secretstore

package
Published: Feb 3, 2021 License: Apache-2.0 Imports: 38 Imported by: 0


Constants

const (
	// VaultToken is the HTTP header name in which the Vault token is sent.
	VaultToken             = "X-Vault-Token"
	// TokenCreatorPolicyName is presumably the name under which
	// TokenCreatorPolicy is registered — confirm against callers.
	TokenCreatorPolicyName = "privileged-token-creator"

	// TokenCreatorPolicy is an admin token policy that allows for creation of
	// per-service tokens and policies. The policy body is not displayed on
	// this page; review it in the source before granting the token it backs.
	TokenCreatorPolicy = `` /* 394-byte string literal not displayed */

)
// OneShotProvider is the provider name "oneshot".
// NOTE(review): which configuration setting this value selects is not documented here — confirm against callers.
const OneShotProvider = "oneshot"

Variables

This section is empty.

Functions

func Main

func Main(ctx context.Context, cancel context.CancelFunc, _ *mux.Router, _ chan<- bool)

Types

type Bootstrap

type Bootstrap struct {
	// contains filtered or unexported fields
}

func NewBootstrap

func NewBootstrap(insecureSkipVerify bool, vaultInterval int) *Bootstrap

func (*Bootstrap) BootstrapHandler

func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ startup.Timer, dic *di.Container) bool

BootstrapHandler fulfills the BootstrapHandler contract and performs initialization needed by the data service.

type CertCollect

// CertCollect wraps a CertPair under the "data" JSON key.
// NOTE(review): presumably the envelope the secret store expects; confirm against Certs.UploadToStore.
type CertCollect struct {
	Pair CertPair `json:"data"`
}

type CertPair

// CertPair holds a certificate and its key as strings, serialized under the
// "cert" and "key" JSON keys.
// NOTE(review): Key is presumably private key material — keep this struct out
// of log and error output.
type CertPair struct {
	Cert string `json:"cert,omitempty"`
	Key  string `json:"key,omitempty"`
}

type Certs

type Certs struct {
	// contains filtered or unexported fields
}

func NewCerts

func NewCerts(
	caller internal.HttpCaller,
	certPath string,
	rootToken string,
	secretServiceBaseURL string,
	lc logger.LoggingClient) Certs

func (*Certs) AlreadyinStore

func (cs *Certs) AlreadyinStore() (bool, error)

func (*Certs) ReadFrom

func (cs *Certs) ReadFrom(certPath string, keyPath string) (*CertPair, error)

func (*Certs) UploadToStore

func (cs *Certs) UploadToStore(cp *CertPair) error

type CmdRunner

// CmdRunner is a mockable interface covering the exec.Cmd methods used here
// (Start and Wait).
type CmdRunner interface {
	Start() error
	Wait() error
}

CmdRunner is a mockable interface for Go's exec.Cmd.

type Cred

type Cred struct {
	// contains filtered or unexported fields
}

func NewCred

func NewCred(
	caller internal.HttpCaller,
	rootToken string,
	generator CredentialGenerator,
	secretServiceBaseURL string,
	lc logger.LoggingClient) Cred

func (*Cred) AlreadyInStore

func (cr *Cred) AlreadyInStore(path string) (bool, error)

func (*Cred) GeneratePassword

func (cr *Cred) GeneratePassword(ctx context.Context) (string, error)

GeneratePassword is a pass-through to the password generator

func (*Cred) UploadToStore

func (cr *Cred) UploadToStore(pair *UserPasswordPair, path string) error

type CredCollect

// CredCollect wraps a UserPasswordPair under the "data" JSON key.
// NOTE(review): presumably the envelope the secret store expects; confirm against Cred.UploadToStore.
type CredCollect struct {
	Pair UserPasswordPair `json:"data"`
}

type CredentialGenerator

// CredentialGenerator is the interface for pluggable password generators.
// Generate returns a new password, or an error.
type CredentialGenerator interface {
	Generate(ctx context.Context) (string, error)
}

CredentialGenerator is the interface for pluggable password generators

func NewDefaultCredentialGenerator

func NewDefaultCredentialGenerator() CredentialGenerator

NewDefaultCredentialGenerator generates random passwords as base64-encoded strings

func NewPasswordGenerator

func NewPasswordGenerator(lc logger.LoggingClient, passwordProvider string, passwordProviderArgs []string) CredentialGenerator

NewPasswordGenerator wires up a pluggable password generator or defaults to a built-in implementation if the pluggable configuration is missing

type ExecRunner

// ExecRunner is a mockable interface wrapping the os/exec functionality used
// here: setting stdout, resolving an executable with LookPath, and building a
// CmdRunner with CommandContext.
type ExecRunner interface {
	SetStdout(stdout io.Writer)
	LookPath(file string) (string, error)
	CommandContext(ctx context.Context, name string, arg ...string) CmdRunner
}

ExecRunner is a mockable interface wrapping os/exec functionality.

func NewDefaultExecRunner

func NewDefaultExecRunner() ExecRunner

NewDefaultExecRunner creates an os/exec wrapper that joins subprocesses' stdout and stderr with the caller's

type PasswordProvider

type PasswordProvider struct {
	// contains filtered or unexported fields
}

func NewPasswordProvider

func NewPasswordProvider(lc logger.LoggingClient, execRunner ExecRunner) *PasswordProvider

NewPasswordProvider creates a new PasswordProvider

func (*PasswordProvider) Generate

func (p *PasswordProvider) Generate(ctx context.Context) (string, error)

Generate retrieves the password from the tool.

func (*PasswordProvider) SetConfiguration

func (p *PasswordProvider) SetConfiguration(passwordProvider string, passwordProviderArgs []string) error

SetConfiguration parses the password provider configuration and resolves the paths specified therein.

type RevokeFunc

// RevokeFunc, when called, revokes the token it was returned alongside
// (see TokenMaintenance.CreateTokenIssuingToken).
type RevokeFunc func()

type TokenMaintenance

type TokenMaintenance struct {
	// contains filtered or unexported fields
}

func NewTokenMaintenance

func NewTokenMaintenance(logging logger.LoggingClient, secretClient secretstoreclient.SecretStoreClient) *TokenMaintenance

NewTokenMaintenance creates a new TokenMaintenance.

func (*TokenMaintenance) CreateTokenIssuingToken

func (tm *TokenMaintenance) CreateTokenIssuingToken(rootToken string) (map[string]interface{}, RevokeFunc, error)

CreateTokenIssuingToken creates an admin token that allows the holder to create per-service tokens and policies. It requires a root token and returns a function that, if called, will revoke the token.

func (*TokenMaintenance) RevokeNonRootTokens

func (tm *TokenMaintenance) RevokeNonRootTokens(privilegedToken string) error

RevokeNonRootTokens revokes non-root tokens that may have been issued in previous EdgeX runs. Should be called with a high-privileged token.

func (*TokenMaintenance) RevokeRootTokens

func (tm *TokenMaintenance) RevokeRootTokens(privilegedToken string) error

RevokeRootTokens revokes any root tokens found in the secret store. Should be called with a high-privileged token.

type TokenProvider

type TokenProvider struct {
	// contains filtered or unexported fields
}

func NewTokenProvider

func NewTokenProvider(ctx context.Context, lc logger.LoggingClient, execRunner ExecRunner) *TokenProvider

NewTokenProvider creates a new TokenProvider

func (*TokenProvider) Launch

func (p *TokenProvider) Launch() error

Launch spawns the token provider function

func (*TokenProvider) SetConfiguration

func (p *TokenProvider) SetConfiguration(config secretstoreclient.SecretServiceInfo) error

SetConfiguration parses token provider configuration and resolves paths specified therein

type UserPasswordPair

// UserPasswordPair holds a username and password, serialized under the
// "username" and "password" JSON keys.
// NOTE(review): Password is a secret — keep this struct out of log and error
// output.
type UserPasswordPair struct {
	User     string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

type VMKEncryption

type VMKEncryption struct {
	// contains filtered or unexported fields
}

func NewVMKEncryption

func NewVMKEncryption(fileOpener fileioperformer.FileIoPerformer,
	pipedHexReader pipedhexreader.PipedHexReader,
	kdf kdf.KeyDeriver) *VMKEncryption

NewVMKEncryption is the constructor for VMKEncryption.

func (*VMKEncryption) DecryptInitResponse

func (v *VMKEncryption) DecryptInitResponse(initResp *secretstoreclient.InitResponse) error

DecryptInitResponse processes the InitResponse and decrypts the key shares. In the end, EncryptedKeys and Nonces are removed and replaced with Keys and KeysBase64 in the resulting JSON, as in the original init response. The root token is left untouched.

func (*VMKEncryption) EncryptInitResponse

func (v *VMKEncryption) EncryptInitResponse(initResp *secretstoreclient.InitResponse) error

EncryptInitResponse processes the InitResponse and encrypts the key shares. In the end, Keys and KeysBase64 are removed and replaced with EncryptedKeys and Nonces in the resulting JSON. The root token is left untouched.

func (*VMKEncryption) IsEncrypting

func (v *VMKEncryption) IsEncrypting() bool

IsEncrypting scrubs the input key material from memory

func (*VMKEncryption) LoadIKM

func (v *VMKEncryption) LoadIKM(ikmBinPath string) error

LoadIKM loads input key material from the specified path

func (*VMKEncryption) WipeIKM

func (v *VMKEncryption) WipeIKM()

WipeIKM scrubs the input key material from memory
