) GenerateRootStatus() (*GenerateRootStatusResponse, error)

func (*Sys) GenerateRootUpdate

func (c *Sys) GenerateRootUpdate(shard, nonce string) (*GenerateRootStatusResponse, error)

func (*Sys) GetPolicy

func (c *Sys) GetPolicy(name string) (string, error)

func (*Sys) Init

func (c *Sys) Init(opts *InitRequest) (*InitResponse, error)

func (*Sys) InitStatus

func (c *Sys) InitStatus() (bool, error)

func (*Sys) KeyStatus

func (c *Sys) KeyStatus() (*KeyStatus, error)

func (*Sys) Leader

func (c *Sys) Leader() (*LeaderResponse, error)

func (*Sys) ListAudit

func (c *Sys) ListAudit() (map[string]*Audit, error)

func (*Sys) ListAuth

func (c *Sys) ListAuth() (map[string]*AuthMount, error)

func (*Sys) ListMounts

func (c *Sys) ListMounts() (map[string]*MountOutput, error)

func (*Sys) ListPolicies

func (c *Sys) ListPolicies() ([]string, error)

func (*Sys) Mount

func (c *Sys) Mount(path string, mountInfo *MountInput) error

func (*Sys) MountConfig

func (c *Sys) MountConfig(path string) (*MountConfigOutput, error)

func (*Sys) PutPolicy

func (c *Sys) PutPolicy(name, rules string) error

func (*Sys) RekeyCancel

func (c *Sys) RekeyCancel() error

func (*Sys) RekeyDeleteBackup

func (c *Sys) RekeyDeleteBackup() error

func (*Sys) RekeyInit

func (c *Sys) RekeyInit(config *RekeyInitRequest) (*RekeyStatusResponse, error)

func (*Sys) RekeyRetrieveBackup

func (c *Sys) RekeyRetrieveBackup() (*RekeyRetrieveResponse, error)

func (*Sys) RekeyStatus

func (c *Sys) RekeyStatus() (*RekeyStatusResponse, error)

func (*Sys) RekeyUpdate

func (c *Sys) RekeyUpdate(shard, nonce string) (*RekeyUpdateResponse, error)

func (*Sys) Remount

func (c *Sys) Remount(from, to string) error

func (*Sys) Renew

func (c *Sys) Renew(id string, increment int) (*Secret, error)

func (*Sys) ResetUnsealProcess

func (c *Sys) ResetUnsealProcess() (*SealStatusResponse, error)

func (*Sys) Revoke

func (c *Sys) Revoke(id string) error

func (*Sys) RevokePrefix

func (c *Sys) RevokePrefix(id string) error

func (*Sys) Rotate

func (c *Sys) Rotate() error

func (*Sys) Seal

func (c *Sys) Seal() error

func (*Sys) SealStatus

func (c *Sys) SealStatus() (*SealStatusResponse, error)

func (*Sys) TuneMount

func (c *Sys) TuneMount(path string, config MountConfigInput) error

func (*Sys) Unmount

func (c *Sys) Unmount(path string) error

func (*Sys) Unseal

func (c *Sys) Unseal(shard string) (*SealStatusResponse, error)

type TokenAuth

type TokenAuth struct {
	// contains filtered or unexported fields
}

TokenAuth is used to perform token backend operations on Vault.

func (*TokenAuth) Create

func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error)

func (*TokenAuth) Lookup

func (c *TokenAuth) Lookup(token string) (*Secret, error)

func (*TokenAuth) LookupSelf

func (c *TokenAuth) LookupSelf() (*Secret, error)

func (*TokenAuth) Renew

func (c *TokenAuth) Renew(token string, increment int) (*Secret, error)

func (*TokenAuth) RenewSelf

func (c *TokenAuth) RenewSelf(increment int) (*Secret, error)

func (*TokenAuth) RevokeOrphan

func (c *TokenAuth) RevokeOrphan(token string) error

RevokeOrphan revokes a token without revoking the tree underneath it (so child tokens are orphaned rather than revoked).

func (*TokenAuth) RevokePrefix

func (c *TokenAuth) RevokePrefix(token string) error

RevokePrefix revokes a token based on a prefix, which can be used to revoke e.g. all tokens issued by a certain credential mount.

func (*TokenAuth) RevokeSelf

func (c *TokenAuth) RevokeSelf() error

RevokeSelf revokes the token making the call.

func (*TokenAuth) RevokeTree

func (c *TokenAuth) RevokeTree(token string) error

RevokeTree is the "normal" revoke operation that revokes the given token and the entire tree underneath -- all of its child tokens, their child tokens, etc.
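A toy model of the token tree, added here to make the RevokeTree and RevokeOrphan semantics concrete; it is not Vault's implementation and models nothing but the parent relation between tokens. The consequence worth seeing is that a token orphaned by RevokeOrphan is no longer reached by a later RevokeTree on its former ancestor, so orphaning leaves live credentials behind and should be a deliberate choice.

```go
package main

import "fmt"

// tokenStore is a toy model of the token tree, kept only to show what the revoke variants do;
// it is not Vault's implementation. parent maps a token to its parent ("" for root-level tokens).
type tokenStore struct {
	parent map[string]string
}

func newTokenStore() *tokenStore { return &tokenStore{parent: map[string]string{}} }

func (s *tokenStore) create(id, parent string) { s.parent[id] = parent }

func (s *tokenStore) exists(id string) bool {
	_, ok := s.parent[id]
	return ok
}

// children lists the direct children of id (collected first, so callers may mutate the map).
func (s *tokenStore) children(id string) []string {
	var out []string
	for t, p := range s.parent {
		if p == id {
			out = append(out, t)
		}
	}
	return out
}

// revokeTree is the RevokeTree behaviour: the token and every descendant go away.
func (s *tokenStore) revokeTree(id string) {
	for _, c := range s.children(id) {
		s.revokeTree(c)
	}
	delete(s.parent, id)
}

// revokeOrphan is the RevokeOrphan behaviour: only the token goes away; its children stay valid
// and become root-level, so a later revokeTree on the old ancestor no longer reaches them.
func (s *tokenStore) revokeOrphan(id string) {
	for _, c := range s.children(id) {
		s.parent[c] = ""
	}
	delete(s.parent, id)
}

func main() {
	s := newTokenStore()
	s.create("root", "")
	s.create("ci", "root")
	s.create("ci-job", "ci")
	s.revokeOrphan("ci")
	s.revokeTree("root")
	fmt.Println("ci-job still valid after orphaning ci and revoking root's tree:", s.exists("ci-job"))
}
```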

type TokenCreateRequest

type TokenCreateRequest struct {
	ID              string            `json:"id,omitempty"`
	Policies        []string          `json:"policies,omitempty"`
	Metadata        map[string]string `json:"meta,omitempty"`
	Lease           string            `json:"lease,omitempty"`
	TTL             string            `json:"ttl,omitempty"`
	NoParent        bool              `json:"no_parent,omitempty"`
	NoDefaultPolicy bool              `json:"no_default_policy,omitempty"`
	DisplayName     string            `json:"display_name"`
	NumUses         int               `json:"num_uses"`
}

TokenCreateRequest is the options structure for creating a token.
