secrets

Published: Oct 31, 2018 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Package secrets implements a high-throughput Vault client.

Index

Constants

const (
	// DefaultAddr is the default addr. Note that it is plaintext HTTP on
	// the loopback interface, so it only suits a local development store;
	// a remote secret store should be configured with an https address.
	DefaultAddr = "http://127.0.0.1:8200"

	// DefaultTimeout is the default request timeout (one second).
	DefaultTimeout = time.Second

	// DefaultMount is the default kv mount; the mount prefixes every key.
	DefaultMount = "/secret"
)
const (
	// MethodGet is a request method.
	MethodGet = "GET"
	// MethodPost is a request method.
	MethodPost = "POST"
	// MethodPut is a request method.
	MethodPut = "PUT"
	// MethodDelete is a request method.
	MethodDelete = "DELETE"

	// HeaderVaultToken is the request header the vault token is sent in.
	// Its value is a credential: never log request headers wholesale or
	// echo them into error messages.
	HeaderVaultToken = "X-Vault-Token"
	// HeaderContentType is the content type header.
	HeaderContentType = "Content-Type"
	// ContentTypeApplicationJSON is the JSON content type value.
	ContentTypeApplicationJSON = "application/json"

	// DefaultBufferPoolSize is the default buffer pool size, in bytes.
	// NOTE(review): presumably the bufferSize handed to NewBufferPool;
	// confirm in the client constructor.
	DefaultBufferPoolSize = 1024

	// ReflectTagName is the struct tag key read by reflection.
	// NOTE(review): presumably the tag consulted by ReadInto / WriteInto
	// to map struct fields onto secret values; confirm against those methods.
	ReflectTagName = "secret"

	// Version1 is the version string "1".
	// NOTE(review): presumably the kv engine version; confirm against Version.
	Version1 = "1"
	// Version2 is the version string "2" (see Version1).
	Version2 = "2"
)
const (
	// Flag is the logger flag under which this package's events are emitted.
	Flag = "secrets"
)

Variables

This section is empty.

Functions

func ServiceConfigPath

func ServiceConfigPath(config Config) string

ServiceConfigPath returns the service config path.

func URL

func URL(format string, args ...interface{}) *url.URL

URL builds a *url.URL from a format string and its arguments.

Types

type Buffer

type Buffer struct {
	*bytes.Buffer
	// contains filtered or unexported fields
}

Buffer is a bytes.Buffer with a reference back to the buffer pool it came from. It returns itself to the pool on Close.

func (*Buffer) Close

func (b *Buffer) Close() error

Close returns the buffer to the pool.

type BufferPool

type BufferPool struct {
	sync.Pool
}

BufferPool is a sync.Pool of bytes.Buffer.

func NewBufferPool

func NewBufferPool(bufferSize int) *BufferPool

NewBufferPool returns a new BufferPool. bufferSize is the pre-allocated size, in bytes, of the buffers it returns. Typically this is somewhere between 256 bytes and 1 KB.

func (*BufferPool) Get

func (bp *BufferPool) Get() *Buffer

Get returns a pooled bytes.Buffer instance.

func (*BufferPool) Put

func (bp *BufferPool) Put(b *Buffer)

Put returns the instance to the pool.

type CertPool

type CertPool struct {
	// contains filtered or unexported fields
}

CertPool is a wrapper for x509.CertPool.

func NewCertPool

func NewCertPool() (*CertPool, error)

NewCertPool creates a new cert pool. This cert pool starts with the system certs.

func (*CertPool) AddPaths

func (cp *CertPool) AddPaths(paths ...string) error

AddPaths adds one or more CA paths to the cert pool.

func (*CertPool) Pool

func (cp *CertPool) Pool() *x509.CertPool

Pool returns the underlying cert pool.

type Client

type Client interface {
	// Put writes data at key, after applying any request options.
	Put(key string, data Values, options ...Option) error
	// Get reads the values stored at key.
	Get(key string, options ...Option) (Values, error)
	// Delete removes the values stored at key.
	Delete(key string, options ...Option) error
}

Client is the general interface for a secrets client.

type Config

type Config struct {
	// Addr is the remote address of the secret store (env VAULT_ADDR).
	// NOTE(review): presumably GetAddr falls back to DefaultAddr, which is
	// plaintext HTTP on loopback; confirm before relying on it remotely.
	Addr string `json:"addr" yaml:"addr" env:"VAULT_ADDR"`
	// Token is the authentication token used to talk to the secret store
	// (env VAULT_TOKEN). It is a credential: the json/yaml tags mean it is
	// emitted whenever this struct is serialized, so never log or persist
	// a marshaled Config.
	Token string `json:"token" yaml:"token" env:"VAULT_TOKEN"`
	// Mount is the default mount path, it prefixes any keys.
	Mount string `json:"mount" yaml:"mount"`
	// Timeout is the dial timeout for requests to the secrets store.
	Timeout time.Duration `json:"timeout" yaml:"timeout"`
	// RootCAs is a list of certificate authority paths (env VAULT_CACERT,
	// comma separated). NOTE(review): presumably loaded through
	// CertPool.AddPaths to verify the store's TLS certificate; confirm in
	// the client constructor.
	RootCAs []string `json:"rootCAs" yaml:"rootCAs" env:"VAULT_CACERT,csv"`
	// ServicePath is the path that service secrets live under
	// (env SECRETS_SERVICE_PATH).
	ServicePath string `json:"servicePath" yaml:"servicePath" env:"SECRETS_SERVICE_PATH"`
}

Config is the secrets config object.

func MustNewConfigFromEnv

func MustNewConfigFromEnv() (cfg *Config)

MustNewConfigFromEnv returns a config set from the env, and panics on error.

func NewConfigFromEnv

func NewConfigFromEnv() (*Config, error)

NewConfigFromEnv returns a config populated by the env.

func (Config) GetAddr

func (c Config) GetAddr(inherited ...string) string

GetAddr returns the client addr.

func (Config) GetMount

func (c Config) GetMount() string

GetMount returns the client mount.

func (Config) GetRootCAs

func (c Config) GetRootCAs() []string

GetRootCAs returns root ca paths.

func (Config) GetServicePath

func (c Config) GetServicePath() string

GetServicePath returns the service path.

func (Config) GetTimeout

func (c Config) GetTimeout() time.Duration

GetTimeout returns the client timeout.

func (Config) GetToken

func (c Config) GetToken() string

GetToken returns the client token.

func (Config) IsZero

func (c Config) IsZero() bool

IsZero reports whether the config is unset (the zero value).

func (Config) MustAddr

func (c Config) MustAddr() *url.URL

MustAddr returns the addr as a url.

type Event

type Event struct {
	*logger.EventMeta
	// contains filtered or unexported fields
}

Event is a logger event recording a request to the secrets store.

func NewEvent

func NewEvent(req *http.Request) *Event

NewEvent returns a new event from a request.

func (*Event) Key

func (e *Event) Key() string

Key returns the event key.

func (*Event) Method

func (e *Event) Method() string

Method returns the method.

func (*Event) Remote

func (e *Event) Remote() string

Remote returns the remote.

func (*Event) WithKey

func (e *Event) WithKey(key string) *Event

WithKey sets the event key.

func (*Event) WithMethod

func (e *Event) WithMethod(method string) *Event

WithMethod sets the event method.

func (*Event) WithRemote

func (e *Event) WithRemote(remote string) *Event

WithRemote sets the event remote.

func (*Event) WriteJSON

func (e *Event) WriteJSON() map[string]interface{}

WriteJSON returns the event's fields as JSON values.

func (*Event) WriteText

func (e *Event) WriteText(tf logger.TextFormatter, buf *bytes.Buffer)

WriteText writes text for the event.

type HTTPClient

type HTTPClient interface {
	// Do sends a single request and returns its response, mirroring
	// (*http.Client).Do so a real or mock client can be supplied.
	Do(*http.Request) (*http.Response, error)
}

HTTPClient is a client that can send http requests.

type KV

type KV interface {
	// Put writes data at key, after applying any request options.
	Put(key string, data Values, options ...Option) error
	// Get reads the values stored at key.
	Get(key string, options ...Option) (Values, error)
	// Delete removes the values stored at key.
	Delete(key string, options ...Option) error
}

KV is a basic key value store.

type MockClient

type MockClient struct {
	// SecretValues is the in-memory store backing Put/Get/Delete, keyed by
	// secret key. It is an exported map, so tests can seed or inspect it
	// directly.
	SecretValues map[string]Values
}

MockClient is a mock secrets client.

func NewMockClient

func NewMockClient() *MockClient

NewMockClient creates a new mock client.

func (*MockClient) Delete

func (c *MockClient) Delete(key string, options ...Option) error

Delete deletes a key.

func (*MockClient) Get

func (c *MockClient) Get(key string, options ...Option) (Values, error)

Get gets a value at a given key.

func (*MockClient) Put

func (c *MockClient) Put(key string, data Values, options ...Option) error

Put puts a value.

type MockHTTPClient

type MockHTTPClient struct {
	// contains filtered or unexported fields
}

MockHTTPClient is a mock http client.

func NewMockHTTPClient

func NewMockHTTPClient() *MockHTTPClient

NewMockHTTPClient returns a new mock http client.

func (*MockHTTPClient) Do

func (mh *MockHTTPClient) Do(req *http.Request) (*http.Response, error)

Do implements HTTPClient.

func (*MockHTTPClient) With

func (mh *MockHTTPClient) With(verb string, url *url.URL, response *http.Response) *MockHTTPClient

With adds a mocked endpoint.

func (*MockHTTPClient) WithString

func (mh *MockHTTPClient) WithString(verb string, url *url.URL, contents string) *MockHTTPClient

WithString adds a mocked endpoint whose response body is contents.

type Mount

type Mount struct {
	// Type is the mount type (json "type").
	Type        string            `json:"type"`
	// Description is the mount description (json "description").
	Description string            `json:"description"`
	// Accessor is the mount accessor (json "accessor").
	Accessor    string            `json:"accessor"`
	// Config is the mount config as returned by the store.
	Config      MountConfig       `json:"config"`
	// Options is the free-form mount options map.
	Options     map[string]string `json:"options"`
	// Local reports whether the mount is local (json "local").
	Local       bool              `json:"local"`
	// SealWrap reports whether seal wrapping is enabled; note this field
	// carries both a json and a mapstructure tag.
	SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
}

Mount is a vault mount.

type MountConfig

type MountConfig struct {
	// DefaultLeaseTTL is the default lease TTL. It is an int here but a
	// string in MountConfigInput.
	DefaultLeaseTTL           int      `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	// MaxLeaseTTL is the maximum lease TTL (int here, string in MountConfigInput).
	MaxLeaseTTL               int      `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	// ForceNoCache disables caching for the mount (json "force_no_cache").
	ForceNoCache              bool     `json:"force_no_cache" mapstructure:"force_no_cache"`
	// PluginName is the backing plugin name, omitted when empty.
	PluginName                string   `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	// AuditNonHMACRequestKeys lists request keys (json
	// "audit_non_hmac_request_keys"). NOTE(review): presumably keys that
	// are written to audit logs without HMAC, i.e. in the clear; confirm
	// against the store's mount API before adding secret-bearing keys.
	AuditNonHMACRequestKeys   []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	// AuditNonHMACResponseKeys is the response-side counterpart of
	// AuditNonHMACRequestKeys; the same caution applies.
	AuditNonHMACResponseKeys  []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	// ListingVisibility is the mount's listing visibility, omitted when empty.
	ListingVisibility         string   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	// PassthroughRequestHeaders lists request headers passed through to
	// the backend, omitted when empty.
	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

MountConfig is a vault mount config.

type MountConfigInput

type MountConfigInput struct {
	// Options is the free-form mount options map.
	Options                   map[string]string `json:"options" mapstructure:"options"`
	// DefaultLeaseTTL is the default lease TTL as a string (int in MountConfig).
	DefaultLeaseTTL           string            `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
	// MaxLeaseTTL is the maximum lease TTL as a string (int in MountConfig).
	MaxLeaseTTL               string            `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
	// ForceNoCache disables caching for the mount (json "force_no_cache").
	ForceNoCache              bool              `json:"force_no_cache" mapstructure:"force_no_cache"`
	// PluginName is the backing plugin name, omitted when empty.
	PluginName                string            `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
	// AuditNonHMACRequestKeys lists request keys (json
	// "audit_non_hmac_request_keys"). NOTE(review): presumably keys that
	// are written to audit logs without HMAC, i.e. in the clear; confirm
	// against the store's mount API before adding secret-bearing keys.
	AuditNonHMACRequestKeys   []string          `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
	// AuditNonHMACResponseKeys is the response-side counterpart of
	// AuditNonHMACRequestKeys; the same caution applies.
	AuditNonHMACResponseKeys  []string          `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
	// ListingVisibility is the mount's listing visibility, omitted when empty.
	ListingVisibility         string            `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
	// PassthroughRequestHeaders lists request headers passed through to
	// the backend, omitted when empty.
	PassthroughRequestHeaders []string          `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
}

MountConfigInput is a vault mount config input.

type MountInput

type MountInput struct {
	// Type is the mount type to create (json "type").
	Type        string            `json:"type"`
	// Description is the mount description (json "description").
	Description string            `json:"description"`
	// Config is the mount config to apply; note it uses the string-typed
	// TTL fields of MountConfigInput, not MountConfig.
	Config      MountConfigInput  `json:"config"`
	// Options is the free-form mount options map.
	Options     map[string]string `json:"options"`
	// Local reports whether the mount is local (json "local").
	Local       bool              `json:"local"`
	// PluginName is the backing plugin name, omitted when empty.
	PluginName  string            `json:"plugin_name,omitempty"`
	// SealWrap reports whether seal wrapping is requested; note this field
	// carries both a json and a mapstructure tag.
	SealWrap    bool              `json:"seal_wrap" mapstructure:"seal_wrap"`
}

MountInput is a vault mount input.

type MountResponse

type MountResponse struct {
	// RequestID is the id of the request that produced this response.
	RequestID string `json:"request_id"`
	// Data is the mount described by the response.
	Data      Mount  `json:"data"`
}

MountResponse is the result of a call to a mount.

type Option

type Option func(req *http.Request)

Option is a function that modifies an outgoing request.

func List

func List() Option

List adds a list parameter to the request.

func Version

func Version(version int) Option

Version adds a version to the request.

type SecretAuth

type SecretAuth struct {
	// ClientToken is the token issued with this auth block. It is a
	// credential: do not log it or include it in error messages.
	ClientToken   string            `json:"client_token"`
	// Accessor is the token accessor (json "accessor").
	Accessor      string            `json:"accessor"`
	// Policies lists the policies attached to the token.
	Policies      []string          `json:"policies"`
	// Metadata is the free-form metadata map attached to the token.
	Metadata      map[string]string `json:"metadata"`
	// LeaseDuration is the lease duration (json "lease_duration").
	LeaseDuration int               `json:"lease_duration"`
	// Renewable reports whether the lease can be renewed.
	Renewable     bool              `json:"renewable"`
}

SecretAuth holds the authentication information attached to a response, when present.

type SecretData

type SecretData struct {
	// Data is the bag of values being written, nested under "data" as the
	// store's request body expects.
	Data Values `json:"data"`
}

SecretData is used for puts.

type SecretV1

type SecretV1 struct {
	// The request ID that generated this response
	RequestID     string `json:"request_id"`
	// LeaseID is the lease id (json "lease_id").
	LeaseID       string `json:"lease_id"`
	// LeaseDuration is the lease duration (json "lease_duration").
	LeaseDuration int    `json:"lease_duration"`
	// Renewable reports whether the lease can be renewed.
	Renewable     bool   `json:"renewable"`
	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend. Unlike SecretV2, the
	// values sit directly under "data".
	Data Values `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response. It carries a ClientToken, so the whole
	// struct must be treated as sensitive when logged or persisted.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

SecretV1 is the structure returned for every secret within Vault.

type SecretV2

type SecretV2 struct {
	// The request ID that generated this response
	RequestID     string `json:"request_id"`
	// LeaseID is the lease id (json "lease_id").
	LeaseID       string `json:"lease_id"`
	// LeaseDuration is the lease duration (json "lease_duration").
	LeaseDuration int    `json:"lease_duration"`
	// Renewable reports whether the lease can be renewed.
	Renewable     bool   `json:"renewable"`
	// Data is the actual contents of the secret. The format of the data
	// is arbitrary and up to the secret backend. Unlike SecretV1, the
	// values are nested one level deeper, under "data" -> "data".
	Data SecretData `json:"data"`
	// Warnings contains any warnings related to the operation. These
	// are not issues that caused the command to fail, but that the
	// client should be aware of.
	Warnings []string `json:"warnings"`
	// Auth, if non-nil, means that there was authentication information
	// attached to this response. It carries a ClientToken, so the whole
	// struct must be treated as sensitive when logged or persisted.
	Auth *SecretAuth `json:"auth,omitempty"`
	// WrapInfo, if non-nil, means that the initial response was wrapped in the
	// cubbyhole of the given token (which has a TTL of the given number of
	// seconds)
	WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
}

SecretV2 is the structure returned for every secret within Vault.

type SecretWrapInfo

type SecretWrapInfo struct {
	// Token is the wrapping token. It is a credential that unwraps the
	// original response, so it must not be logged.
	Token           string    `json:"token"`
	// Accessor is the wrapping token's accessor (json "accessor").
	Accessor        string    `json:"accessor"`
	// TTL is the wrapping token's time to live (json "ttl").
	TTL             int       `json:"ttl"`
	// CreationTime is when the wrapping token was created.
	CreationTime    time.Time `json:"creation_time"`
	// CreationPath is the path the wrapped response was created at.
	CreationPath    string    `json:"creation_path"`
	// WrappedAccessor is the accessor of the wrapped token, set when the
	// wrapped content is itself an authentication token.
	WrappedAccessor string    `json:"wrapped_accessor"`
}

SecretWrapInfo contains wrapping information if we have it. If what is contained is an authentication token, the accessor for the token will be available in WrappedAccessor.

type Values

type Values = map[string]string

Values is a bag of values.

type VaultClient

type VaultClient struct {
	// contains filtered or unexported fields
}

VaultClient is a client to talk to the secrets store.

func Must

func Must(c *VaultClient, err error) *VaultClient

Must panics if err is non-nil; otherwise it returns the client.

func NewVaultClient

func NewVaultClient() (*VaultClient, error)

NewVaultClient returns a new client.

func NewVaultClientFromConfig

func NewVaultClientFromConfig(cfg *Config) (*VaultClient, error)

NewVaultClientFromConfig returns a new client from a config.

func NewVaultClientFromEnv

func NewVaultClientFromEnv() (*VaultClient, error)

NewVaultClientFromEnv is a helper to create a client from a config read from the environment.

func (*VaultClient) CertPool

func (c *VaultClient) CertPool() *CertPool

CertPool returns the cert pool.

func (*VaultClient) Delete

func (c *VaultClient) Delete(key string, options ...Option) error

Delete deletes a key.

func (*VaultClient) Get

func (c *VaultClient) Get(key string, options ...Option) (Values, error)

Get gets a value at a given key.

func (*VaultClient) HTTPClient

func (c *VaultClient) HTTPClient() HTTPClient

HTTPClient returns the http client.

func (*VaultClient) Logger

func (c *VaultClient) Logger() *logger.Logger

Logger returns the logger.

func (*VaultClient) Mount

func (c *VaultClient) Mount() string

Mount returns the mount.

func (*VaultClient) Put

func (c *VaultClient) Put(key string, data Values, options ...Option) error

Put puts a value.

func (*VaultClient) ReadInto

func (c *VaultClient) ReadInto(key string, obj interface{}, options ...Option) error

ReadInto reads a secret into an object.

func (*VaultClient) Remote

func (c *VaultClient) Remote() *url.URL

Remote returns the client remote addr.

func (*VaultClient) Token

func (c *VaultClient) Token() string

Token returns the token.

func (*VaultClient) WithHTTPClient

func (c *VaultClient) WithHTTPClient(hc HTTPClient) *VaultClient

WithHTTPClient sets the http client.

func (*VaultClient) WithLogger

func (c *VaultClient) WithLogger(log *logger.Logger) *VaultClient

WithLogger sets the logger.

func (*VaultClient) WithMount

func (c *VaultClient) WithMount(mount string) *VaultClient

WithMount sets the mount.

func (*VaultClient) WithRemote

func (c *VaultClient) WithRemote(remote *url.URL) *VaultClient

WithRemote sets the client remote url.

func (*VaultClient) WithToken

func (c *VaultClient) WithToken(token string) *VaultClient

WithToken sets the token.

func (*VaultClient) WriteInto

func (c *VaultClient) WriteInto(key string, obj interface{}, options ...Option) error

WriteInto writes an object into a secret at a given key.

Directories

Path Synopsis
_examples
