credentials

Documentation

Index

• type Credentials
  • func New(thelmaConfig config.Config, thelmaRoot root.Root) (Credentials, error)
  • func NewWithStore(store stores.Store) Credentials
• type TokenOption
• type TokenOptions
• type TokenProvider

Types

type Credentials

type Credentials interface {
	// NewTokenProvider returns a new TokenProvider for the given key
	NewTokenProvider(key string, opts ...TokenOption) TokenProvider
}

func New

func New(thelmaConfig config.Config, thelmaRoot root.Root) (Credentials, error)

New returns a new Credentials instance using a directory store rooted at credentialsDir

func NewWithStore

func NewWithStore(store stores.Store) Credentials

NewWithStore returns a new Credentials instance backed by the given store

type TokenOption

type TokenOption func(*TokenOptions)

TokenOption function for configuring a token's Options

type TokenOptions

type TokenOptions struct {
	// EnvVars (optional) environment variables to use for this token. Defaults to key (upper-cased with s/-/_/, eg. "vault-token" -> "VAULT_TOKEN").
	// Ideally only one environment variable should be used, but multiple are supported for backwards compatibility.
	EnvVars []string
	// PromptEnabled (optional) if true, user will be prompted to manually enter a token value if one does not exist in credential store.
	PromptEnabled bool
	// PromptMessage (optional) Override default prompt message ("Please enter VAULT_TOKEN: ")
	PromptMessage string
	// ValidateFn (optional) Optional function for validating a token. If supplied, stored credentials will be validated before being returned to caller.
	// This function can be called quite frequently in Goroutine scenarios, so offline validation is ideal.
	ValidateFn func([]byte) error
	// RefreshFn (optional) Optional function for refreshing a token. Called if a stored credential turns out to be invalid. If an error is returned, IssueFn will be called to issue a new credential.
	RefreshFn func([]byte) ([]byte, error)
	// IssueFn (optional) Optional function for issuing a new token. If supplied, prompt options are ignored.
	IssueFn func() ([]byte, error)
	// CredentialStore (optional) Use a custom credential store instead of the default store (~/.thelma/credentials/$key)
	CredentialStore stores.Store
}

TokenOptions configuration options for a TokenProvider

type TokenProvider

type TokenProvider interface {
	// Get provides a token value based on the configuration of the TokenProvider. The overall flow is as follows:
	//
	// 1. If a match for any TokenOptions.EnvVars is found, immediately return that value
	// 2. If a match for the key is found in the TokenOptions.CredentialStore:
	//    - If it is valid per TokenOptions.ValidateFn, return it
	//    - If it is invalid but TokenOptions.RefreshFn is provided, attempt to refresh the token and validate, store, and return it
	//      (errors from TokenOptions.RefreshFn will cause the flow to continue to step 3)
	// 3. If TokenOptions.IssueFn is provided, issue a new token and validate, store, and return it
	// 4. If TokenOptions.IssueFn isn't provided but TokenOptions.PromptEnabled is true and the session is interactive,
	//    prompt the user for a new token value and validate, store, and return it
	Get() ([]byte, error)
	// Reissue clears the state of the TokenProvider and then calls Get (which will usually then issue a new token).
	Reissue() ([]byte, error)
}

TokenProvider manages a token used for authentication, possibly stored on the local filesystem. The exported methods are Goroutine-safe.