Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var (
TokenProviders = map[string]TokenProvider{}
)
Functions ¶
This section is empty.
Types ¶
type Credentials ¶
type Credentials interface {
// GetTokenProvider returns a TokenProvider for the given key, applying the given options if a new TokenProvider is
// created to fulfill the request. If a TokenProvider already exists for the given key, it will be returned.
// It's important for callers to be consistent with the options they pass in, at least for a given Thelma execution,
// since the options are only used on the first call for a given key.
//
// The caching means that there will only ever be one TokenProvider for a given key, so the TokenProvider's
// concurrency-safety guarantees will reliably apply (and the caller doesn't need to worry about caching the
// response of this function).
GetTokenProvider(key string, opts ...TokenOption) TokenProvider
}
func NewWithStore ¶ added in v0.0.31
func NewWithStore(store stores.Store) Credentials
NewWithStore returns a new Credentials instance backed by the given store
type TokenOption ¶
type TokenOption func(*TokenOptions)
TokenOption function for configuring a token's Options
type TokenOptions ¶
type TokenOptions struct {
// EnvVars (optional) environment variables to use for this token. Defaults to key (upper-cased with s/-/_/, eg. "vault-token" -> "VAULT_TOKEN").
// Ideally only one environment variable should be used, but multiple are supported for backwards compatibility.
EnvVars []string
// PromptEnabled (optional) if true, user will be prompted to manually enter a token value if one does not exist in credential store.
PromptEnabled bool
// PromptMessage (optional) Override default prompt message ("Please enter VAULT_TOKEN: ")
PromptMessage string
// ValidateFn (optional) Optional function for validating a token. If supplied, stored credentials will be validated before being returned to caller.
// This function can be called quite frequently in Goroutine scenarios, so offline validation is ideal.
ValidateFn func([]byte) error
// RefreshFn (optional) Optional function for refreshing a token. Called if a stored credential turns out to be invalid. If an error is returned, IssueFn will be called to issue a new credential.
RefreshFn func([]byte) ([]byte, error)
// IssueFn (optional) Optional function for issuing a new token. If supplied, prompt options are ignored.
IssueFn func() ([]byte, error)
// CredentialStore (optional) Use a custom credential store instead of the default store (~/.thelma/credentials/$key)
CredentialStore stores.Store
}
TokenOptions configuration options for a TokenProvider
type TokenProvider ¶
type TokenProvider interface {
// Get provides a token value based on the configuration of the TokenProvider. The overall flow is as follows:
//
// 1. If a match for any TokenOptions.EnvVars is found, immediately return that value
// 2. If a match for the key is found in the TokenOptions.CredentialStore:
// - If it is valid per TokenOptions.ValidateFn, return it
// - If it is invalid but TokenOptions.RefreshFn is provided, attempt to refresh the token and validate, store, and return it
// (errors from TokenOptions.RefreshFn will cause the flow to continue to step 3)
// 3. If TokenOptions.IssueFn is provided, issue a new token and validate, store, and return it
// 4. If TokenOptions.IssueFn isn't provided but TokenOptions.PromptEnabled is true and the session is interactive,
// prompt the user for a new token value and validate, store, and return it
Get() ([]byte, error)
// Reissue clears the state of the TokenProvider and then calls Get (which will usually then issue a new token).
Reissue() ([]byte, error)
}
TokenProvider manages a token used for authentication, possibly stored on the local filesystem. The exported methods are Goroutine-safe.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.