package vault
v0.12.2
Published: Apr 4, 2023 License: MPL-2.0 Imports: 61 Imported by: 0

Documentation

Overview

Package vault provides access to credentials retrieved from a Vault server.

Constants

const (
	// CriticalOptionsField represents the field mask indicating a critical option
	// update has been requested.
	CriticalOptionsField = "CriticalOptions"
	// ExtensionsField represents the field mask indicating an extension
	// update has been requested.
	ExtensionsField = "Extensions"

	// MappingOverrideField represents the field mask indicating a mapping override
	// update has been requested.
	MappingOverrideField = "MappingOverride"
)

These constants are the field names used in the vault-related field masks.

const (
	CredentialStorePrefix                 = "csvlt"
	CredentialLibraryPrefix               = "clvlt"
	DynamicCredentialPrefix               = "cdvlt"
	SSHCertificateCredentialLibraryPrefix = "clvsclt"

	Subtype                      = subtypes.Subtype("vault")
	GenericLibrarySubtype        = subtypes.Subtype("vault-generic")
	SSHCertificateLibrarySubtype = subtypes.Subtype("vault-ssh-certificate")
)

PublicId prefixes for the resources in the vault package.

const (
	KeyTypeEcdsa   = "ecdsa"
	KeyTypeEd25519 = "ed25519"
	KeyTypeRsa     = "rsa"

	KeyBitsDefault = 0

	KeyBitsEcdsa256 = 256
	KeyBitsEcdsa384 = 384
	KeyBitsEcdsa521 = 521

	KeyBitsRsa2048 = 2048
	KeyBitsRsa3072 = 3072
	KeyBitsRsa4096 = 4096
)

const DefaultVaultVersion = "1.7.2"

Variables

This section is empty.

Functions

func RegisterJobs

func RegisterJobs(ctx context.Context, scheduler *scheduler.Scheduler, r db.Reader, w db.Writer, kms *kms.Kms) error

func TestClientConfig added in v0.10.4

func TestClientConfig(v *TestVaultServer, token string) *clientConfig

TestClientConfig returns a client config using the provided Vault server and token.

Types

type ClientCertificate

type ClientCertificate struct {
	*store.ClientCertificate
	// contains filtered or unexported fields
}

ClientCertificate contains a client certificate and a private key for the certificate. It is owned by a credential store.

func NewClientCertificate

func NewClientCertificate(certificate []byte, key KeySecret) (*ClientCertificate, error)

NewClientCertificate creates a new in-memory ClientCertificate.

func (*ClientCertificate) SetTableName

func (c *ClientCertificate) SetTableName(n string)

SetTableName sets the table name.

func (*ClientCertificate) TableName

func (c *ClientCertificate) TableName() string

TableName returns the table name.

type Credential

type Credential struct {
	*store.Credential
	// contains filtered or unexported fields
}

A Credential contains the data for a Vault lease. It is owned by a credential library.

func TestCredentials

func TestCredentials(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, libraryId, sessionId string, count int) []*Credential

TestCredentials creates count number of vault credentials in the provided DB with the provided library id and session id. If any errors are encountered during the creation of the credentials, the test will fail.

func (*Credential) SetTableName

func (c *Credential) SetTableName(n string)

SetTableName sets the table name.

func (*Credential) TableName

func (c *Credential) TableName() string

TableName returns the table name.

type CredentialCleanupJob

type CredentialCleanupJob struct {
	// contains filtered or unexported fields
}

CredentialCleanupJob is the recurring job that deletes Vault credentials that are no longer attached to a session (have a null session_id) and are not active. The CredentialCleanupJob is not thread safe; an attempt to Run the job concurrently results in a JobAlreadyRunning error.

func (*CredentialCleanupJob) Description

func (r *CredentialCleanupJob) Description() string

Description is the human readable description of the job.

func (*CredentialCleanupJob) Name

func (r *CredentialCleanupJob) Name() string

Name is the unique name of the job.

func (*CredentialCleanupJob) NextRunIn

NextRunIn determines when the next credential cleanup job should run.

func (*CredentialCleanupJob) Run

Run deletes all Vault credentials in the repo that have a null session_id and are not active. Run cannot be run in parallel; if it is invoked while already running, an error with code JobAlreadyRunning is returned.

func (*CredentialCleanupJob) Status

Status returns the current status of the credential cleanup job.

type CredentialLibrary

type CredentialLibrary struct {
	*store.CredentialLibrary

	MappingOverride MappingOverride `gorm:"-"`
	// contains filtered or unexported fields
}

A CredentialLibrary contains a Vault path and is owned by a credential store.

func NewCredentialLibrary

func NewCredentialLibrary(storeId string, vaultPath string, opt ...Option) (*CredentialLibrary, error)

NewCredentialLibrary creates a new in-memory CredentialLibrary for a Vault backend at vaultPath assigned to storeId. Name, description, method, request body, credential type, and mapping override are the only valid options. All other options are ignored.

func TestCredentialLibraries

func TestCredentialLibraries(t testing.TB, conn *db.DB, _ wrapping.Wrapper, storeId string, count int) []*CredentialLibrary

TestCredentialLibraries creates count number of vault credential libraries in the provided DB with the provided store id. If any errors are encountered during the creation of the credential libraries, the test will fail.

func (*CredentialLibrary) CredentialType added in v0.7.4

func (l *CredentialLibrary) CredentialType() credential.Type

CredentialType returns the type of credential the library retrieves.

func (*CredentialLibrary) SetTableName

func (l *CredentialLibrary) SetTableName(n string)

SetTableName sets the table name.

func (*CredentialLibrary) TableName

func (l *CredentialLibrary) TableName() string

TableName returns the table name.

type CredentialRenewalJob

type CredentialRenewalJob struct {
	// contains filtered or unexported fields
}

CredentialRenewalJob is the recurring job that renews Vault credentials issued to a session. The CredentialRenewalJob is not thread safe; an attempt to Run the job concurrently results in a JobAlreadyRunning error.

func (*CredentialRenewalJob) Description

func (r *CredentialRenewalJob) Description() string

Description is the human readable description of the job.

func (*CredentialRenewalJob) Name

func (r *CredentialRenewalJob) Name() string

Name is the unique name of the job.

func (*CredentialRenewalJob) NextRunIn

func (r *CredentialRenewalJob) NextRunIn(ctx context.Context) (time.Duration, error)

NextRunIn queries the vault credential repo to determine when the next credential renewal job should run.

func (*CredentialRenewalJob) Run

Run queries the vault credential repo for credentials that need to be renewed, then creates a vault client and renews each credential. Run cannot be run in parallel; if it is invoked while already running, an error with code JobAlreadyRunning is returned.

func (*CredentialRenewalJob) Status

Status returns the current status of the credential renewal job. Total is the total number of credentials that are set to be renewed. Completed is the number of credentials already renewed.

type CredentialRevocationJob

type CredentialRevocationJob struct {
	// contains filtered or unexported fields
}

CredentialRevocationJob is the recurring job that revokes Vault credentials that are no longer being used by an active or pending session. The CredentialRevocationJob is not thread safe; an attempt to Run the job concurrently results in a JobAlreadyRunning error.

func (*CredentialRevocationJob) Description

func (r *CredentialRevocationJob) Description() string

Description is the human readable description of the job.

func (*CredentialRevocationJob) Name

func (r *CredentialRevocationJob) Name() string

Name is the unique name of the job.

func (*CredentialRevocationJob) NextRunIn

NextRunIn determines when the next credential revocation job should run.

func (*CredentialRevocationJob) Run

Run queries the vault credential repo for credentials that need to be revoked, then creates a vault client and revokes each credential. Run cannot be run in parallel; if it is invoked while already running, an error with code JobAlreadyRunning is returned.

func (*CredentialRevocationJob) Status

Status returns the current status of the credential revocation job. Total is the total number of credentials that are set to be revoked. Completed is the number of credentials already revoked.

type CredentialStatus

type CredentialStatus string

A CredentialStatus represents the status of a vault credential.

const (
	// ActiveCredential represents a vault credential that is being used in
	// an active session. Credentials in this state are renewed before they
	// expire.
	ActiveCredential CredentialStatus = "active"

	// RevokeCredential represents a vault credential that needs to be
	// revoked.
	RevokeCredential CredentialStatus = "revoke"

	// RevokedCredential represents a credential that has been revoked. This is a
	// terminal status. It does not transition to ExpiredCredential.
	RevokedCredential CredentialStatus = "revoked"

	// ExpiredCredential represents a credential that expired. This is a terminal
	// status. It does not transition to RevokedCredential.
	ExpiredCredential CredentialStatus = "expired"

	// UnknownCredentialStatus represents a credential that has an unknown
	// status.
	UnknownCredentialStatus CredentialStatus = "unknown"
)

type CredentialStore

type CredentialStore struct {
	*store.CredentialStore
	// contains filtered or unexported fields
}

A CredentialStore contains credential libraries. It is owned by a project.

func NewCredentialStore

func NewCredentialStore(projectId string, vaultAddress string, token TokenSecret, opt ...Option) (*CredentialStore, error)

NewCredentialStore creates a new in-memory CredentialStore for a Vault server at vaultAddress assigned to projectId. Name, description, CA cert, client cert, namespace, TLS server name, worker filter, and TLS skip verify are the only valid options. All other options are ignored.

func TestCredentialStore

func TestCredentialStore(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, projectId, vaultAddr, vaultToken, accessor string, opts ...Option) *CredentialStore

TestCredentialStore creates a vault credential store in the provided DB with the provided project, vault address, token, and accessor and any values passed in through the Options vargs. If any errors are encountered during the creation of the store, the test will fail.

func TestCredentialStores

func TestCredentialStores(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, projectId string, count int) []*CredentialStore

TestCredentialStores creates count number of vault credential stores in the provided DB with the provided project id. If any errors are encountered during the creation of the credential stores, the test will fail.

func (*CredentialStore) ClientCertificate

func (cs *CredentialStore) ClientCertificate() *ClientCertificate

ClientCertificate returns the client certificate if available.

func (*CredentialStore) SetTableName

func (cs *CredentialStore) SetTableName(n string)

SetTableName sets the table name.

func (*CredentialStore) TableName

func (cs *CredentialStore) TableName() string

TableName returns the table name.

func (*CredentialStore) Token

func (cs *CredentialStore) Token() *Token

Token returns the current vault token if available.

type CredentialStoreCleanupJob

type CredentialStoreCleanupJob struct {
	// contains filtered or unexported fields
}

CredentialStoreCleanupJob is the recurring job that deletes Vault credential stores that have been soft deleted and whose tokens have been revoked or expired. The CredentialStoreCleanupJob is not thread safe; an attempt to Run the job concurrently results in a JobAlreadyRunning error.

func (*CredentialStoreCleanupJob) Description

func (r *CredentialStoreCleanupJob) Description() string

Description is the human readable description of the job.

func (*CredentialStoreCleanupJob) Name

Name is the unique name of the job.

func (*CredentialStoreCleanupJob) NextRunIn

NextRunIn determines when the next credential store cleanup job should run.

func (*CredentialStoreCleanupJob) Run

Run deletes all vault credential stores in the repo that have been soft deleted. Run cannot be run in parallel; if it is invoked while already running, an error with code JobAlreadyRunning is returned.

func (*CredentialStoreCleanupJob) Status

Status returns the current status of the credential store cleanup job.

type KeySecret

type KeySecret []byte

KeySecret is a Vault client certificate private key. The type wraps the raw bytes so the secret isn't inadvertently leaked into a log or error.

func (KeySecret) GoString

func (s KeySecret) GoString() string

GoString redacts the secret.

func (KeySecret) MarshalJSON

func (s KeySecret) MarshalJSON() ([]byte, error)

MarshalJSON redacts the secret.

func (KeySecret) String

func (s KeySecret) String() string

String redacts the secret.
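The redaction pattern described for KeySecret, shown as an added example that is not the package's own code: an illustrative Secret wrapper with the same three methods, exercised through the formatting, error-wrapping and JSON paths a logger would take. The Secret, storeConfig, renderings and Reveal names and the sample key bytes are this example's own constructions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Secret is an illustrative wrapper in the style of the package's KeySecret:
// every formatting and encoding path a logger or error might take yields a
// fixed placeholder instead of the bytes.
type Secret []byte

const redacted = "[REDACTED]"

// String covers fmt's %v, %s and %q verbs (and %x, which hex-encodes the placeholder).
func (s Secret) String() string { return redacted }

// GoString covers %#v, which fmt would otherwise use to dump the raw bytes.
func (s Secret) GoString() string { return redacted }

// MarshalJSON covers structured logging and API responses that encode a
// struct containing the secret.
func (s Secret) MarshalJSON() ([]byte, error) { return json.Marshal(redacted) }

// Reveal is the single deliberate way to get the bytes back, so the callers
// that really need them (e.g. building a TLS client certificate) are easy to audit.
func (s Secret) Reveal() []byte { return []byte(s) }

// storeConfig is a constructed stand-in for a struct that carries a secret
// alongside loggable fields.
type storeConfig struct {
	Address string `json:"address"`
	Key     Secret `json:"key"`
}

// sampleConfig returns a constructed config; the key is not a real key.
func sampleConfig() storeConfig {
	return storeConfig{
		Address: "https://vault.example.test:8200",
		Key:     Secret("CONSTRUCTED-PRIVATE-KEY-BYTES"),
	}
}

// renderings formats cfg through the common leak paths and returns each
// result keyed by path name. Only "converted" bypasses the wrapper: converting
// back to []byte strips the methods, which is exactly what Reveal makes explicit.
func renderings(cfg storeConfig) (map[string]string, error) {
	js, err := json.Marshal(cfg)
	if err != nil {
		return nil, err
	}
	wrapped := fmt.Errorf("tls setup failed for key %v: %w", cfg.Key, errors.New("bad pem block"))
	return map[string]string{
		"percent_v": fmt.Sprintf("%v", cfg.Key),
		"gostring":  fmt.Sprintf("%#v", cfg),
		"error":     wrapped.Error(),
		"json":      string(js),
		"converted": fmt.Sprintf("%s", []byte(cfg.Key)),
	}, nil
}

// leaked reports whether out contains the raw secret bytes.
func leaked(out string, s Secret) bool { return strings.Contains(out, string(s.Reveal())) }

func main() {
	cfg := sampleConfig()
	out, _ := renderings(cfg)
	for path, text := range out {
		fmt.Printf("%-10s leaked=%-5t %s\n", path, leaked(text, cfg.Key), text)
	}
}
```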

type MappingOverride added in v0.7.4

type MappingOverride interface {
	// contains filtered or unexported methods
}

A MappingOverride is an interface holding one of the mapping override types: UsernamePasswordOverride.

type Method

type Method string

A Method represents an HTTP method used for communicating with Vault.

const (
	MethodGet  Method = "GET"
	MethodPost Method = "POST"
)

HTTP methods used for communicating with Vault.

type Option

type Option func(*options)

Option - how Options are passed as arguments.

func WithCACert

func WithCACert(cert []byte) Option

WithCACert provides an optional PEM-encoded certificate to verify the Vault server's SSL certificate.

func WithClientCert

func WithClientCert(clientCert *ClientCertificate) Option

WithClientCert provides an optional ClientCertificate to use for TLS authentication to a Vault server.

func WithCredentialType added in v0.7.4

func WithCredentialType(t credential.Type) Option

WithCredentialType provides an optional credential type to associate with a credential library.

func WithCriticalOptions added in v0.12.0

func WithCriticalOptions(s string) Option

WithCriticalOptions provides an optional map of the critical options that the certificate should be signed for.

func WithDescription

func WithDescription(desc string) Option

WithDescription provides an optional description.

func WithExtensions added in v0.12.0

func WithExtensions(s string) Option

WithExtensions provides an optional map of the extensions that the certificate should be signed for.

func WithKeyBits added in v0.12.0

func WithKeyBits(b uint32) Option

WithKeyBits provides an optional number of bits used to generate an ssh private key.

func WithKeyId added in v0.12.0

func WithKeyId(i string) Option

WithKeyId provides an optional key id for a created certificate.

func WithKeyType added in v0.12.0

func WithKeyType(t string) Option

WithKeyType provides an optional ssh private key type to use with an ssh certificate credential library. Must be rsa, ed25519, or ecdsa.

func WithLimit

func WithLimit(l int) Option

WithLimit provides an option to set a limit. Negative integers are intentionally allowed: if the limit is < 0, unlimited results are returned; if it is 0, the default limit is used.

func WithMappingOverride added in v0.7.4

func WithMappingOverride(m MappingOverride) Option

WithMappingOverride provides an optional mapping override to use for mapping the Data fields of a Vault api.Secret to a credential.

func WithMethod

func WithMethod(m Method) Option

WithMethod provides an optional Method to use for communicating with Vault.

func WithName

func WithName(name string) Option

WithName provides an optional name.

func WithNamespace

func WithNamespace(namespace string) Option

WithNamespace provides an optional Vault namespace.

func WithOverridePasswordAttribute added in v0.7.4

func WithOverridePasswordAttribute(s string) Option

WithOverridePasswordAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a password value.

func WithOverridePrivateKeyAttribute added in v0.10.0

func WithOverridePrivateKeyAttribute(s string) Option

WithOverridePrivateKeyAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a private key value.

func WithOverridePrivateKeyPassphraseAttribute added in v0.10.0

func WithOverridePrivateKeyPassphraseAttribute(s string) Option

WithOverridePrivateKeyPassphraseAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a passphrase value.

func WithOverrideUsernameAttribute added in v0.7.4

func WithOverrideUsernameAttribute(s string) Option

WithOverrideUsernameAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a username value.

func WithRequestBody

func WithRequestBody(b []byte) Option

WithRequestBody provides an optional request body for sending to Vault when requesting credentials using HTTP Post.

func WithTlsServerName

func WithTlsServerName(name string) Option

WithTlsServerName provides an optional name to use as the SNI host when connecting to Vault via TLS.

func WithTlsSkipVerify

func WithTlsSkipVerify(skipVerify bool) Option

WithTlsSkipVerify provides an option to disable verification of TLS certificates when connecting to Vault. Using this option is highly discouraged as it decreases the security of data transmissions to and from the Vault server.

func WithTtl added in v0.12.0

func WithTtl(t string) Option

WithTtl provides an optional requested time to live for a generated ssh certificate.

func WithWorkerFilter added in v0.10.0

func WithWorkerFilter(filter string) Option

WithWorkerFilter provides an optional worker filter.

type Repository

type Repository struct {
	// contains filtered or unexported fields
}

A Repository stores and retrieves the persistent types in the vault package. It is not safe to use a repository concurrently.

func NewRepository

func NewRepository(r db.Reader, w db.Writer, kms *kms.Kms, scheduler *scheduler.Scheduler, opt ...Option) (*Repository, error)

NewRepository creates a new Repository. The returned repository should only be used for one transaction, and it is not safe for concurrent goroutines to access it. The WithLimit option is used as a repository-wide default limit applied to all ListX methods.

func (*Repository) CreateCredentialLibrary

func (r *Repository) CreateCredentialLibrary(ctx context.Context, projectId string, l *CredentialLibrary, _ ...Option) (*CredentialLibrary, error)

CreateCredentialLibrary inserts l into the repository and returns a new CredentialLibrary containing the credential library's PublicId. l is not changed. l must contain a valid StoreId. l must not contain a PublicId. The PublicId is generated and assigned by this method.

Both l.Name and l.Description are optional. If l.Name is set, it must be unique within l.StoreId.

Both l.CreateTime and l.UpdateTime are ignored.

func (*Repository) CreateCredentialStore

func (r *Repository) CreateCredentialStore(ctx context.Context, cs *CredentialStore, _ ...Option) (*CredentialStore, error)

CreateCredentialStore inserts cs into the repository and returns a new CredentialStore containing the credential store's PublicId. cs is not changed. cs must not contain a PublicId. The PublicId is generated and assigned by this method. cs must contain a valid ProjectId, VaultAddress, and Vault token. The Vault token must be renewable, periodic, and orphan. CreateCredentialStore calls the /auth/token/renew-self and /auth/token/lookup-self Vault endpoints.

Both cs.Name and cs.Description are optional. If cs.Name is set, it must be unique within cs.ProjectId. Both cs.CreateTime and cs.UpdateTime are ignored.

For more information about the required properties of the Vault token see: https://www.vaultproject.io/api-docs/auth/token#period, https://www.vaultproject.io/api-docs/auth/token#renewable, https://www.vaultproject.io/docs/concepts/tokens#token-hierarchies-and-orphan-tokens, https://www.vaultproject.io/docs/concepts/tokens#periodic-tokens, and https://www.vaultproject.io/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls.

For more information about the Vault endpoints called by CreateCredentialStore see: https://www.vaultproject.io/api-docs/auth/token#renew-a-token-self and https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self.
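The token requirements above (renewable, periodic, orphan) are what CreateCredentialStore checks against the /auth/token/lookup-self response. As an added example, not code from the Boundary vault package, the function below decodes such a response and reports every missing property at once. The two response bodies are constructed, and the tokenInfo and checkStoreToken names are this example's own; the JSON field names are those Vault returns in the lookup data object.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenInfo is the subset of the data object returned by
// /auth/token/lookup-self that the store requirements depend on.
type tokenInfo struct {
	Accessor  string `json:"accessor"`
	Renewable bool   `json:"renewable"`
	Orphan    bool   `json:"orphan"`
	Period    int64  `json:"period"` // seconds; absent (0) for non-periodic tokens
	TTL       int64  `json:"ttl"`
}

// lookupResponse is the envelope Vault wraps around secret data.
type lookupResponse struct {
	Data tokenInfo `json:"data"`
}

// checkStoreToken decodes a lookup-self response body and returns an error
// naming every property that disqualifies the token for a credential store:
// it must be renewable, periodic (period > 0) and orphan. Reporting all
// problems together saves the operator a round of create-fail-fix.
func checkStoreToken(body []byte) (tokenInfo, error) {
	var resp lookupResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return tokenInfo{}, fmt.Errorf("decode lookup-self response: %w", err)
	}
	var problems []string
	if !resp.Data.Renewable {
		problems = append(problems, "token is not renewable")
	}
	if resp.Data.Period <= 0 {
		problems = append(problems, "token is not periodic")
	}
	if !resp.Data.Orphan {
		problems = append(problems, "token is not an orphan")
	}
	if len(problems) > 0 {
		return resp.Data, errors.New(strings.Join(problems, "; "))
	}
	return resp.Data, nil
}

// Constructed lookup-self responses (not captured from a real server).
const goodLookup = `{"data":{"accessor":"CONSTRUCTED-ACCESSOR","renewable":true,"orphan":true,"period":86400,"ttl":86400,"policies":["default","boundary-controller"]}}`

// A child token issued without -period: renewable, but neither periodic nor orphan.
const badLookup = `{"data":{"accessor":"CONSTRUCTED-ACCESSOR-2","renewable":true,"orphan":false,"ttl":3600,"policies":["default"]}}`

func main() {
	for name, body := range map[string]string{"good": goodLookup, "bad": badLookup} {
		info, err := checkStoreToken([]byte(body))
		if err != nil {
			fmt.Printf("%s: rejected (%v)\n", name, err)
			continue
		}
		fmt.Printf("%s: accepted, accessor %s, period %ds\n", name, info.Accessor, info.Period)
	}
}
```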

func (*Repository) CreateSSHCertificateCredentialLibrary added in v0.12.0

func (r *Repository) CreateSSHCertificateCredentialLibrary(ctx context.Context, projectId string, l *SSHCertificateCredentialLibrary, _ ...Option) (*SSHCertificateCredentialLibrary, error)

CreateSSHCertificateCredentialLibrary inserts l into the repository and returns a new SSHCertificateCredentialLibrary containing the credential library's PublicId. l is not changed. l must contain a valid StoreId. l must not contain a PublicId. The PublicId is generated and assigned by this method.

Both l.Name and l.Description are optional. If l.Name is set, it must be unique within l.StoreId.

Both l.CreateTime and l.UpdateTime are ignored.

func (*Repository) DeleteCredentialLibrary

func (r *Repository) DeleteCredentialLibrary(ctx context.Context, projectId string, publicId string, _ ...Option) (int, error)

DeleteCredentialLibrary deletes publicId from the repository and returns the number of records deleted.

func (*Repository) DeleteCredentialStore

func (r *Repository) DeleteCredentialStore(ctx context.Context, publicId string, _ ...Option) (int, error)

DeleteCredentialStore deletes publicId from the repository and returns the number of records deleted. All options are ignored.

func (*Repository) DeleteSSHCertificateCredentialLibrary added in v0.12.0

func (r *Repository) DeleteSSHCertificateCredentialLibrary(ctx context.Context, projectId string, publicId string, _ ...Option) (int, error)

DeleteSSHCertificateCredentialLibrary deletes publicId from the repository and returns the number of records deleted.

func (*Repository) Issue

func (r *Repository) Issue(ctx context.Context, sessionId string, requests []credential.Request, opt ...credential.Option) ([]credential.Dynamic, error)

Issue issues and returns dynamic credentials from Vault for all of the requests and assigns them to sessionId.

func (*Repository) ListCredentialLibraries

func (r *Repository) ListCredentialLibraries(ctx context.Context, storeId string, opt ...Option) ([]*CredentialLibrary, error)

ListCredentialLibraries returns a slice of CredentialLibraries for the storeId. WithLimit is the only option supported.

func (*Repository) ListCredentialStores

func (r *Repository) ListCredentialStores(ctx context.Context, projectIds []string, opt ...Option) ([]*CredentialStore, error)

ListCredentialStores returns a slice of CredentialStores for the projectIds. WithLimit is the only option supported.

func (*Repository) ListSSHCertificateCredentialLibraries added in v0.12.0

func (r *Repository) ListSSHCertificateCredentialLibraries(ctx context.Context, storeId string, opt ...Option) ([]*SSHCertificateCredentialLibrary, error)

ListSSHCertificateCredentialLibraries returns a slice of SSHCertificateCredentialLibraries for the storeId. WithLimit is the only option supported.

func (*Repository) LookupCredentialLibrary

func (r *Repository) LookupCredentialLibrary(ctx context.Context, publicId string, _ ...Option) (*CredentialLibrary, error)

LookupCredentialLibrary returns the CredentialLibrary for publicId. Returns nil, nil if no CredentialLibrary is found for publicId.

func (*Repository) LookupCredentialStore

func (r *Repository) LookupCredentialStore(ctx context.Context, publicId string, _ ...Option) (*CredentialStore, error)

LookupCredentialStore returns the CredentialStore for publicId. Returns nil, nil if no CredentialStore is found for publicId.

func (*Repository) LookupSSHCertificateCredentialLibrary added in v0.12.0

func (r *Repository) LookupSSHCertificateCredentialLibrary(ctx context.Context, publicId string, _ ...Option) (*SSHCertificateCredentialLibrary, error)

LookupSSHCertificateCredentialLibrary returns the SSHCertificateCredentialLibrary for publicId. Returns nil, nil if no SSHCertificateCredentialLibrary is found for publicId.

func (*Repository) Revoke

func (r *Repository) Revoke(ctx context.Context, sessionId string) error

Revoke revokes all dynamic credentials issued from Vault for sessionId.

func (*Repository) UpdateCredentialLibrary

func (r *Repository) UpdateCredentialLibrary(ctx context.Context, projectId string, l *CredentialLibrary, version uint32, fieldMaskPaths []string, _ ...Option) (*CredentialLibrary, int, error)

UpdateCredentialLibrary updates the repository entry for l.PublicId with the values in l for the fields listed in fieldMaskPaths. It returns a new CredentialLibrary containing the updated values and a count of the number of records updated. l is not changed.

l must contain a valid PublicId. Only Name, Description, VaultPath, HttpMethod, HttpRequestBody, and MappingOverride can be updated. If l.Name is set to a non-empty string, it must be unique within l.StoreId.

An attribute of l will be set to NULL in the database if the attribute in l is the zero value and it is included in fieldMaskPaths, except for HttpMethod: if HttpMethod is in fieldMaskPaths but l.HttpMethod is not set, it is set to the value "GET". If storage has a value for HttpRequestBody when l.HttpMethod is set to GET, the update will fail.
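The field-mask rules above (zero values clear the column, HttpMethod defaults back to GET, GET with a stored request body fails) worked through as an added example; this is not the package's implementation. The libraryRow type, the applyLibraryMask function, exact matching of mask paths against field names, and the sample library contents are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// libraryRow is a constructed stand-in for the stored credential library
// record; only the columns UpdateCredentialLibrary can change are modelled.
type libraryRow struct {
	Name            string
	Description     string
	VaultPath       string
	HttpMethod      string
	HttpRequestBody []byte
}

// applyLibraryMask returns the row that would result from updating stored
// with the masked fields of in, following the documented rules:
//   - a masked field whose value in `in` is the zero value clears the column;
//   - HttpMethod is the exception: masked but unset, it becomes "GET";
//   - a result with method GET and a stored request body is rejected.
// Mask paths are matched exactly against the field names (an assumption of
// this example), and paths naming fields that cannot be updated are rejected.
func applyLibraryMask(stored, in libraryRow, fieldMaskPaths []string) (libraryRow, error) {
	out := stored
	for _, path := range fieldMaskPaths {
		switch path {
		case "Name":
			out.Name = in.Name
		case "Description":
			out.Description = in.Description
		case "VaultPath":
			out.VaultPath = in.VaultPath
		case "HttpMethod":
			if in.HttpMethod == "" {
				out.HttpMethod = "GET"
			} else {
				out.HttpMethod = in.HttpMethod
			}
		case "HttpRequestBody":
			out.HttpRequestBody = in.HttpRequestBody
		default:
			return libraryRow{}, fmt.Errorf("field %q cannot be updated", path)
		}
	}
	// The body check is evaluated on the resulting row (an assumption), so an
	// update that switches to GET and clears the body in the same call passes.
	if out.HttpMethod == "GET" && len(out.HttpRequestBody) > 0 {
		return libraryRow{}, errors.New("http method GET cannot have a request body")
	}
	return out, nil
}

// sampleStored is a constructed library that currently POSTs a body to Vault.
func sampleStored() libraryRow {
	return libraryRow{
		Name:            "db-creds",
		Description:     "dynamic database credentials",
		VaultPath:       "database/creds/readonly",
		HttpMethod:      "POST",
		HttpRequestBody: []byte(`{"ttl":"1h"}`),
	}
}

func main() {
	stored := sampleStored()
	// Masking HttpMethod without a value resets it to GET; with a body stored this fails.
	if _, err := applyLibraryMask(stored, libraryRow{}, []string{"HttpMethod"}); err != nil {
		fmt.Println("rejected:", err)
	}
	// Clearing the body in the same update is accepted.
	out, err := applyLibraryMask(stored, libraryRow{}, []string{"HttpMethod", "HttpRequestBody"})
	fmt.Printf("method=%s body=%q err=%v\n", out.HttpMethod, out.HttpRequestBody, err)
}
```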

func (*Repository) UpdateCredentialStore

func (r *Repository) UpdateCredentialStore(ctx context.Context, cs *CredentialStore, version uint32, fieldMaskPaths []string, _ ...Option) (*CredentialStore, int, error)

UpdateCredentialStore updates the repository entry for cs.PublicId with the values in cs for the fields listed in fieldMaskPaths. It returns a new CredentialStore containing the updated values and a count of the number of records updated. cs is not changed.

cs must contain a valid PublicId. Only Name, Description, Namespace, TlsServerName, TlsSkipVerify, CaCert, VaultAddress, ClientCertificate, ClientCertificateKey, workerFilter, and Token can be changed. If cs.Name is set to a non-empty string, it must be unique within cs.ProjectId. If Token is changed, the new token must have the same properties defined in CreateCredentialStore, and UpdateCredentialStore calls the same Vault endpoints described in CreateCredentialStore.

An attribute of cs will be set to NULL in the database if the attribute in cs is the zero value and it is included in fieldMaskPaths.

func (*Repository) UpdateSSHCertificateCredentialLibrary added in v0.12.0

func (r *Repository) UpdateSSHCertificateCredentialLibrary(ctx context.Context, projectId string, l *SSHCertificateCredentialLibrary, version uint32, fieldMaskPaths []string, _ ...Option) (*SSHCertificateCredentialLibrary, int, error)

UpdateSSHCertificateCredentialLibrary updates the repository entry for l.PublicId with the values in l for the fields listed in fieldMaskPaths. It returns a new SSHCertificateCredentialLibrary containing the updated values and a count of the number of records updated. l is not changed.

l must contain a valid PublicId. Name, Description, VaultPath, Username, KeyType, KeyBits, Ttl, KeyId, CriticalOptions, and Extensions can be updated. If l.Name is set to a non-empty string, it must be unique within l.StoreId.

An attribute of l will be set to NULL in the database if the attribute in l is the zero value and it is included in fieldMaskPaths.

type SSHCertificateCredentialLibrary added in v0.12.0

type SSHCertificateCredentialLibrary struct {
	*store.SSHCertificateCredentialLibrary
	// contains filtered or unexported fields
}

SSHCertificateCredentialLibrary is a credential library that issues SSH certificates using the Vault SSH secrets engine. See: https://developer.hashicorp.com/vault/api-docs/secret/ssh#sign-ssh-key

func NewSSHCertificateCredentialLibrary added in v0.12.0

func NewSSHCertificateCredentialLibrary(storeId string, vaultPath string, username string, opt ...Option) (*SSHCertificateCredentialLibrary, error)

NewSSHCertificateCredentialLibrary creates a new in-memory SSHCertificateCredentialLibrary for a Vault backend at vaultPath assigned to storeId. The SSH username field must be set. Name, description, key type, key bits, ttl, key id, critical options, and extensions are the only valid options. All other options are ignored.

func TestSSHCertificateCredentialLibraries added in v0.12.0

func TestSSHCertificateCredentialLibraries(t testing.TB, conn *db.DB, _ wrapping.Wrapper, storeId string, count int) []*SSHCertificateCredentialLibrary

TestSSHCertificateCredentialLibraries creates count number of vault ssh certificate credential libraries in the provided DB with the provided store id. If any errors are encountered during the creation of the credential libraries, the test will fail.

func (*SSHCertificateCredentialLibrary) CredentialType added in v0.12.0

func (l *SSHCertificateCredentialLibrary) CredentialType() credential.Type

CredentialType returns the type of credential the library retrieves.

func (*SSHCertificateCredentialLibrary) SetTableName added in v0.12.0

func (l *SSHCertificateCredentialLibrary) SetTableName(n string)

SetTableName sets the table name.

func (*SSHCertificateCredentialLibrary) TableName added in v0.12.0

func (l *SSHCertificateCredentialLibrary) TableName() string

TableName returns the table name.

type SshPrivateKeyOverride added in v0.10.0

type SshPrivateKeyOverride struct {
	*store.SshPrivateKeyOverride
	// contains filtered or unexported fields
}

An SshPrivateKeyOverride contains optional values for overriding the default mappings used to map a Vault secret to a SshPrivateKey credential type for the credential library that owns it.

func NewSshPrivateKeyOverride added in v0.10.0

func NewSshPrivateKeyOverride(opt ...Option) *SshPrivateKeyOverride

NewSshPrivateKeyOverride creates a new in-memory SshPrivateKeyOverride. WithOverrideUsernameAttribute, WithOverridePrivateKeyAttribute and WithOverridePrivateKeyPassphraseAttribute are the only valid options. All other options are ignored.

func (*SshPrivateKeyOverride) SetTableName added in v0.10.0

func (o *SshPrivateKeyOverride) SetTableName(n string)

SetTableName sets the table name.

func (*SshPrivateKeyOverride) TableName added in v0.10.0

func (o *SshPrivateKeyOverride) TableName() string

TableName returns the table name.

type TestDatabase

type TestDatabase struct {
	URL TestDatabaseURL
}

TestDatabase is returned from MountDatabase and can be used to test database credentials returned by Vault for that mount.

func (*TestDatabase) ValidateCredential

func (d *TestDatabase) ValidateCredential(t testing.TB, s *vault.Secret) error

ValidateCredential tests the credentials in s against d. An error is returned if the credentials are not valid.

type TestDatabaseURL

type TestDatabaseURL string

TestDatabaseURL is a connection string with placeholders for the username and password of the database started by MountDatabase.

func (TestDatabaseURL) Encode

func (u TestDatabaseURL) Encode(t testing.TB, s *vault.Secret) string

Encode encodes the username and password credentials from s into u.

type TestOption

type TestOption func(testing.TB, *testOptions)

TestOption - how Options are passed as arguments.

func TestOrphanToken

func TestOrphanToken(b bool) TestOption

TestOrphanToken sets the token orphan option to b. The orphan option is true by default.

func TestPeriodicToken

func TestPeriodicToken(b bool) TestOption

TestPeriodicToken sets the token periodic option to b. The periodic option is true by default.

func TestRenewableToken

func TestRenewableToken(b bool) TestOption

TestRenewableToken sets the token renewable option to b. The renewable option is true by default.

func WithAllowedExtension added in v0.12.0

func WithAllowedExtension(e string) TestOption

WithAllowedExtension tells Vault to allow a specific SSH extension to be used by Vault's ssh secrets engine.

func WithClientKey

func WithClientKey(k *ecdsa.PrivateKey) TestOption

WithClientKey sets the private key that will be used to generate the client certificate. The option is only valid when used together with TestClientTLS.

func WithDockerNetwork

func WithDockerNetwork(b bool) TestOption

WithDockerNetwork sets the option to create a docker network when creating a Vault test server. The default is to not create a docker network.

func WithDontCleanUp

func WithDontCleanUp() TestOption

WithDontCleanUp causes the created resource to not be automatically cleaned up at the end of the test run.

func WithPolicies

func WithPolicies(p []string) TestOption

WithPolicies sets the policies to attach to a token. The default policy attached to tokens is 'default'.

func WithTestMountPath

func WithTestMountPath(p string) TestOption

WithTestMountPath sets the mount path option to p.

func WithTestRoleName

func WithTestRoleName(n string) TestOption

WithTestRoleName sets the role name to n. The default role name is boundary.

func WithTestVaultTLS

func WithTestVaultTLS(s TestVaultTLS) TestOption

WithTestVaultTLS sets the Vault TLS option. TestNoTLS is the default TLS option.

func WithTokenPeriod

func WithTokenPeriod(d time.Duration) TestOption

WithTokenPeriod sets the period value in a vault.TokenCreateRequest when the token being requested is a periodic token. The default token period is the value of t.Deadline() or 24 hours if t.Deadline() is nil.

func WithVaultVersion added in v0.12.0

func WithVaultVersion(s string) TestOption

WithVaultVersion sets the version of Vault that will be started. It defaults to the value stored in vault.supported.DefaultVaultVersion.

type TestVaultServer

type TestVaultServer struct {
	RootToken string
	Addr      string

	CaCert     []byte
	ServerCert []byte
	ClientCert []byte
	ClientKey  []byte
	// contains filtered or unexported fields
}

TestVaultServer is a vault server running in a docker container suitable for testing.

func NewTestVaultServer

func NewTestVaultServer(t testing.TB, opt ...TestOption) *TestVaultServer

NewTestVaultServer creates and returns a TestVaultServer. Some Vault secret engines require the Vault server be created with a docker network. Check the Mount method for the Vault secret engine to see if a docker network is required.

WithTestVaultTLS and WithDockerNetwork are the only valid options. Setting the WithDockerNetwork option can significantly increase the amount of time required for a test to run.

func (*TestVaultServer) AddKVPolicy added in v0.7.3

func (v *TestVaultServer) AddKVPolicy(t testing.TB, _ ...TestOption)

AddKVPolicy adds a Vault policy named 'secret' to v and adds it to the standard set of policies attached to tokens created with v.CreateToken. The policy is defined as:

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

All options are ignored.

func (*TestVaultServer) ClientUsingToken added in v0.10.4

func (v *TestVaultServer) ClientUsingToken(t testing.TB, token string) *client

func (*TestVaultServer) CreateKVSecret added in v0.7.3

func (v *TestVaultServer) CreateKVSecret(t testing.TB, p string, data []byte) *vault.Secret

CreateKVSecret calls the /secret/data/:p endpoint with the provided data. Note that for KV-v2 the provided data must be JSON of the form `{"data": {"key": "value", "key2": "value2"}}`. See https://www.vaultproject.io/api-docs/secret/kv/kv-v2#create-update-secret.

func (*TestVaultServer) CreateToken

func (v *TestVaultServer) CreateToken(t testing.TB, opt ...TestOption) (*vault.Secret, string)

CreateToken creates a new Vault token by calling /auth/token/create on v using v.RootToken. It returns the vault secret containing the token and the token itself. See https://www.vaultproject.io/api-docs/auth/token#create-token.

func (*TestVaultServer) LookupLease

func (v *TestVaultServer) LookupLease(t testing.TB, leaseId string) *vault.Secret

LookupLease calls the /sys/leases/lookup Vault endpoint and returns the vault.Secret response. See https://www.vaultproject.io/api-docs/system/leases#read-lease.

func (*TestVaultServer) LookupToken

func (v *TestVaultServer) LookupToken(t testing.TB, token string) *vault.Secret

LookupToken calls /auth/token/lookup on v for the token. See https://www.vaultproject.io/api-docs/auth/token#lookup-a-token.

func (*TestVaultServer) MountDatabase

func (v *TestVaultServer) MountDatabase(t testing.TB, opt ...TestOption) *TestDatabase

MountDatabase starts a PostgreSQL database in a docker container then mounts the Vault database secrets engine and configures it to issue credentials for the database.

MountDatabase also adds a Vault policy named 'database' to v and adds it to the standard set of policies attached to tokens created with v.CreateToken. The policy is defined as:

path "mountPath/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

MountDatabase returns a TestDatabase for testing credentials from the mount.

func (*TestVaultServer) MountPKI

func (v *TestVaultServer) MountPKI(t testing.TB, opt ...TestOption) *vault.Secret

MountPKI mounts the Vault PKI secret engine and initializes it by generating a root certificate authority and creating a default role on the mount. The root CA is returned.

The default mount path is pki and the default role name is boundary. WithTestMountPath and WithTestRoleName are the only test options supported.

MountPKI also adds a Vault policy named 'pki' to v and adds it to the standard set of policies attached to tokens created with v.CreateToken. The policy is defined as:

path "mountPath/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

func (*TestVaultServer) MountSSH added in v0.12.0

func (v *TestVaultServer) MountSSH(t testing.TB, opt ...TestOption) *vault.Secret

MountSSH mounts the Vault SSH secret engine and initializes it by generating a root certificate authority and creating a default role on the mount. The root CA is returned.

The default mount path is ssh and the default role name is boundary. WithTestMountPath, WithTestRoleName, and WithAllowedExtension are the test options supported. The extensions passed with WithAllowedExtension are combined into allowed_extensions, which defaults to "*" (allow all). The role is defined as:

{
	"key_type": "ca",
	"allowed_users": "*",
	"allowed_extensions": "*",
	"allow_user_certificates": true,
	"ttl": "12h0m0s"
}

MountSSH also adds a Vault policy named 'ssh' to v and adds it to the standard set of policies attached to tokens created with v.CreateToken. The policy is defined as:

path "mountPath/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

func (*TestVaultServer) RevokeToken added in v0.10.4

func (v *TestVaultServer) RevokeToken(t testing.TB, token string)

RevokeToken calls /auth/token/revoke-self on v for the token. See https://www.vaultproject.io/api-docs/auth/token#revoke-a-token-self.

func (*TestVaultServer) VerifyTokenInvalid

func (v *TestVaultServer) VerifyTokenInvalid(t testing.TB, token string)

VerifyTokenInvalid calls /auth/token/lookup on v for the token. It expects the lookup to fail with a StatusForbidden. See https://www.vaultproject.io/api-docs/auth/token#lookup-a-token.

type TestVaultTLS

type TestVaultTLS int

TestVaultTLS represents the TLS configuration level of a TestVaultServer.

const (
	// TestNoTLS disables TLS. The test server Addr begins with http://.
	TestNoTLS TestVaultTLS = iota // no TLS

	// TestServerTLS configures the Vault test server listener to use TLS.
	// A CA certificate is generated and a server certificate is issued
	// from the CA certificate. The CA certificate is available in the
	// CaCert field of the TestVaultServer. The test server Addr begins
	// with https://.
	TestServerTLS

	// TestClientTLS configures the Vault test server listener to require a
	// client certificate for mTLS and includes all of the settings from
	// TestServerTLS. A second CA certificate is generated and a client
	// certificate is issued from this CA certificate. The client
	// certificate and the client certificate key are available in the
	// ClientCert and ClientKey fields of the TestVaultServer
	// respectively.
	TestClientTLS
)

type Token

type Token struct {
	*store.Token
	// contains filtered or unexported fields
}

Token contains a vault token. It is owned by a credential store.

func (*Token) SetTableName

func (t *Token) SetTableName(n string)

SetTableName sets the table name.

func (*Token) TableName

func (t *Token) TableName() string

TableName returns the table name.

type TokenRenewalJob

type TokenRenewalJob struct {
	// contains filtered or unexported fields
}

TokenRenewalJob is the recurring job that renews credential store Vault tokens that are in the `current` and `maintaining` state. The TokenRenewalJob is not thread safe; an attempt to Run the job concurrently will result in a JobAlreadyRunning error.

func (*TokenRenewalJob) Description

func (r *TokenRenewalJob) Description() string

Description is the human readable description of the job.

func (*TokenRenewalJob) Name

func (r *TokenRenewalJob) Name() string

Name is the unique name of the job.

func (*TokenRenewalJob) NextRunIn

func (r *TokenRenewalJob) NextRunIn(ctx context.Context) (time.Duration, error)

NextRunIn queries the vault credential repo to determine when the next token renewal job should run.

func (*TokenRenewalJob) Run

func (r *TokenRenewalJob) Run(ctx context.Context) error

Run queries the vault credential repo for tokens that need to be renewed, then creates a vault client and renews each token. It cannot be run in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning will be returned.

func (*TokenRenewalJob) Status

func (r *TokenRenewalJob) Status() scheduler.JobStatus

Status returns the current status of the token renewal job. Total is the total number of tokens that are set to be renewed. Completed is the number of tokens already renewed.

type TokenRevocationJob

type TokenRevocationJob struct {
	// contains filtered or unexported fields
}

TokenRevocationJob is the recurring job that revokes credential store Vault tokens that are in the `maintaining` state and have no credentials being used by an active or pending session. The TokenRevocationJob is not thread safe; an attempt to Run the job concurrently will result in a JobAlreadyRunning error.

func (*TokenRevocationJob) Description

func (r *TokenRevocationJob) Description() string

Description is the human readable description of the job.

func (*TokenRevocationJob) Name

func (r *TokenRevocationJob) Name() string

Name is the unique name of the job.

func (*TokenRevocationJob) NextRunIn

func (r *TokenRevocationJob) NextRunIn(_ context.Context) (time.Duration, error)

NextRunIn determines when the next token revocation job should run.

func (*TokenRevocationJob) Run

Run queries the vault credential repo for tokens that need to be revoked, then creates a vault client and revokes each token. It cannot be run in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning will be returned.

func (*TokenRevocationJob) Status

Status returns the current status of the token revocation job. Total is the total number of tokens that are set to be revoked. Completed is the number of tokens already revoked.

type TokenSecret

type TokenSecret []byte

TokenSecret holds a Vault token. This type provides a wrapper so the secret isn't inadvertently leaked into a log or error.

func (TokenSecret) GoString

func (s TokenSecret) GoString() string

GoString will redact the TokenSecret.

func (TokenSecret) MarshalJSON

func (s TokenSecret) MarshalJSON() ([]byte, error)

MarshalJSON will redact the TokenSecret.

func (TokenSecret) String

func (s TokenSecret) String() string

String will redact the TokenSecret.
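The redaction that TokenSecret's String, GoString and MarshalJSON methods provide, shown as an added Go example that is not the package's own code: the TokenSecret re-implementation, the loginResult struct and the constructed token value are assumptions for illustration. It also shows the one path the wrapper cannot protect, a conversion to a plain []byte.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// TokenSecret is an illustrative re-implementation of the wrapper described
// above (not the package's own code): its fmt and JSON forms are redacted.
type TokenSecret []byte

const redacted = "[REDACTED]"

func (s TokenSecret) String() string   { return redacted } // %s and %v
func (s TokenSecret) GoString() string { return redacted } // %#v
func (s TokenSecret) MarshalJSON() ([]byte, error) {
	return json.Marshal(redacted) // used whenever a containing struct is encoded
}

// loginResult (constructed for this example) stands in for any struct that
// carries a token and ends up being logged or serialised.
type loginResult struct {
	Accessor string      `json:"accessor"`
	Token    TokenSecret `json:"token"`
}

// RenderAll pushes r through the paths that usually reach a log: fmt verbs on
// the field and on the whole struct, an error message, and JSON encoding.
func RenderAll(r loginResult) (map[string]string, error) {
	js, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"%s":    fmt.Sprintf("%s", r.Token),
		"%#v":   fmt.Sprintf("%#v", r.Token),
		"%+v":   fmt.Sprintf("%+v", r),
		"error": fmt.Errorf("renew failed for %v", r.Token).Error(),
		"json":  string(js),
	}, nil
}

// Unwrapped shows the pitfall: converting to a plain []byte (or string) drops
// the methods, so the raw token prints. Reserve such conversions for the
// single place the token is sent to Vault, and audit for others.
func Unwrapped(s TokenSecret) string { return fmt.Sprintf("%s", []byte(s)) }

func main() {
	r := loginResult{Accessor: "acc-123", Token: TokenSecret("hvs.constructed-example-token")}
	fmt.Println(RenderAll(r))
}
```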

type TokenStatus

type TokenStatus string

A TokenStatus represents the status of a vault token.

const (
	// CurrentToken represents a vault token for a credential store that is
	// used for retrieving credentials. Tokens in this state are renewed
	// before they expire. A credential store can have only one current
	// token.
	CurrentToken TokenStatus = "current"

	// MaintainingToken represents a vault token that is no longer being
	// used for retrieving credentials but is being renewed because it was
	// used to retrieve credentials which are still being used in a
	// session. After the dependent sessions are terminated, the token is
	// revoked in Vault and the status transitions to RevokedToken.
	MaintainingToken TokenStatus = "maintaining"

	// RevokeToken represents a token that should be revoked.
	RevokeToken TokenStatus = "revoke"

	// RevokedToken represents a token that has been revoked. This is a
	// terminal status. It does not transition to ExpiredToken.
	RevokedToken TokenStatus = "revoked"

	// ExpiredToken represents a token that expired. This is a terminal
	// status. It does not transition to RevokedToken.
	ExpiredToken TokenStatus = "expired"
)

type UsernamePasswordOverride added in v0.9.1

type UsernamePasswordOverride struct {
	*store.UsernamePasswordOverride
	// contains filtered or unexported fields
}

A UsernamePasswordOverride contains optional values for overriding the default mappings used to map a Vault secret to a UsernamePassword credential type for the credential library that owns it.

func NewUsernamePasswordOverride added in v0.9.1

func NewUsernamePasswordOverride(opt ...Option) *UsernamePasswordOverride

NewUsernamePasswordOverride creates a new in memory UsernamePasswordOverride. WithOverrideUsernameAttribute and WithOverridePasswordAttribute are the only valid options. All other options are ignored.

func (*UsernamePasswordOverride) SetTableName added in v0.9.1

func (o *UsernamePasswordOverride) SetTableName(n string)

SetTableName sets the table name.

func (*UsernamePasswordOverride) TableName added in v0.9.1

func (o *UsernamePasswordOverride) TableName() string

TableName returns the table name.

Directories

Path Synopsis
internal
sshprivatekey
Package sshprivatekey provides access to the username and ssh private key stored in a Vault secret.
usernamepassword
Package usernamepassword provides access to the username and password stored in a Vault secret.
