openbao

package
v4.0.0-dev.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 16, 2024 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// NamespaceHeader specifies the header name to use when including Namespace information in a request.
	NamespaceHeader = "X-Vault-Namespace"
	AuthTypeHeader  = "X-Vault-Token"

	HealthAPI             = "/v1/sys/health"
	InitAPI               = "/v1/sys/init"
	UnsealAPI             = "/v1/sys/unseal"
	CreatePolicyPath      = "/v1/sys/policies/acl/%s"
	CreateTokenAPI        = "/v1/auth/token/create"    // nolint: gosec
	ListAccessorsAPI      = "/v1/auth/token/accessors" // nolint: gosec
	RevokeAccessorAPI     = "/v1/auth/token/revoke-accessor"
	LookupAccessorAPI     = "/v1/auth/token/lookup-accessor"
	LookupSelfAPI         = "/v1/auth/token/lookup-self"
	RevokeSelfAPI         = "/v1/auth/token/revoke-self"
	RootTokenControlAPI   = "/v1/sys/generate-root/attempt" // nolint: gosec
	RootTokenRetrievalAPI = "/v1/sys/generate-root/update"  // nolint: gosec
	MountsAPI             = "/v1/sys/mounts"
)
View Source
const (
	KeyValue                   = "kv"
	UsernamePasswordAuthMethod = "userpass"
)

Variables

This section is empty.

Functions

func GetMockTokenServer

func GetMockTokenServer(tokenDataMap *sync.Map) *httptest.Server

GetMockTokenServer returns a stub http test server for dealing with token lookup-self and renew-self API calls

Types

type Accessor

type Accessor struct {
	Accessor string `json:"accessor"`
}

Accessor

type Client

type Client struct {
	Config     types.SecretConfig
	HttpCaller pkg.Caller
	// contains filtered or unexported fields
}

Client defines the behavior for interacting with the OpenBao REST secret key/value store via HTTP(S).

func NewClient

func NewClient(config types.SecretConfig, requester pkg.Caller, forSecrets bool, lc logger.LoggingClient) (*Client, error)

NewClient constructs a secret store *Client which communicates with OpenBao via HTTP(S) lc is any logging client that implements the loggingClient interface; today EdgeX's logger.LoggingClient from go-mod-core-contracts satisfies this implementation

func NewSecretsClient

func NewSecretsClient(ctx context.Context, config types.SecretConfig, lc logger.LoggingClient, callback pkg.TokenExpiredCallback) (*Client, error)

NewSecretsClient constructs a secret store *Client which communicates with OpenBao via HTTP(S) for basic usage of secrets

func (*Client) BindUserToIdentity

func (c *Client) BindUserToIdentity(token string, identityId string, authHandle string, username string) error

func (*Client) CheckAuthMethodEnabled

func (c *Client) CheckAuthMethodEnabled(token string, mountPoint string, authType string) (bool, error)

func (*Client) CheckIdentityKeyExists

func (c *Client) CheckIdentityKeyExists(token string, keyName string) (bool, error)

func (*Client) CheckSecretEngineInstalled

func (c *Client) CheckSecretEngineInstalled(token string, mountPoint string, engine string) (bool, error)

func (*Client) CreateNamedIdentityKey

func (c *Client) CreateNamedIdentityKey(token string, keyName string, algorithm string) error

func (*Client) CreateOrUpdateIdentity

func (c *Client) CreateOrUpdateIdentity(secretStoreToken string, name string, metadata map[string]string, policies []string) (string, error)

func (*Client) CreateOrUpdateIdentityRole

func (c *Client) CreateOrUpdateIdentityRole(token string, roleName string, keyName string, template string, audience string, jwtTTL string) error

func (*Client) CreateOrUpdateUser

func (c *Client) CreateOrUpdateUser(token string, mountPoint string, username string, password string, tokenTTL string, tokenPolicies []string) error

func (*Client) CreateToken

func (c *Client) CreateToken(token string, parameters map[string]interface{}) (map[string]interface{}, error)

func (*Client) DeleteIdentity

func (c *Client) DeleteIdentity(secretStoreToken string, name string) error

func (*Client) DeleteUser

func (c *Client) DeleteUser(token string, mountPoint string, username string) error

func (*Client) EnableKVSecretEngine

func (c *Client) EnableKVSecretEngine(token string, mountPoint string, kvVersion string) error

func (*Client) EnablePasswordAuth

func (c *Client) EnablePasswordAuth(token string, mountPoint string) error

func (*Client) GetSecret

func (c *Client) GetSecret(secretName string, keys ...string) (map[string]string, error)

GetSecret retrieves the secret at the provided secretName that matches the specified keys.

func (*Client) GetSecretNames

func (c *Client) GetSecretNames() ([]string, error)

GetSecretNames retrieves the secret names currently in service's secret store.

func (*Client) GetSelfJWT

func (c *Client) GetSelfJWT(serviceKey string) (string, error)

GetSelfJWT returns an encoded JWT for the current identity-based secret store token

func (*Client) HealthCheck

func (c *Client) HealthCheck() (int, error)

func (*Client) Init

func (c *Client) Init(secretThreshold int, secretShares int) (types.InitResponse, error)

func (*Client) InstallPolicy

func (c *Client) InstallPolicy(token string, policyName string, policyDocument string) error

func (*Client) InternalServiceLogin

func (c *Client) InternalServiceLogin(token string, authEngine string, username string, password string) (map[string]interface{}, error)

func (*Client) IsJWTValid

func (c *Client) IsJWTValid(jwt string) (bool, error)

IsJWTValid evaluates a given JWT and returns a true/false if the JWT is valid (i.e. belongs to us and current) or not

func (*Client) ListTokenAccessors

func (c *Client) ListTokenAccessors(token string) ([]string, error)

func (*Client) LookupAuthHandle

func (c *Client) LookupAuthHandle(token string, mountPoint string) (string, error)

func (*Client) LookupIdentity

func (c *Client) LookupIdentity(secretStoreToken string, name string) (string, error)

func (*Client) LookupToken

func (c *Client) LookupToken(token string) (types.TokenMetadata, error)

func (*Client) LookupTokenAccessor

func (c *Client) LookupTokenAccessor(token string, accessor string) (types.TokenMetadata, error)

func (*Client) RegenRootToken

func (c *Client) RegenRootToken(keys []string) (string, error)

func (*Client) RevokeToken

func (c *Client) RevokeToken(token string) error

func (*Client) RevokeTokenAccessor

func (c *Client) RevokeTokenAccessor(token string, accessor string) error

func (*Client) SetAuthToken

func (c *Client) SetAuthToken(ctx context.Context, newToken string) error

func (*Client) StoreSecret

func (c *Client) StoreSecret(secretName string, secrets map[string]string) error

StoreSecret stores the secret at the provided secret name for the specified keys.

func (*Client) Unseal

func (c *Client) Unseal(keysBase64 []string) error

type CreateEntityAliasRequest

type CreateEntityAliasRequest struct {
	// Name is the username in the authenticator
	Name string `json:"name"`
	// CanonicalID is the entity ID
	CanonicalID string `json:"canonical_id"`
	// MountAccessor is the id if the auth engine to use
	MountAccessor string `json:"mount_accessor"`
}

CreateEntityAliasRequest is used to bind an authenticator to an identity

type CreateNamedKeyRequest

type CreateNamedKeyRequest struct {
	AllowedClientIDs []string `json:"allowed_client_ids"`
	Algorithm        string   `json:"algorithm"`
}

CreateNamedKeyRequest is the request to POST /v1/identity/oidc/key/:name:

type CreateOrUpdateIdentityRoleRequest

type CreateOrUpdateIdentityRoleRequest struct {
	ClientID string  `json:"client_id,omitempty"`
	Key      string  `json:"key"`
	Template *string `json:"template,omitempty"`
	TokenTTL string  `json:"ttl"`
}

CreateOrUpdateIdentityRoleRequest is the request to POST /v1/identity/oidc/role/:name

type CreateOrUpdateUserRequest

type CreateOrUpdateUserRequest struct {
	Password      string   `json:"password"`
	TokenPeriod   string   `json:"token_period"`
	TokenPolicies []string `json:"token_policies"`
}

CreateOrUpdateUserRequest is used to create a secret store login

type CreateOrUpdateUserResponse

type CreateOrUpdateUserResponse struct {
	Data JsonID `json:"data"`
}

CreateOrUpdateUserResponse is the response to get entity by name

type CreateUpdateEntityRequest

type CreateUpdateEntityRequest struct {
	Metadata map[string]string `json:"metadata"`
	Policies []string          `json:"policies"`
}

CreateUpdateEntityRequest enables or updates a secret store Identity

type CreateUpdateEntityResponse

type CreateUpdateEntityResponse struct {
	Data JsonID `json:"data"`
}

CreateUpdateEntityResponse is the response to CreateUpdateEntityRequest

type EnableAuthMethodRequest

type EnableAuthMethodRequest struct {
	Type string `json:"type"`
}

EnableAuthMethodRequest enables a secret store Identity authentication method

type EnableSecretsEngineRequest

type EnableSecretsEngineRequest struct {
	Type        string                `json:"type"`
	Description string                `json:"description"`
	Options     *SecretsEngineOptions `json:"options,omitempty"`
	Config      *SecretsEngineConfig  `json:"config,omitempty"`
}

EnableSecretsEngineRequest is the POST request to /v1/sys/mounts

type ErrCaRootCert

type ErrCaRootCert struct {
	// contains filtered or unexported fields
}

ErrCaRootCert error when the provided CA Root certificate is invalid.

func (ErrCaRootCert) Error

func (e ErrCaRootCert) Error() string

type ErrHTTPResponse

type ErrHTTPResponse struct {
	StatusCode int
	ErrMsg     string
}

func (ErrHTTPResponse) Error

func (err ErrHTTPResponse) Error() string

type InitRequest

type InitRequest struct {
	SecretShares    int `json:"secret_shares"`
	SecretThreshold int `json:"secret_threshold"`
}

InitRequest contains a secret store init request regarding the Shamir Secret Sharing (SSS) parameters

type JsonID

type JsonID struct {
	ID string `json:"id"`
}

JsonID

type ListAuthMethodsResponse

type ListAuthMethodsResponse struct {
	Data map[string]Accessor `json:"data"`
}

ListAuthMethodsResponse is used to look up the accessor ID of an auth method

type ListNamedKeysResponse

type ListNamedKeysResponse struct {
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListNamedKeysResponse is the response to LIST /v1/identity/oidc/key

type ListSecretEnginesResponse

type ListSecretEnginesResponse struct {
	Data map[string]struct {
		Type string `json:"type"`
	} `json:"data"`
}

ListSecretEnginesResponse is the response to GET /v1/sys/mounts (and /v1/sys/auth)

type ListTokenAccessorsResponse

type ListTokenAccessorsResponse struct {
	Data struct {
		Keys []string `json:"keys"`
	} `json:"data"`
}

ListTokenAccessorsResponse is the response to the list accessors API

type LookupAccessorRequest

type LookupAccessorRequest struct {
	Accessor string `json:"accessor"`
}

LookupAccessorRequest is used by accessor lookup API

type ReadEntityByNameResponse

type ReadEntityByNameResponse struct {
	Data JsonID `json:"data"`
}

ReadEntityByNameResponse is the response to get entity by name

type RequestArgs

type RequestArgs struct {
	// Authentication token
	AuthToken string
	// HTTP method
	Method string
	// URL path
	Path string
	// If non-nil, passed to JSON serializer and included in request
	JSONObject interface{}
	// Included in HTTP request if JSONObject is nil
	BodyReader io.Reader
	// Description of the operation being performed included in log messages
	OperationDescription string
	// Expected status code to be returned from HTTP request
	ExpectedStatusCode int
	// If non-nil and request succeeded, response body will be serialized here (must be a pointer)
	ResponseObject interface{}
}

parameters structure for request method

type RevokeTokenAccessorRequest

type RevokeTokenAccessorRequest struct {
	Accessor string `json:"accessor"`
}

RevokeTokenAccessorRequest is the input to the revoke token by accessor API

type RootTokenControlResponse

type RootTokenControlResponse struct {
	Complete bool   `json:"complete"`
	Nonce    string `json:"nonce"`
	Otp      string `json:"otp"`
}

RootTokenControlResponse is the response to /v1/sys/generate-root/attempt

type RootTokenRetrievalRequest

type RootTokenRetrievalRequest struct {
	Key   string `json:"key"`
	Nonce string `json:"nonce"`
}

RootTokenRetrievalRequest is the request to /v1/sys/generate-root/update

type RootTokenRetrievalResponse

type RootTokenRetrievalResponse struct {
	Complete     bool   `json:"complete"`
	EncodedToken string `json:"encoded_token"`
}

RootTokenRetrievalResponse is the response to /v1/sys/generate-root/update

type SecretsEngineConfig

type SecretsEngineConfig struct {
	DefaultLeaseTTLDuration string `json:"default_lease_ttl"`
}

SecretsEngineConfig is config for /v1/sys/mounts

type SecretsEngineOptions

type SecretsEngineOptions struct {
	Version string `json:"version"`
}

type TokenLookupResponse

type TokenLookupResponse struct {
	Data types.TokenMetadata
}

type UnsealRequest

type UnsealRequest struct {
	Key   string `json:"key"`
	Reset bool   `json:"reset"`
}

UnsealRequest contains a secret store unseal request

type UnsealResponse

type UnsealResponse struct {
	Sealed   bool `json:"sealed"`
	T        int  `json:"t"`
	N        int  `json:"n"`
	Progress int  `json:"progress"`
}

UnsealResponse contains a secret store unseal response

type UpdateACLPolicyRequest

type UpdateACLPolicyRequest struct {
	Policy string `json:"policy"`
}

UpdateACLPolicyRequest contains a ACL policy create/update request

type UserPassLoginRequest

type UserPassLoginRequest struct {
	Password string `json:"password"`
}

UserPassLoginRequest is used to to log in an identity with the userpass auth engine

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL