vault

package
Constants

const (
	// NamespaceHeader specifies the header name to use when including Namespace information in a request.
	NamespaceHeader = "X-Vault-Namespace"
	// AuthTypeHeader is the header that carries the Vault token on authenticated
	// requests. Its value is a bearer credential: keep it out of logs and error text.
	AuthTypeHeader  = "X-Vault-Token"

	// Vault HTTP API paths used by Client. CreatePolicyPath and
	// GenerateConsulTokenAPI are format templates: the caller-supplied segment
	// (policy name, Consul role name) becomes part of the URL path, so it should
	// be validated or path-escaped (url.PathEscape) before being formatted in.
	// The "nolint: gosec" directives suppress gosec's hardcoded-credential check
	// (G101), which fires on "token"/"creds" appearing in a string constant; no
	// credential is embedded here, only a path.
	HealthAPI              = "/v1/sys/health"
	InitAPI                = "/v1/sys/init"
	UnsealAPI              = "/v1/sys/unseal"
	CreatePolicyPath       = "/v1/sys/policies/acl/%s"
	CreateTokenAPI         = "/v1/auth/token/create"    // nolint: gosec
	ListAccessorsAPI       = "/v1/auth/token/accessors" // nolint: gosec
	RevokeAccessorAPI      = "/v1/auth/token/revoke-accessor"
	LookupAccessorAPI      = "/v1/auth/token/lookup-accessor"
	LookupSelfAPI          = "/v1/auth/token/lookup-self"
	RevokeSelfAPI          = "/v1/auth/token/revoke-self"
	RootTokenControlAPI    = "/v1/sys/generate-root/attempt" // nolint: gosec
	RootTokenRetrievalAPI  = "/v1/sys/generate-root/update"  // nolint: gosec
	MountsAPI              = "/v1/sys/mounts"
	GenerateConsulTokenAPI = "/v1/consul/creds/%s" // nolint: gosec

)
const (
	// Secrets engine type names. Presumably these are the values accepted by the
	// engine parameter of CheckSecretEngineInstalled and sent as
	// EnableSecretsEngineRequest.Type — confirm against the client implementation.
	KeyValue = "kv"
	Consul   = "consul"
)

Variables

This section is empty.

Functions

func GetMockTokenServer

func GetMockTokenServer(tokenDataMap *sync.Map) *httptest.Server

GetMockTokenServer returns a stub HTTP test server that handles the token lookup-self and renew-self API calls.

Types

type Client

type Client struct {
	// Config holds the secret store connection settings (types.SecretConfig;
	// its contents are not visible in this listing).
	Config     types.SecretConfig
	// HttpCaller issues the HTTP requests. Because it is exported it can be
	// replaced with a test double (GetMockTokenServer provides such a stub
	// server). The name predates Go's initialism convention (HTTPCaller) and is
	// kept for API compatibility.
	HttpCaller pkg.Caller
	// contains filtered or unexported fields
}

Client defines the behavior for interacting with the Vault REST secret key/value store via HTTP(S).

func NewClient

func NewClient(config types.SecretConfig, requester pkg.Caller, forSecrets bool, lc logger.LoggingClient) (*Client, error)

NewClient constructs a Vault *Client which communicates with Vault via HTTP(S). lc is any logging client that implements the loggingClient interface; today EdgeX's logger.LoggingClient from go-mod-core-contracts satisfies this interface.

func NewSecretsClient

func NewSecretsClient(ctx context.Context, config types.SecretConfig, lc logger.LoggingClient, callback pkg.TokenExpiredCallback) (*Client, error)

NewSecretsClient constructs a Vault *Client which communicates with Vault via HTTP(S) for basic usage of secrets.

func (*Client) CheckSecretEngineInstalled

func (c *Client) CheckSecretEngineInstalled(token string, mountPoint string, engine string) (bool, error)

func (*Client) CreateToken

func (c *Client) CreateToken(token string, parameters map[string]interface{}) (map[string]interface{}, error)

func (*Client) EnableConsulSecretEngine

func (c *Client) EnableConsulSecretEngine(token string, mountPoint string, defaultLeaseTTL string) error

func (*Client) EnableKVSecretEngine

func (c *Client) EnableKVSecretEngine(token string, mountPoint string, kvVersion string) error

func (*Client) GenerateConsulToken

func (c *Client) GenerateConsulToken(serviceKey string) (string, error)

GenerateConsulToken generates a new Consul token using serviceKey as the role name when calling the secret store's consul/creds API. The serviceKey is used as the role-name segment of the secret store's URL and should be accessible to the API.

func (*Client) GetKeys added in v2.3.0

func (c *Client) GetKeys(subPath string) ([]string, error)

GetKeys retrieves the keys at the provided sub-path. The Secret Store returns an array of keys for a given path when listing keys, versus a k/v map when retrieving secrets.

func (*Client) GetSecrets

func (c *Client) GetSecrets(subPath string, keys ...string) (map[string]string, error)

GetSecrets retrieves the secrets at the provided sub-path that matches the specified keys.

func (*Client) HealthCheck

func (c *Client) HealthCheck() (int, error)

func (*Client) Init

func (c *Client) Init(secretThreshold int, secretShares int) (types.InitResponse, error)

func (*Client) InstallPolicy

func (c *Client) InstallPolicy(token string, policyName string, policyDocument string) error

func (*Client) ListTokenAccessors

func (c *Client) ListTokenAccessors(token string) ([]string, error)

func (*Client) LookupToken

func (c *Client) LookupToken(token string) (types.TokenMetadata, error)

func (*Client) LookupTokenAccessor

func (c *Client) LookupTokenAccessor(token string, accessor string) (types.TokenMetadata, error)

func (*Client) RegenRootToken

func (c *Client) RegenRootToken(keys []string) (string, error)

func (*Client) RevokeToken

func (c *Client) RevokeToken(token string) error

func (*Client) RevokeTokenAccessor

func (c *Client) RevokeTokenAccessor(token string, accessor string) error

func (*Client) SetAuthToken added in v2.1.0

func (c *Client) SetAuthToken(ctx context.Context, newToken string) error

func (*Client) StoreSecrets

func (c *Client) StoreSecrets(subPath string, secrets map[string]string) error

StoreSecrets stores the secrets at the provided sub-path for the specified keys.

func (*Client) Unseal

func (c *Client) Unseal(keysBase64 []string) error

type EnableSecretsEngineRequest

type EnableSecretsEngineRequest struct {
	// Type is the secrets engine type to mount; presumably one of the KeyValue /
	// Consul constants — confirm against the callers.
	Type        string                `json:"type"`
	// Description is free-form text describing the mount.
	Description string                `json:"description"`
	// Options carries engine-specific options (SecretsEngineOptions.Version);
	// omitted from the JSON body when nil.
	Options     *SecretsEngineOptions `json:"options,omitempty"`
	// Config carries mount configuration (the default lease TTL); omitted from
	// the JSON body when nil.
	Config      *SecretsEngineConfig  `json:"config,omitempty"`
}

EnableSecretsEngineRequest is the POST request to /v1/sys/mounts

type ErrCaRootCert

type ErrCaRootCert struct {
	// contains filtered or unexported fields
	// Values are constructed inside the package only. Error() has a value
	// receiver, so callers can match it with
	//   var e ErrCaRootCert; errors.As(err, &e)
	// (assuming the package returns it by value — confirm).
}

ErrCaRootCert is the error returned when the provided CA root certificate is invalid.

func (ErrCaRootCert) Error

func (e ErrCaRootCert) Error() string

type ErrHTTPResponse

// ErrHTTPResponse reports a Vault HTTP call that did not produce the expected
// result. Presumably it is returned when the response status differs from
// RequestArgs.ExpectedStatusCode — confirm against the request implementation.
type ErrHTTPResponse struct {
	// StatusCode is the HTTP status code of the failing response.
	StatusCode int
	// ErrMsg is the accompanying error text. NOTE(review): whether this echoes
	// the server's response body verbatim is not visible here; if it does,
	// avoid surfacing it unfiltered to end users.
	ErrMsg     string
}

func (ErrHTTPResponse) Error

func (err ErrHTTPResponse) Error() string

type InitRequest

type InitRequest struct {
	// SecretShares is the number of key shares the root key is split into.
	SecretShares    int `json:"secret_shares"`
	// SecretThreshold is how many of those shares must be supplied to unseal;
	// Vault requires it to be no larger than SecretShares.
	// Note that Client.Init takes (secretThreshold, secretShares) — the reverse
	// of the field order here — so watch the argument order at call sites.
	SecretThreshold int `json:"secret_threshold"`
}

InitRequest contains a Vault init request specifying the Shamir Secret Sharing (SSS) parameters.

type ListSecretEnginesResponse

type ListSecretEnginesResponse struct {
	// Data maps each mount to its engine type. The key is presumably the mount
	// path as Vault reports it (typically with a trailing slash) — confirm
	// before comparing against a bare mount point.
	Data map[string]struct {
		Type string `json:"type"`
	} `json:"data"`
}

ListSecretEnginesResponse is the response to GET /v1/sys/mounts

type ListTokenAccessorsResponse

type ListTokenAccessorsResponse struct {
	Data struct {
		// Keys lists token accessors. An accessor lets a caller look up or revoke
		// a token (see LookupTokenAccessor / RevokeTokenAccessor) without ever
		// holding the token value itself.
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListTokenAccessorsResponse is the response to the list accessors API

type LookupAccessorRequest

type LookupAccessorRequest struct {
	// Accessor is the token accessor to look up; it identifies a token but
	// cannot be used to authenticate as that token.
	Accessor string `json:"accessor"`
}

LookupAccessorRequest is used by accessor lookup API

type RequestArgs

type RequestArgs struct {
	// Authentication token, presumably sent in the AuthTypeHeader
	// ("X-Vault-Token") header — confirm. It is a credential: never log it.
	AuthToken string
	// HTTP method
	Method string
	// URL path (one of the *API constants, already formatted where it
	// contains a %s placeholder)
	Path string
	// If non-nil, passed to JSON serializer and included in request
	JSONObject interface{}
	// Included in HTTP request if JSONObject is nil
	BodyReader io.Reader
	// Description of the operation being performed included in log messages
	OperationDescription string
	// Expected status code to be returned from HTTP request
	ExpectedStatusCode int
	// If non-nil and request succeeded, response body will be serialized here (must be a pointer)
	ResponseObject interface{}
}

RequestArgs is the parameters structure for the request method.

type RevokeTokenAccessorRequest

type RevokeTokenAccessorRequest struct {
	// Accessor is the accessor of the token to revoke; the token value itself
	// is not needed.
	Accessor string `json:"accessor"`
}

RevokeTokenAccessorRequest is the input to the revoke token by accessor API

type RootTokenControlResponse

type RootTokenControlResponse struct {
	// Complete is true once enough key shares have been submitted.
	Complete bool   `json:"complete"`
	// Nonce identifies this generate-root attempt and is echoed back in each
	// RootTokenRetrievalRequest.
	Nonce    string `json:"nonce"`
	// Otp is the one-time value Vault uses to encode the new root token; the
	// client needs it to decode RootTokenRetrievalResponse.EncodedToken
	// (Vault generate-root semantics; the decoding step is not visible here).
	// It is as sensitive as the root token itself and must not be logged.
	Otp      string `json:"otp"`
}

RootTokenControlResponse is the response to /v1/sys/generate-root/attempt

type RootTokenRetrievalRequest

type RootTokenRetrievalRequest struct {
	// Key is a single unseal key share (one element of the keys slice passed
	// to RegenRootToken, presumably base64 as for Unseal — confirm).
	Key   string `json:"key"`
	// Nonce is the value returned by the generate-root attempt call.
	Nonce string `json:"nonce"`
}

RootTokenRetrievalRequest is the request to /v1/sys/generate-root/update

type RootTokenRetrievalResponse

type RootTokenRetrievalResponse struct {
	// Complete is true when the share threshold has been met; presumably
	// EncodedToken is only populated in that case — confirm.
	Complete     bool   `json:"complete"`
	// EncodedToken is the new root token encoded with the OTP from the attempt
	// response. The decoded value is a root credential: handle and store it
	// with the same care as any other Vault root token.
	EncodedToken string `json:"encoded_token"`
}

RootTokenRetrievalResponse is the response to /v1/sys/generate-root/update

type SecretsEngineConfig

type SecretsEngineConfig struct {
	// DefaultLeaseTTLDuration is the mount's default lease TTL as a Vault
	// duration string; presumably populated from EnableConsulSecretEngine's
	// defaultLeaseTTL argument — confirm.
	DefaultLeaseTTLDuration string `json:"default_lease_ttl"`
}

SecretsEngineConfig is config for /v1/sys/mounts

type SecretsEngineOptions

// SecretsEngineOptions holds engine-specific options for the /v1/sys/mounts
// request (EnableSecretsEngineRequest.Options).
type SecretsEngineOptions struct {
	// Version is presumably the KV engine version passed as kvVersion to
	// EnableKVSecretEngine — confirm.
	Version string `json:"version"`
}

type TokenLookupResponse

// TokenLookupResponse is the response to the token lookup APIs (presumably
// lookup-self and lookup-accessor — confirm against LookupToken /
// LookupTokenAccessor).
type TokenLookupResponse struct {
	// Data carries no json tag: encoding/json matches Vault's "data" key to
	// this field case-insensitively, so the tag is not required.
	Data types.TokenMetadata
}

type UnsealRequest

type UnsealRequest struct {
	// Key is a single unseal key share (one element of the keysBase64 slice
	// passed to Unseal). It is secret material and must not be logged.
	Key   string `json:"key"`
	// Reset, when true, asks Vault to discard the unseal progress accumulated
	// so far (Vault sys/unseal semantics; not exercised in the listing above).
	Reset bool   `json:"reset"`
}

UnsealRequest contains a Vault unseal request

type UnsealResponse

type UnsealResponse struct {
	// Sealed reports whether Vault is still sealed after this share.
	Sealed   bool `json:"sealed"`
	// T is the unseal threshold (shares required), N the total number of shares,
	// and Progress how many shares have been submitted so far — per Vault's
	// sys/unseal response; the single-letter names mirror the JSON keys.
	T        int  `json:"t"`
	N        int  `json:"n"`
	Progress int  `json:"progress"`
}

UnsealResponse contains a Vault unseal response

type UpdateACLPolicyRequest

type UpdateACLPolicyRequest struct {
	// Policy is the ACL policy document text (the policyDocument argument of
	// InstallPolicy), sent as a JSON string.
	Policy string `json:"policy"`
}

UpdateACLPolicyRequest contains an ACL policy create/update request.
