Documentation ¶
Overview ¶
Package vault provides access to dynamic credentials retrieved from a HashiCorp Vault server on behalf of a session, together with the recurring jobs that renew, revoke and clean up those credentials and the Vault tokens held by credential stores.
Index ¶
- Constants
- func RegisterJobs(ctx context.Context, scheduler *scheduler.Scheduler, r db.Reader, w db.Writer, ...) error
- type ClientCertificate
- type Credential
- type CredentialCleanupJob
- func (r *CredentialCleanupJob) Description() string
- func (r *CredentialCleanupJob) Name() string
- func (r *CredentialCleanupJob) NextRunIn(_ context.Context) (time.Duration, error)
- func (r *CredentialCleanupJob) Run(ctx context.Context) error
- func (r *CredentialCleanupJob) Status() scheduler.JobStatus
- type CredentialLibrary
- type CredentialRenewalJob
- func (r *CredentialRenewalJob) Description() string
- func (r *CredentialRenewalJob) Name() string
- func (r *CredentialRenewalJob) NextRunIn(ctx context.Context) (time.Duration, error)
- func (r *CredentialRenewalJob) Run(ctx context.Context) error
- func (r *CredentialRenewalJob) Status() scheduler.JobStatus
- type CredentialRevocationJob
- func (r *CredentialRevocationJob) Description() string
- func (r *CredentialRevocationJob) Name() string
- func (r *CredentialRevocationJob) NextRunIn(_ context.Context) (time.Duration, error)
- func (r *CredentialRevocationJob) Run(ctx context.Context) error
- func (r *CredentialRevocationJob) Status() scheduler.JobStatus
- type CredentialStatus
- type CredentialStore
- func NewCredentialStore(scopeId string, vaultAddress string, token TokenSecret, opt ...Option) (*CredentialStore, error)
- func TestCredentialStore(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, ...) *CredentialStore
- func TestCredentialStores(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, scopeId string, count int) []*CredentialStore
- type CredentialStoreCleanupJob
- func (r *CredentialStoreCleanupJob) Description() string
- func (r *CredentialStoreCleanupJob) Name() string
- func (r *CredentialStoreCleanupJob) NextRunIn(_ context.Context) (time.Duration, error)
- func (r *CredentialStoreCleanupJob) Run(ctx context.Context) error
- func (r *CredentialStoreCleanupJob) Status() scheduler.JobStatus
- type KeySecret
- type MappingOverride
- type Method
- type Option
- func WithCACert(cert []byte) Option
- func WithClientCert(clientCert *ClientCertificate) Option
- func WithCredentialType(t credential.Type) Option
- func WithDescription(desc string) Option
- func WithLimit(l int) Option
- func WithMappingOverride(m MappingOverride) Option
- func WithMethod(m Method) Option
- func WithName(name string) Option
- func WithNamespace(namespace string) Option
- func WithOverridePasswordAttribute(s string) Option
- func WithOverrideUsernameAttribute(s string) Option
- func WithRequestBody(b []byte) Option
- func WithTlsServerName(name string) Option
- func WithTlsSkipVerify(skipVerify bool) Option
- type Repository
- func (r *Repository) CreateCredentialLibrary(ctx context.Context, scopeId string, l *CredentialLibrary, _ ...Option) (*CredentialLibrary, error)
- func (r *Repository) CreateCredentialStore(ctx context.Context, cs *CredentialStore, _ ...Option) (*CredentialStore, error)
- func (r *Repository) DeleteCredentialLibrary(ctx context.Context, scopeId string, publicId string, _ ...Option) (int, error)
- func (r *Repository) DeleteCredentialStore(ctx context.Context, publicId string, _ ...Option) (int, error)
- func (r *Repository) Issue(ctx context.Context, sessionId string, requests []credential.Request) ([]credential.Dynamic, error)
- func (r *Repository) ListCredentialLibraries(ctx context.Context, storeId string, opt ...Option) ([]*CredentialLibrary, error)
- func (r *Repository) ListCredentialStores(ctx context.Context, scopeIds []string, opt ...Option) ([]*CredentialStore, error)
- func (r *Repository) LookupCredentialLibrary(ctx context.Context, publicId string, _ ...Option) (*CredentialLibrary, error)
- func (r *Repository) LookupCredentialStore(ctx context.Context, publicId string, _ ...Option) (*CredentialStore, error)
- func (r *Repository) Revoke(ctx context.Context, sessionId string) error
- func (r *Repository) UpdateCredentialLibrary(ctx context.Context, scopeId string, l *CredentialLibrary, version uint32, ...) (*CredentialLibrary, int, error)
- func (r *Repository) UpdateCredentialStore(ctx context.Context, cs *CredentialStore, version uint32, ...) (*CredentialStore, int, error)
- type TestDatabase
- type TestDatabaseURL
- type TestOption
- func TestOrphanToken(b bool) TestOption
- func TestPeriodicToken(b bool) TestOption
- func TestRenewableToken(b bool) TestOption
- func WithClientKey(k *ecdsa.PrivateKey) TestOption
- func WithDockerNetwork(b bool) TestOption
- func WithDontCleanUp() TestOption
- func WithPolicies(p []string) TestOption
- func WithTestMountPath(p string) TestOption
- func WithTestRoleName(n string) TestOption
- func WithTestVaultTLS(s TestVaultTLS) TestOption
- func WithTokenPeriod(d time.Duration) TestOption
- type TestVaultServer
- func (v *TestVaultServer) AddKVPolicy(t *testing.T, _ ...TestOption)
- func (v *TestVaultServer) CreateKVSecret(t *testing.T, p string, data []byte) *vault.Secret
- func (v *TestVaultServer) CreateToken(t *testing.T, opt ...TestOption) (*vault.Secret, string)
- func (v *TestVaultServer) LookupLease(t *testing.T, leaseId string) *vault.Secret
- func (v *TestVaultServer) LookupToken(t *testing.T, token string) *vault.Secret
- func (v *TestVaultServer) MountDatabase(t *testing.T, opt ...TestOption) *TestDatabase
- func (v *TestVaultServer) MountPKI(t *testing.T, opt ...TestOption) *vault.Secret
- func (v *TestVaultServer) VerifyTokenInvalid(t *testing.T, token string)
- type TestVaultTLS
- type Token
- type TokenRenewalJob
- type TokenRevocationJob
- type TokenSecret
- type TokenStatus
- type UserPasswordOverride
Constants ¶
// PublicId prefixes for the resources in the vault package.
const (
	// CredentialStorePrefix is the PublicId prefix of a Vault credential store.
	CredentialStorePrefix = "csvlt"
	// CredentialLibraryPrefix is the PublicId prefix of a Vault credential library.
	CredentialLibraryPrefix = "clvlt"
	// DynamicCredentialPrefix is the PublicId prefix of a dynamic credential
	// issued through a Vault credential library.
	DynamicCredentialPrefix = "cdvlt"
	// Subtype identifies the "vault" credential subtype.
	Subtype = subtypes.Subtype("vault")
)
PublicId prefixes for the resources in the vault package.
// DefaultVaultVersion is the Vault version this package pins by default.
// NOTE(review): presumably the image tag used by NewTestVaultServer — confirm
// it is only used for the test server and never for a production connection,
// and bump it when the integration tests should target a newer Vault release.
const DefaultVaultVersion = "1.7.2"
const (
	// MappingOverrideField represents the field mask indicating a mapping override
	// update has been requested. Include it in the fieldMaskPaths passed to
	// UpdateCredentialLibrary to change a library's MappingOverride.
	MappingOverrideField = "MappingOverride"
)
These constants are the field names used in the vault related field masks.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type ClientCertificate ¶
type ClientCertificate struct { *store.ClientCertificate // contains filtered or unexported fields }
ClientCertificate contains a client certificate and a private key for the certificate. It is owned by a credential store.
func NewClientCertificate ¶
func NewClientCertificate(certificate []byte, key KeySecret) (*ClientCertificate, error)
NewClientCertificate creates a new in memory ClientCertificate.
func (*ClientCertificate) SetTableName ¶
func (c *ClientCertificate) SetTableName(n string)
SetTableName sets the table name.
func (*ClientCertificate) TableName ¶
func (c *ClientCertificate) TableName() string
TableName returns the table name.
type Credential ¶
type Credential struct { *store.Credential // contains filtered or unexported fields }
A Credential contains the data for a Vault lease. It is owned by a credential library.
func TestCredentials ¶
func TestCredentials(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, libraryId, sessionId string, count int) []*Credential
TestCredentials creates count number of vault credentials in the provided DB with the provided library id and session id. If any errors are encountered during the creation of the credentials, the test will fail.
func (*Credential) SetTableName ¶
func (c *Credential) SetTableName(n string)
SetTableName sets the table name.
func (*Credential) TableName ¶
func (c *Credential) TableName() string
TableName returns the table name.
type CredentialCleanupJob ¶
type CredentialCleanupJob struct {
// contains filtered or unexported fields
}
CredentialCleanupJob is the recurring job that deletes Vault credentials that are no longer attached to a session (have a null session_id) and are not active. The CredentialCleanupJob is not thread safe: an attempt to Run the job concurrently will result in a JobAlreadyRunning error.
func (*CredentialCleanupJob) Description ¶
func (r *CredentialCleanupJob) Description() string
Description is the human readable description of the job.
func (*CredentialCleanupJob) Name ¶
func (r *CredentialCleanupJob) Name() string
Name is the unique name of the job.
func (*CredentialCleanupJob) NextRunIn ¶
NextRunIn determines when the next credential cleanup job should run.
func (*CredentialCleanupJob) Run ¶
func (r *CredentialCleanupJob) Run(ctx context.Context) error
Run deletes all Vault credentials in the repo that have a null session_id and are not active. It cannot be run in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning is returned.
func (*CredentialCleanupJob) Status ¶
func (r *CredentialCleanupJob) Status() scheduler.JobStatus
Status returns the current status of the credential cleanup job.
type CredentialLibrary ¶
type CredentialLibrary struct { *store.CredentialLibrary MappingOverride MappingOverride `gorm:"-"` // contains filtered or unexported fields }
A CredentialLibrary contains a Vault path and is owned by a credential store.
func NewCredentialLibrary ¶
func NewCredentialLibrary(storeId string, vaultPath string, opt ...Option) (*CredentialLibrary, error)
NewCredentialLibrary creates a new in memory CredentialLibrary for a Vault backend at vaultPath assigned to storeId. Name, description, method, request body, credential type, and mapping override are the only valid options. All other options are ignored.
func TestCredentialLibraries ¶
func TestCredentialLibraries(t *testing.T, conn *db.DB, _ wrapping.Wrapper, storeId string, count int) []*CredentialLibrary
TestCredentialLibraries creates count number of vault credential libraries in the provided DB with the provided store id. If any errors are encountered during the creation of the credential libraries, the test will fail.
func (*CredentialLibrary) CredentialType ¶ added in v0.7.4
func (l *CredentialLibrary) CredentialType() credential.Type
CredentialType returns the type of credential the library retrieves.
func (*CredentialLibrary) SetTableName ¶
func (l *CredentialLibrary) SetTableName(n string)
SetTableName sets the table name.
func (*CredentialLibrary) TableName ¶
func (l *CredentialLibrary) TableName() string
TableName returns the table name.
type CredentialRenewalJob ¶
type CredentialRenewalJob struct {
// contains filtered or unexported fields
}
CredentialRenewalJob is the recurring job that renews Vault credentials issued to a session. The CredentialRenewalJob is not thread safe: an attempt to Run the job concurrently will result in a JobAlreadyRunning error.
func (*CredentialRenewalJob) Description ¶
func (r *CredentialRenewalJob) Description() string
Description is the human readable description of the job.
func (*CredentialRenewalJob) Name ¶
func (r *CredentialRenewalJob) Name() string
Name is the unique name of the job.
func (*CredentialRenewalJob) NextRunIn ¶
NextRunIn queries the vault credential repo to determine when the next credential renewal job should run.
func (*CredentialRenewalJob) Run ¶
func (r *CredentialRenewalJob) Run(ctx context.Context) error
Run queries the vault credential repo for credentials that need to be renewed, then creates a Vault client and renews each credential. It cannot be run in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning is returned. This page does not state what happens to a credential whose renewal fails (for example whether it moves to RevokeCredential or ExpiredCredential); confirm against the implementation before relying on it.
func (*CredentialRenewalJob) Status ¶
func (r *CredentialRenewalJob) Status() scheduler.JobStatus
Status returns the current status of the credential renewal job. Total is the total number of credentials that are set to be renewed. Completed is the number of credentials already renewed.
type CredentialRevocationJob ¶
type CredentialRevocationJob struct {
// contains filtered or unexported fields
}
CredentialRevocationJob is the recurring job that revokes Vault credentials that are no longer being used by an active or pending session. The CredentialRevocationJob is not thread safe: an attempt to Run the job concurrently will result in a JobAlreadyRunning error.
func (*CredentialRevocationJob) Description ¶
func (r *CredentialRevocationJob) Description() string
Description is the human readable description of the job.
func (*CredentialRevocationJob) Name ¶
func (r *CredentialRevocationJob) Name() string
Name is the unique name of the job.
func (*CredentialRevocationJob) NextRunIn ¶
NextRunIn determines when the next credential revocation job should run.
func (*CredentialRevocationJob) Run ¶
func (r *CredentialRevocationJob) Run(ctx context.Context) error
Run queries the vault credential repo for credentials that need to be revoked, then creates a Vault client and revokes each credential in Vault. It cannot be run in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning is returned.
func (*CredentialRevocationJob) Status ¶
func (r *CredentialRevocationJob) Status() scheduler.JobStatus
Status returns the current status of the credential revocation job. Total is the total number of credentials that are set to be revoked. Completed is the number of credentials already revoked.
type CredentialStatus ¶
// CredentialStatus represents the lifecycle status of a vault credential; the
// defined values are the CredentialStatus constants declared in this package.
type CredentialStatus string
A CredentialStatus represents the status of a vault credential.
// Status values of a vault credential. From the job descriptions in this
// package, credentials in ActiveCredential are kept alive by the
// CredentialRenewalJob and credentials marked RevokeCredential are processed by
// the CredentialRevocationJob (confirm the exact transitions against the
// implementation).
const (
	// ActiveCredential represents a vault credential that is being used in
	// an active session. Credentials in this state are renewed before they
	// expire.
	ActiveCredential CredentialStatus = "active"
	// RevokeCredential represents a vault credential that needs to be
	// revoked.
	RevokeCredential CredentialStatus = "revoke"
	// RevokedCredential represents a credential that has been revoked. This is a
	// terminal status. It does not transition to ExpiredCredential.
	RevokedCredential CredentialStatus = "revoked"
	// ExpiredCredential represents a credential that expired. This is a terminal
	// status. It does not transition to RevokedCredential.
	ExpiredCredential CredentialStatus = "expired"
	// UnknownCredentialStatus represents a credential that has an unknown
	// status.
	UnknownCredentialStatus CredentialStatus = "unknown"
)
type CredentialStore ¶
type CredentialStore struct { *store.CredentialStore // contains filtered or unexported fields }
A CredentialStore contains credential libraries. It is owned by a scope.
func NewCredentialStore ¶
func NewCredentialStore(scopeId string, vaultAddress string, token TokenSecret, opt ...Option) (*CredentialStore, error)
NewCredentialStore creates a new in memory CredentialStore for a Vault server at vaultAddress assigned to scopeId. Name, description, CA cert, client cert, namespace, TLS server name, and TLS skip verify are the only valid options. All other options are ignored.
func TestCredentialStore ¶
func TestCredentialStore(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, scopeId, vaultAddr, vaultToken, accessor string, opts ...Option) *CredentialStore
TestCredentialStore creates a vault credential store in the provided DB with the provided scope, vault address, token, and accessor and any values passed in through the Options vargs. If any errors are encountered during the creation of the store, the test will fail.
func TestCredentialStores ¶
func TestCredentialStores(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, scopeId string, count int) []*CredentialStore
TestCredentialStores creates count number of vault credential stores in the provided DB with the provided scope id. If any errors are encountered during the creation of the credential stores, the test will fail.
func (*CredentialStore) ClientCertificate ¶
func (cs *CredentialStore) ClientCertificate() *ClientCertificate
ClientCertificate returns the client certificate if available.
func (*CredentialStore) SetTableName ¶
func (cs *CredentialStore) SetTableName(n string)
SetTableName sets the table name.
func (*CredentialStore) TableName ¶
func (cs *CredentialStore) TableName() string
TableName returns the table name.
func (*CredentialStore) Token ¶
func (cs *CredentialStore) Token() *Token
Token returns the current Vault token if available. The returned value holds the store's Vault token and must be handled as a secret: do not log it or serialize it outside the redacting wrapper types.
type CredentialStoreCleanupJob ¶
type CredentialStoreCleanupJob struct {
// contains filtered or unexported fields
}
CredentialStoreCleanupJob is the recurring job that deletes Vault credential stores that have been soft deleted and whose tokens have been revoked or have expired. The CredentialStoreCleanupJob is not thread safe: an attempt to Run the job concurrently will result in a JobAlreadyRunning error.
func (*CredentialStoreCleanupJob) Description ¶
func (r *CredentialStoreCleanupJob) Description() string
Description is the human readable description of the job.
func (*CredentialStoreCleanupJob) Name ¶
func (r *CredentialStoreCleanupJob) Name() string
Name is the unique name of the job.
func (*CredentialStoreCleanupJob) NextRunIn ¶
NextRunIn determines when the next credential store cleanup job should run.
func (*CredentialStoreCleanupJob) Run ¶
func (r *CredentialStoreCleanupJob) Run(ctx context.Context) error
Run deletes all Vault credential stores in the repo that have been soft deleted. (The type description above additionally requires the store's tokens to have been revoked or expired before the store is hard-deleted; confirm that precondition against the implementation.) It cannot be run in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning is returned.
func (*CredentialStoreCleanupJob) Status ¶
func (r *CredentialStoreCleanupJob) Status() scheduler.JobStatus
Status returns the current status of the credential store cleanup job.
type KeySecret ¶
// KeySecret holds the private key of a Vault client certificate. It wraps the
// raw bytes so the key is redacted by MarshalJSON instead of leaking into
// logs, errors, or serialized output.
type KeySecret []byte
KeySecret holds the private key of a Vault client certificate. The type exists as a wrapper so the key is not inadvertently leaked into a log, error message, or JSON output (see MarshalJSON).
func (KeySecret) MarshalJSON ¶
MarshalJSON redacts the KeySecret so the private key never appears in JSON output. Only JSON marshaling is documented as redacted here; confirm that fmt-style formatting (%v, %s, %x) of a KeySecret is also redacted before passing one to a logger or wrapping it in an error.
type MappingOverride ¶ added in v0.7.4
type MappingOverride interface {
// contains filtered or unexported methods
}
A MappingOverride is an interface holding one of the mapping override types: UserPasswordOverride.
type Method ¶
// Method represents an HTTP method used when communicating with Vault.
type Method string
A Method represents an HTTP method used for communicating with Vault.
type Option ¶
// Option mutates the package's unexported options struct; values are created
// with the With* functions and passed variadically to constructors and
// repository methods.
type Option func(*options)
Option - how Options are passed as arguments.
func WithCACert ¶
WithCACert provides an optional PEM-encoded CA certificate used to verify the Vault server's TLS certificate. Supplying a CA certificate is the correct way to connect to a Vault server that uses a private CA; do not use WithTlsSkipVerify for that purpose.
func WithClientCert ¶
func WithClientCert(clientCert *ClientCertificate) Option
WithClientCert provides an optional ClientCertificate (certificate and private key) to present to the Vault server for mutual TLS (client certificate) authentication.
func WithCredentialType ¶ added in v0.7.4
func WithCredentialType(t credential.Type) Option
WithCredentialType provides an optional credential type to associate with a credential library.
func WithDescription ¶
WithDescription provides an optional description.
func WithLimit ¶
WithLimit provides an optional limit on the number of results returned by the List methods. Negative integers are intentionally allowed: if the limit is less than 0, unlimited results are returned; if it is 0, the default limit is used.
func WithMappingOverride ¶ added in v0.7.4
func WithMappingOverride(m MappingOverride) Option
WithMappingOverride provides an optional mapping override to use for mapping the Data fields of a Vault api.Secret to a credential.
func WithMethod ¶
WithMethod provides an optional Method to use for communicating with Vault.
func WithNamespace ¶
WithNamespace provides an optional Vault namespace.
func WithOverridePasswordAttribute ¶ added in v0.7.4
WithOverridePasswordAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a password value.
func WithOverrideUsernameAttribute ¶ added in v0.7.4
WithOverrideUsernameAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a username value.
func WithRequestBody ¶
WithRequestBody provides an optional request body to send to Vault when requesting credentials with the HTTP POST method.
func WithTlsServerName ¶
WithTlsServerName provides an optional name to use as the SNI host when connecting to Vault via TLS.
func WithTlsSkipVerify ¶
WithTlsSkipVerify provides an option to disable verification of the Vault server's TLS certificate when connecting to Vault. Using this option is strongly discouraged: with verification disabled, an attacker on the network path can impersonate the Vault server and capture the store's Vault token and every credential issued through it. Use WithCACert (and WithTlsServerName where the certificate name differs from the address) instead.
type Repository ¶
type Repository struct {
// contains filtered or unexported fields
}
A Repository stores and retrieves the persistent types in the vault package. It is not safe to use a repository concurrently.
func NewRepository ¶
func NewRepository(r db.Reader, w db.Writer, kms *kms.Kms, scheduler *scheduler.Scheduler, opt ...Option) (*Repository, error)
NewRepository creates a new Repository. The returned repository should only be used for one transaction and it is not safe for concurrent go routines to access it. WithLimit option is used as a repo wide default limit applied to all ListX methods.
func (*Repository) CreateCredentialLibrary ¶
func (r *Repository) CreateCredentialLibrary(ctx context.Context, scopeId string, l *CredentialLibrary, _ ...Option) (*CredentialLibrary, error)
CreateCredentialLibrary inserts l into the repository and returns a new CredentialLibrary containing the credential library's PublicId. l is not changed. l must contain a valid StoreId. l must not contain a PublicId. The PublicId is generated and assigned by this method.
Both l.Name and l.Description are optional. If l.Name is set, it must be unique within l.StoreId.
Both l.CreateTime and l.UpdateTime are ignored.
func (*Repository) CreateCredentialStore ¶
func (r *Repository) CreateCredentialStore(ctx context.Context, cs *CredentialStore, _ ...Option) (*CredentialStore, error)
CreateCredentialStore inserts cs into the repository and returns a new CredentialStore containing the credential store's PublicId. cs is not changed. cs must not contain a PublicId. The PublicId is generated and assigned by this method. cs must contain a valid ScopeId, VaultAddress, and Vault token. The Vault token must be renewable, periodic, and orphan: orphan so that revoking the token that created it does not also revoke the store's token, and periodic and renewable so the store can keep renewing it indefinitely without hitting a maximum TTL. The token's policies should be limited to the paths the store's credential libraries read plus the token self-management endpoints used here (the exact minimum policy is not documented on this page). CreateCredentialStore calls the /auth/token/renew-self and /auth/token/lookup-self Vault endpoints.
Both cs.Name and cs.Description are optional. If cs.Name is set, it must be unique within cs.ScopeId. Both cs.CreateTime and cs.UpdateTime are ignored.
For more information about the required properties of the Vault token see: https://www.vaultproject.io/api-docs/auth/token#period, https://www.vaultproject.io/api-docs/auth/token#renewable, https://www.vaultproject.io/docs/concepts/tokens#token-hierarchies-and-orphan-tokens, https://www.vaultproject.io/docs/concepts/tokens#periodic-tokens, and https://www.vaultproject.io/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls.
For more information about the Vault endpoints called by CreateCredentialStore see: https://www.vaultproject.io/api-docs/auth/token#renew-a-token-self and https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self.
func (*Repository) DeleteCredentialLibrary ¶
func (r *Repository) DeleteCredentialLibrary(ctx context.Context, scopeId string, publicId string, _ ...Option) (int, error)
DeleteCredentialLibrary deletes publicId from the repository and returns the number of records deleted.
func (*Repository) DeleteCredentialStore ¶
func (r *Repository) DeleteCredentialStore(ctx context.Context, publicId string, _ ...Option) (int, error)
DeleteCredentialStore deletes publicId from the repository and returns the number of records deleted. All options are ignored.
func (*Repository) Issue ¶
func (r *Repository) Issue(ctx context.Context, sessionId string, requests []credential.Request) ([]credential.Dynamic, error)
Issue requests dynamic credentials from Vault for each of the requests, assigns them to sessionId, and returns them. The returned credentials contain live secrets and Vault lease data; callers must not log them and should rely on Revoke (or the revocation job) to release them when the session ends.
func (*Repository) ListCredentialLibraries ¶
func (r *Repository) ListCredentialLibraries(ctx context.Context, storeId string, opt ...Option) ([]*CredentialLibrary, error)
ListCredentialLibraries returns a slice of CredentialLibraries for the storeId. WithLimit is the only option supported.
func (*Repository) ListCredentialStores ¶
func (r *Repository) ListCredentialStores(ctx context.Context, scopeIds []string, opt ...Option) ([]*CredentialStore, error)
ListCredentialStores returns a slice of CredentialStores for the scopeIds. WithLimit is the only option supported.
func (*Repository) LookupCredentialLibrary ¶
func (r *Repository) LookupCredentialLibrary(ctx context.Context, publicId string, _ ...Option) (*CredentialLibrary, error)
LookupCredentialLibrary returns the CredentialLibrary for publicId. Returns nil, nil if no CredentialLibrary is found for publicId.
func (*Repository) LookupCredentialStore ¶
func (r *Repository) LookupCredentialStore(ctx context.Context, publicId string, _ ...Option) (*CredentialStore, error)
LookupCredentialStore returns the CredentialStore for publicId. Returns nil, nil if no CredentialStore is found for publicId.
func (*Repository) Revoke ¶
func (r *Repository) Revoke(ctx context.Context, sessionId string) error
Revoke revokes all dynamic credentials issued from Vault for sessionId.
func (*Repository) UpdateCredentialLibrary ¶
func (r *Repository) UpdateCredentialLibrary(ctx context.Context, scopeId string, l *CredentialLibrary, version uint32, fieldMaskPaths []string, _ ...Option) (*CredentialLibrary, int, error)
UpdateCredentialLibrary updates the repository entry for l.PublicId with the values in l for the fields listed in fieldMaskPaths. It returns a new CredentialLibrary containing the updated values and a count of the number of records updated. l is not changed.
l must contain a valid PublicId. Only Name, Description, VaultPath, HttpMethod, HttpRequestBody, and MappingOverride can be updated. If l.Name is set to a non-empty string, it must be unique within l.StoreId.
An attribute of l is set to NULL in the database if the attribute in l is the zero value and it is included in fieldMaskPaths, except for HttpMethod. If HttpMethod is in fieldMaskPaths but l.HttpMethod is not set, it is set to the value "GET". If storage has a value for HttpRequestBody when l.HttpMethod is set to GET, the update fails.
func (*Repository) UpdateCredentialStore ¶
func (r *Repository) UpdateCredentialStore(ctx context.Context, cs *CredentialStore, version uint32, fieldMaskPaths []string, _ ...Option) (*CredentialStore, int, error)
UpdateCredentialStore updates the repository entry for cs.PublicId with the values in cs for the fields listed in fieldMaskPaths. It returns a new CredentialStore containing the updated values and a count of the number of records updated. cs is not changed.
cs must contain a valid PublicId. Only Name, Description, Namespace, TlsServerName, TlsSkipVerify, CaCert, VaultAddress, ClientCertificate, ClientCertificateKey, and Token can be changed. If cs.Name is set to a non-empty string, it must be unique within cs.ScopeId. If Token is changed, the new token must have the properties required by CreateCredentialStore, and UpdateCredentialStore calls the same Vault endpoints described there. Note that updating TlsSkipVerify, CaCert, or VaultAddress changes how the Vault server is authenticated for every credential library in the store, so such updates should be treated as privileged operations. This page does not state whether a replaced Token is revoked in Vault; see TokenRevocationJob.
An attribute of cs will be set to NULL in the database if the attribute in cs is the zero value and it is included in fieldMaskPaths.
type TestDatabase ¶
// TestDatabase is returned from MountDatabase and can be used to test database
// credentials returned by Vault for that mount.
type TestDatabase struct {
	// URL is a connection string with placeholders for the username and
	// password of the database started by MountDatabase.
	URL TestDatabaseURL
}
TestDatabase is returned from MountDatabase and can be used to test database credentials returned by Vault for that mount.
func (*TestDatabase) ValidateCredential ¶
ValidateCredential tests the credentials in s against d. An error is returned if the credentials are not valid.
type TestDatabaseURL ¶
// TestDatabaseURL is a connection string with placeholders for username and
// password to the database started by MountDatabase.
type TestDatabaseURL string
TestDatabaseURL is a connection string with place holders for username and password to the database started by MountDatabase.
type TestOption ¶
TestOption - how Options are passed as arguments.
func TestOrphanToken ¶
func TestOrphanToken(b bool) TestOption
TestOrphanToken sets the token orphan option to b. The orphan option is true by default.
func TestPeriodicToken ¶
func TestPeriodicToken(b bool) TestOption
TestPeriodicToken sets the token periodic option to b. The periodic option is true by default.
func TestRenewableToken ¶
func TestRenewableToken(b bool) TestOption
TestRenewableToken sets the token renewable option to b. The renewable option is true by default.
func WithClientKey ¶
func WithClientKey(k *ecdsa.PrivateKey) TestOption
WithClientKey sets the private key that will be used to generate the client certificate. The option is only valid when used together with TestClientTLS.
func WithDockerNetwork ¶
func WithDockerNetwork(b bool) TestOption
WithDockerNetwork sets the option to create docker network when creating a Vault test server. The default is to not create a docker network.
func WithDontCleanUp ¶
func WithDontCleanUp() TestOption
WithDontCleanUp causes the created resource to not be automatically cleaned up at the end of the test run.
func WithPolicies ¶
func WithPolicies(p []string) TestOption
WithPolicies sets the policies to attach to a token. The default policy attached to tokens is 'default'.
func WithTestMountPath ¶
func WithTestMountPath(p string) TestOption
WithTestMountPath sets the mount path option to p.
func WithTestRoleName ¶
func WithTestRoleName(n string) TestOption
WithTestRoleName sets the role name to n. The default role name is boundary.
func WithTestVaultTLS ¶
func WithTestVaultTLS(s TestVaultTLS) TestOption
WithTestVaultTLS sets the Vault TLS option. TestNoTLS is the default TLS option.
func WithTokenPeriod ¶
func WithTokenPeriod(d time.Duration) TestOption
WithTokenPeriod sets the period value in a vault.TokenCreateRequest when the token being requested is a periodic token. The default token period is derived from t.Deadline(), or 24 hours if the test has no deadline.
type TestVaultServer ¶
// TestVaultServer is a Vault server running in a docker container suitable for
// testing. RootToken and ClientKey are secrets for the test instance only and
// must never be reused outside the test.
type TestVaultServer struct {
	// RootToken is the root token of the test server; CreateToken uses it.
	RootToken string
	// Addr is the server address; it begins with http:// under TestNoTLS and
	// https:// under TestServerTLS/TestClientTLS.
	Addr string
	// CaCert is the CA certificate that issued the server certificate
	// (populated for TestServerTLS and TestClientTLS).
	CaCert []byte
	// ServerCert is presumably the server's TLS certificate issued from CaCert
	// (not documented on this page; confirm).
	ServerCert []byte
	// ClientCert and ClientKey are the client certificate and its private key
	// issued for mTLS when TestClientTLS is used.
	ClientCert []byte
	ClientKey  []byte
	// contains filtered or unexported fields
}
TestVaultServer is a vault server running in a docker container suitable for testing.
func NewTestVaultServer ¶
func NewTestVaultServer(t *testing.T, opt ...TestOption) *TestVaultServer
NewTestVaultServer creates and returns a TestVaultServer. Some Vault secret engines require the Vault server be created with a docker network. Check the Mount method for the Vault secret engine to see if a docker network is required.
WithTestVaultTLS and WithDockerNetwork are the only valid options. Setting the WithDockerNetwork option can significantly increase the amount of time required for a test to run.
func (*TestVaultServer) AddKVPolicy ¶ added in v0.7.3
func (v *TestVaultServer) AddKVPolicy(t *testing.T, _ ...TestOption)
AddKVPolicy adds a Vault policy named 'secret' to v and adds it to the standard set of policies attached to tokens created with v.CreateToken. The policy is defined as:
path "secret/*" { capabilities = ["create", "read", "update", "delete", "list"] }
All options are ignored. The policy grants every capability on the whole secret/ mount and is intended for tests only; a production token should be scoped to the specific paths the store's credential libraries read.
func (*TestVaultServer) CreateKVSecret ¶ added in v0.7.3
CreateKVSecret calls the /secret/data/:p endpoint with the provided data. Please note for KV-v2 the provided data needs to be in JSON format similar to: `{"data": {"key": "value", "key2": "value2"}}` See https://www.vaultproject.io/api-docs/secret/kv/kv-v2#create-update-secret
func (*TestVaultServer) CreateToken ¶
func (v *TestVaultServer) CreateToken(t *testing.T, opt ...TestOption) (*vault.Secret, string)
CreateToken creates a new Vault token by calling /auth/token/create on v using v.RootToken. It returns the vault secret containing the token and the token itself. Because the root token is used, the created token may carry any policy; this is suitable only for tests. See https://www.vaultproject.io/api-docs/auth/token#create-token.
func (*TestVaultServer) LookupLease ¶
LookupLease calls the /sys/leases/lookup Vault endpoint and returns the vault.Secret response. See https://www.vaultproject.io/api-docs/system/leases#read-lease.
func (*TestVaultServer) LookupToken ¶
LookupToken calls /auth/token/lookup on v for the token. See https://www.vaultproject.io/api-docs/auth/token#lookup-a-token.
func (*TestVaultServer) MountDatabase ¶
func (v *TestVaultServer) MountDatabase(t *testing.T, opt ...TestOption) *TestDatabase
MountDatabase starts a PostgreSQL database in a docker container then mounts the Vault database secrets engine and configures it to issue credentials for the database.
MountDatabase also adds a Vault policy named 'database' to v and adds it to the standard set of policies attached to tokens created with v.CreateToken. The policy is defined as:
path "mountPath/*" { capabilities = ["create", "read", "update", "delete", "list"] }
MountDatabase returns a TestDatabase for testing credentials from the mount.
func (*TestVaultServer) MountPKI ¶
func (v *TestVaultServer) MountPKI(t *testing.T, opt ...TestOption) *vault.Secret
MountPKI mounts the Vault PKI secret engine and initializes it by generating a root certificate authority and creating a default role on the mount. The root CA is returned.
The default mount path is pki and the default role name is boundary. WithTestMountPath and WithTestRoleName are the only test options supported.
MountPKI also adds a Vault policy named 'pki' to v and adds it to the standard set of policies attached to tokens created with v.CreateToken. The policy is defined as:
path "mountPath/*" { capabilities = ["create", "read", "update", "delete", "list"] }
func (*TestVaultServer) VerifyTokenInvalid ¶
func (v *TestVaultServer) VerifyTokenInvalid(t *testing.T, token string)
VerifyTokenInvalid calls /auth/token/lookup on v for the token. It expects the lookup to fail with a StatusForbidden. See https://www.vaultproject.io/api-docs/auth/token#lookup-a-token.
type TestVaultTLS ¶
type TestVaultTLS int
TestVaultTLS represents the TLS configuration level of a TestVaultServer.
const (
	// TestNoTLS disables TLS. The test server Addr begins with http://.
	TestNoTLS TestVaultTLS = iota // no TLS

	// TestServerTLS configures the Vault test server listener to use TLS.
	// A CA certificate is generated and a server certificate is issued
	// from the CA certificate. The CA certificate is available in the
	// CaCert field of the TestVaultServer. The test server Addr begins
	// with https://.
	TestServerTLS

	// TestClientTLS configures the Vault test server listener to require a
	// client certificate for mTLS and includes all of the settings from
	// TestServerTLS. A second CA certificate is generated and a client
	// certificate is issued from this CA certificate. The client
	// certificate and the client certificate key are available in the
	// ClientCert and ClientKey fields of the TestVaultServer
	// respectively.
	TestClientTLS
)
type Token ¶
Token contains a vault token. It is owned by a credential store.
func (*Token) SetTableName ¶
SetTableName sets the table name.
type TokenRenewalJob ¶
type TokenRenewalJob struct {
// contains filtered or unexported fields
}
TokenRenewalJob is the recurring job that renews credential store Vault tokens that are in the `current` and `maintaining` states. The TokenRenewalJob is not thread safe; an attempt to Run the job concurrently results in a JobAlreadyRunning error.
func (*TokenRenewalJob) Description ¶
func (r *TokenRenewalJob) Description() string
Description is the human readable description of the job.
func (*TokenRenewalJob) Name ¶
func (r *TokenRenewalJob) Name() string
Name is the unique name of the job.
func (*TokenRenewalJob) NextRunIn ¶
NextRunIn queries the vault credential repo to determine when the next token renewal job should run.
func (*TokenRenewalJob) Run ¶
func (r *TokenRenewalJob) Run(ctx context.Context) error
Run queries the vault credential repo for tokens that need to be renewed, then creates a vault client and renews each token. Run cannot be invoked in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning is returned.
func (*TokenRenewalJob) Status ¶
func (r *TokenRenewalJob) Status() scheduler.JobStatus
Status returns the current status of the token renewal job. Total is the total number of tokens that are set to be renewed. Completed is the number of tokens already renewed.
type TokenRevocationJob ¶
type TokenRevocationJob struct {
// contains filtered or unexported fields
}
TokenRevocationJob is the recurring job that revokes credential store Vault tokens that are in the `maintaining` state and have no credentials being used by an active or pending session. The TokenRevocationJob is not thread safe; an attempt to Run the job concurrently results in a JobAlreadyRunning error.
func (*TokenRevocationJob) Description ¶
func (r *TokenRevocationJob) Description() string
Description is the human readable description of the job.
func (*TokenRevocationJob) Name ¶
func (r *TokenRevocationJob) Name() string
Name is the unique name of the job.
func (*TokenRevocationJob) NextRunIn ¶
NextRunIn determines when the next token revocation job should run.
func (*TokenRevocationJob) Run ¶
func (r *TokenRevocationJob) Run(ctx context.Context) error
Run queries the vault credential repo for tokens that need to be revoked, then creates a vault client and revokes each token. Run cannot be invoked in parallel; if Run is invoked while already running, an error with code JobAlreadyRunning is returned.
func (*TokenRevocationJob) Status ¶
func (r *TokenRevocationJob) Status() scheduler.JobStatus
Status returns the current status of the token revocation job. Total is the total number of tokens that are set to be revoked. Completed is the number of tokens already revoked.
type TokenSecret ¶
type TokenSecret []byte
TokenSecret holds a Vault token. The type wraps the raw token bytes so that the secret is redacted, rather than inadvertently leaked, when it is formatted into a log message, an error, or JSON output.
func (TokenSecret) GoString ¶
func (s TokenSecret) GoString() string
GoString will redact the TokenSecret.
func (TokenSecret) MarshalJSON ¶
func (s TokenSecret) MarshalJSON() ([]byte, error)
MarshalJSON will redact the TokenSecret.
func (TokenSecret) String ¶
func (s TokenSecret) String() string
String will redact the TokenSecret.
type TokenStatus ¶
type TokenStatus string
A TokenStatus represents the status of a vault token.
const (
	// CurrentToken represents a vault token for a credential store that is
	// used for retrieving credentials. Tokens in this state are renewed
	// before they expire. A credential store can have only one current
	// token.
	CurrentToken TokenStatus = "current"

	// MaintainingToken represents a vault token that is no longer being
	// used for retrieving credentials but is being renewed because it was
	// used to retrieve credentials which are still being used in a
	// session. After the dependent sessions are terminated, the token is
	// revoked in Vault and the status transitions to RevokedToken.
	MaintainingToken TokenStatus = "maintaining"

	// RevokeToken represents a token that should be revoked.
	RevokeToken TokenStatus = "revoke"

	// RevokedToken represents a token that has been revoked. This is a
	// terminal status. It does not transition to ExpiredToken.
	RevokedToken TokenStatus = "revoked"

	// ExpiredToken represents a token that expired. This is a terminal
	// status. It does not transition to RevokedToken.
	ExpiredToken TokenStatus = "expired"
)
type UserPasswordOverride ¶ added in v0.7.4
type UserPasswordOverride struct { *store.UserPasswordOverride // contains filtered or unexported fields }
A UserPasswordOverride contains optional values that override the default field mappings used when mapping a Vault secret to a UserPassword credential for the credential library that owns it.
func NewUserPasswordOverride ¶ added in v0.7.4
func NewUserPasswordOverride(opt ...Option) *UserPasswordOverride
NewUserPasswordOverride creates a new in memory UserPasswordOverride. WithOverrideUsernameAttribute and WithOverridePasswordAttribute are the only valid options. All other options are ignored.
func (*UserPasswordOverride) SetTableName ¶ added in v0.7.4
func (o *UserPasswordOverride) SetTableName(n string)
SetTableName sets the table name.
func (*UserPasswordOverride) TableName ¶ added in v0.7.4
func (o *UserPasswordOverride) TableName() string
TableName returns the table name.
Source Files ¶
- client_certificate.go
- credential.go
- credential_library.go
- credential_store.go
- doc.go
- docker.go
- fields.go
- jobs.go
- mapping_overriders.go
- options.go
- private_credential.go
- private_library.go
- private_store.go
- public_ids.go
- query.go
- repository.go
- repository_credential_library.go
- repository_credential_store.go
- repository_credentials.go
- secret.go
- supported.go
- testing.go
- vault.go
- vault_capabilities.go
- vault_token.go
Directories ¶
Path | Synopsis |
---|---|
internal
userpassword
Package userpassword provides access to the username and password stored in a Vault secret.