vault

package
v0.9.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 6, 2022 License: MPL-2.0 Imports: 51 Imported by: 0

Documentation

Overview

Package vault provides access to credentials retrieved from a Vault server.

Index

Constants

View Source
const (
	CredentialStorePrefix   = "csvlt"
	CredentialLibraryPrefix = "clvlt"
	DynamicCredentialPrefix = "cdvlt"

	Subtype = subtypes.Subtype("vault")
)

PublicId prefixes for the resources in the vault package.

View Source
const DefaultVaultVersion = "1.7.2"
View Source
const (

	// MappingOverrideField represents the field mask indicating a mapping override
	// update has been requested.
	MappingOverrideField = "MappingOverride"
)

These constants are the field names used in the vault related field masks.

Variables

This section is empty.

Functions

func RegisterJobs

func RegisterJobs(ctx context.Context, scheduler *scheduler.Scheduler, r db.Reader, w db.Writer, kms *kms.Kms) error

Types

type ClientCertificate

type ClientCertificate struct {
	*store.ClientCertificate
	// contains filtered or unexported fields
}

ClientCertificate contains a client certificate and a private key for the certificate. It is owned by a credential store.

func NewClientCertificate

func NewClientCertificate(certificate []byte, key KeySecret) (*ClientCertificate, error)

NewClientCertificate creates a new in memory ClientCertificate.

func (*ClientCertificate) SetTableName

func (c *ClientCertificate) SetTableName(n string)

SetTableName sets the table name.

func (*ClientCertificate) TableName

func (c *ClientCertificate) TableName() string

TableName returns the table name.

type Credential

type Credential struct {
	*store.Credential
	// contains filtered or unexported fields
}

A Credential contains the data for a Vault lease. It is owned by a credential library.

func TestCredentials

func TestCredentials(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, libraryId, sessionId string, count int) []*Credential

TestCredentials creates count number of vault credentials in the provided DB with the provided library id and session id. If any errors are encountered during the creation of the credentials, the test will fail.

func (*Credential) SetTableName

func (c *Credential) SetTableName(n string)

SetTableName sets the table name.

func (*Credential) TableName

func (c *Credential) TableName() string

TableName returns the table name.

type CredentialCleanupJob

type CredentialCleanupJob struct {
	// contains filtered or unexported fields
}

CredentialCleanupJob is the recurring job that deletes Vault credentials that are no longer attached to a session (have a null session_id) and are not active. The CredentialCleanupJob is not thread safe, an attempt to Run the job concurrently will result in an JobAlreadyRunning error.

func (*CredentialCleanupJob) Description

func (r *CredentialCleanupJob) Description() string

Description is the human readable description of the job.

func (*CredentialCleanupJob) Name

func (r *CredentialCleanupJob) Name() string

Name is the unique name of the job.

func (*CredentialCleanupJob) NextRunIn

NextRunIn determine when the next credential cleanup job should run.

func (*CredentialCleanupJob) Run

Run deletes all Vault credential in the repo that have a null session_id and are not active. Can not be run in parallel, if Run is invoked while already running an error with code JobAlreadyRunning will be returned.

func (*CredentialCleanupJob) Status

Status returns the current status of the credential cleanup job.

type CredentialLibrary

type CredentialLibrary struct {
	*store.CredentialLibrary

	MappingOverride MappingOverride `gorm:"-"`
	// contains filtered or unexported fields
}

A CredentialLibrary contains a Vault path and is owned by a credential store.

func NewCredentialLibrary

func NewCredentialLibrary(storeId string, vaultPath string, opt ...Option) (*CredentialLibrary, error)

NewCredentialLibrary creates a new in memory CredentialLibrary for a Vault backend at vaultPath assigned to storeId. Name, description, method, request body, credential type, and mapping override are the only valid options. All other options are ignored.

func TestCredentialLibraries

func TestCredentialLibraries(t testing.TB, conn *db.DB, _ wrapping.Wrapper, storeId string, count int) []*CredentialLibrary

TestCredentialLibraries creates count number of vault credential libraries in the provided DB with the provided store id. If any errors are encountered during the creation of the credential libraries, the test will fail.

func (*CredentialLibrary) CredentialType added in v0.7.4

func (l *CredentialLibrary) CredentialType() credential.Type

CredentialType returns the type of credential the library retrieves.

func (*CredentialLibrary) SetTableName

func (l *CredentialLibrary) SetTableName(n string)

SetTableName sets the table name.

func (*CredentialLibrary) TableName

func (l *CredentialLibrary) TableName() string

TableName returns the table name.

type CredentialRenewalJob

type CredentialRenewalJob struct {
	// contains filtered or unexported fields
}

CredentialRenewalJob is the recurring job that renews Vault credentials issued to a session. The CredentialRenewalJob is not thread safe, an attempt to Run the job concurrently will result in an JobAlreadyRunning error.

func (*CredentialRenewalJob) Description

func (r *CredentialRenewalJob) Description() string

Description is the human readable description of the job.

func (*CredentialRenewalJob) Name

func (r *CredentialRenewalJob) Name() string

Name is the unique name of the job.

func (*CredentialRenewalJob) NextRunIn

func (r *CredentialRenewalJob) NextRunIn(ctx context.Context) (time.Duration, error)

NextRunIn queries the vault credential repo to determine when the next credential renewal job should run.

func (*CredentialRenewalJob) Run

Run queries the vault credential repo for credentials that need to be renewed, it then creates a vault client and renews each credential. Can not be run in parallel, if Run is invoked while already running an error with code JobAlreadyRunning will be returned.

func (*CredentialRenewalJob) Status

Status returns the current status of the credential renewal job. Total is the total number of credentials that are set to be renewed. Completed is the number of credential already renewed.

type CredentialRevocationJob

type CredentialRevocationJob struct {
	// contains filtered or unexported fields
}

CredentialRevocationJob is the recurring job that revokes Vault credentials that are no longer being used by an active or pending session. The CredentialRevocationJob is not thread safe, an attempt to Run the job concurrently will result in an JobAlreadyRunning error.

func (*CredentialRevocationJob) Description

func (r *CredentialRevocationJob) Description() string

Description is the human readable description of the job.

func (*CredentialRevocationJob) Name

func (r *CredentialRevocationJob) Name() string

Name is the unique name of the job.

func (*CredentialRevocationJob) NextRunIn

NextRunIn determine when the next credential revocation job should run.

func (*CredentialRevocationJob) Run

Run queries the vault credential repo for credentials that need to be revoked, it then creates a vault client and revokes each credential. Can not be run in parallel, if Run is invoked while already running an error with code JobAlreadyRunning will be returned.

func (*CredentialRevocationJob) Status

Status returns the current status of the credential revocation job. Total is the total number of credentials that are set to be revoked. Completed is the number of credentials already revoked.

type CredentialStatus

type CredentialStatus string

A CredentialStatus represents the status of a vault credential.

const (
	// ActiveCredential represents a vault credential that is being used in
	// an active session. Credentials in this state are renewed before they
	// expire.
	ActiveCredential CredentialStatus = "active"

	// RevokeCredential represents a vault credential that needs to be
	// revoked.
	RevokeCredential CredentialStatus = "revoke"

	// RevokedCredential represents a credential that has been revoked. This is a
	// terminal status. It does not transition to ExpiredCredential.
	RevokedCredential CredentialStatus = "revoked"

	// ExpiredCredential represents a credential that expired. This is a terminal
	// status. It does not transition to RevokedCredential.
	ExpiredCredential CredentialStatus = "expired"

	// UnknownCredentialStatus represents a credential that has an unknown
	// status.
	UnknownCredentialStatus CredentialStatus = "unknown"
)

type CredentialStore

type CredentialStore struct {
	*store.CredentialStore
	// contains filtered or unexported fields
}

A CredentialStore contains credential libraries. It is owned by a scope.

func NewCredentialStore

func NewCredentialStore(scopeId string, vaultAddress string, token TokenSecret, opt ...Option) (*CredentialStore, error)

NewCredentialStore creates a new in memory CredentialStore for a Vault server at vaultAddress assigned to scopeId. Name, description, CA cert, client cert, namespace, TLS server name, and TLS skip verify are the only valid options. All other options are ignored.

func TestCredentialStore

func TestCredentialStore(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, scopeId, vaultAddr, vaultToken, accessor string, opts ...Option) *CredentialStore

TestCredentialStore creates a vault credential store in the provided DB with the provided scope, vault address, token, and accessor and any values passed in through the Options vargs. If any errors are encountered during the creation of the store, the test will fail.

func TestCredentialStores

func TestCredentialStores(t testing.TB, conn *db.DB, wrapper wrapping.Wrapper, scopeId string, count int) []*CredentialStore

TestCredentialStores creates count number of vault credential stores in the provided DB with the provided scope id. If any errors are encountered during the creation of the credential stores, the test will fail.

func (*CredentialStore) ClientCertificate

func (cs *CredentialStore) ClientCertificate() *ClientCertificate

ClientCertificate returns the client certificate if available.

func (*CredentialStore) SetTableName

func (cs *CredentialStore) SetTableName(n string)

SetTableName sets the table name.

func (*CredentialStore) TableName

func (cs *CredentialStore) TableName() string

TableName returns the table name.

func (*CredentialStore) Token

func (cs *CredentialStore) Token() *Token

Token returns the current vault token if available.

type CredentialStoreCleanupJob

type CredentialStoreCleanupJob struct {
	// contains filtered or unexported fields
}

CredentialStoreCleanupJob is the recurring job that deletes Vault credential stores that have been soft deleted and tokens have been revoked or expired. The CredentialStoreCleanupJob is not thread safe, an attempt to Run the job concurrently will result in an JobAlreadyRunning error.

func (*CredentialStoreCleanupJob) Description

func (r *CredentialStoreCleanupJob) Description() string

Description is the human readable description of the job.

func (*CredentialStoreCleanupJob) Name

Name is the unique name of the job.

func (*CredentialStoreCleanupJob) NextRunIn

NextRunIn determine when the next credential store cleanup job should run.

func (*CredentialStoreCleanupJob) Run

Run deletes all vault credential stores in the repo that have been soft deleted. Can not be run in parallel, if Run is invoked while already running an error with code JobAlreadyRunning will be returned.

func (*CredentialStoreCleanupJob) Status

Status returns the current status of the credential store cleanup job.

type KeySecret

type KeySecret []byte

KeySecret equals a Vault client certificate private key. This type provides a wrapper so the secret isn't inadvertently leaked into a log or error.

func (KeySecret) GoString

func (s KeySecret) GoString() string

GoString will redact the TokenSecret.

func (KeySecret) MarshalJSON

func (s KeySecret) MarshalJSON() ([]byte, error)

MarshalJSON will redact the TokenSecret.

func (KeySecret) String

func (s KeySecret) String() string

String will redact the TokenSecret.

type MappingOverride added in v0.7.4

type MappingOverride interface {
	// contains filtered or unexported methods
}

A MappingOverride is an interface holding one of the mapping override types: UsernamePasswordOverride.

type Method

type Method string

A Method represents an HTTP method used for communicating with Vault.

const (
	MethodGet  Method = "GET"
	MethodPost Method = "POST"
)

HTTP methods use for communicating with Vault.

type Option

type Option func(*options)

Option - how Options are passed as arguments.

func WithCACert

func WithCACert(cert []byte) Option

WithCACert provides an optional PEM-encoded certificate to verify the Vault server's SSL certificate.

func WithClientCert

func WithClientCert(clientCert *ClientCertificate) Option

WithClientCert provides an optional ClientCertificate to use for TLS authentication to a Vault server.

func WithCredentialType added in v0.7.4

func WithCredentialType(t credential.Type) Option

WithCredentialType provides an optional credential type to associate with a credential library.

func WithDescription

func WithDescription(desc string) Option

WithDescription provides an optional description.

func WithLimit

func WithLimit(l int) Option

WithLimit provides an option to provide a limit. Intentionally allowing negative integers. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results.

func WithMappingOverride added in v0.7.4

func WithMappingOverride(m MappingOverride) Option

WithMappingOverride provides an optional mapping override to use for mapping the Data fields of a Vault api.Secret to a credential.

func WithMethod

func WithMethod(m Method) Option

WithMethod provides an optional Method to use for communicating with Vault.

func WithName

func WithName(name string) Option

WithName provides an optional name.

func WithNamespace

func WithNamespace(namespace string) Option

WithNamespace provides an optional Vault namespace.

func WithOverridePasswordAttribute added in v0.7.4

func WithOverridePasswordAttribute(s string) Option

WithOverridePasswordAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a password value.

func WithOverrideUsernameAttribute added in v0.7.4

func WithOverrideUsernameAttribute(s string) Option

WithOverrideUsernameAttribute provides the name of an attribute in the Data field of a Vault api.Secret that maps to a username value.

func WithRequestBody

func WithRequestBody(b []byte) Option

WithRequestBody provides an optional request body for sending to Vault when requesting credentials using HTTP Post.

func WithTlsServerName

func WithTlsServerName(name string) Option

WithTlsServerName provides an optional name to use as the SNI host when connecting to Vault via TLS.

func WithTlsSkipVerify

func WithTlsSkipVerify(skipVerify bool) Option

WithTlsSkipVerify provides an option to disable verification of TLS certificates when connection to Vault. Using this option is highly discouraged as it decreases the security of data transmissions to and from the Vault server.

type Repository

type Repository struct {
	// contains filtered or unexported fields
}

A Repository stores and retrieves the persistent types in the vault package. It is not safe to use a repository concurrently.

func NewRepository

func NewRepository(r db.Reader, w db.Writer, kms *kms.Kms, scheduler *scheduler.Scheduler, opt ...Option) (*Repository, error)

NewRepository creates a new Repository. The returned repository should only be used for one transaction and it is not safe for concurrent go routines to access it. WithLimit option is used as a repo wide default limit applied to all ListX methods.

func (*Repository) CreateCredentialLibrary

func (r *Repository) CreateCredentialLibrary(ctx context.Context, scopeId string, l *CredentialLibrary, _ ...Option) (*CredentialLibrary, error)

CreateCredentialLibrary inserts l into the repository and returns a new CredentialLibrary containing the credential library's PublicId. l is not changed. l must contain a valid StoreId. l must not contain a PublicId. The PublicId is generated and assigned by this method.

Both l.Name and l.Description are optional. If l.Name is set, it must be unique within l.StoreId.

Both l.CreateTime and l.UpdateTime are ignored.

func (*Repository) CreateCredentialStore

func (r *Repository) CreateCredentialStore(ctx context.Context, cs *CredentialStore, _ ...Option) (*CredentialStore, error)

CreateCredentialStore inserts cs into the repository and returns a new CredentialStore containing the credential store's PublicId. cs is not changed. cs must not contain a PublicId. The PublicId is generated and assigned by this method. cs must contain a valid ScopeId, VaultAddress, and Vault token. The Vault token must be renewable, periodic, and orphan. CreateCredentialStore calls the /auth/token/renew-self and /auth/token/lookup-self Vault endpoints.

Both cs.Name and cs.Description are optional. If cs.Name is set, it must be unique within cs.ScopeId. Both cs.CreateTime and cs.UpdateTime are ignored.

For more information about the required properties of the Vault token see: https://www.vaultproject.io/api-docs/auth/token#period, https://www.vaultproject.io/api-docs/auth/token#renewable, https://www.vaultproject.io/docs/concepts/tokens#token-hierarchies-and-orphan-tokens, https://www.vaultproject.io/docs/concepts/tokens#periodic-tokens, and https://www.vaultproject.io/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls.

For more information about the Vault endpoints called by CreateCredentialStore see: https://www.vaultproject.io/api-docs/auth/token#renew-a-token-self and https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self.

func (*Repository) DeleteCredentialLibrary

func (r *Repository) DeleteCredentialLibrary(ctx context.Context, scopeId string, publicId string, _ ...Option) (int, error)

DeleteCredentialLibrary deletes publicId from the repository and returns the number of records deleted.

func (*Repository) DeleteCredentialStore

func (r *Repository) DeleteCredentialStore(ctx context.Context, publicId string, _ ...Option) (int, error)

DeleteCredentialStore deletes publicId from the repository and returns the number of records deleted. All options are ignored.

func (*Repository) Issue

func (r *Repository) Issue(ctx context.Context, sessionId string, requests []credential.Request) ([]credential.Dynamic, error)

Issue issues and returns dynamic credentials from Vault for all of the requests and assigns them to sessionId.

func (*Repository) ListCredentialLibraries

func (r *Repository) ListCredentialLibraries(ctx context.Context, storeId string, opt ...Option) ([]*CredentialLibrary, error)

ListCredentialLibraries returns a slice of CredentialLibraries for the storeId. WithLimit is the only option supported.

func (*Repository) ListCredentialStores

func (r *Repository) ListCredentialStores(ctx context.Context, scopeIds []string, opt ...Option) ([]*CredentialStore, error)

ListCredentialStores returns a slice of CredentialStores for the scopeIds. WithLimit is the only option supported.

func (*Repository) LookupCredentialLibrary

func (r *Repository) LookupCredentialLibrary(ctx context.Context, publicId string, _ ...Option) (*CredentialLibrary, error)

LookupCredentialLibrary returns the CredentialLibrary for publicId. Returns nil, nil if no CredentialLibrary is found for publicId.

func (*Repository) LookupCredentialStore

func (r *Repository) LookupCredentialStore(ctx context.Context, publicId string, _ ...Option) (*CredentialStore, error)

LookupCredentialStore returns the CredentialStore for publicId. Returns nil, nil if no CredentialStore is found for publicId.

func (*Repository) Revoke

func (r *Repository) Revoke(ctx context.Context, sessionId string) error

Revoke revokes all dynamic credentials issued from Vault for sessionId.

func (*Repository) UpdateCredentialLibrary

func (r *Repository) UpdateCredentialLibrary(ctx context.Context, scopeId string, l *CredentialLibrary, version uint32, fieldMaskPaths []string, _ ...Option) (*CredentialLibrary, int, error)

UpdateCredentialLibrary updates the repository entry for l.PublicId with the values in l for the fields listed in fieldMaskPaths. It returns a new CredentialLibrary containing the updated values and a count of the number of records updated. l is not changed.

l must contain a valid PublicId. Only Name, Description, VaultPath, HttpMethod, HttpRequestBody, and MappingOverride can be updated. If l.Name is set to a non-empty string, it must be unique within l.StoreId.

An attribute of l will be set to NULL in the database if the attribute in l is the zero value and it is included in fieldMaskPaths except for HttpMethod. If HttpMethod is in the fieldMaskPath but l.HttpMethod is not set it will be set to the value "GET". If storage has a value for HttpRequestBody when l.HttpMethod is set to GET the update will fail.

func (*Repository) UpdateCredentialStore

func (r *Repository) UpdateCredentialStore(ctx context.Context, cs *CredentialStore, version uint32, fieldMaskPaths []string, _ ...Option) (*CredentialStore, int, error)

UpdateCredentialStore updates the repository entry for cs.PublicId with the values in cs for the fields listed in fieldMaskPaths. It returns a new CredentialStore containing the updated values and a count of the number of records updated. cs is not changed.

cs must contain a valid PublicId. Only Name, Description, Namespace, TlsServerName, TlsSkipVerify, CaCert, VaultAddress, ClientCertificate, ClientCertificateKey, and Token can be changed. If cs.Name is set to a non-empty string, it must be unique within cs.ScopeId. If Token is changed, the new token must have the same properties defined in CreateCredentialStore and UpdateCredentialStore calls the same Vault endpoints described in CreateCredentialStore.

An attribute of cs will be set to NULL in the database if the attribute in cs is the zero value and it is included in fieldMaskPaths.

type TestDatabase

type TestDatabase struct {
	URL TestDatabaseURL
}

TestDatabase is returned from MountDatabase and can be used to test database credentials returned by Vault for that mount.

func (*TestDatabase) ValidateCredential

func (d *TestDatabase) ValidateCredential(t testing.TB, s *vault.Secret) error

ValidateCredential tests the credentials in s against d. An error is returned if the credentials are not valid.

type TestDatabaseURL

type TestDatabaseURL string

TestDatabaseURL is a connection string with place holders for username and password to the database started by MountDatabase.

func (TestDatabaseURL) Encode

func (u TestDatabaseURL) Encode(t testing.TB, s *vault.Secret) string

Encode encodes the username and password credentials from s into u.

type TestOption

type TestOption func(testing.TB, *testOptions)

TestOption - how Options are passed as arguments.

func TestOrphanToken

func TestOrphanToken(b bool) TestOption

TestOrphanToken sets the token orphan option to b. The orphan option is true by default.

func TestPeriodicToken

func TestPeriodicToken(b bool) TestOption

TestPeriodicToken sets the token periodic option to b. The periodic option is true by default.

func TestRenewableToken

func TestRenewableToken(b bool) TestOption

TestRenewableToken sets the token renewable option to b. The renewable option is true by default.

func WithClientKey

func WithClientKey(k *ecdsa.PrivateKey) TestOption

WithClientKey sets the private key that will be used to generate the client certificate. The option is only valid when used together with TestClientTLS.

func WithDockerNetwork

func WithDockerNetwork(b bool) TestOption

WithDockerNetwork sets the option to create docker network when creating a Vault test server. The default is to not create a docker network.

func WithDontCleanUp

func WithDontCleanUp() TestOption

WithDontCleanUp causes the resource created to not be automaticaly cleaned up at the end of the test run.

func WithPolicies

func WithPolicies(p []string) TestOption

WithPolicies sets the polices to attach to a token. The default policy attached to tokens is 'default'.

func WithTestMountPath

func WithTestMountPath(p string) TestOption

WithTestMountPath sets the mount path option to p.

func WithTestRoleName

func WithTestRoleName(n string) TestOption

WithTestRoleName sets the roleName name to n. The default role name is boundary.

func WithTestVaultTLS

func WithTestVaultTLS(s TestVaultTLS) TestOption

WithTestVaultTLS sets the Vault TLS option. TestNoTLS is the default TLS option.

func WithTokenPeriod

func WithTokenPeriod(d time.Duration) TestOption

WithTokenPeriod sets the period value in a vault.TokenCreateRequest when the token being requested is a periodic token. The default token period is the value of t.Deadline() or 24 hours if t.Deadline() is nil.

type TestVaultServer

type TestVaultServer struct {
	RootToken string
	Addr      string

	CaCert     []byte
	ServerCert []byte
	ClientCert []byte
	ClientKey  []byte
	// contains filtered or unexported fields
}

TestVaultServer is a vault server running in a docker container suitable for testing.

func NewTestVaultServer

func NewTestVaultServer(t testing.TB, opt ...TestOption) *TestVaultServer

NewTestVaultServer creates and returns a TestVaultServer. Some Vault secret engines require the Vault server be created with a docker network. Check the Mount method for the Vault secret engine to see if a docker network is required.

WithTestVaultTLS and WithDockerNetwork are the only valid options. Setting the WithDockerNetwork option can significantly increase the amount of time required for a test to run.

func (*TestVaultServer) AddKVPolicy added in v0.7.3

func (v *TestVaultServer) AddKVPolicy(t testing.TB, _ ...TestOption)

AddKVPolicy adds a Vault policy named 'secret' to v and adds it to the standard set of polices attached to tokens created with v.CreateToken. The policy is defined as:

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

All options are ignored.

func (*TestVaultServer) CreateKVSecret added in v0.7.3

func (v *TestVaultServer) CreateKVSecret(t testing.TB, p string, data []byte) *vault.Secret

CreateKVSecret calls the /secret/data/:p endpoint with the provided data. Please note for KV-v2 the provided data needs to be in JSON format similar to: `{"data": {"key": "value", "key2": "value2"}}` See https://www.vaultproject.io/api-docs/secret/kv/kv-v2#create-update-secret

func (*TestVaultServer) CreateToken

func (v *TestVaultServer) CreateToken(t testing.TB, opt ...TestOption) (*vault.Secret, string)

CreateToken creates a new Vault token by calling /auth/token/create on v using v.RootToken. It returns the vault secret containing the token and the token itself. See https://www.vaultproject.io/api-docs/auth/token#create-token.

func (*TestVaultServer) LookupLease

func (v *TestVaultServer) LookupLease(t testing.TB, leaseId string) *vault.Secret

LookupLease calls the /sys/leases/lookup Vault endpoint and returns the vault.Secret response. See https://www.vaultproject.io/api-docs/system/leases#read-lease.

func (*TestVaultServer) LookupToken

func (v *TestVaultServer) LookupToken(t testing.TB, token string) *vault.Secret

LookupToken calls /auth/token/lookup on v for the token. See https://www.vaultproject.io/api-docs/auth/token#lookup-a-token.

func (*TestVaultServer) MountDatabase

func (v *TestVaultServer) MountDatabase(t testing.TB, opt ...TestOption) *TestDatabase

MountDatabase starts a PostgreSQL database in a docker container then mounts the Vault database secrets engine and configures it to issue credentials for the database.

MountDatabase also adds a Vault policy named 'database' to v and adds it to the standard set of polices attached to tokens created with v.CreateToken. The policy is defined as:

path "mountPath/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

MountDatabase returns a TestDatabase for testing credentials from the mount.

func (*TestVaultServer) MountPKI

func (v *TestVaultServer) MountPKI(t testing.TB, opt ...TestOption) *vault.Secret

MountPKI mounts the Vault PKI secret engine and initializes it by generating a root certificate authority and creating a default role on the mount. The root CA is returned.

The default mount path is pki and the default role name is boundary. WithTestMountPath and WithTestRoleName are the only test options supported.

MountPKI also adds a Vault policy named 'pki' to v and adds it to the standard set of polices attached to tokens created with v.CreateToken. The policy is defined as:

path "mountPath/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

func (*TestVaultServer) VerifyTokenInvalid

func (v *TestVaultServer) VerifyTokenInvalid(t testing.TB, token string)

VerifyTokenInvalid calls /auth/token/lookup on v for the token. It expects the lookup to fail with a StatusForbidden. See https://www.vaultproject.io/api-docs/auth/token#lookup-a-token.

type TestVaultTLS

type TestVaultTLS int

TestVaultTLS represents the TLS configuration level of a TestVaultServer.

const (
	// TestNoTLS disables TLS. The test server Addr begins with http://.
	TestNoTLS TestVaultTLS = iota // no TLS

	// TestServerTLS configures the Vault test server listener to use TLS.
	// A CA certificate is generated and a server certificate is issued
	// from the CA certificate. The CA certificate is available in the
	// CaCert field of the TestVaultServer. The test server Addr begins
	// with https://.
	TestServerTLS

	// TestClientTLS configures the Vault test server listener to require a
	// client certificate for mTLS and includes all of the settings from
	// TestServerTLS. A second CA certificate is generated and a client
	// certificate is issued from this CA certificate. The client
	// certificate and the client certificate key are available in the in
	// the ClientCert and ClientKey fields of the TestVaultServer
	// respectively.
	TestClientTLS
)

type Token

type Token struct {
	*store.Token
	// contains filtered or unexported fields
}

Token contains a vault token. It is owned by a credential store.

func (*Token) SetTableName

func (t *Token) SetTableName(n string)

SetTableName sets the table name.

func (*Token) TableName

func (t *Token) TableName() string

TableName returns the table name.

type TokenRenewalJob

type TokenRenewalJob struct {
	// contains filtered or unexported fields
}

TokenRenewalJob is the recurring job that renews credential store Vault tokens that are in the `current` and `maintaining` state. The TokenRenewalJob is not thread safe, an attempt to Run the job concurrently will result in an JobAlreadyRunning error.

func (*TokenRenewalJob) Description

func (r *TokenRenewalJob) Description() string

Description is the human readable description of the job.

func (*TokenRenewalJob) Name

func (r *TokenRenewalJob) Name() string

Name is the unique name of the job.

func (*TokenRenewalJob) NextRunIn

func (r *TokenRenewalJob) NextRunIn(ctx context.Context) (time.Duration, error)

NextRunIn queries the vault credential repo to determine when the next token renewal job should run.

func (*TokenRenewalJob) Run

func (r *TokenRenewalJob) Run(ctx context.Context) error

Run queries the vault credential repo for tokens that need to be renewed, it then creates a vault client and renews each token. Can not be run in parallel, if Run is invoked while already running an error with code JobAlreadyRunning will be returned.

func (*TokenRenewalJob) Status

func (r *TokenRenewalJob) Status() scheduler.JobStatus

Status returns the current status of the token renewal job. Total is the total number of tokens that are set to be renewed. Completed is the number of tokens already renewed.

type TokenRevocationJob

type TokenRevocationJob struct {
	// contains filtered or unexported fields
}

TokenRevocationJob is the recurring job that revokes credential store Vault tokens that are in the `maintaining` state and have no credentials being used by an active or pending session. The TokenRevocationJob is not thread safe, an attempt to Run the job concurrently will result in an JobAlreadyRunning error.

func (*TokenRevocationJob) Description

func (r *TokenRevocationJob) Description() string

Description is the human readable description of the job.

func (*TokenRevocationJob) Name

func (r *TokenRevocationJob) Name() string

Name is the unique name of the job.

func (*TokenRevocationJob) NextRunIn

func (r *TokenRevocationJob) NextRunIn(_ context.Context) (time.Duration, error)

NextRunIn determines when the next token revocation job should run.

func (*TokenRevocationJob) Run

Run queries the vault credential repo for tokens that need to be revoked, it then creates a vault client and revokes each token. Can not be run in parallel, if Run is invoked while already running an error with code JobAlreadyRunning will be returned.

func (*TokenRevocationJob) Status

Status returns the current status of the token revocation job. Total is the total number of tokens that are set to be revoked. Completed is the number of tokens already revoked.

type TokenSecret

type TokenSecret []byte

TokenSecret equals a Vault token. This type provides a wrapper so the secret isn't inadvertently leaked into a log or error.

func (TokenSecret) GoString

func (s TokenSecret) GoString() string

GoString will redact the TokenSecret.

func (TokenSecret) MarshalJSON

func (s TokenSecret) MarshalJSON() ([]byte, error)

MarshalJSON will redact the TokenSecret.

func (TokenSecret) String

func (s TokenSecret) String() string

String will redact the TokenSecret.

type TokenStatus

type TokenStatus string

A TokenStatus represents the status of a vault token.

const (
	// CurrentToken represents a vault token for a credential store that is
	// used for retrieving credentials. Tokens in this state are renewed
	// before they expire. A credential store can have only one current
	// token.
	CurrentToken TokenStatus = "current"

	// MaintainingToken represents a vault token that is no longer being
	// used for retrieving credentials but is being renewed because it was
	// used to retrieve credentials which are still being used in a
	// session. After the dependent sessions are terminated, the token is
	// revoked in Vault and the status transitions to RevokedToken. but is
	// no longer being used for retrieving credentials.
	MaintainingToken TokenStatus = "maintaining"

	// RevokeToken represents a token that should be revoked.
	RevokeToken TokenStatus = "revoke"

	// RevokedToken represents a token that has been revoked. This is a
	// terminal status. It does not transition to ExpiredToken.
	RevokedToken TokenStatus = "revoked"

	// ExpiredToken represents a token that expired. This is a terminal
	// status. It does not transition to RevokedToken.
	ExpiredToken TokenStatus = "expired"
)

type UsernamePasswordOverride added in v0.9.1

type UsernamePasswordOverride struct {
	*store.UsernamePasswordOverride
	// contains filtered or unexported fields
}

A UsernamePasswordOverride contains optional values for overriding the default mappings used to map a Vault secret to a UsernamePassword credential type for the credential library that owns it.

func NewUsernamePasswordOverride added in v0.9.1

func NewUsernamePasswordOverride(opt ...Option) *UsernamePasswordOverride

NewUsernamePasswordOverride creates a new in memory UsernamePasswordOverride. WithOverrideUsernameAttribute and WithOverridePasswordAttribute are the only valid options. All other options are ignored.

func (*UsernamePasswordOverride) SetTableName added in v0.9.1

func (o *UsernamePasswordOverride) SetTableName(n string)

SetTableName sets the table name.

func (*UsernamePasswordOverride) TableName added in v0.9.1

func (o *UsernamePasswordOverride) TableName() string

TableName returns the table name.

Directories

Path Synopsis
internal
usernamepassword
Package usernamepassword provides access to the username and password stored in a Vault secret.
Package usernamepassword provides access to the username and password stored in a Vault secret.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL