Documentation ¶
Overview ¶
Example (EncryptDecryptType) ¶
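// Key type requested when the transit key is created.
const rsa4096 = "rsa-4096"

// "test" is a placeholder token for this example. Real code should load the
// token from the environment or a secret store, never from source.
// NOTE(review): WithCaPath("") passes an empty CA path; confirm which trust
// store the client falls back to in that case.
c, err := NewClient("https://vault:8200/", WithCaPath(""), WithAuthToken("test"))
if err != nil {
	log.Fatal(err)
}
// Log the server address, not c.Token(): the token is a bearer credential
// and must not end up on stdout or in logs.
log.Println(c.Address())

transit := c.Transit()
key := "test123bacd"

// Exportable lets key material leave Vault through Export, and Vault does not
// allow the flag to be switched off again once it is set. Enable it only when
// the key really has to be exported.
err = transit.Create(key, &TransitCreateOptions{
	Exportable: BoolPtr(true),
	Type:       rsa4096,
})
if err != nil {
	log.Fatal(err)
}

res, err := transit.Read(key)
if err != nil {
	log.Fatal(err)
}
// res.Data is key metadata (name, type, version settings).
log.Printf("%+v\n", res.Data)

exportRes, err := transit.Export(key, TransitExportOptions{
	KeyType: "encryption-key",
})
if err != nil {
	log.Fatal(err)
}
// exportRes.Data.Keys holds the raw exported key material. Report only how
// many entries came back; never log the entries themselves.
log.Printf("exported %d key entries", len(exportRes.Data.Keys))

// NOTE(review): Vault's transit API takes base64-encoded plaintext; confirm
// whether this client encodes the value or expects the caller to do it.
encryptResponse, err := transit.Encrypt(key, &TransitEncryptOptions{
	Plaintext: "plaintext",
})
if err != nil {
	log.Fatalf("Error occurred during encryption: %v", err)
}
log.Println("Ciphertext: ", encryptResponse.Data.Ciphertext)

decryptResponse, err := transit.Decrypt(key, &TransitDecryptOptions{
	Ciphertext: encryptResponse.Data.Ciphertext,
})
if err != nil {
	log.Fatalf("Error occurred during decryption: %v", err)
}
// Printed here only because the value is a demo constant; decrypted data
// should not be written to logs in real code.
log.Println("Plaintext: ", decryptResponse.Data.Plaintext)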
Output:
Example (K8sInCluster) ¶
// Build a client that logs in through the Kubernetes auth method using the
// Vault role "myrole".
// NOTE(review): no JWT option is passed here; presumably the pod's mounted
// service-account token is used. Confirm against WithJwt / WithJwtFromFile.
// NOTE(review): WithCaPath("") passes an empty CA path; confirm which trust
// store the client falls back to.
client, err := NewClient(
	"https://vault:8200/",
	WithCaPath(""),
	WithKubernetesAuth("myrole"),
)
if err != nil {
	log.Fatal(err)
}

// Only the server address is logged; the issued token stays out of the logs.
log.Println(client.Address())
Output:
Example (TokenBased) ¶
// Build a client that authenticates with a static token.
// "SECRET" is a placeholder: supply the real token at runtime from the
// environment or a secret store rather than committing it to source.
// NOTE(review): WithCaPath("") passes an empty CA path; confirm which trust
// store the client falls back to.
client, err := NewClient(
	"https://vault:8200/",
	WithCaPath(""),
	WithAuthToken("SECRET"),
)
if err != nil {
	log.Fatal(err)
}

// Only the server address is logged, never the token.
log.Println(client.Address())
Output:
Index ¶
- Variables
- func BoolPtr(input bool) *bool
- func IntPtr(input int) *int
- func StringPtr(input string) *string
- type AuthProvider
- type AuthResponse
- type Client
- func (c *Client) Delete(path []string, body, response interface{}, opts *RequestOptions) error
- func (c *Client) List(path []string, body, response interface{}, opts *RequestOptions) error
- func (c *Client) Read(path []string, response interface{}, opts *RequestOptions) error
- func (c *Client) Request(method string, path []string, body, response interface{}, opts *RequestOptions) error
- func (c *Client) Transit() *Transit
- func (c *Client) TransitWithMountPoint(mountPoint string) *Transit
- func (c *Client) Write(path []string, body, response interface{}, opts *RequestOptions) error
- type ClientOpts
- type KubernetesAuthOpt
- type RequestOptions
- type Service
- type TLSConfig
- type Transit
- func (t *Transit) Create(key string, opts *TransitCreateOptions) error
- func (t *Transit) Decrypt(key string, opts *TransitDecryptOptions) (*TransitDecryptResponse, error)
- func (t *Transit) DecryptBatch(key string, opts TransitDecryptOptionsBatch) (*TransitDecryptResponseBatch, error)
- func (t *Transit) Delete(key string) error
- func (t *Transit) Encrypt(key string, opts *TransitEncryptOptions) (*TransitEncryptResponse, error)
- func (t *Transit) EncryptBatch(key string, opts *TransitEncryptOptionsBatch) (*TransitEncryptResponseBatch, error)
- func (t *Transit) Export(key string, opts TransitExportOptions) (*TransitExportResponse, error)
- func (t *Transit) ForceDelete(key string) error
- func (t *Transit) KeyExists(key string) (bool, error)
- func (t *Transit) List() (*TransitListResponse, error)
- func (t *Transit) Read(key string) (*TransitReadResponse, error)
- func (t *Transit) Rotate(key string) error
- func (t *Transit) Sign(key string, opts *TransitSignOptions) (*TransitSignResponse, error)
- func (t *Transit) Update(key string, opts TransitUpdateOptions) error
- func (t *Transit) Verify(key string, opts *TransitVerifyOptions) (*TransitVerifyResponse, error)
- type TransitBatchCiphertext
- type TransitBatchPlaintext
- type TransitCreateOptions
- type TransitDecryptOptions
- type TransitDecryptOptionsBatch
- type TransitDecryptResponse
- type TransitDecryptResponseBatch
- type TransitEncryptOptions
- type TransitEncryptOptionsBatch
- type TransitEncryptResponse
- type TransitEncryptResponseBatch
- type TransitExportOptions
- type TransitExportResponse
- type TransitListResponse
- type TransitReadResponse
- type TransitReadResponseData
- type TransitSignOptions
- type TransitSignResponse
- type TransitUpdateOptions
- type TransitVerifyOptions
- type TransitVerifyResponse
Examples ¶
Constants ¶
This section is empty.
Variables ¶
// ErrEncKeyNotFound is the package's sentinel error for a missing encryption
// key. Match it with errors.Is rather than comparing message text.
// NOTE(review): presumably returned by Transit operations when the named key
// does not exist; confirm against the callers.
var ErrEncKeyNotFound = errors.New("encryption key not found")
Functions ¶
Types ¶
type AuthProvider ¶
// AuthProvider is the login abstraction used by the client: any type that can
// authenticate and hand back an AuthResponse satisfies it. NewKubernetesAuth
// returns one implementation.
type AuthProvider interface {
	// Auth performs the login and returns the decoded response, or an error
	// if authentication failed. The response carries the issued token, so
	// implementations and callers should not log it.
	Auth() (*AuthResponse, error)
}
func NewKubernetesAuth ¶
func NewKubernetesAuth(c *Client, role string, opts ...KubernetesAuthOpt) (AuthProvider, error)
type AuthResponse ¶
// AuthResponse is the JSON shape of an authentication response (the value
// AuthProvider.Auth returns). Every field sits under the top-level "auth"
// object.
type AuthResponse struct {
	Auth struct {
		// ClientToken is the issued token. It is a bearer credential: keep it
		// out of logs and avoid printing this struct with %v / %+v.
		ClientToken string `json:"client_token"`
		// Accessor is decoded from "accessor".
		Accessor string `json:"accessor"`
		// Policies lists the policy names returned with the token.
		Policies []string `json:"policies"`
		// LeaseDuration is decoded from "lease_duration".
		// NOTE(review): presumably seconds; confirm.
		LeaseDuration int `json:"lease_duration"`
		// Renewable is decoded from "renewable".
		Renewable bool `json:"renewable"`
		// Metadata carries the role and Kubernetes service-account identity
		// fields returned with the login.
		Metadata struct {
			Role                     string `json:"role"`
			ServiceAccountName       string `json:"service_account_name"`
			ServiceAccountNamespace  string `json:"service_account_namespace"`
			ServiceAccountSecretName string `json:"service_account_secret_name"`
			ServiceAccountUID        string `json:"service_account_uid"`
		} `json:"metadata"`
	} `json:"auth"`
}
type Client ¶
func NewClient ¶
func NewClient(addr string, tlsConf *TLSConfig, opts ...ClientOpts) (*Client, error)
func (*Client) Delete ¶
func (c *Client) Delete(path []string, body, response interface{}, opts *RequestOptions) error
func (*Client) List ¶
func (c *Client) List(path []string, body, response interface{}, opts *RequestOptions) error
func (*Client) Read ¶
func (c *Client) Read(path []string, response interface{}, opts *RequestOptions) error
func (*Client) Request ¶
func (c *Client) Request(method string, path []string, body, response interface{}, opts *RequestOptions) error
func (*Client) TransitWithMountPoint ¶
type ClientOpts ¶
func WithAuthToken ¶
func WithAuthToken(token string) ClientOpts
func WithKubernetesAuth ¶
func WithKubernetesAuth(role string, opts ...KubernetesAuthOpt) ClientOpts
type KubernetesAuthOpt ¶
// KubernetesAuthOpt is a functional option that configures the unexported
// kubernetesAuth provider. WithJwt, WithJwtFromFile and WithMountPoint return
// values of this type; an option reports a problem by returning an error.
type KubernetesAuthOpt func(k *kubernetesAuth) error
func WithJwt ¶
func WithJwt(jwt string) KubernetesAuthOpt
func WithJwtFromFile ¶
func WithJwtFromFile(path string) KubernetesAuthOpt
func WithMountPoint ¶
func WithMountPoint(mountPoint string) KubernetesAuthOpt
type RequestOptions ¶
// RequestOptions carries per-request settings accepted by the Client request
// methods (Request, Read, Write, List, Delete).
type RequestOptions struct {
	// Parameters holds url.Values for the request.
	// NOTE(review): presumably sent as the URL query string; confirm.
	Parameters url.Values
	// SkipRenewal controls what the client does when a request fails with
	// 403 Permission Denied.
	// By default (false) the client always requests a new token on 403 and
	// retries the request with it. Only when this is explicitly set to true
	// does the client skip the renewal and continue processing the first
	// failed request.
	// Renewal should generally only be skipped for TokenAuth requests: a
	// failed TokenAuth request can't be fixed by doing another TokenAuth
	// request, and retrying would lead to infinite recursion.
	SkipRenewal bool
}
type Transit ¶
// Transit groups the transit-engine operations of this package (Create, Read,
// Encrypt, Decrypt, Sign, Verify, Export, Rotate, ...). Obtain one from
// Client.Transit or Client.TransitWithMountPoint.
type Transit struct {
	// Service is embedded; Transit inherits its fields and methods.
	Service
}
func (*Transit) Decrypt ¶
func (t *Transit) Decrypt(key string, opts *TransitDecryptOptions) (*TransitDecryptResponse, error)
func (*Transit) DecryptBatch ¶
func (t *Transit) DecryptBatch(key string, opts TransitDecryptOptionsBatch) (*TransitDecryptResponseBatch, error)
func (*Transit) Encrypt ¶
func (t *Transit) Encrypt(key string, opts *TransitEncryptOptions) (*TransitEncryptResponse, error)
func (*Transit) EncryptBatch ¶
func (t *Transit) EncryptBatch(key string, opts *TransitEncryptOptionsBatch) (*TransitEncryptResponseBatch, error)
func (*Transit) Export ¶
func (t *Transit) Export(key string, opts TransitExportOptions) (*TransitExportResponse, error)
func (*Transit) ForceDelete ¶
func (*Transit) List ¶
func (t *Transit) List() (*TransitListResponse, error)
Example ¶
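// "SECRET" is a placeholder token for this example. Real code should load the
// token from the environment or a secret store, never from source.
// NOTE(review): WithCaPath("") passes an empty CA path; confirm which trust
// store the client falls back to.
c, err := NewClient("https://vault:8200/",
	WithCaPath(""),
	WithAuthToken("SECRET"),
)
if err != nil {
	log.Fatal(err)
}

// List the key names of the transit engine mounted at "transit".
l, err := c.TransitWithMountPoint("transit").List()
if err != nil {
	// Pass err along: a bare log.Fatal() exits without saying what failed.
	log.Fatal(err)
}
log.Println(l)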
Output:
func (*Transit) Sign ¶
func (t *Transit) Sign(key string, opts *TransitSignOptions) (*TransitSignResponse, error)
func (*Transit) Verify ¶
func (t *Transit) Verify(key string, opts *TransitVerifyOptions) (*TransitVerifyResponse, error)
type TransitBatchCiphertext ¶
type TransitBatchPlaintext ¶
type TransitCreateOptions ¶
type TransitDecryptOptions ¶
type TransitDecryptOptionsBatch ¶
// TransitDecryptOptionsBatch is the request body for Transit.DecryptBatch.
type TransitDecryptOptionsBatch struct {
	// BatchInput lists the ciphertext items to decrypt; it is sent as
	// "batch_input".
	BatchInput []TransitBatchCiphertext `json:"batch_input"`
}
type TransitDecryptResponse ¶
// TransitDecryptResponse is the decoded reply of Transit.Decrypt.
type TransitDecryptResponse struct {
	Data struct {
		// Plaintext is the decrypted value, read from "data.plaintext".
		// Treat it as sensitive and keep it out of logs.
		// NOTE(review): Vault returns transit plaintext base64-encoded;
		// confirm whether the client decodes it before filling this field.
		Plaintext string `json:"plaintext"`
	} `json:"data"`
}
type TransitDecryptResponseBatch ¶
// TransitDecryptResponseBatch is the decoded reply of Transit.DecryptBatch.
type TransitDecryptResponseBatch struct {
	Data struct {
		// BatchResults holds the decrypted items read from
		// "data.batch_results". Treat the contents as sensitive.
		// NOTE(review): presumably one entry per BatchInput item, in the same
		// order; confirm.
		BatchResults []TransitBatchPlaintext `json:"batch_results"`
	} `json:"data"`
}
type TransitEncryptOptions ¶
// TransitEncryptOptions is the request body for Transit.Encrypt. Every field
// except Plaintext is omitted from the JSON when left at its zero value.
type TransitEncryptOptions struct {
	// Plaintext is the value to encrypt, sent as "plaintext".
	// NOTE(review): Vault's transit API takes base64-encoded plaintext;
	// confirm whether the client encodes it or expects the caller to.
	Plaintext string `json:"plaintext"`
	// Context is sent as "context" when non-empty.
	// NOTE(review): presumably the key-derivation context; confirm.
	Context string `json:"context,omitempty"`
	// KeyVersion selects a key version when non-nil; nil omits the field.
	KeyVersion *int `json:"key_version,omitempty"`
	// Nonce is sent as "nonce" when non-empty.
	// NOTE(review): a caller-supplied nonce must never repeat under the same
	// key; leave it empty unless the key's mode requires one. Confirm the
	// exact rules against Vault's transit documentation.
	Nonce string `json:"nonce,omitempty"`
	// Type is sent as "type" when non-empty.
	Type string `json:"type,omitempty"`
	// ConvergentEncryption is sent as "convergent_encryption" when non-empty.
	ConvergentEncryption string `json:"convergent_encryption,omitempty"`
}
type TransitEncryptOptionsBatch ¶
// TransitEncryptOptionsBatch is the request body for Transit.EncryptBatch.
// BatchInput is always sent as "batch_input"; the remaining fields are
// omitted from the JSON when left at their zero value.
// NOTE(review): Vault's transit API takes base64-encoded plaintext; confirm
// whether the client encodes the batch items or expects the caller to.
type TransitEncryptOptionsBatch struct {
	BatchInput           []TransitBatchPlaintext `json:"batch_input"`
	KeyVersion           *int                    `json:"key_version,omitempty"`
	Type                 string                  `json:"type,omitempty"`
	ConvergentEncryption string                  `json:"convergent_encryption,omitempty"`
}
type TransitEncryptResponse ¶
// TransitEncryptResponse is the decoded reply of Transit.Encrypt.
type TransitEncryptResponse struct {
	Data struct {
		// Ciphertext is read from "data.ciphertext"; pass it unchanged to
		// Transit.Decrypt to recover the plaintext.
		Ciphertext string `json:"ciphertext"`
	} `json:"data"`
}
type TransitEncryptResponseBatch ¶
// TransitEncryptResponseBatch is the decoded reply of Transit.EncryptBatch.
type TransitEncryptResponseBatch struct {
	Data struct {
		// BatchResults holds the encrypted items read from
		// "data.batch_results".
		// NOTE(review): presumably one entry per BatchInput item, in the same
		// order; confirm.
		BatchResults []TransitBatchCiphertext `json:"batch_results"`
	} `json:"data"`
}
type TransitExportOptions ¶
type TransitExportResponse ¶
type TransitListResponse ¶
// TransitListResponse is the decoded reply of Transit.List.
type TransitListResponse struct {
	Data struct {
		// Keys holds the strings read from "data.keys".
		// NOTE(review): presumably the names of the transit keys at this
		// mount; confirm.
		Keys []string `json:"keys"`
	} `json:"data"`
}
type TransitReadResponse ¶
// TransitReadResponse is the decoded reply of Transit.Read.
type TransitReadResponse struct {
	// Data is the key description read from the top-level "data" object.
	Data TransitReadResponseData `json:"data"`
}
type TransitReadResponseData ¶
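// TransitReadResponseData describes one transit key as decoded from the
// "data" object of a read response.
type TransitReadResponseData struct {
	Name string `json:"name"`
	Type string `json:"type"`
	// Keys is decoded from "keys".
	// NOTE(review): presumably indexed by key version number, with a value
	// shape that depends on the key type; confirm.
	Keys map[int]interface{} `json:"keys"`
	// MinDecryptionVersion is read from "min_decryption_version", the name
	// Vault uses on the wire. With a misspelled tag the field silently stays
	// 0, which hides whether old key versions have actually been retired
	// from decryption after a rotation.
	MinDecryptionVersion int `json:"min_decryption_version"`
	// The remaining fields map one-to-one onto the JSON names in their tags.
	// Exportable and AllowPlaintextBackup are worth auditing: both indicate
	// that key material is permitted to leave Vault.
	MinEncryptionVersion int  `json:"min_encryption_version"`
	LatestVersion        int  `json:"latest_version"`
	DeletionAllowed      bool `json:"deletion_allowed"`
	Derived              bool `json:"derived"`
	Exportable           bool `json:"exportable"`
	AllowPlaintextBackup bool `json:"allow_plaintext_backup"`
	SupportsEncryption   bool `json:"supports_encryption"`
	SupportsDecryption   bool `json:"supports_decryption"`
	SupportsDerivation   bool `json:"supports_derivation"`
	SupportsSigning      bool `json:"supports_signing"`
}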
type TransitSignOptions ¶
// TransitSignOptions is the request body for Transit.Sign.
type TransitSignOptions struct {
	// Plaintext is the data to sign. Note the wire name differs from the Go
	// name: it is sent as "input".
	// NOTE(review): Vault's sign endpoint takes base64-encoded input; confirm
	// whether the client encodes it or expects the caller to.
	Plaintext string `json:"input"`
}
type TransitSignResponse ¶
// TransitSignResponse is the decoded reply of Transit.Sign.
type TransitSignResponse struct {
	Data struct {
		// Signature is read from "data.signature".
		Signature string `json:"signature"`
	} `json:"data"`
}
type TransitUpdateOptions ¶
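// TransitUpdateOptions is the request body for Transit.Update. Every field is
// omitted from the JSON when left at its zero value (0 or nil), so only the
// settings the caller fills in are sent.
type TransitUpdateOptions struct {
	// MinDecryptionVersion is sent as "min_decryption_version", the parameter
	// name Vault expects. Under a misspelled name the setting is never
	// applied, so raising it to retire old key versions after a rotation
	// would silently have no effect.
	MinDecryptionVersion int `json:"min_decryption_version,omitempty"`
	// The pointer fields distinguish "leave unchanged" (nil) from an explicit
	// true/false. Exportable and AllowPlaintextBackup let key material leave
	// Vault; set them only when that is intended.
	MinEncryptionVersion int   `json:"min_encryption_version,omitempty"`
	DeletionAllowed      *bool `json:"deletion_allowed,omitempty"`
	Exportable           *bool `json:"exportable,omitempty"`
	AllowPlaintextBackup *bool `json:"allow_plaintext_backup,omitempty"`
}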
type TransitVerifyOptions ¶
type TransitVerifyResponse ¶
// TransitVerifyResponse is the decoded reply of Transit.Verify.
type TransitVerifyResponse struct {
	Data struct {
		// Valid is read from "data.valid". Callers must check it explicitly:
		// a nil error from Verify does not by itself mean the signature
		// matched.
		Valid bool `json:"valid"`
	} `json:"data"`
}