Index ¶
- Constants
- Variables
- func AbortableScanView(ctx context.Context, view ClearableView, cb func(path string) (cont bool)) error
- func AdjustErrorStatusCode(status *int, err error)
- func ClearView(ctx context.Context, view ClearableView) error
- func ClearViewWithLogging(ctx context.Context, view ClearableView, logger hclog.Logger) error
- func CollectKeys(ctx context.Context, view ClearableView) ([]string, error)
- func CollectKeysWithPrefix(ctx context.Context, view ClearableView, prefix string) ([]string, error)
- func ContextDisableReplicationStatusEndpointsValue(ctx context.Context) (value, ok bool)
- func ContextOriginalBodyValue(ctx context.Context) (io.ReadCloser, bool)
- func ContextOriginalRequestPathValue(ctx context.Context) (value string, ok bool)
- func CreateContextDisableReplicationStatusEndpoints(parent context.Context, value bool) context.Context
- func CreateContextOriginalBody(parent context.Context, body io.ReadCloser) context.Context
- func CreateContextOriginalRequestPath(parent context.Context, value string) context.Context
- func CreateContextRedactionSettings(parent context.Context, redactVersion, redactAddresses, redactClusterName bool) context.Context
- func CtxRedactionSettingsValue(ctx context.Context) (redactVersion, redactAddresses, redactClusterName, ok bool)
- func IndexStateContext(ctx context.Context, state *WALState) context.Context
- func RegisterPluginVersionServer(s grpc.ServiceRegistrar, srv PluginVersionServer)
- func RespondError(w http.ResponseWriter, status int, err error)
- func RespondErrorAndData(w http.ResponseWriter, status int, data interface{}, err error)
- func RespondErrorCommon(req *Request, resp *Response, err error) (int, error)
- func ScanView(ctx context.Context, view ClearableView, cb func(path string)) error
- func SendEvent(ctx context.Context, sender EventSender, eventType string, ...) error
- func TestStorage(t testing.T, s Storage)
- type ACMEBillingSystemView
- type Alias
- func (*Alias) Descriptor() ([]byte, []int)deprecated
- func (x *Alias) GetCustomMetadata() map[string]string
- func (x *Alias) GetID() string
- func (x *Alias) GetLocal() bool
- func (x *Alias) GetMetadata() map[string]string
- func (x *Alias) GetMountAccessor() string
- func (x *Alias) GetMountType() string
- func (x *Alias) GetName() string
- func (x *Alias) GetNamespaceID() string
- func (*Alias) ProtoMessage()
- func (x *Alias) ProtoReflect() protoreflect.Message
- func (x *Alias) Reset()
- func (x *Alias) String() string
- type Auditor
- type Auth
- type Authz
- type Backend
- type BackendConfig
- type BackendType
- type ClearableView
- type ClientTokenSource
- type Connection
- type ControlGroup
- type CtxKeyDisableRequestLimiter
- type CtxKeyInFlightRequestID
- type CtxKeyInFlightRequestPriority
- type CtxKeyInFlightTraceID
- type CtxKeyRequestRole
- type CustomHeader
- type DelegatedAuthErrorHandler
- type Empty
- type Entity
- func (*Entity) Descriptor() ([]byte, []int)deprecated
- func (x *Entity) GetAliases() []*Alias
- func (x *Entity) GetDisabled() bool
- func (x *Entity) GetID() string
- func (x *Entity) GetMetadata() map[string]string
- func (x *Entity) GetName() string
- func (x *Entity) GetNamespaceID() string
- func (*Entity) ProtoMessage()
- func (x *Entity) ProtoReflect() protoreflect.Message
- func (x *Entity) Reset()
- func (x *Entity) String() string
- type EventData
- func (*EventData) Descriptor() ([]byte, []int)deprecated
- func (x *EventData) GetEntityIds() []string
- func (x *EventData) GetId() string
- func (x *EventData) GetMetadata() *structpb.Struct
- func (x *EventData) GetNote() string
- func (*EventData) ProtoMessage()
- func (x *EventData) ProtoReflect() protoreflect.Message
- func (x *EventData) Reset()
- func (x *EventData) String() string
- type EventPluginInfo
- func (*EventPluginInfo) Descriptor() ([]byte, []int)deprecated
- func (x *EventPluginInfo) GetMountAccessor() string
- func (x *EventPluginInfo) GetMountClass() string
- func (x *EventPluginInfo) GetMountPath() string
- func (x *EventPluginInfo) GetPlugin() string
- func (x *EventPluginInfo) GetPluginVersion() string
- func (x *EventPluginInfo) GetVersion() string
- func (*EventPluginInfo) ProtoMessage()
- func (x *EventPluginInfo) ProtoReflect() protoreflect.Message
- func (x *EventPluginInfo) Reset()
- func (x *EventPluginInfo) String() string
- type EventReceived
- func (x *EventReceived) BexprDatum() any
- func (*EventReceived) Descriptor() ([]byte, []int)deprecated
- func (x *EventReceived) GetEvent() *EventData
- func (x *EventReceived) GetEventType() string
- func (x *EventReceived) GetNamespace() string
- func (x *EventReceived) GetPluginInfo() *EventPluginInfo
- func (x *EventReceived) ID() string
- func (*EventReceived) ProtoMessage()
- func (x *EventReceived) ProtoReflect() protoreflect.Message
- func (x *EventReceived) Reset()
- func (x *EventReceived) String() string
- type EventReceivedBexpr
- type EventSender
- type EventType
- type ExtendedSystemView
- type Factory
- type Group
- func (*Group) Descriptor() ([]byte, []int)deprecated
- func (x *Group) GetID() string
- func (x *Group) GetMetadata() map[string]string
- func (x *Group) GetName() string
- func (x *Group) GetNamespaceID() string
- func (*Group) ProtoMessage()
- func (x *Group) ProtoReflect() protoreflect.Message
- func (x *Group) Reset()
- func (x *Group) String() string
- type HTTPAuth
- type HTTPCodedError
- type HTTPResponse
- type HTTPResponseWriter
- type HTTPSysInjector
- type HTTPWrapInfo
- type InitializationRequest
- type InmemStorage
- func (s *InmemStorage) Delete(ctx context.Context, key string) error
- func (s *InmemStorage) FailDelete(fail bool) *InmemStorage
- func (s *InmemStorage) FailGet(fail bool) *InmemStorage
- func (s *InmemStorage) FailList(fail bool) *InmemStorage
- func (s *InmemStorage) FailPut(fail bool) *InmemStorage
- func (s *InmemStorage) Get(ctx context.Context, key string) (*StorageEntry, error)
- func (s *InmemStorage) List(ctx context.Context, prefix string) ([]string, error)
- func (s *InmemStorage) Put(ctx context.Context, entry *StorageEntry) error
- func (s *InmemStorage) Underlying() *inmem.InmemBackend
- type KeyNotFoundError
- type KeyUsage
- type LeaseOptions
- type LogInput
- type LogInputBexpr
- type LogicalStorage
- func (s *LogicalStorage) Delete(ctx context.Context, key string) error
- func (s *LogicalStorage) Get(ctx context.Context, key string) (*StorageEntry, error)
- func (s *LogicalStorage) List(ctx context.Context, prefix string) ([]string, error)
- func (s *LogicalStorage) Put(ctx context.Context, entry *StorageEntry) error
- func (s *LogicalStorage) Underlying() physical.Backend
- type MFAConstraintAny
- type MFACreds
- type MFAMethodID
- func (*MFAMethodID) Descriptor() ([]byte, []int)deprecated
- func (x *MFAMethodID) GetID() string
- func (x *MFAMethodID) GetName() string
- func (x *MFAMethodID) GetType() string
- func (x *MFAMethodID) GetUsesPasscode() bool
- func (*MFAMethodID) ProtoMessage()
- func (x *MFAMethodID) ProtoReflect() protoreflect.Message
- func (x *MFAMethodID) Reset()
- func (x *MFAMethodID) String() string
- type MFARequirement
- func (*MFARequirement) Descriptor() ([]byte, []int)deprecated
- func (x *MFARequirement) GetMFAConstraints() map[string]*MFAConstraintAny
- func (x *MFARequirement) GetMFARequestID() string
- func (*MFARequirement) ProtoMessage()
- func (x *MFARequirement) ProtoReflect() protoreflect.Message
- func (x *MFARequirement) Reset()
- func (x *MFARequirement) String() string
- type ManagedAsymmetricKey
- type ManagedEncryptingKey
- type ManagedEncryptingKeyConsumer
- type ManagedKey
- type ManagedKeyConsumer
- type ManagedKeyLifecycle
- type ManagedKeyRandomSource
- type ManagedKeyRandomSourceConsumer
- type ManagedKeySystemView
- type ManagedMACKey
- type ManagedMACKeyConsumer
- type ManagedSigningKey
- type ManagedSigningKeyConsumer
- type MarshalOptions
- type MockEvent
- type MockEventSender
- type Operation
- type OptMarshaler
- type PasswordGenerator
- type PasswordPolicy
- type Paths
- type PluginEnvironment
- func (*PluginEnvironment) Descriptor() ([]byte, []int)deprecated
- func (x *PluginEnvironment) GetVaultVersion() string
- func (x *PluginEnvironment) GetVaultVersionMetadata() string
- func (x *PluginEnvironment) GetVaultVersionPrerelease() string
- func (*PluginEnvironment) ProtoMessage()
- func (x *PluginEnvironment) ProtoReflect() protoreflect.Message
- func (x *PluginEnvironment) Reset()
- func (x *PluginEnvironment) String() string
- type PluginVersion
- type PluginVersionClient
- type PluginVersionServer
- type PluginVersioner
- type PolicyInfo
- type PolicyResults
- type ReplicationCodedError
- type Request
- func RenewAuthRequest(path string, auth *Auth, data map[string]interface{}) *Request
- func RenewRequest(path string, secret *Secret, data map[string]interface{}) *Request
- func RevokeRequest(path string, secret *Secret, data map[string]interface{}) *Request
- func RollbackRequest(path string) *Request
- func TestRequest(t testing.T, op Operation, path string) *Request
- func (r *Request) Clone() (*Request, error)
- func (r *Request) Get(key string) interface{}
- func (r *Request) GetString(key string) string
- func (r *Request) GoString() string
- func (r *Request) LastRemoteWAL() uint64
- func (r *Request) MountClass() string
- func (r *Request) MountIsExternalPlugin() bool
- func (r *Request) MountRunningSha256() string
- func (r *Request) MountRunningVersion() string
- func (r *Request) RequiredState() []string
- func (r *Request) ResponseState() *WALState
- func (r *Request) SentinelGet(key string) (interface{}, error)
- func (r *Request) SentinelKeys() []string
- func (r *Request) SetLastRemoteWAL(last uint64)
- func (r *Request) SetMountClass(mountClass string)
- func (r *Request) SetMountIsExternalPlugin(mountIsExternalPlugin bool)
- func (r *Request) SetMountRunningSha256(mountRunningSha256 string)
- func (r *Request) SetMountRunningVersion(mountRunningVersion string)
- func (r *Request) SetRequiredState(state []string)
- func (r *Request) SetResponseState(w *WALState)
- func (r *Request) SetTokenEntry(te *TokenEntry)
- func (r *Request) TokenEntry() *TokenEntry
- type RequestDelegatedAuthError
- func (d *RequestDelegatedAuthError) AuthErrorHandler() DelegatedAuthErrorHandler
- func (d *RequestDelegatedAuthError) Data() map[string]interface{}
- func (d *RequestDelegatedAuthError) Error() string
- func (d *RequestDelegatedAuthError) MountAccessor() string
- func (d *RequestDelegatedAuthError) Path() string
- type RequestWrapInfo
- type Response
- func ErrorResponse(text string, vargs ...interface{}) *Response
- func HTTPResponseToLogicalResponse(input *HTTPResponse) *Response
- func HelpResponse(text string, seeAlso []string, oapiDoc interface{}) *Response
- func ListResponse(keys []string) *Response
- func ListResponseWithInfo(keys []string, keyInfo map[string]interface{}) *Response
- func ResolveRoleResponse(roleName string) (*Response, error)
- func RespondWithStatusCode(resp *Response, req *Request, code int) (*Response, error)
- type Secret
- type StaticSystemView
- func (d StaticSystemView) APILockShouldBlockRequest() (bool, error)
- func (d StaticSystemView) Auditor() Auditor
- func (d StaticSystemView) CachingDisabled() bool
- func (d StaticSystemView) ClusterID(ctx context.Context) (string, error)
- func (d StaticSystemView) DefaultLeaseTTL() time.Duration
- func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool)
- func (d StaticSystemView) EntityInfo(entityID string) (*Entity, error)
- func (d StaticSystemView) ForwardGenericRequest(ctx context.Context, req *Request) (*Response, error)
- func (d StaticSystemView) GenerateIdentityToken(_ context.Context, _ *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error)
- func (d StaticSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)
- func (d StaticSystemView) GroupsForEntity(entityID string) ([]*Group, error)
- func (d StaticSystemView) HasFeature(feature license.Features) bool
- func (d StaticSystemView) ListVersionedPlugins(_ context.Context, _ consts.PluginType) ([]pluginutil.VersionedPlugin, error)
- func (d StaticSystemView) LocalMount() bool
- func (d StaticSystemView) LookupPlugin(_ context.Context, _ string, _ consts.PluginType) (*pluginutil.PluginRunner, error)
- func (d StaticSystemView) LookupPluginVersion(_ context.Context, _ string, _ consts.PluginType, _ string) (*pluginutil.PluginRunner, error)
- func (d StaticSystemView) MaxLeaseTTL() time.Duration
- func (d StaticSystemView) MlockEnabled() bool
- func (d StaticSystemView) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error)
- func (d StaticSystemView) PluginEnv(_ context.Context) (*PluginEnvironment, error)
- func (d StaticSystemView) ReplicationState() consts.ReplicationState
- func (d StaticSystemView) ResponseWrapData(_ context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)
- func (d *StaticSystemView) SetPasswordPolicy(name string, generator PasswordGenerator)
- func (d StaticSystemView) SudoPrivilege(_ context.Context, path string, token string) bool
- func (d StaticSystemView) Tainted() bool
- func (d StaticSystemView) VaultVersion(_ context.Context) (string, error)
- type StatusBadRequest
- type StatusHeaderResponseWriter
- func (w *StatusHeaderResponseWriter) Header() http.Header
- func (w *StatusHeaderResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error)
- func (w *StatusHeaderResponseWriter) Wrapped() http.ResponseWriter
- func (w *StatusHeaderResponseWriter) Write(buf []byte) (int, error)
- func (w *StatusHeaderResponseWriter) WriteHeader(statusCode int)
- type Storage
- type StorageEntry
- type StorageView
- func (s *StorageView) Delete(ctx context.Context, key string) error
- func (s *StorageView) ExpandKey(suffix string) string
- func (s *StorageView) Get(ctx context.Context, key string) (*StorageEntry, error)
- func (s *StorageView) List(ctx context.Context, prefix string) ([]string, error)
- func (s *StorageView) Prefix() string
- func (s *StorageView) Put(ctx context.Context, entry *StorageEntry) error
- func (s *StorageView) SanityCheck(key string) error
- func (s *StorageView) SubView(prefix string) *StorageView
- func (s *StorageView) TruncateKey(full string) string
- type SystemView
- type TokenEntry
- type TokenType
- type UnimplementedPluginVersionServer
- type UnsafePluginVersionServer
- type VersionReply
- type WALState
- type WellKnownSystemView
- type WrappingResponseWriter
Constants ¶
// Common event metadata keys. These are the well-known keys a plugin places in
// an event's metadata so that consumers can interpret it uniformly.
const (
	// EventMetadataDataPath is used in event metadata to show the API path that can be used to fetch any underlying
	// data. For example, the KV plugin would set this to `data/mysecret`. The event system will automatically prepend
	// the plugin mount to this path, if present, so it would become `secret/data/mysecret`, for example.
	// If this is an auth plugin event, this will additionally be prepended with `auth/`.
	EventMetadataDataPath = "data_path"

	// EventMetadataOperation is used in event metadata to express what operation was performed that generated the
	// event, e.g., `read` or `write`.
	EventMetadataOperation = "operation"

	// EventMetadataModified is used in event metadata when the event attests that the underlying data has been modified
	// and might need to be re-fetched (at the EventMetadataDataPath).
	EventMetadataModified = "modified"
)
common event metadata keys
// Operation values a logical backend can be asked to perform.
const (
	// The operations below are called per path.
	//
	// NOTE(review): only CreateOperation (and RevokeOperation below) are
	// declared with the Operation type. In a Go const block the type is
	// inherited only when the expression is omitted, so the entries that
	// spell out a value without a type are untyped string constants. They
	// still convert implicitly to Operation wherever one is expected, so
	// callers are unaffected, but they are not Operation-typed values.
	CreateOperation         Operation = "create"
	ReadOperation                     = "read"
	UpdateOperation                   = "update"
	PatchOperation                    = "patch"
	DeleteOperation                   = "delete"
	ListOperation                     = "list"
	HelpOperation                     = "help"
	AliasLookaheadOperation           = "alias-lookahead"
	ResolveRoleOperation              = "resolve-role"
	HeaderOperation                   = "header"

	// The operations below are called globally, the path is less relevant.
	RevokeOperation   Operation = "revoke"
	RenewOperation              = "renew"
	RollbackOperation           = "rollback"
)
// Keys recognised in the Data field of a Response that let a backend shape the
// raw HTTP response (body, Content-Type, status and a few headers) instead of
// the usual JSON-encoded body. Every one of them is documented as being for
// non-secret content only.
const (
	// HTTPContentType can be specified in the Data field of a Response
	// so that the HTTP front end can specify a custom Content-Type associated
	// with the HTTPRawBody. This can only be used for non-secrets, and should
	// be avoided unless absolutely necessary, such as implementing a specification.
	// The value must be a string.
	HTTPContentType = "http_content_type"

	// HTTPRawBody is the raw content of the HTTP body that goes with the HTTPContentType.
	// This can only be specified for non-secrets, and should be similarly
	// avoided like the HTTPContentType. The value must be a byte slice.
	HTTPRawBody = "http_raw_body"

	// HTTPStatusCode is the response code of the HTTP body that goes with the HTTPContentType.
	// This can only be specified for non-secrets, and should be similarly
	// avoided like the HTTPContentType. The value must be an integer.
	HTTPStatusCode = "http_status_code"

	// For unwrapping we may need to know whether the value contained in the
	// raw body is already JSON-unmarshaled. The presence of this key indicates
	// that it has already been unmarshaled. That way we don't need to simply
	// ignore errors.
	HTTPRawBodyAlreadyJSONDecoded = "http_raw_body_already_json_decoded"

	// If set, HTTPCacheControlHeader will replace the default Cache-Control=no-store header
	// set by the generic wrapping handler. The value must be a string.
	// Relaxing no-store lets browsers and intermediaries retain the response
	// body, so it is only appropriate for the non-secret raw responses
	// described above.
	HTTPCacheControlHeader = "http_raw_cache_control"

	// If set, HTTPPragmaHeader will set the Pragma response header.
	// The value must be a string.
	HTTPPragmaHeader = "http_raw_pragma"

	// If set, HTTPWWWAuthenticateHeader will set the WWW-Authenticate response header.
	// The value must be a string.
	HTTPWWWAuthenticateHeader = "http_www_authenticate"
)
// PBPWFClusterSentinel is the placeholder that plugins using
// Paths.WriteForwardedStorage must embed in their path to write cross-cluster.
// See the description of that parameter for more information.
const PBPWFClusterSentinel = "{{clusterId}}"
Plugins using Paths.WriteForwardedStorage will need to use this sentinel in their path to write cross-cluster. See the description of that parameter for more information.
const (
	// PluginVersion_Version_FullMethodName is the fully-qualified gRPC method
	// name for PluginVersion.Version: the ServiceName and MethodName from
	// PluginVersion_ServiceDesc joined in "/service/method" form.
	PluginVersion_Version_FullMethodName = "/logical.PluginVersion/Version"
)
Variables ¶
// Sentinel errors shared between logical backends and Vault core. Because they
// are package-level values, callers compare against them (for example with
// errors.Is) rather than against their message text.
var (
	// ErrUnsupportedOperation is returned if the operation is not supported
	// by the logical backend.
	ErrUnsupportedOperation = errors.New("unsupported operation")

	// ErrUnsupportedPath is returned if the path is not supported
	// by the logical backend.
	ErrUnsupportedPath = errors.New("unsupported path")

	// ErrInvalidRequest is returned if the request is invalid.
	ErrInvalidRequest = errors.New("invalid request")

	// ErrPermissionDenied is returned if the client is not authorized.
	ErrPermissionDenied = errors.New("permission denied")

	// ErrInvalidToken is returned if the token is revoked, expired, or non-existent.
	ErrInvalidToken = errors.New("invalid token")

	// ErrInvalidCredentials is returned when the provided credentials are incorrect.
	// This is used internally for user lockout purposes. This is not seen externally.
	// The status code returned does not change because of this error, so an
	// external caller observes the same response as for any other failed login.
	ErrInvalidCredentials = errors.New("invalid credentials")

	// ErrMultiAuthzPending is returned if the request needs more
	// authorizations.
	ErrMultiAuthzPending = errors.New("request needs further approval")

	// ErrUpstreamRateLimited is returned when Vault receives a rate limited
	// response from an upstream.
	ErrUpstreamRateLimited = errors.New("upstream rate limited")

	// ErrPerfStandbyPleaseForward is returned when Vault is in a state such that a
	// perf standby cannot satisfy a request.
	ErrPerfStandbyPleaseForward = errors.New("please forward to the active node")

	// ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease
	// count quota being exceeded.
	ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded")

	// ErrRateLimitQuotaExceeded is returned when a request is rejected due to a
	// rate limit quota being exceeded.
	ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded")

	// ErrUnrecoverable is returned when a request fails due to something that
	// is likely to require manual intervention. This is a generic form of an
	// unrecoverable error.
	// e.g.: misconfigured or disconnected storage backend.
	ErrUnrecoverable = errors.New("unrecoverable error")

	// ErrMissingRequiredState is returned when a request can't be satisfied
	// with the data in the local node's storage, based on the provided
	// X-Vault-Index request header.
	ErrMissingRequiredState = errors.New("required index state not present")

	// ErrPathFunctionalityRemoved indicates that the requested path used to serve
	// a purpose in older versions, but the functionality has now been removed.
	ErrPathFunctionalityRemoved = errors.New("functionality on this path has been removed")

	// ErrNotFound is an error used to indicate that a particular resource was
	// not found.
	ErrNotFound = errors.New("not found")
)
// EmptyPluginVersion is a PluginVersion whose single field holds the empty
// string. The literal is positional, so it must be updated if PluginVersion
// ever gains a field.
var EmptyPluginVersion = PluginVersion{""}
// ErrReadOnly is returned when a backend does not support writing. This can be
// caused by a read-only replica or secondary cluster operation.
var ErrReadOnly = errors.New("cannot write to readonly storage")
ErrReadOnly is returned when a backend does not support writing. This can be caused by a read-only replica or secondary cluster operation.
// ErrRelativePath is returned when a storage key contains relative path
// elements, which the storage layer rejects rather than resolving.
var ErrRelativePath = errors.New("relative paths not supported")
// ErrSetupReadOnly is returned when a write operation is attempted on a storage
// while the backend is still being set up.
var ErrSetupReadOnly = errors.New("cannot write to storage during setup")
ErrSetupReadOnly is returned when a write operation is attempted on a storage while the backend is still being setup.
// File descriptors for this package's protobuf definitions (event, identity,
// plugin and version). NOTE(review): these are the variables protoc-gen-go
// emits for each .proto file and are expected to be populated by the generated
// code; confirm against the generated sources before relying on them at init.
var File_sdk_logical_event_proto protoreflect.FileDescriptor
var File_sdk_logical_identity_proto protoreflect.FileDescriptor
var File_sdk_logical_plugin_proto protoreflect.FileDescriptor
var File_sdk_logical_version_proto protoreflect.FileDescriptor
// PluginVersion_ServiceDesc is the grpc.ServiceDesc for PluginVersion service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy).
var PluginVersion_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "logical.PluginVersion",
	HandlerType: (*PluginVersionServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Version",
			// Unexported generated handler defined elsewhere in this package.
			Handler: _PluginVersion_Version_Handler,
		},
	},
	// The service declares no streaming methods.
	Streams:  []grpc.StreamDesc{},
	Metadata: "sdk/logical/version.proto",
}
PluginVersion_ServiceDesc is the grpc.ServiceDesc for PluginVersion service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)
Functions ¶
func AbortableScanView ¶ added in v0.10.1
func AbortableScanView(ctx context.Context, view ClearableView, cb func(path string) (cont bool)) error
AbortableScanView is used to scan all the keys in a view iteratively, but will abort the scan if cb returns false
func AdjustErrorStatusCode ¶
AdjustErrorStatusCode adjusts the status that will be sent in error conditions in a way that can be shared across http's respondError and other locations.
func ClearView ¶
func ClearView(ctx context.Context, view ClearableView) error
ClearView is used to delete all the keys in a view
func ClearViewWithLogging ¶ added in v0.1.12
func ClearViewWithLogging(ctx context.Context, view ClearableView, logger hclog.Logger) error
func CollectKeys ¶
func CollectKeys(ctx context.Context, view ClearableView) ([]string, error)
CollectKeys is used to collect all the keys in a view
func CollectKeysWithPrefix ¶ added in v0.1.10
func CollectKeysWithPrefix(ctx context.Context, view ClearableView, prefix string) ([]string, error)
CollectKeysWithPrefix is used to collect all the keys in a view with a given prefix string
func ContextDisableReplicationStatusEndpointsValue ¶ added in v0.11.0
ContextDisableReplicationStatusEndpointsValue examines the provided context.Context for the disable replication status endpoints value and returns it as a bool value if it's found along with the ok return value set to true; otherwise the ok return value is false.
func ContextOriginalBodyValue ¶ added in v0.11.0
func ContextOriginalBodyValue(ctx context.Context) (io.ReadCloser, bool)
func ContextOriginalRequestPathValue ¶ added in v0.11.0
ContextOriginalRequestPathValue examines the provided context.Context for the original request path value and returns it as a string value if it's found along with the ok value set to true; otherwise the ok return value is false.
func CreateContextDisableReplicationStatusEndpoints ¶ added in v0.11.0
func CreateContextDisableReplicationStatusEndpoints(parent context.Context, value bool) context.Context
CreateContextDisableReplicationStatusEndpoints creates a new context.Context based on the provided parent that also includes the provided value for the ctxKeyDisableReplicationStatusEndpoints key.
func CreateContextOriginalBody ¶ added in v0.11.0
func CreateContextOriginalRequestPath ¶ added in v0.11.0
CreateContextOriginalRequestPath creates a new context.Context based on the provided parent that also includes the provided original request path value for the ctxKeyOriginalRequestPath key.
func CreateContextRedactionSettings ¶ added in v0.11.1
func CreateContextRedactionSettings(parent context.Context, redactVersion, redactAddresses, redactClusterName bool) context.Context
CreateContextRedactionSettings creates a new context.Context based on the provided parent that also includes the provided redaction settings values for the ctxKeyRedactionSettings key.
func CtxRedactionSettingsValue ¶ added in v0.11.1
func CtxRedactionSettingsValue(ctx context.Context) (redactVersion, redactAddresses, redactClusterName, ok bool)
CtxRedactionSettingsValue examines the provided context.Context for the redaction settings value and returns them as a tuple of bool values if they are found along with the ok return value set to true; otherwise the ok return value is false.
func IndexStateContext ¶ added in v0.2.0
IndexStateContext returns a context with an added value holding the index state that should be populated on writes.
func RegisterPluginVersionServer ¶ added in v0.6.0
func RegisterPluginVersionServer(s grpc.ServiceRegistrar, srv PluginVersionServer)
func RespondError ¶
func RespondError(w http.ResponseWriter, status int, err error)
func RespondErrorAndData ¶ added in v0.6.1
func RespondErrorAndData(w http.ResponseWriter, status int, data interface{}, err error)
func RespondErrorCommon ¶
RespondErrorCommon pulls most of the functionality from http's respondErrorCommon and some of http's handleLogical and makes it available to both the http package and elsewhere.
func ScanView ¶
func ScanView(ctx context.Context, view ClearableView, cb func(path string)) error
ScanView is used to scan all the keys in a view iteratively
func SendEvent ¶ added in v0.10.0
func SendEvent(ctx context.Context, sender EventSender, eventType string, metadataPairs ...string) error
SendEvent is a convenience method for plugins to send events to an EventSender, converting the metadataPairs to the EventData structure.
func TestStorage ¶
TestStorage is a helper that can be used from unit tests to verify the behavior of a Storage impl.
Types ¶
type ACMEBillingSystemView ¶ added in v0.9.1
type Alias ¶
// Alias describes an identity as known to one authentication mount: the mount
// it belongs to, its name in that authentication source, the namespace it lives
// in, and the metadata attached to it.
type Alias struct {
	// MountType is the backend mount's type to which this identity belongs
	MountType string `protobuf:"bytes,1,opt,name=mount_type,json=mountType,proto3" json:"mount_type,omitempty"`
	// MountAccessor is the identifier of the mount entry to which this
	// identity belongs
	MountAccessor string `protobuf:"bytes,2,opt,name=mount_accessor,json=mountAccessor,proto3" json:"mount_accessor,omitempty"`
	// Name is the identifier of this identity in its authentication source
	Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
	// Metadata represents the custom data tied to this alias. Fields added
	// to it should have a low rate of change (or no change) because each
	// change incurs a storage write, so quickly-changing fields can have
	// a significant performance impact at scale. See the SDK's
	// "aliasmetadata" package for a helper that eases and standardizes
	// using this safely.
	//
	// NOTE(review): the struct tag is elided in this rendering; consult the
	// generated protobuf source for the actual field options.
	Metadata map[string]string `` /* 157-byte string literal not displayed */
	// ID is the unique identifier for the alias
	ID string `protobuf:"bytes,5,opt,name=ID,proto3" json:"ID,omitempty"`
	// NamespaceID is the identifier of the namespace to which this alias
	// belongs.
	NamespaceID string `protobuf:"bytes,6,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
	// CustomMetadata represents the custom data tied to this alias
	//
	// NOTE(review): the struct tag is elided in this rendering; consult the
	// generated protobuf source for the actual field options.
	CustomMetadata map[string]string `` /* 191-byte string literal not displayed */
	// Local indicates if the alias only belongs to the cluster where it was
	// created. If true, the alias will be stored in a location that is ignored
	// by the performance replication subsystem.
	Local bool `protobuf:"varint,8,opt,name=local,proto3" json:"local,omitempty"`
	// contains filtered or unexported fields
}
func (*Alias) Descriptor
deprecated
func (*Alias) GetCustomMetadata ¶ added in v0.3.0
func (*Alias) GetMetadata ¶
func (*Alias) GetMountAccessor ¶
func (*Alias) GetMountType ¶
func (*Alias) GetNamespaceID ¶ added in v0.2.0
func (*Alias) ProtoMessage ¶
func (*Alias) ProtoMessage()
func (*Alias) ProtoReflect ¶ added in v0.2.0
func (x *Alias) ProtoReflect() protoreflect.Message
type Auth ¶
// Auth is the resulting authentication information that is part of Response
// for credential backends. It is also attached to Request objects and defines
// the authentication used for the request. This value is audit logged, so
// fields on it (other than ClientToken, which core fills in) should hold only
// data that is acceptable to record.
type Auth struct {
	LeaseOptions

	// InternalData is JSON-encodable data that is stored with the auth struct.
	// This will be sent back during a Renew/Revoke for storing internal data
	// used for those operations.
	InternalData map[string]interface{} `json:"internal_data" mapstructure:"internal_data" structs:"internal_data"`

	// DisplayName is a non-security sensitive identifier that is
	// applicable to this Auth. It is used for logging and prefixing
	// of dynamic secrets. For example, DisplayName may be "armon" for
	// the github credential backend. If the client token is used to
	// generate a SQL credential, the user may be "github-armon-uuid".
	// This is to help identify the source without using audit tables.
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Policies is the list of policies that the authenticated user
	// is associated with.
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// TokenPolicies and IdentityPolicies break down the list in Policies to
	// help determine where a policy was sourced
	TokenPolicies    []string `json:"token_policies" mapstructure:"token_policies" structs:"token_policies"`
	IdentityPolicies []string `json:"identity_policies" mapstructure:"identity_policies" structs:"identity_policies"`

	// ExternalNamespacePolicies represent the policies authorized from
	// different namespaces indexed by respective namespace identifiers
	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies" mapstructure:"external_namespace_policies" structs:"external_namespace_policies"`

	// NoDefaultPolicy indicates that the default policy should not be added by
	// core when creating a token. The default policy will still be added if
	// it's explicitly defined.
	NoDefaultPolicy bool `json:"no_default_policy" mapstructure:"no_default_policy" structs:"no_default_policy"`

	// Metadata is used to attach arbitrary string-type metadata to
	// an authenticated user. This metadata will be output into the
	// audit log, so it must not carry secret material.
	Metadata map[string]string `json:"metadata" mapstructure:"metadata" structs:"metadata"`

	// ClientToken is the token that is generated for the authentication.
	// This will be filled in by Vault core when an auth structure is
	// returned. Setting this manually will have no effect.
	ClientToken string `json:"client_token" mapstructure:"client_token" structs:"client_token"`

	// Accessor is the identifier for the ClientToken. This can be used
	// to perform management functionalities (especially revocation) when
	// ClientToken in the audit logs are obfuscated. Accessor can be used
	// to revoke a ClientToken and to lookup the capabilities of the ClientToken,
	// both without actually knowing the ClientToken.
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor"`

	// Period indicates that the token generated using this Auth object
	// should never expire. The token should be renewed within the duration
	// specified by this period.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period"`

	// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
	// tokens, this value is constrained by the configured max ttl.
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`

	// NumUses is the number of allowed uses of the issued token
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// EntityID is the identifier of the entity in the identity store to which
	// the identity of the authenticating client belongs.
	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// Alias is the information about the authenticated client returned by
	// the auth backend
	Alias *Alias `json:"alias" mapstructure:"alias" structs:"alias"`

	// GroupAliases are the informational mappings of external groups which an
	// authenticated user belongs to. This is used to check if there are
	// mapping groups for the group aliases in the identity store. For all the
	// matching groups, the entity ID of the user will be added.
	GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"`

	// BoundCIDRs is the set of CIDRs that this token can be used with
	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"`

	// CreationPath is a path that the backend can return to use in the lease.
	// This is currently only supported for the token store where roles may
	// change the perceived path of the lease, even though they don't change
	// the request path itself.
	CreationPath string `json:"creation_path"`

	// TokenType is the type of token being requested
	TokenType TokenType `json:"token_type"`

	// Orphan is set if the token does not have a parent
	Orphan bool `json:"orphan"`

	// PolicyResults is the set of policies that grant the token access to the
	// requesting path.
	PolicyResults *PolicyResults `json:"policy_results"`

	// MFARequirement describes the MFA constraints the login must still
	// satisfy; see MFARequirement.
	MFARequirement *MFARequirement `json:"mfa_requirement"`

	// EntityCreated is set to true if an entity is created as part of a login request
	EntityCreated bool `json:"entity_created"`

	// HTTPRequestPriority contains potential information about the request
	// priority based on required path capabilities
	HTTPRequestPriority *uint8 `json:"http_request_priority"`
}
Auth is the resulting authentication information that is part of Response for credential backends. It's also attached to Request objects and defines the authentication used for the request. This value is audit logged.
type Backend ¶
// Backend must be implemented to be "mountable" at a given path. Requests flow
// through a router whose mount points lead to a logical backend; each backend's
// logic is free-form, which is what allows materialized keys to function.
// Specialized backends for various upstreams can interact with remote APIs to
// generate keys dynamically, and internal state can be exposed "procfs"-style
// by acting like a logical backend and being mounted.
type Backend interface {
	// Initialize is used to initialize a plugin after it has been mounted.
	Initialize(context.Context, *InitializationRequest) error

	// HandleRequest is used to handle a request and generate a response.
	// The backends must check the operation type and handle appropriately.
	HandleRequest(context.Context, *Request) (*Response, error)

	// SpecialPaths is a list of paths that are special in some way.
	// See PathType for the types of special paths. The key is the type
	// of the special path, and the value is a list of paths for this type.
	// This is not a regular expression but is an exact match. If the path
	// ends in '*' then it is a prefix-based match. The '*' can only appear
	// at the end.
	SpecialPaths() *Paths

	// System provides an interface to access certain system configuration
	// information, such as globally configured default and max lease TTLs.
	System() SystemView

	// Logger provides an interface to access the underlying logger. This
	// is useful when a struct embeds a Backend-implemented struct that
	// contains a private instance of logger.
	Logger() log.Logger

	// HandleExistenceCheck is used to handle a request and generate a response
	// indicating whether the given path exists or not; this is used to
	// understand whether the request must have a Create or Update capability
	// ACL applied. The first bool indicates whether an existence check
	// function was found for the backend; the second indicates whether, if an
	// existence check function was found, the item exists or not.
	HandleExistenceCheck(context.Context, *Request) (bool, bool, error)

	// Cleanup is invoked during an unmount of a backend to allow it to
	// handle any cleanup like connection closing or releasing of file handles.
	Cleanup(context.Context)

	// InvalidateKey may be invoked when an object is modified that belongs
	// to the backend. The backend can use this to clear any caches or reset
	// internal state as needed.
	InvalidateKey(context.Context, string)

	// Setup is used to set up the backend based on the provided backend
	// configuration.
	Setup(context.Context, *BackendConfig) error

	// Type returns the BackendType for the particular backend
	Type() BackendType
}
Backend interface must be implemented to be "mountable" at a given path. Requests flow through a router which has various mount points that flow to a logical backend. The logic of each backend is flexible, and this is what allows materialized keys to function. There can be specialized logical backends for various upstreams (Consul, PostgreSQL, MySQL, etc) that can interact with remote APIs to generate keys dynamically. This interface also allows for a "procfs" like interaction, as internal state can be exposed by acting like a logical backend and being mounted.
type BackendConfig ¶
// BackendConfig is provided to the Factory to initialize the backend.
type BackendConfig struct {
	// StorageView should not be stored, and should only be used for
	// initialization
	StorageView Storage

	// Logger is the logger the backend should use. The log should not contain
	// any secrets.
	Logger log.Logger

	// System provides a view into a subset of safe system information that
	// is useful for backends, such as the default/max lease TTLs
	System SystemView

	// BackendUUID is a unique identifier provided to this backend. It's useful
	// when a backend needs a consistent and unique string without using storage.
	BackendUUID string

	// Config is the opaque user configuration provided when mounting
	Config map[string]string

	// EventsSender provides a mechanism to interact with Vault events.
	EventsSender EventSender
}
BackendConfig is provided to the factory to initialize the backend
func TestBackendConfig ¶
func TestBackendConfig() *BackendConfig
type BackendType ¶
// BackendType is the type of backend that is being implemented; see the
// Type* constants for the defined values.
type BackendType uint32
BackendType is the type of backend that is being implemented
// These are the types of backends that can be derived from logical.Backend.
const (
	TypeUnknown    BackendType = 0 // This is also the zero-value for BackendType
	TypeLogical    BackendType = 1
	TypeCredential BackendType = 2
)
These are the types of backends that can be derived from logical.Backend.
type ClearableView ¶
type ClientTokenSource ¶
// ClientTokenSource records where a request's client token was read from;
// see the NoClientToken / ClientTokenFrom* constants and the generated
// String/IsAClientTokenSource helpers.
type ClientTokenSource uint32
// ClientTokenSource values. NoClientToken is the zero value (no token was
// supplied); the remaining names identify the header or internal path the
// token came from.
const (
	NoClientToken ClientTokenSource = iota
	ClientTokenFromVaultHeader
	ClientTokenFromAuthzHeader
	ClientTokenFromInternalAuth
)
func ClientTokenSourceString ¶ added in v0.13.0
func ClientTokenSourceString(s string) (ClientTokenSource, error)
ClientTokenSourceString retrieves an enum value from the enum constant's string name. It returns an error if the parameter is not part of the enum.
func ClientTokenSourceValues ¶ added in v0.13.0
func ClientTokenSourceValues() []ClientTokenSource
ClientTokenSourceValues returns all values of the enum
func (ClientTokenSource) IsAClientTokenSource ¶ added in v0.13.0
func (i ClientTokenSource) IsAClientTokenSource() bool
IsAClientTokenSource returns true if the value is listed in the enum definition, and false otherwise.
func (ClientTokenSource) String ¶ added in v0.13.0
func (i ClientTokenSource) String() string
type Connection ¶
// Connection represents the connection information for a request. This is
// present on the Request structure for credential backends.
type Connection struct {
	// RemoteAddr is the network address that sent the request.
	RemoteAddr string `json:"remote_addr"`

	// RemotePort is the network port that sent the request.
	RemotePort int `json:"remote_port"`

	// ConnState is the TLS connection state if applicable.
	// NOTE(review): the empty `sentinel:""` tag presumably keeps this field
	// out of Sentinel policy data — confirm against the sentinel package.
	ConnState *tls.ConnectionState `sentinel:""`
}
Connection represents the connection information for a request. This is present on the Request structure for credential backends.
type ControlGroup ¶
type CtxKeyDisableRequestLimiter ¶ added in v0.11.0
// CtxKeyDisableRequestLimiter is a context key type; it implements String.
type CtxKeyDisableRequestLimiter struct{}
func (CtxKeyDisableRequestLimiter) String ¶ added in v0.11.0
func (c CtxKeyDisableRequestLimiter) String() string
type CtxKeyInFlightRequestID ¶ added in v0.4.0
// CtxKeyInFlightRequestID is a context key type for the in-flight request ID;
// it implements String. See CtxKeyInFlightTraceID for how the ID is carried
// across forwarded requests.
type CtxKeyInFlightRequestID struct{}
func (CtxKeyInFlightRequestID) String ¶ added in v0.4.0
func (c CtxKeyInFlightRequestID) String() string
type CtxKeyInFlightRequestPriority ¶ added in v0.13.0
// CtxKeyInFlightRequestPriority is a context key type; it implements String.
type CtxKeyInFlightRequestPriority struct{}
func (CtxKeyInFlightRequestPriority) String ¶ added in v0.13.0
func (c CtxKeyInFlightRequestPriority) String() string
type CtxKeyInFlightTraceID ¶ added in v0.13.0
// CtxKeyInFlightTraceID is used for passing a trace ID through request
// forwarding. The CtxKeyInFlightRequestID created at the HTTP layer is
// propagated on through any forwarded requests using this key.
type CtxKeyInFlightTraceID struct{}
CtxKeyInFlightTraceID is used for passing a trace ID through request forwarding. The CtxKeyInFlightRequestID created at the HTTP layer is propagated on through any forwarded requests using this key.
Note that this applies to replication service RPCs (including ForwardingRequest from perf standbys or secondaries). The Forwarding RPC service may propagate the context but the handling on the active node runs back through the `http` package handler which builds a new context from HTTP request properties and creates a fresh request ID. Forwarding RPC is used exclusively in Community Edition but also in some special cases in Enterprise such as when forwarding is forced by an HTTP header.
func (CtxKeyInFlightTraceID) String ¶ added in v0.13.0
func (c CtxKeyInFlightTraceID) String() string
type CtxKeyRequestRole ¶ added in v0.10.0
// CtxKeyRequestRole is a context key type; it implements String.
type CtxKeyRequestRole struct{}
func (CtxKeyRequestRole) String ¶ added in v0.10.0
func (c CtxKeyRequestRole) String() string
type CustomHeader ¶ added in v0.4.0
type DelegatedAuthErrorHandler ¶ added in v0.11.0
type Empty ¶ added in v0.6.0
// Empty is a protobuf message with no exported fields.
type Empty struct {
	// contains filtered or unexported fields
}
func (*Empty) Descriptor
deprecated
added in
v0.6.0
func (*Empty) ProtoMessage ¶ added in v0.6.0
func (*Empty) ProtoMessage()
func (*Empty) ProtoReflect ¶ added in v0.6.0
func (x *Empty) ProtoReflect() protoreflect.Message
type Entity ¶
// Entity is the identity-store record that aliases from one or more auth
// mounts resolve to. It is a protobuf-generated message.
type Entity struct {
	// ID is the unique identifier for the entity
	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
	// Name is the human-friendly unique identifier for the entity
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// Aliases contains the alias mappings for the given entity
	Aliases []*Alias `protobuf:"bytes,3,rep,name=aliases,proto3" json:"aliases,omitempty"`
	// Metadata represents the custom data tied to this entity
	Metadata map[string]string `` /* 157-byte string literal not displayed */
	// Disabled is true if the entity is disabled.
	Disabled bool `protobuf:"varint,5,opt,name=disabled,proto3" json:"disabled,omitempty"`
	// NamespaceID is the identifier of the namespace to which this entity
	// belongs.
	NamespaceID string `protobuf:"bytes,6,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
	// contains filtered or unexported fields
}
func (*Entity) Descriptor
deprecated
func (*Entity) GetAliases ¶
func (*Entity) GetDisabled ¶ added in v0.1.12
func (*Entity) GetMetadata ¶
func (*Entity) GetNamespaceID ¶ added in v0.2.0
func (*Entity) ProtoMessage ¶
func (*Entity) ProtoMessage()
func (*Entity) ProtoReflect ¶ added in v0.2.0
func (x *Entity) ProtoReflect() protoreflect.Message
type EventData ¶ added in v0.8.0
// EventData contains event data in a CloudEvents container. It is a
// protobuf-generated message.
type EventData struct {
	// ID identifies the event. It is required. The combination of
	// CloudEvents Source (i.e., Vault cluster) + ID must be unique.
	// Events with the same Source + ID can be assumed to be duplicates
	// by consumers.
	// Be careful when setting this manually that the ID contains enough
	// entropy to be unique, or possibly that it is idempotent, such
	// as a hash of other fields with sufficient uniqueness.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Metadata is arbitrary non-secret data. Optional.
	Metadata *structpb.Struct `protobuf:"bytes,2,opt,name=metadata,proto3" json:"metadata,omitempty"`
	// EntityIds lists any IDs that the event relates to, i.e., UUIDs, paths.
	EntityIds []string `protobuf:"bytes,3,rep,name=entity_ids,json=entityIds,proto3" json:"entity_ids,omitempty"`
	// Note is a human-readable note.
	Note string `protobuf:"bytes,4,opt,name=note,proto3" json:"note,omitempty"`
	// contains filtered or unexported fields
}
EventData contains event data in a CloudEvents container.
func (*EventData) Descriptor
deprecated
added in
v0.8.0
func (*EventData) GetEntityIds ¶ added in v0.8.0
func (*EventData) GetMetadata ¶ added in v0.8.0
func (*EventData) ProtoMessage ¶ added in v0.8.0
func (*EventData) ProtoMessage()
func (*EventData) ProtoReflect ¶ added in v0.8.0
func (x *EventData) ProtoReflect() protoreflect.Message
type EventPluginInfo ¶ added in v0.8.0
// EventPluginInfo contains data related to the plugin that generated an
// event. It is a protobuf-generated message.
type EventPluginInfo struct {
	// MountClass is the type of plugin this event originated from, i.e., "auth" or "secrets".
	MountClass string `protobuf:"bytes,1,opt,name=mount_class,json=mountClass,proto3" json:"mount_class,omitempty"`
	// MountAccessor is the unique ID of the mount entry, e.g., "kv_957bb7d8"
	MountAccessor string `protobuf:"bytes,2,opt,name=mount_accessor,json=mountAccessor,proto3" json:"mount_accessor,omitempty"`
	// MountPath is the mount path of the plugin this event originated from, e.g., "secret/"
	MountPath string `protobuf:"bytes,3,opt,name=mount_path,json=mountPath,proto3" json:"mount_path,omitempty"`
	// Plugin is the plugin name that this event originated from, e.g., "kv"
	Plugin string `protobuf:"bytes,4,opt,name=plugin,proto3" json:"plugin,omitempty"`
	// PluginVersion is the version of the plugin this event originated from, e.g., "v0.13.3+builtin"
	PluginVersion string `protobuf:"bytes,5,opt,name=plugin_version,json=pluginVersion,proto3" json:"plugin_version,omitempty"`
	// Version is the mount version that this event originated from, i.e., if KVv2, then "2". Usually empty.
	Version string `protobuf:"bytes,6,opt,name=version,proto3" json:"version,omitempty"`
	// contains filtered or unexported fields
}
EventPluginInfo contains data related to the plugin that generated an event.
func (*EventPluginInfo) Descriptor
deprecated
added in
v0.8.0
func (*EventPluginInfo) Descriptor() ([]byte, []int)
Deprecated: Use EventPluginInfo.ProtoReflect.Descriptor instead.
func (*EventPluginInfo) GetMountAccessor ¶ added in v0.8.0
func (x *EventPluginInfo) GetMountAccessor() string
func (*EventPluginInfo) GetMountClass ¶ added in v0.8.0
func (x *EventPluginInfo) GetMountClass() string
func (*EventPluginInfo) GetMountPath ¶ added in v0.8.0
func (x *EventPluginInfo) GetMountPath() string
func (*EventPluginInfo) GetPlugin ¶ added in v0.8.0
func (x *EventPluginInfo) GetPlugin() string
func (*EventPluginInfo) GetPluginVersion ¶ added in v0.8.0
func (x *EventPluginInfo) GetPluginVersion() string
func (*EventPluginInfo) GetVersion ¶ added in v0.8.0
func (x *EventPluginInfo) GetVersion() string
func (*EventPluginInfo) ProtoMessage ¶ added in v0.8.0
func (*EventPluginInfo) ProtoMessage()
func (*EventPluginInfo) ProtoReflect ¶ added in v0.8.0
func (x *EventPluginInfo) ProtoReflect() protoreflect.Message
func (*EventPluginInfo) Reset ¶ added in v0.8.0
func (x *EventPluginInfo) Reset()
func (*EventPluginInfo) String ¶ added in v0.8.0
func (x *EventPluginInfo) String() string
type EventReceived ¶ added in v0.8.0
// EventReceived is used to consume events and includes additional metadata
// regarding the event type and plugin information. It is a protobuf-generated
// message; BexprDatum produces the form used for go-bexpr filtering.
type EventReceived struct {
	// Event is the CloudEvents payload.
	Event *EventData `protobuf:"bytes,1,opt,name=event,proto3" json:"event,omitempty"`
	// Namespace is the namespace path
	Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
	// EventType is the topic the event was published on (see EventType).
	EventType string `protobuf:"bytes,3,opt,name=event_type,json=eventType,proto3" json:"event_type,omitempty"`
	// PluginInfo identifies the plugin that generated the event.
	PluginInfo *EventPluginInfo `protobuf:"bytes,4,opt,name=plugin_info,json=pluginInfo,proto3" json:"plugin_info,omitempty"`
	// contains filtered or unexported fields
}
EventReceived is used to consume events and includes additional metadata regarding the event type and plugin information.
func (*EventReceived) BexprDatum ¶ added in v0.10.1
func (x *EventReceived) BexprDatum() any
BexprDatum returns a copy of EventReceived formatted for use in evaluating go-bexpr boolean expressions.
func (*EventReceived) Descriptor
deprecated
added in
v0.8.0
func (*EventReceived) Descriptor() ([]byte, []int)
Deprecated: Use EventReceived.ProtoReflect.Descriptor instead.
func (*EventReceived) GetEvent ¶ added in v0.8.0
func (x *EventReceived) GetEvent() *EventData
func (*EventReceived) GetEventType ¶ added in v0.8.0
func (x *EventReceived) GetEventType() string
func (*EventReceived) GetNamespace ¶ added in v0.8.0
func (x *EventReceived) GetNamespace() string
func (*EventReceived) GetPluginInfo ¶ added in v0.8.0
func (x *EventReceived) GetPluginInfo() *EventPluginInfo
func (*EventReceived) ID ¶ added in v0.9.0
func (x *EventReceived) ID() string
ID is an alias to GetId() for CloudEvents compatibility.
func (*EventReceived) ProtoMessage ¶ added in v0.8.0
func (*EventReceived) ProtoMessage()
func (*EventReceived) ProtoReflect ¶ added in v0.8.0
func (x *EventReceived) ProtoReflect() protoreflect.Message
func (*EventReceived) Reset ¶ added in v0.8.0
func (x *EventReceived) Reset()
func (*EventReceived) String ¶ added in v0.8.0
func (x *EventReceived) String() string
type EventReceivedBexpr ¶ added in v0.10.1
// EventReceivedBexpr is used for evaluating boolean expressions with go-bexpr;
// the bexpr tags give the field names usable in expressions.
type EventReceivedBexpr struct {
	EventType         string `bexpr:"event_type"`
	Operation         string `bexpr:"operation"`
	SourcePluginMount string `bexpr:"source_plugin_mount"`
	DataPath          string `bexpr:"data_path"`
	Namespace         string `bexpr:"namespace"`
}
EventReceivedBexpr is used for evaluating boolean expressions with go-bexpr.
type EventSender ¶ added in v0.8.0
// EventSender sends events to the common event bus.
type EventSender interface {
	// SendEvent publishes event on the eventType topic.
	SendEvent(ctx context.Context, eventType EventType, event *EventData) error
}
EventSender sends events to the common event bus.
type EventType ¶ added in v0.8.0
// EventType represents a topic, and is a wrapper around eventlogger.EventType.
type EventType string
EventType represents a topic, and is a wrapper around eventlogger.EventType.
type ExtendedSystemView ¶ added in v0.1.12
// ExtendedSystemView extends WellKnownSystemView with auditing, request
// forwarding, API-lock and plugin-version lookups.
type ExtendedSystemView interface {
	WellKnownSystemView

	// Auditor returns the Auditor for this view.
	Auditor() Auditor

	// ForwardGenericRequest forwards the request and returns the response.
	ForwardGenericRequest(context.Context, *Request) (*Response, error)

	// APILockShouldBlockRequest returns whether a namespace for the requested
	// mount is locked and should be blocked
	APILockShouldBlockRequest() (bool, error)

	// GetPinnedPluginVersion returns the pinned version for the given plugin, if any.
	GetPinnedPluginVersion(ctx context.Context, pluginType consts.PluginType, pluginName string) (*pluginutil.PinnedVersion, error)
}
type Factory ¶
// Factory is the factory function to create a logical backend from its
// BackendConfig.
type Factory func(context.Context, *BackendConfig) (Backend, error)
Factory is the factory function to create a logical backend.
type Group ¶ added in v0.2.0
// Group is an identity-store group. It is a protobuf-generated message.
type Group struct {
	// ID is the unique identifier for the group
	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
	// Name is the human-friendly unique identifier for the group
	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
	// Metadata represents the custom data tied to this group
	Metadata map[string]string `` /* 157-byte string literal not displayed */
	// NamespaceID is the identifier of the namespace to which this group
	// belongs.
	NamespaceID string `protobuf:"bytes,4,opt,name=namespace_id,json=namespaceID,proto3" json:"namespace_id,omitempty"`
	// contains filtered or unexported fields
}
func (*Group) Descriptor
deprecated
added in
v0.2.0
func (*Group) GetMetadata ¶ added in v0.2.0
func (*Group) GetNamespaceID ¶ added in v0.2.0
func (*Group) ProtoMessage ¶ added in v0.2.0
func (*Group) ProtoMessage()
func (*Group) ProtoReflect ¶ added in v0.2.0
func (x *Group) ProtoReflect() protoreflect.Message
type HTTPAuth ¶
// HTTPAuth is the auth block of an HTTPResponse: the wire (JSON) form of the
// authentication result handed back to an HTTP client. ClientToken is the
// issued credential; Accessor is the token's non-secret handle that can be
// used for revocation and capability lookup without the token itself.
type HTTPAuth struct {
	ClientToken      string            `json:"client_token"`
	Accessor         string            `json:"accessor"`
	Policies         []string          `json:"policies"`
	TokenPolicies    []string          `json:"token_policies,omitempty"`
	IdentityPolicies []string          `json:"identity_policies,omitempty"`
	Metadata         map[string]string `json:"metadata"`
	LeaseDuration    int               `json:"lease_duration"`
	Renewable        bool              `json:"renewable"`
	EntityID         string            `json:"entity_id"`
	TokenType        string            `json:"token_type"`
	Orphan           bool              `json:"orphan"`
	MFARequirement   *MFARequirement   `json:"mfa_requirement"`
	NumUses          int               `json:"num_uses"`
}
type HTTPCodedError ¶
func CodedError ¶
func CodedError(status int, msg string) HTTPCodedError
type HTTPResponse ¶
// HTTPResponse is the JSON form of a logical Response as returned to HTTP
// clients; LogicalResponseToHTTPResponse produces it. Headers is tagged
// `json:"-"` and so is never serialized into the body.
type HTTPResponse struct {
	RequestID     string                 `json:"request_id"`
	LeaseID       string                 `json:"lease_id"`
	Renewable     bool                   `json:"renewable"`
	LeaseDuration int                    `json:"lease_duration"`
	Data          map[string]interface{} `json:"data"`
	WrapInfo      *HTTPWrapInfo          `json:"wrap_info"`
	Warnings      []string               `json:"warnings"`
	Headers       map[string][]string    `json:"-"`
	Auth          *HTTPAuth              `json:"auth"`
	MountType     string                 `json:"mount_type"`
}
func LogicalResponseToHTTPResponse ¶
func LogicalResponseToHTTPResponse(input *Response) *HTTPResponse
This logic was pulled from the http package so that it can be used for encoding wrapped responses as well. It simply translates the logical response to an http response, with the values we want and omitting the values we don't.
type HTTPResponseWriter ¶ added in v0.1.12
// HTTPResponseWriter is optionally added to a request object and can be used
// to write directly to the HTTP response writer. Written reports whether
// Write has been called.
type HTTPResponseWriter struct {
	http.ResponseWriter
	// contains filtered or unexported fields
}
HTTPResponseWriter is optionally added to a request object and can be used to write directly to the HTTP response writer.
func NewHTTPResponseWriter ¶ added in v0.1.12
func NewHTTPResponseWriter(w http.ResponseWriter) *HTTPResponseWriter
NewHTTPResponseWriter creates a new HTTPResponseWriter object that wraps the provided http.ResponseWriter.
func (*HTTPResponseWriter) Write ¶ added in v0.1.12
func (w *HTTPResponseWriter) Write(bytes []byte) (int, error)
Write will write the bytes to the underlying io.Writer.
func (*HTTPResponseWriter) Written ¶ added in v0.1.12
func (w *HTTPResponseWriter) Written() bool
Written tells us if the writer has been written to yet.
type HTTPSysInjector ¶
// HTTPSysInjector wraps an HTTPResponse and implements MarshalJSON for it.
type HTTPSysInjector struct {
	// Response is the response to be marshaled.
	Response *HTTPResponse
}
func (HTTPSysInjector) MarshalJSON ¶
func (h HTTPSysInjector) MarshalJSON() ([]byte, error)
type HTTPWrapInfo ¶
type InitializationRequest ¶ added in v0.1.12
// InitializationRequest stores the parameters and context of an Initialize()
// call being made to a logical.Backend.
type InitializationRequest struct {
	// Storage can be used to durably store and retrieve state.
	Storage Storage
}
InitializationRequest stores the parameters and context of an Initialize() call being made to a logical.Backend.
type InmemStorage ¶
// InmemStorage implements Storage and stores all data in memory. It is
// basically a straight copy of physical.Inmem, but it prevents backends from
// having to load all of physical's dependencies just to have some testing
// storage. The Fail* methods let tests inject errors per operation.
type InmemStorage struct {
	// contains filtered or unexported fields
}
InmemStorage implements Storage and stores all data in memory. It is basically a straight copy of physical.Inmem, but it prevents backends from having to load all of physical's dependencies (which are legion) just to have some testing storage.
func (*InmemStorage) FailDelete ¶ added in v0.2.0
func (s *InmemStorage) FailDelete(fail bool) *InmemStorage
func (*InmemStorage) FailGet ¶ added in v0.2.0
func (s *InmemStorage) FailGet(fail bool) *InmemStorage
func (*InmemStorage) FailList ¶ added in v0.2.0
func (s *InmemStorage) FailList(fail bool) *InmemStorage
func (*InmemStorage) FailPut ¶ added in v0.2.0
func (s *InmemStorage) FailPut(fail bool) *InmemStorage
func (*InmemStorage) Get ¶
func (s *InmemStorage) Get(ctx context.Context, key string) (*StorageEntry, error)
func (*InmemStorage) Put ¶
func (s *InmemStorage) Put(ctx context.Context, entry *StorageEntry) error
func (*InmemStorage) Underlying ¶
func (s *InmemStorage) Underlying() *inmem.InmemBackend
type KeyNotFoundError ¶
// KeyNotFoundError reports a missing key; it implements error and exposes
// the underlying cause through WrappedErrors.
type KeyNotFoundError struct {
	// Err is the underlying error.
	Err error
}
func (*KeyNotFoundError) Error ¶
func (e *KeyNotFoundError) Error() string
func (*KeyNotFoundError) WrappedErrors ¶
func (e *KeyNotFoundError) WrappedErrors() []error
type KeyUsage ¶ added in v0.4.0
// KeyUsage enumerates the operations a managed key may be used for; see
// ManagedKey.AllowsAll and the generated KeyUsageString/KeyUsageValues
// helpers.
type KeyUsage int
func KeyUsageString ¶ added in v0.13.0
KeyUsageString retrieves an enum value from the enum constant's string name. It returns an error if the parameter is not part of the enum.
func KeyUsageValues ¶ added in v0.13.0
func KeyUsageValues() []KeyUsage
KeyUsageValues returns all values of the enum
func (KeyUsage) IsAKeyUsage ¶ added in v0.13.0
IsAKeyUsage returns true if the value is listed in the enum definition, and false otherwise.
type LeaseOptions ¶
// LeaseOptions is an embeddable struct to capture common lease settings
// between a Secret and Auth.
type LeaseOptions struct {
	// TTL is the duration that this secret is valid for. Vault
	// will automatically revoke it after the duration.
	TTL time.Duration `json:"lease"`

	// MaxTTL is the maximum duration that this secret is valid for.
	MaxTTL time.Duration `json:"max_ttl"`

	// Renewable, if true, means that this secret can be renewed.
	Renewable bool `json:"renewable"`

	// Increment will be the lease increment that the user requested.
	// This is only available on a Renew operation and has no effect
	// when returning a response.
	Increment time.Duration `json:"-"`

	// IssueTime is the time of issue for the original lease. This is
	// only available on Renew and Revoke operations and has no effect when returning
	// a response. It can be used to enforce maximum lease periods by
	// a logical backend.
	IssueTime time.Time `json:"-"`
}
LeaseOptions is an embeddable struct to capture common lease settings between a Secret and Auth
func (*LeaseOptions) ExpirationTime ¶
func (l *LeaseOptions) ExpirationTime() time.Time
ExpirationTime computes the expiration time, including the grace period.
func (*LeaseOptions) LeaseEnabled ¶
func (l *LeaseOptions) LeaseEnabled() bool
LeaseEnabled checks if leasing is enabled
func (*LeaseOptions) LeaseTotal ¶
func (l *LeaseOptions) LeaseTotal() time.Duration
LeaseTotal is the lease duration with a guard against a negative TTL
type LogInput ¶ added in v0.1.11
// LogInput is used as the input to the audit system on which audit entries
// are based.
type LogInput struct {
	Type     string
	Auth     *Auth
	Request  *Request
	Response *Response
	// OuterErr is the error returned for the request; Clone does not deep-copy
	// it because it is an interface value.
	OuterErr error
	// NOTE(review): by their names these list request/response data keys the
	// audit system should leave un-HMACed — confirm against the audit package.
	NonHMACReqDataKeys  []string
	NonHMACRespDataKeys []string
}
LogInput is used as the input to the audit system on which audit entries are based.
func (*LogInput) BexprDatum ¶ added in v0.11.0
func (l *LogInput) BexprDatum(namespace string) *LogInputBexpr
BexprDatum returns values from a LogInput formatted for use in evaluating go-bexpr boolean expressions. The namespace should be supplied from the current request's context.
func (*LogInput) Clone ¶ added in v0.11.0
Clone will attempt to create a deep copy (almost) of the LogInput. If the LogInput type or any of the subtypes referenced by LogInput fields are changed, then the Clone methods will need to be updated. NOTE: Does not deep clone the LogInput.OuterErr field as it represents an error interface. NOTE: LogInput.Request.Connection (at the time of writing) is also not deep-copied and remains a pointer, see Request.Clone for more information.
type LogInputBexpr ¶ added in v0.11.0
// LogInputBexpr is used for evaluating boolean expressions with go-bexpr;
// LogInput.BexprDatum builds it and the bexpr tags name the fields usable in
// expressions.
type LogInputBexpr struct {
	MountPoint string `bexpr:"mount_point"`
	MountType  string `bexpr:"mount_type"`
	Namespace  string `bexpr:"namespace"`
	Operation  string `bexpr:"operation"`
	Path       string `bexpr:"path"`
}
LogInputBexpr is used for evaluating boolean expressions with go-bexpr.
type LogicalStorage ¶
// LogicalStorage adapts a physical.Backend to the Storage interface
// (Get/Put/Delete); NewLogicalStorage constructs it and Underlying returns
// the wrapped backend.
type LogicalStorage struct {
	// contains filtered or unexported fields
}
func NewLogicalStorage ¶
func NewLogicalStorage(underlying physical.Backend) *LogicalStorage
func (*LogicalStorage) Delete ¶
func (s *LogicalStorage) Delete(ctx context.Context, key string) error
func (*LogicalStorage) Get ¶
func (s *LogicalStorage) Get(ctx context.Context, key string) (*StorageEntry, error)
func (*LogicalStorage) Put ¶
func (s *LogicalStorage) Put(ctx context.Context, entry *StorageEntry) error
func (*LogicalStorage) Underlying ¶
func (s *LogicalStorage) Underlying() physical.Backend
type MFAConstraintAny ¶ added in v0.4.0
// MFAConstraintAny is satisfied by any one of the listed MFA methods. It is a
// protobuf-generated message used as the value type of
// MFARequirement.MFAConstraints.
type MFAConstraintAny struct {
	// Any lists the methods of which one must be satisfied.
	Any []*MFAMethodID `protobuf:"bytes,1,rep,name=any,proto3" json:"any,omitempty"`
	// contains filtered or unexported fields
}
func (*MFAConstraintAny) Descriptor
deprecated
added in
v0.4.0
func (*MFAConstraintAny) Descriptor() ([]byte, []int)
Deprecated: Use MFAConstraintAny.ProtoReflect.Descriptor instead.
func (*MFAConstraintAny) GetAny ¶ added in v0.4.0
func (x *MFAConstraintAny) GetAny() []*MFAMethodID
func (*MFAConstraintAny) ProtoMessage ¶ added in v0.4.0
func (*MFAConstraintAny) ProtoMessage()
func (*MFAConstraintAny) ProtoReflect ¶ added in v0.4.0
func (x *MFAConstraintAny) ProtoReflect() protoreflect.Message
func (*MFAConstraintAny) Reset ¶ added in v0.4.0
func (x *MFAConstraintAny) Reset()
func (*MFAConstraintAny) String ¶ added in v0.4.0
func (x *MFAConstraintAny) String() string
type MFAMethodID ¶ added in v0.4.0
// MFAMethodID identifies a configured MFA method. It is a protobuf-generated
// message.
type MFAMethodID struct {
	// Type is the MFA method type.
	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	// ID is the method's identifier.
	ID string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
	// UsesPasscode reports whether the method requires a passcode from the user.
	UsesPasscode bool `protobuf:"varint,3,opt,name=uses_passcode,json=usesPasscode,proto3" json:"uses_passcode,omitempty"`
	// Name is the method's configured name.
	Name string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}
func (*MFAMethodID) Descriptor
deprecated
added in
v0.4.0
func (*MFAMethodID) Descriptor() ([]byte, []int)
Deprecated: Use MFAMethodID.ProtoReflect.Descriptor instead.
func (*MFAMethodID) GetID ¶ added in v0.4.0
func (x *MFAMethodID) GetID() string
func (*MFAMethodID) GetName ¶ added in v0.8.0
func (x *MFAMethodID) GetName() string
func (*MFAMethodID) GetType ¶ added in v0.4.0
func (x *MFAMethodID) GetType() string
func (*MFAMethodID) GetUsesPasscode ¶ added in v0.4.0
func (x *MFAMethodID) GetUsesPasscode() bool
func (*MFAMethodID) ProtoMessage ¶ added in v0.4.0
func (*MFAMethodID) ProtoMessage()
func (*MFAMethodID) ProtoReflect ¶ added in v0.4.0
func (x *MFAMethodID) ProtoReflect() protoreflect.Message
func (*MFAMethodID) Reset ¶ added in v0.4.0
func (x *MFAMethodID) Reset()
func (*MFAMethodID) String ¶ added in v0.4.0
func (x *MFAMethodID) String() string
type MFARequirement ¶ added in v0.4.0
// MFARequirement is a generated protobuf message describing the MFA that a
// request still has to satisfy. The field tags bind the struct to the wire
// format, so neither the tags nor the field order should be edited by hand.
type MFARequirement struct {
	// MFARequestID identifies this pending MFA requirement so that a later
	// validation call can be matched back to it.
	MFARequestID string `protobuf:"bytes,1,opt,name=mfa_request_id,json=mfaRequestId,proto3" json:"mfa_request_id,omitempty"`
	// MFAConstraints maps a constraint name to the methods that can satisfy
	// it. The map key's meaning is not visible here — presumably the
	// enforcement config name; verify against the caller.
	MFAConstraints map[string]*MFAConstraintAny `` /* 191-byte string literal not displayed */
	// contains filtered or unexported fields
}
func (*MFARequirement) Descriptor ¶ deprecated · added in v0.4.0
func (*MFARequirement) Descriptor() ([]byte, []int)
Deprecated: Use MFARequirement.ProtoReflect.Descriptor instead.
func (*MFARequirement) GetMFAConstraints ¶ added in v0.4.0
func (x *MFARequirement) GetMFAConstraints() map[string]*MFAConstraintAny
func (*MFARequirement) GetMFARequestID ¶ added in v0.4.0
func (x *MFARequirement) GetMFARequestID() string
func (*MFARequirement) ProtoMessage ¶ added in v0.4.0
func (*MFARequirement) ProtoMessage()
func (*MFARequirement) ProtoReflect ¶ added in v0.4.0
func (x *MFARequirement) ProtoReflect() protoreflect.Message
func (*MFARequirement) Reset ¶ added in v0.4.0
func (x *MFARequirement) Reset()
func (*MFARequirement) String ¶ added in v0.4.0
func (x *MFARequirement) String() string
type ManagedAsymmetricKey ¶ added in v0.4.0
type ManagedEncryptingKey ¶ added in v0.6.0
type ManagedEncryptingKeyConsumer ¶ added in v0.6.0
// ManagedEncryptingKeyConsumer is the callback type through which a backend
// receives a ManagedEncryptingKey from ManagedKeySystemView. Per that
// interface's contract the key is only valid for the duration of the call;
// implementations must not retain it.
type ManagedEncryptingKeyConsumer func(context.Context, ManagedEncryptingKey) error
type ManagedKey ¶ added in v0.4.0
// ManagedKey is the common interface of keys held in an external KMS/HSM
// and exposed to backends via ManagedKeySystemView.
type ManagedKey interface {
	// Name is a human-readable identifier for the managed key. It may be
	// changed or renamed over the key's lifetime, so use UUID when a stable
	// long-term identifier is needed (for example in stored references).
	Name() string
	// UUID is a unique identifier for the managed key that is guaranteed to
	// remain consistent even if the key is migrated or renamed.
	UUID() string
	// Present returns true if the key is established in the KMS. It may
	// return false if, for example, an HSM library is not configured on all
	// cluster nodes; callers should handle that as "unavailable here", not
	// as "does not exist".
	Present(ctx context.Context) (bool, error)
	// AllowsAll returns true if every requested usage is supported by the
	// managed key. Check this before attempting an operation rather than
	// relying on the operation to fail.
	AllowsAll(usages []KeyUsage) bool
}
type ManagedKeyConsumer ¶ added in v0.4.0
// ManagedKeyConsumer is the callback type through which a backend receives a
// ManagedKey from ManagedKeySystemView.WithManagedKeyByName/ByUUID. The key
// is only valid within the callback; it must not be retained.
type ManagedKeyConsumer func(context.Context, ManagedKey) error
type ManagedKeyLifecycle ¶ added in v0.4.0
type ManagedKeyRandomSource ¶ added in v0.6.2
// ManagedKeyRandomSource is a ManagedKey that can also act as a source of
// random bytes (typically a hardware RNG behind the key's provider).
type ManagedKeyRandomSource interface {
	ManagedKey
	// GetRandomBytes returns count random bytes sourced from the target
	// managed key. Whether a short read is possible on success is not
	// specified here — callers should check len(result) == count.
	GetRandomBytes(count int) ([]byte, error)
}
type ManagedKeyRandomSourceConsumer ¶ added in v0.6.2
// ManagedKeyRandomSourceConsumer is the callback type through which a
// backend receives a ManagedKeyRandomSource. The key is only valid within
// the callback; it must not be retained.
type ManagedKeyRandomSourceConsumer func(context.Context, ManagedKeyRandomSource) error
type ManagedKeySystemView ¶ added in v0.4.0
// ManagedKeySystemView gives a backend scoped access to managed keys. Every
// accessor hands the instantiated key to a callback and the key is only
// valid for the duration of that call — it must not be stored or used
// after the callback returns. backendUUID identifies the calling mount so
// that access can be restricted to keys the mount is allowed to use.
type ManagedKeySystemView interface {
	// WithManagedKeyByName retrieves an instantiated managed key, looked up
	// by name, for consumption by the given function. The provided key can
	// only be used within the scope of that function call.
	WithManagedKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedKeyConsumer) error
	// WithManagedKeyByUUID retrieves an instantiated managed key, looked up
	// by UUID, for consumption by the given function. The provided key can
	// only be used within the scope of that function call.
	WithManagedKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedKeyConsumer) error
	// WithManagedSigningKeyByName retrieves an instantiated managed signing
	// key by name for consumption by the given function, with the same
	// semantics as WithManagedKeyByName.
	WithManagedSigningKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedSigningKeyConsumer) error
	// WithManagedSigningKeyByUUID retrieves an instantiated managed signing
	// key by UUID for consumption by the given function, with the same
	// semantics as WithManagedKeyByUUID.
	WithManagedSigningKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedSigningKeyConsumer) error
	// WithManagedEncryptingKeyByName retrieves an instantiated managed
	// encrypting key by name for consumption by the given function, with
	// the same semantics as WithManagedKeyByName.
	WithManagedEncryptingKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedEncryptingKeyConsumer) error
	// WithManagedEncryptingKeyByUUID retrieves an instantiated managed
	// encrypting key by UUID for consumption by the given function, with
	// the same semantics as WithManagedKeyByUUID.
	WithManagedEncryptingKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedEncryptingKeyConsumer) error
	// WithManagedMACKeyByName retrieves an instantiated managed MAC key by
	// name for consumption by the given function, with the same semantics
	// as WithManagedKeyByName.
	WithManagedMACKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedMACKeyConsumer) error
	// WithManagedMACKeyByUUID retrieves an instantiated managed MAC key by
	// UUID for consumption by the given function, with the same semantics
	// as WithManagedKeyByUUID.
	WithManagedMACKeyByUUID(ctx context.Context, keyUUID, backendUUID string, f ManagedMACKeyConsumer) error
}
type ManagedMACKey ¶ added in v0.6.2
type ManagedMACKeyConsumer ¶ added in v0.6.2
// ManagedMACKeyConsumer is the callback type through which a backend
// receives a ManagedMACKey. The key is only valid within the callback; it
// must not be retained.
type ManagedMACKeyConsumer func(context.Context, ManagedMACKey) error
type ManagedSigningKey ¶ added in v0.4.0
// ManagedSigningKey is an asymmetric managed key that can produce and verify
// digital signatures.
type ManagedSigningKey interface {
	ManagedAsymmetricKey
	// Sign returns a digital signature of the provided value. The
	// SignerOpts param must provide the hash function that generated the
	// value (if any). The optional randomSource specifies the source of
	// random values and may be ignored by the implementation (such as on
	// HSMs with their own internal RNG) — callers must not rely on it for
	// deterministic or reproducible output.
	Sign(ctx context.Context, value []byte, randomSource io.Reader, opts crypto.SignerOpts) ([]byte, error)
	// Verify verifies the provided signature against the value. The
	// SignerOpts param must provide the hash function that generated the
	// value (if any). If true is returned the signature is correct, false
	// otherwise. Callers must check both results: (false, nil) is a
	// verification failure, not an error, and must be treated as invalid.
	Verify(ctx context.Context, signature, value []byte, opts crypto.SignerOpts) (bool, error)
	// GetSigner returns an implementation of crypto.Signer backed by the
	// managed key. This should be called as needed so as to use per-request
	// contexts rather than caching the signer across requests.
	GetSigner(context.Context) (crypto.Signer, error)
}
type ManagedSigningKeyConsumer ¶ added in v0.4.0
// ManagedSigningKeyConsumer is the callback type through which a backend
// receives a ManagedSigningKey. The key is only valid within the callback;
// it must not be retained.
type ManagedSigningKeyConsumer func(context.Context, ManagedSigningKey) error
type MarshalOptions ¶ added in v0.1.11
type MockEventSender ¶ added in v0.11.0
MockEventSender is a simple implementation of logical.EventSender that simply stores whatever events it receives, meant to be used in testing. It is thread-safe.
func NewMockEventSender ¶ added in v0.11.0
func NewMockEventSender() *MockEventSender
NewMockEventSender returns a new MockEventSender ready to be used.
func (*MockEventSender) SendEvent ¶ added in v0.11.0
SendEvent implements the logical.EventSender interface.
func (*MockEventSender) Stop ¶ added in v0.11.0
func (m *MockEventSender) Stop()
type Operation ¶
// Operation is a string enum naming the type of request being made (the
// concrete values are declared elsewhere in the package and are not in
// view here).
type Operation string
Operation is an enum that is used to specify the type of request being made
type OptMarshaler ¶ added in v0.1.11
// OptMarshaler is implemented by values that can serialize themselves to
// JSON under a caller-supplied *MarshalOptions instead of the plain
// encoding/json behaviour.
type OptMarshaler interface {
	// MarshalJSONWithOptions returns the JSON encoding of the receiver,
	// honouring the given options.
	MarshalJSONWithOptions(*MarshalOptions) ([]byte, error)
}
type PasswordGenerator ¶ added in v0.2.0
type PasswordPolicy ¶ added in v0.2.0
type Paths ¶
// Paths is the structure of special paths returned by a backend's
// SpecialPaths. Several of these lists weaken or alter the default
// protections (auth, replication, seal wrapping), so entries should be as
// narrow as the feature allows.
type Paths struct {
	// Root are the API paths that require a root token to access.
	Root []string

	// Unauthenticated are the API paths that can be accessed without any
	// auth. These can't be regular expressions; an entry is either an exact
	// match, a prefix match and/or a wildcard match. For a prefix match,
	// append '*' as a suffix. For a wildcard match, use '+' in the segment
	// to match any identifier (e.g. 'foo/+/bar'). Note that '+' can't be
	// adjacent to a non-slash.
	//
	// Every path that matches an entry here is reachable with no token at
	// all, and a prefix entry exposes everything beneath it — prefer exact
	// paths, and keep prefixes as deep as possible.
	Unauthenticated []string

	// LocalStorage are storage paths (prefixes) that are local to this
	// cluster; this indicates that these paths should not be replicated
	// across performance clusters (DR replication is unaffected).
	LocalStorage []string

	// SealWrapStorage are storage paths that, when using a capable seal,
	// should be seal wrapped with extra encryption. It is exact matching
	// unless it ends with '/' in which case it will be treated as a prefix.
	SealWrapStorage []string

	// WriteForwardedStorage are storage paths that, when running on a PR
	// Secondary cluster, cause a GRPC call up to the PR Primary cluster's
	// active node to handle storage.Put(...) and storage.Delete(...)
	// events. These paths MUST include a {{clusterId}} literal, which the
	// write layer will resolve to this cluster's UUID ("replication set"
	// identifier). storage.List(...) and storage.Get(...) operations occur
	// from the locally replicated data set, but can use path template
	// expansion to be identifier agnostic.
	//
	// These paths require careful consideration by developers to use. In
	// particular, writes on secondary clusters will not appear (when a
	// corresponding read is issued immediately after a write) until the
	// replication from primary->secondary has occurred. This replication
	// triggers an InvalidateKey(...) call on the secondary, which can be
	// used to detect that the write has finished syncing. However, this
	// will likely occur after the request has finished, so it is important
	// not to block on it.
	//
	// On standby nodes, like all storage write operations, this will
	// trigger an ErrReadOnly return.
	WriteForwardedStorage []string

	// Binary paths are those whose request bodies should not be assumed to
	// be JSON encoded, and for which the backend will decode values for
	// auditing.
	Binary []string

	// Limited paths are storage paths that require special-cased request
	// limiting.
	//
	// This was initially added to separate limiting of "write" requests
	// (limits.WriteLimiter) from limiting for CPU-bound pki/issue requests
	// (limits.SpecialPathLimiter). Other plugins might also choose to mark
	// paths if they don't follow a typical resource usage pattern.
	//
	// For more details, consult limits/registry.go.
	Limited []string
}
Paths is the structure of special paths that is used for SpecialPaths.
type PluginEnvironment ¶
// PluginEnvironment is a generated protobuf message carrying version
// information about the Vault server to a plugin. The field tags bind the
// struct to the wire format, so neither the tags nor the field order should
// be edited by hand.
type PluginEnvironment struct {
	// VaultVersion is the version of the Vault server.
	VaultVersion string `protobuf:"bytes,1,opt,name=vault_version,json=vaultVersion,proto3" json:"vault_version,omitempty"`
	// VaultVersionPrerelease is the prerelease information of the Vault
	// server (wire tag elided by the documentation renderer).
	VaultVersionPrerelease string `` /* 129-byte string literal not displayed */
	// VaultVersionMetadata is the version metadata of the Vault server.
	VaultVersionMetadata string `protobuf:"bytes,3,opt,name=vault_version_metadata,json=vaultVersionMetadata,proto3" json:"vault_version_metadata,omitempty"`
	// contains filtered or unexported fields
}
func (*PluginEnvironment) Descriptor ¶ deprecated
func (*PluginEnvironment) Descriptor() ([]byte, []int)
Deprecated: Use PluginEnvironment.ProtoReflect.Descriptor instead.
func (*PluginEnvironment) GetVaultVersion ¶
func (x *PluginEnvironment) GetVaultVersion() string
func (*PluginEnvironment) GetVaultVersionMetadata ¶ added in v0.5.0
func (x *PluginEnvironment) GetVaultVersionMetadata() string
func (*PluginEnvironment) GetVaultVersionPrerelease ¶ added in v0.5.0
func (x *PluginEnvironment) GetVaultVersionPrerelease() string
func (*PluginEnvironment) ProtoMessage ¶
func (*PluginEnvironment) ProtoMessage()
func (*PluginEnvironment) ProtoReflect ¶ added in v0.2.0
func (x *PluginEnvironment) ProtoReflect() protoreflect.Message
func (*PluginEnvironment) Reset ¶
func (x *PluginEnvironment) Reset()
func (*PluginEnvironment) String ¶
func (x *PluginEnvironment) String() string
type PluginVersion ¶ added in v0.6.0
// PluginVersion is the version information a backend reports through the
// optional PluginVersioner interface.
type PluginVersion struct {
	// Version is the plugin's version string; its format is not constrained
	// here.
	Version string
}
type PluginVersionClient ¶ added in v0.6.0
// PluginVersionClient is the generated gRPC client API for the PluginVersion
// service.
type PluginVersionClient interface {
	// Version returns version information for the plugin.
	Version(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*VersionReply, error)
}
PluginVersionClient is the client API for PluginVersion service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewPluginVersionClient ¶ added in v0.6.0
func NewPluginVersionClient(cc grpc.ClientConnInterface) PluginVersionClient
type PluginVersionServer ¶ added in v0.6.0
// PluginVersionServer is the generated gRPC server API for the PluginVersion
// service. The unexported method means implementations must embed
// UnimplementedPluginVersionServer to satisfy it.
type PluginVersionServer interface {
	// Version returns version information for the plugin.
	Version(context.Context, *Empty) (*VersionReply, error)
	// contains filtered or unexported methods
}
PluginVersionServer is the server API for PluginVersion service. All implementations must embed UnimplementedPluginVersionServer for forward compatibility
type PluginVersioner ¶ added in v0.6.0
// PluginVersioner is an optional interface a backend may implement to report
// its version.
type PluginVersioner interface {
	// PluginVersion returns the version for the backend.
	PluginVersion() PluginVersion
}
PluginVersioner is an optional interface to return version info.
type PolicyInfo ¶ added in v0.5.0
type PolicyResults ¶ added in v0.5.0
// PolicyResults is the outcome of an ACL/policy evaluation.
type PolicyResults struct {
	// Allowed reports whether the evaluated request was permitted.
	Allowed bool `json:"allowed"`
	// GrantingPolicies lists the policies that contributed to an allow
	// decision; expected to be empty when Allowed is false (not verifiable
	// from here).
	GrantingPolicies []PolicyInfo `json:"granting_policies"`
}
type ReplicationCodedError ¶
ReplicationCodedError is a distinct type, declared so that changes to the logic around CodedError cannot cause compatibility problems here. In particular, for logical request paths it is essentially ignored, and changing that behaviour might have unforeseen consequences.
func (*ReplicationCodedError) Error ¶
func (r *ReplicationCodedError) Error() string
type Request ¶
// Request stores the parameters and context of a request being made to
// Vault, abstracting the higher-level request protocol away from handlers.
//
// Security notes for backend authors: the raw client token is never
// delivered to a backend (see ClientToken); Data and Headers are
// caller-controlled input; Storage, HTTPRequest and ResponseWriter are
// excluded from JSON serialization.
//
// Many fields carry `sentinel:""` because they are populated by the router
// after policy checks; the token namespace is the right place to reach
// them from Sentinel.
type Request struct {
	// ID is the uuid associated with each request.
	ID string `json:"id" structs:"id" mapstructure:"id" sentinel:""`

	// ReplicationCluster, if set, is the name given to the replication
	// secondary where this request originated.
	ReplicationCluster string `json:"replication_cluster" structs:"replication_cluster" mapstructure:"replication_cluster" sentinel:""`

	// Operation is the requested operation type.
	Operation Operation `json:"operation" structs:"operation" mapstructure:"operation"`

	// Path is the full path of the request (relative to MountPoint, see
	// below).
	Path string `json:"path" structs:"path" mapstructure:"path" sentinel:""`

	// Data is an opaque map of caller-supplied request data that must have
	// string keys. Treat every value as untrusted input.
	// NOTE(review): the json tag is "map" while structs/mapstructure use
	// "data" — presumably legacy; the serialized form is a compatibility
	// surface, so confirm before aligning it.
	Data map[string]interface{} `json:"map" structs:"data" mapstructure:"data"`

	// Storage can be used to durably store and retrieve state. It is never
	// serialized.
	Storage Storage `json:"-" sentinel:""`

	// Secret will be non-nil only for Revoke and Renew operations, to
	// represent the secret that was returned prior.
	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret" sentinel:""`

	// Auth will be non-nil only for Renew operations, to represent the auth
	// that was returned prior.
	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth" sentinel:""`

	// Headers contains the HTTP headers from the request. The audit broker
	// uses this to ensure only the allowed headers are audited.
	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers" sentinel:""`

	// Connection will be non-nil only for credential providers, so they can
	// inspect the connection information and potentially use it for
	// authentication/protection.
	Connection *Connection `json:"connection" structs:"connection" mapstructure:"connection"`

	// ClientToken is provided to the core so that the identity can be
	// verified and ACLs applied. It is passed through to logical backends
	// only after being salted and hashed, so a backend can use it as an
	// opaque identifier but never as a credential.
	ClientToken string `json:"client_token" structs:"client_token" mapstructure:"client_token" sentinel:""`

	// ClientTokenAccessor is provided to the core so that it can be logged
	// as part of request audit logging.
	ClientTokenAccessor string `json:"client_token_accessor" structs:"client_token_accessor" mapstructure:"client_token_accessor" sentinel:""`

	// DisplayName is provided to the logical backend to help associate
	// dynamic secrets with the source entity. This is not a sensitive name,
	// but is useful for operators.
	DisplayName string `json:"display_name" structs:"display_name" mapstructure:"display_name" sentinel:""`

	// MountPoint is provided so that a logical backend can generate paths
	// relative to itself. Path is effectively the client request path with
	// the MountPoint trimmed off.
	MountPoint string `json:"mount_point" structs:"mount_point" mapstructure:"mount_point" sentinel:""`

	// MountType is provided so that a logical backend can make decisions
	// based on the specific mount type (e.g., if a mount type has different
	// aliases, generating different defaults depending on the alias).
	MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type" sentinel:""`

	// MountAccessor is provided so that identities returned by the
	// authentication backends can be tied to the mount they belong to.
	MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor" sentinel:""`

	// WrapInfo contains requested response wrapping parameters.
	WrapInfo *RequestWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info" sentinel:""`

	// ClientTokenRemainingUses represents the allowed number of uses left on
	// the token supplied.
	ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`

	// EntityID is the identity of the caller extracted out of the token used
	// to make this request.
	EntityID string `json:"entity_id" structs:"entity_id" mapstructure:"entity_id" sentinel:""`

	// PolicyOverride indicates that the requestor wishes to override
	// soft-mandatory Sentinel policies.
	PolicyOverride bool `json:"policy_override" structs:"policy_override" mapstructure:"policy_override"`

	// Unauthenticated reports whether the request had no client token
	// attached. Useful in situations where the client token is not made
	// accessible.
	Unauthenticated bool `json:"unauthenticated" structs:"unauthenticated" mapstructure:"unauthenticated"`

	// PathLimited indicates that the request path is marked for special-case
	// request limiting (see Paths.Limited).
	PathLimited bool `json:"path_limited" structs:"path_limited" mapstructure:"path_limited"`

	// MFACreds holds the parsed MFA information supplied over the API as
	// part of the X-Vault-MFA header.
	MFACreds MFACreds `json:"mfa_creds" structs:"mfa_creds" mapstructure:"mfa_creds" sentinel:""`

	// ControlGroup holds the authorizations that have happened on this
	// request.
	ControlGroup *ControlGroup `json:"control_group" structs:"control_group" mapstructure:"control_group" sentinel:""`

	// ClientTokenSource tells us where the client token was sourced from, so
	// it can be deleted before the request is sent off to plugins.
	ClientTokenSource ClientTokenSource

	// HTTPRequest, if set, can be used to access fields from the HTTP
	// request that generated this logical.Request object, such as the
	// request body. Never serialized.
	HTTPRequest *http.Request `json:"-" sentinel:""`

	// ResponseWriter, if set, can be used to stream a response value to the
	// HTTP request that generated this logical.Request object. Never
	// serialized.
	ResponseWriter *HTTPResponseWriter `json:"-" sentinel:""`

	// ClientID is the identity of the caller. If the token is associated
	// with an entity, it is the same as EntityID. If the token has no
	// entity, it is the sha256(sorted policies + namespace) associated with
	// the client token.
	ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""`

	// InboundSSCToken is the token that arrives on an inbound request,
	// supplied by the Vault user.
	// NOTE(review): unlike ClientToken this field carries no json/structs/
	// sentinel tags, so encoding/json would emit it under "InboundSSCToken";
	// confirm it is cleared before the request crosses the plugin or audit
	// boundary.
	InboundSSCToken string

	// ForwardedFrom, when a request has been forwarded, contains information
	// about the host the request was forwarded 'from'.
	ForwardedFrom string `json:"forwarded_from,omitempty"`

	// ChrootNamespace is the name of the chroot namespace for the listener
	// that the request was made against.
	ChrootNamespace string `json:"chroot_namespace,omitempty"`

	// RequestLimiterDisabled tells whether the request context has the
	// Request Limiter applied.
	RequestLimiterDisabled bool `json:"request_limiter_disabled,omitempty"`
	// contains filtered or unexported fields
}
Request is a struct that stores the parameters and context of a request being made to Vault. It is used to abstract the details of the higher level request protocol from the handlers.
Note: Many of these have Sentinel disabled because they are values populated by the router after policy checks; the token namespace would be the right place to access them via Sentinel
func RenewAuthRequest ¶
RenewAuthRequest creates the structure of the renew request for an auth.
func RenewRequest ¶
RenewRequest creates the structure of the renew request.
func RevokeRequest ¶
RevokeRequest creates the structure of the revoke request.
func RollbackRequest ¶
RollbackRequest creates the structure of the rollback request.
func TestRequest ¶
TestRequest is a helper to create a purely in-memory Request struct.
func (*Request) Clone ¶ added in v0.2.0
Clone returns a deep copy (almost) of the request. It will set unexported fields which were only previously accessible outside the package via receiver methods. NOTE: Request.Connection is NOT deep-copied, due to issues with the results of copystructure on serial numbers within the x509.Certificate objects.
func (*Request) LastRemoteWAL ¶
func (*Request) MountClass ¶ added in v0.9.0
func (*Request) MountIsExternalPlugin ¶ added in v0.9.0
func (*Request) MountRunningSha256 ¶ added in v0.9.0
func (*Request) MountRunningVersion ¶ added in v0.9.0
func (*Request) RequiredState ¶ added in v0.2.1
func (*Request) ResponseState ¶ added in v0.2.0
func (*Request) SentinelGet ¶
func (*Request) SentinelKeys ¶
func (*Request) SetLastRemoteWAL ¶
func (*Request) SetMountClass ¶ added in v0.9.0
func (*Request) SetMountIsExternalPlugin ¶ added in v0.9.0
func (*Request) SetMountRunningSha256 ¶ added in v0.9.0
func (*Request) SetMountRunningVersion ¶ added in v0.9.0
func (*Request) SetRequiredState ¶ added in v0.2.1
func (*Request) SetResponseState ¶ added in v0.2.0
func (*Request) SetTokenEntry ¶
func (r *Request) SetTokenEntry(te *TokenEntry)
func (*Request) TokenEntry ¶
func (r *Request) TokenEntry() *TokenEntry
type RequestDelegatedAuthError ¶ added in v0.11.0
type RequestDelegatedAuthError struct {
// contains filtered or unexported fields
}
RequestDelegatedAuthError is a special error type indicating that the backend wants to delegate authentication elsewhere.
func NewDelegatedAuthenticationRequest ¶ added in v0.11.0
func NewDelegatedAuthenticationRequest(mountAccessor, path string, data map[string]interface{}, errHandler DelegatedAuthErrorHandler) *RequestDelegatedAuthError
func (*RequestDelegatedAuthError) AuthErrorHandler ¶ added in v0.11.0
func (d *RequestDelegatedAuthError) AuthErrorHandler() DelegatedAuthErrorHandler
func (*RequestDelegatedAuthError) Data ¶ added in v0.11.0
func (d *RequestDelegatedAuthError) Data() map[string]interface{}
func (*RequestDelegatedAuthError) Error ¶ added in v0.11.0
func (d *RequestDelegatedAuthError) Error() string
func (*RequestDelegatedAuthError) MountAccessor ¶ added in v0.11.0
func (d *RequestDelegatedAuthError) MountAccessor() string
func (*RequestDelegatedAuthError) Path ¶ added in v0.11.0
func (d *RequestDelegatedAuthError) Path() string
type RequestWrapInfo ¶
// RequestWrapInfo stores the caller's requested response-wrapping and
// seal-wrapping behaviour for a request.
type RequestWrapInfo struct {
	// TTL, when non-zero, specifies that the response should be wrapped and
	// gives the desired TTL of the wrapping token.
	TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl" sentinel:""`

	// Format is the format to use for the wrapped response; if not
	// specified it is a bare token.
	Format string `json:"format" structs:"format" mapstructure:"format" sentinel:""`

	// SealWrap is a flag to conforming backends that data for the given
	// request should be seal wrapped.
	SealWrap bool `json:"seal_wrap" structs:"seal_wrap" mapstructure:"seal_wrap" sentinel:""`
}
RequestWrapInfo is a struct that stores information about desired response and seal wrapping behavior
func (*RequestWrapInfo) SentinelGet ¶
func (r *RequestWrapInfo) SentinelGet(key string) (interface{}, error)
func (*RequestWrapInfo) SentinelKeys ¶
func (r *RequestWrapInfo) SentinelKeys() []string
type Response ¶
// Response stores the result of a request, abstracting the details of the
// higher-level request protocol. Data is returned to the caller verbatim;
// anything a backend needs to keep but the caller must not see belongs in
// Secret.InternalData.
type Response struct {
	// Secret, if not nil, denotes that this response represents a secret.
	Secret *Secret `json:"secret" structs:"secret" mapstructure:"secret"`

	// Auth, if not nil, contains the authentication information for this
	// response. This is only checked and meaningful for credential
	// backends.
	Auth *Auth `json:"auth" structs:"auth" mapstructure:"auth"`

	// Data is an opaque map that must have string keys. For secrets, this
	// data is sent down to the user as-is. To store internal data that you
	// don't want the user to see, store it in Secret.InternalData.
	Data map[string]interface{} `json:"data" structs:"data" mapstructure:"data"`

	// Redirect is an HTTP URL to redirect to for further authentication.
	// This is only valid for credential backends; it is blanked and ignored
	// for any logical backend.
	Redirect string `json:"redirect" structs:"redirect" mapstructure:"redirect"`

	// Warnings allow operations or backends to return warnings in response
	// to user actions without failing the action outright.
	Warnings []string `json:"warnings" structs:"warnings" mapstructure:"warnings"`

	// WrapInfo holds the information for wrapping the response in a
	// cubbyhole.
	WrapInfo *wrapping.ResponseWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info"`

	// Headers contains the HTTP headers the plugin wishes to have as part of
	// the output. These are plugin-controlled; whether core filters them is
	// not visible here.
	Headers map[string][]string `json:"headers" structs:"headers" mapstructure:"headers"`

	// MountType, if non-empty, provides some information about what kind of
	// mount this secret came from.
	MountType string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type"`
}
Response is a struct that stores the response of a request. It is used to abstract the details of the higher level request protocol.
func ErrorResponse ¶
ErrorResponse is used to format an error response
func HTTPResponseToLogicalResponse ¶
func HTTPResponseToLogicalResponse(input *HTTPResponse) *Response
func HelpResponse ¶
HelpResponse is used to format a help response
func ListResponse ¶
ListResponse is used to format a response to a list operation.
func ListResponseWithInfo ¶
ListResponseWithInfo is used to format a response to a list operation and return the keys as well as a map with corresponding key info.
func ResolveRoleResponse ¶ added in v0.5.3
ResolveRoleResponse returns a standard response to be returned by functions handling a ResolveRoleOperation
func RespondWithStatusCode ¶
RespondWithStatusCode takes a response and converts it to a raw response with the provided Status Code.
func (*Response) AddWarning ¶
AddWarning adds a warning into the response's warning list
type Secret ¶
// Secret represents the secret part of a response, including its lease
// parameters (via the embedded LeaseOptions).
type Secret struct {
	LeaseOptions

	// InternalData is JSON-encodable data stored with the secret and sent
	// back during a Renew/Revoke, for state those operations need. It is
	// the place for values the caller must not see (cf. Response.Data).
	InternalData map[string]interface{} `json:"internal_data" sentinel:""`

	// LeaseID is the ID returned to the user to manage this secret. It is
	// generated by Vault core; any value set by a backend is ignored. For
	// requests, this is always blank.
	LeaseID string `sentinel:""`
}
Secret represents the secret part of a response.
type StaticSystemView ¶
// StaticSystemView is a SystemView whose answers are fixed values held in
// exported fields. TestSystemView returns one, so it appears intended as a
// test fixture; because it reports whatever is set (e.g. SudoPrivilegeVal),
// it should not be used in production paths.
type StaticSystemView struct {
	DefaultLeaseTTLVal           time.Duration
	MaxLeaseTTLVal               time.Duration
	SudoPrivilegeVal             bool
	TaintedVal                   bool
	CachingDisabledVal           bool
	Primary                      bool
	EnableMlock                  bool
	LocalMountVal                bool
	ReplicationStateVal          consts.ReplicationState
	EntityVal                    *Entity
	GroupsVal                    []*Group
	Features                     license.Features
	PluginEnvironment            *PluginEnvironment
	PasswordPolicies             map[string]PasswordGenerator
	VersionString                string
	ClusterUUID                  string
	APILockShouldBlockRequestVal bool
}
func TestSystemView ¶
func TestSystemView() *StaticSystemView
func (StaticSystemView) APILockShouldBlockRequest ¶ added in v0.10.0
func (d StaticSystemView) APILockShouldBlockRequest() (bool, error)
func (StaticSystemView) Auditor ¶ added in v0.1.12
func (d StaticSystemView) Auditor() Auditor
func (StaticSystemView) CachingDisabled ¶
func (d StaticSystemView) CachingDisabled() bool
func (StaticSystemView) ClusterID ¶ added in v0.8.0
func (d StaticSystemView) ClusterID(ctx context.Context) (string, error)
func (StaticSystemView) DefaultLeaseTTL ¶
func (d StaticSystemView) DefaultLeaseTTL() time.Duration
func (*StaticSystemView) DeletePasswordPolicy ¶ added in v0.2.0
func (d *StaticSystemView) DeletePasswordPolicy(name string) (existed bool)
func (StaticSystemView) EntityInfo ¶
func (d StaticSystemView) EntityInfo(entityID string) (*Entity, error)
func (StaticSystemView) ForwardGenericRequest ¶ added in v0.1.12
func (StaticSystemView) GenerateIdentityToken ¶ added in v0.11.0
func (d StaticSystemView) GenerateIdentityToken(_ context.Context, _ *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error)
func (StaticSystemView) GeneratePasswordFromPolicy ¶ added in v0.2.0
func (StaticSystemView) GroupsForEntity ¶ added in v0.2.0
func (d StaticSystemView) GroupsForEntity(entityID string) ([]*Group, error)
func (StaticSystemView) HasFeature ¶
func (d StaticSystemView) HasFeature(feature license.Features) bool
func (StaticSystemView) ListVersionedPlugins ¶ added in v0.6.0
func (d StaticSystemView) ListVersionedPlugins(_ context.Context, _ consts.PluginType) ([]pluginutil.VersionedPlugin, error)
func (StaticSystemView) LocalMount ¶
func (d StaticSystemView) LocalMount() bool
func (StaticSystemView) LookupPlugin ¶
func (d StaticSystemView) LookupPlugin(_ context.Context, _ string, _ consts.PluginType) (*pluginutil.PluginRunner, error)
func (StaticSystemView) LookupPluginVersion ¶ added in v0.6.0
func (d StaticSystemView) LookupPluginVersion(_ context.Context, _ string, _ consts.PluginType, _ string) (*pluginutil.PluginRunner, error)
func (StaticSystemView) MaxLeaseTTL ¶
func (d StaticSystemView) MaxLeaseTTL() time.Duration
func (StaticSystemView) MlockEnabled ¶
func (d StaticSystemView) MlockEnabled() bool
func (StaticSystemView) NewPluginClient ¶ added in v0.4.0
func (d StaticSystemView) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error)
func (StaticSystemView) PluginEnv ¶
func (d StaticSystemView) PluginEnv(_ context.Context) (*PluginEnvironment, error)
func (StaticSystemView) ReplicationState ¶
func (d StaticSystemView) ReplicationState() consts.ReplicationState
func (StaticSystemView) ResponseWrapData ¶
func (d StaticSystemView) ResponseWrapData(_ context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)
func (*StaticSystemView) SetPasswordPolicy ¶ added in v0.2.0
func (d *StaticSystemView) SetPasswordPolicy(name string, generator PasswordGenerator)
func (StaticSystemView) SudoPrivilege ¶
func (StaticSystemView) Tainted ¶
func (d StaticSystemView) Tainted() bool
func (StaticSystemView) VaultVersion ¶
func (d StaticSystemView) VaultVersion(_ context.Context) (string, error)
type StatusBadRequest ¶
// StatusBadRequest identifies user-input errors so the HTTP layer can
// respond with the appropriate status code.
type StatusBadRequest struct {
	// Err is the message surfaced to the client; keep it free of internal
	// detail that a caller should not learn.
	Err string
}
StatusBadRequest identifies user input errors. This is helpful for responding with the appropriate status codes to clients from the HTTP endpoints.
func (*StatusBadRequest) Error ¶
func (s *StatusBadRequest) Error() string
Error implements the error interface.
type StatusHeaderResponseWriter ¶ added in v0.4.0
// StatusHeaderResponseWriter wraps an http.ResponseWriter, recording the
// status code written and (per NewStatusHeaderResponseWriter) applying a set
// of custom headers. Construct it with NewStatusHeaderResponseWriter; the
// zero value is not usable.
type StatusHeaderResponseWriter struct {
	// StatusCode is the status code passed to WriteHeader.
	StatusCode int
	// contains filtered or unexported fields
}
func NewStatusHeaderResponseWriter ¶ added in v0.4.0
func NewStatusHeaderResponseWriter(w http.ResponseWriter, h map[string][]*CustomHeader) *StatusHeaderResponseWriter
func (*StatusHeaderResponseWriter) Header ¶ added in v0.4.0
func (w *StatusHeaderResponseWriter) Header() http.Header
func (*StatusHeaderResponseWriter) Hijack ¶ added in v0.8.0
func (w *StatusHeaderResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error)
func (*StatusHeaderResponseWriter) Wrapped ¶ added in v0.4.0
func (w *StatusHeaderResponseWriter) Wrapped() http.ResponseWriter
func (*StatusHeaderResponseWriter) Write ¶ added in v0.4.0
func (w *StatusHeaderResponseWriter) Write(buf []byte) (int, error)
func (*StatusHeaderResponseWriter) WriteHeader ¶ added in v0.4.0
func (w *StatusHeaderResponseWriter) WriteHeader(statusCode int)
type Storage ¶
// Storage is the way that logical backends are able to read/write data.
type Storage interface {
	// List returns the keys found under the given path.
	List(context.Context, string) ([]string, error)
	// Get fetches the entry stored at the given key.
	Get(context.Context, string) (*StorageEntry, error)
	// Put stores the given entry.
	Put(context.Context, *StorageEntry) error
	// Delete removes the entry stored at the given key.
	Delete(context.Context, string) error
}
Storage is the way that logical backends are able to read/write data.
type StorageEntry ¶
StorageEntry is the entry for an item in a Storage implementation.
func StorageEntryJSON ¶
func StorageEntryJSON(k string, v interface{}) (*StorageEntry, error)
StorageEntryJSON creates a StorageEntry with a JSON-encoded value.
func (*StorageEntry) DecodeJSON ¶
func (e *StorageEntry) DecodeJSON(out interface{}) error
DecodeJSON decodes the 'Value' present in StorageEntry.
type StorageView ¶
// StorageView is a Storage implementation scoped to a key prefix; its
// ExpandKey and TruncateKey helpers add and strip that prefix. Construct one
// with NewStorageView, or derive a nested one with SubView.
type StorageView struct {
	// contains filtered or unexported fields
}
func NewStorageView ¶
func NewStorageView(storage Storage, prefix string) *StorageView
func (*StorageView) Delete ¶
func (s *StorageView) Delete(ctx context.Context, key string) error
Delete implements logical.Storage.
func (*StorageView) ExpandKey ¶
func (s *StorageView) ExpandKey(suffix string) string
ExpandKey expands the given suffix to the full key path by prepending the view's prefix.
func (*StorageView) Get ¶
func (s *StorageView) Get(ctx context.Context, key string) (*StorageEntry, error)
Get implements logical.Storage.
func (*StorageView) Prefix ¶
func (s *StorageView) Prefix() string
func (*StorageView) Put ¶
func (s *StorageView) Put(ctx context.Context, entry *StorageEntry) error
Put implements logical.Storage.
func (*StorageView) SanityCheck ¶
func (s *StorageView) SanityCheck(key string) error
SanityCheck is used to perform a sanity check on a key.
func (*StorageView) SubView ¶
func (s *StorageView) SubView(prefix string) *StorageView
SubView constructs a nested sub-view using the given prefix.
func (*StorageView) TruncateKey ¶
func (s *StorageView) TruncateKey(full string) string
TruncateKey is used to remove the view's prefix from the full key.
type SystemView ¶
// SystemView exposes system configuration information in a safe way for
// logical backends to consume.
type SystemView interface {
	// DefaultLeaseTTL returns the default lease TTL set in Vault configuration
	DefaultLeaseTTL() time.Duration

	// MaxLeaseTTL returns the max lease TTL set in Vault configuration; backend
	// authors should take care not to issue credentials that last longer than
	// this value, as Vault will revoke them
	MaxLeaseTTL() time.Duration

	// Tainted returns true if the mount is tainted. A mount is tainted if it is
	// in the process of being unmounted. This should only be used in special
	// circumstances; a primary use-case is as a guard in revocation functions.
	// If revocation of a backend's leases fails it can keep the unmounting
	// process from being successful. If the reason for this failure is not
	// relevant when the mount is tainted (for instance, saving a CRL to disk
	// when the stored CRL will be removed during the unmounting process
	// anyways), we can ignore the errors to allow unmounting to complete.
	Tainted() bool

	// CachingDisabled returns true if caching is disabled. If true, no caches
	// should be used, despite known slowdowns.
	CachingDisabled() bool

	// LocalMount, when run from a system view attached to a request, indicates
	// whether the request is affecting a local mount or not
	LocalMount() bool

	// ReplicationState indicates the state of cluster replication
	ReplicationState() consts.ReplicationState

	// HasFeature returns true if the feature is currently enabled
	HasFeature(feature license.Features) bool

	// ResponseWrapData wraps the given data in a cubbyhole and returns the
	// token used to unwrap. NOTE(review): since that token is what unwraps the
	// data, callers should handle it as a credential — confirm how callers
	// propagate it.
	ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)

	// LookupPlugin looks into the plugin catalog for a plugin with the given
	// name. Returns a PluginRunner or an error if a plugin can not be found.
	LookupPlugin(ctx context.Context, pluginName string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error)

	// LookupPluginVersion looks into the plugin catalog for a plugin with the
	// given name and version. Returns a PluginRunner or an error if a plugin
	// can not be found.
	LookupPluginVersion(ctx context.Context, pluginName string, pluginType consts.PluginType, version string) (*pluginutil.PluginRunner, error)

	// ListVersionedPlugins returns information about all plugins of a certain
	// type in the catalog, including any versioning information stored for them.
	ListVersionedPlugins(ctx context.Context, pluginType consts.PluginType) ([]pluginutil.VersionedPlugin, error)

	// NewPluginClient returns a client for managing the lifecycle of plugin
	// processes
	NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error)

	// MlockEnabled returns the configuration setting for enabling mlock on
	// plugins.
	MlockEnabled() bool

	// EntityInfo returns a subset of information related to the identity entity
	// for the given entity id
	EntityInfo(entityID string) (*Entity, error)

	// GroupsForEntity returns the group membership information for the provided
	// entity id
	GroupsForEntity(entityID string) ([]*Group, error)

	// PluginEnv returns Vault environment information used by plugins
	PluginEnv(context.Context) (*PluginEnvironment, error)

	// VaultVersion returns the version string for the currently running Vault.
	VaultVersion(context.Context) (string, error)

	// GeneratePasswordFromPolicy generates a password from the policy referenced.
	// If the policy does not exist, this will return an error.
	GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)

	// ClusterID returns the replication ClusterID, for use with path-based
	// write forwarding (WriteForwardedPaths). This value will be templated
	// in for the {{clusterId}} sentinel.
	ClusterID(ctx context.Context) (string, error)

	// GenerateIdentityToken returns an identity token for the requesting plugin.
	GenerateIdentityToken(ctx context.Context, req *pluginutil.IdentityTokenRequest) (*pluginutil.IdentityTokenResponse, error)
}
SystemView exposes system configuration information in a safe way for logical backends to consume.
type TokenEntry ¶
// TokenEntry is used to represent a given token.
type TokenEntry struct {
	// Type is the kind of token; see the TokenType constants.
	Type TokenType `json:"type" mapstructure:"type" structs:"type" sentinel:""`

	// ID of this entry, generally a random UUID
	ID string `json:"id" mapstructure:"id" structs:"id" sentinel:""`

	// ExternalID is the ID of a newly created service
	// token that will be returned to a user. The `json:"-"` tag keeps it out
	// of the JSON-encoded form of the entry.
	ExternalID string `json:"-"`

	// Accessor for this token, a random UUID
	Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor" sentinel:""`

	// Parent token, used for revocation trees
	Parent string `json:"parent" mapstructure:"parent" structs:"parent" sentinel:""`

	// Which named policies should be used
	Policies []string `json:"policies" mapstructure:"policies" structs:"policies"`

	// InlinePolicy specifies ACL rules to be applied to this token entry.
	InlinePolicy string `json:"inline_policy" mapstructure:"inline_policy" structs:"inline_policy"`

	// Used for audit trails, this is something like "auth/user/login"
	Path string `json:"path" mapstructure:"path" structs:"path"`

	// Used for auditing. This could include things like "source", "user", "ip"
	Meta map[string]string `json:"meta" mapstructure:"meta" structs:"meta" sentinel:"meta"`

	// InternalMeta is used to store internal metadata. This metadata will not
	// be audit logged or returned from lookup APIs.
	InternalMeta map[string]string `json:"internal_meta" mapstructure:"internal_meta" structs:"internal_meta"`

	// Used for operators to be able to associate with the source
	DisplayName string `json:"display_name" mapstructure:"display_name" structs:"display_name"`

	// Used to restrict the number of uses (zero is unlimited). This is to
	// support one-time-tokens (generalized). There are a few special values:
	// if it's -1 it has run through its use counts and is executing its final
	// use; if it's -2 it is tainted, which means revocation is currently
	// running on it; and if it's -3 it's also tainted but revocation
	// previously ran and failed, so this hints the tidy function to try it
	// again.
	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`

	// Time of token creation
	CreationTime int64 `json:"creation_time" mapstructure:"creation_time" structs:"creation_time" sentinel:""`

	// Duration set when token was created
	TTL time.Duration `json:"ttl" mapstructure:"ttl" structs:"ttl" sentinel:""`

	// Explicit maximum TTL on the token
	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl" sentinel:""`

	// If set, the role that was used for parameters at creation time
	Role string `json:"role" mapstructure:"role" structs:"role"`

	// If set, the period of the token. This is only used when created directly
	// through the create endpoint; periods managed by roles or other auth
	// backends are subject to those renewal rules.
	Period time.Duration `json:"period" mapstructure:"period" structs:"period" sentinel:""`

	// These are the deprecated fields
	DisplayNameDeprecated    string        `json:"DisplayName" mapstructure:"DisplayName" structs:"DisplayName" sentinel:""`
	NumUsesDeprecated        int           `json:"NumUses" mapstructure:"NumUses" structs:"NumUses" sentinel:""`
	CreationTimeDeprecated   int64         `json:"CreationTime" mapstructure:"CreationTime" structs:"CreationTime" sentinel:""`
	ExplicitMaxTTLDeprecated time.Duration `json:"ExplicitMaxTTL" mapstructure:"ExplicitMaxTTL" structs:"ExplicitMaxTTL" sentinel:""`

	// EntityID is the ID of the entity associated with this token.
	EntityID string `json:"entity_id" mapstructure:"entity_id" structs:"entity_id"`

	// If NoIdentityPolicies is true, the token will not inherit
	// identity policies from the associated EntityID.
	NoIdentityPolicies bool `json:"no_identity_policies" mapstructure:"no_identity_policies" structs:"no_identity_policies"`

	// The set of CIDRs that this token can be used with
	BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs" sentinel:""`

	// NamespaceID is the identifier of the namespace to which this token is
	// confined to. Do not return this value over the API when the token is
	// being looked up.
	NamespaceID string `json:"namespace_id" mapstructure:"namespace_id" structs:"namespace_id" sentinel:""`

	// CubbyholeID is the identifier of the cubbyhole storage belonging to this
	// token
	CubbyholeID string `json:"cubbyhole_id" mapstructure:"cubbyhole_id" structs:"cubbyhole_id" sentinel:""`
}
TokenEntry is used to represent a given token.
func (*TokenEntry) CreateClientID ¶ added in v0.4.0
func (te *TokenEntry) CreateClientID() (string, bool)
CreateClientID returns the client ID and a boolean that is false if the client ID has an entity and true otherwise.
func (*TokenEntry) IsRoot ¶ added in v0.3.0
func (te *TokenEntry) IsRoot() bool
IsRoot returns false if the token is not root (or doesn't exist).
func (*TokenEntry) SentinelGet ¶
func (te *TokenEntry) SentinelGet(key string) (interface{}, error)
func (*TokenEntry) SentinelKeys ¶
func (te *TokenEntry) SentinelKeys() []string
type TokenType ¶
// TokenType distinguishes the kinds of Vault tokens; see the TokenType*
// constants for the defined values.
type TokenType uint8
const (
	// TokenTypeDefault means "use the default, if any, that is currently set
	// on the mount". If not set, results in a Service token.
	TokenTypeDefault TokenType = iota

	// TokenTypeService is a "normal" Vault token for long-lived services
	TokenTypeService

	// TokenTypeBatch is a batch token
	TokenTypeBatch

	// TokenTypeDefaultService configured on a mount, means that if
	// TokenTypeDefault is sent back by the mount, create Service tokens
	TokenTypeDefaultService

	// TokenTypeDefaultBatch configured on a mount, means that if
	// TokenTypeDefault is sent back by the mount, create Batch tokens
	TokenTypeDefaultBatch

	// ClientIDTWEDelimiter is the delimiter between the string fields used to
	// generate a client ID for tokens without entities. This is the 0
	// character, which is a non-printable string. Please see unicode.IsPrint
	// for details.
	ClientIDTWEDelimiter = rune('\x00')

	// SortedPoliciesTWEDelimiter is the delimiter between each policy in the
	// sorted policies used to generate a client ID for tokens without
	// entities. This is the 127 character, which is a non-printable string.
	// Please see unicode.IsPrint for details.
	SortedPoliciesTWEDelimiter = rune('\x7F')
)
func TokenTypeString ¶ added in v0.13.0
TokenTypeString retrieves an enum value from the enum constant's string name. It returns an error if the parameter is not part of the enum.
func TokenTypeValues ¶ added in v0.13.0
func TokenTypeValues() []TokenType
TokenTypeValues returns all values of the enum.
func (TokenType) IsATokenType ¶ added in v0.13.0
IsATokenType returns true if the value is listed in the enum definition and false otherwise.
func (*TokenType) UnmarshalJSON ¶ added in v0.2.0
type UnimplementedPluginVersionServer ¶ added in v0.6.0
// UnimplementedPluginVersionServer must be embedded to have forward
// compatible implementations of PluginVersionServer.
type UnimplementedPluginVersionServer struct{}
UnimplementedPluginVersionServer must be embedded to have forward compatible implementations.
func (UnimplementedPluginVersionServer) Version ¶ added in v0.6.0
func (UnimplementedPluginVersionServer) Version(context.Context, *Empty) (*VersionReply, error)
type UnsafePluginVersionServer ¶ added in v0.6.0
// UnsafePluginVersionServer may be embedded to opt out of forward
// compatibility for this service. Use of this interface is not recommended,
// as methods added to PluginVersionServer will result in compilation errors.
type UnsafePluginVersionServer interface {
	// contains filtered or unexported methods
}
UnsafePluginVersionServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods added to PluginVersionServer will result in compilation errors.
type VersionReply ¶ added in v0.6.0
// VersionReply is the reply for the Version method.
type VersionReply struct {
	// PluginVersion carries the plugin's version string; read it via
	// GetPluginVersion.
	PluginVersion string `protobuf:"bytes,1,opt,name=plugin_version,json=pluginVersion,proto3" json:"plugin_version,omitempty"`
	// contains filtered or unexported fields
}
VersionReply is the reply for the Version method.
func (*VersionReply) Descriptor ¶ deprecated added in v0.6.0
func (*VersionReply) Descriptor() ([]byte, []int)
Deprecated: Use VersionReply.ProtoReflect.Descriptor instead.
func (*VersionReply) GetPluginVersion ¶ added in v0.6.0
func (x *VersionReply) GetPluginVersion() string
func (*VersionReply) ProtoMessage ¶ added in v0.6.0
func (*VersionReply) ProtoMessage()
func (*VersionReply) ProtoReflect ¶ added in v0.6.0
func (x *VersionReply) ProtoReflect() protoreflect.Message
func (*VersionReply) Reset ¶ added in v0.6.0
func (x *VersionReply) Reset()
func (*VersionReply) String ¶ added in v0.6.0
func (x *VersionReply) String() string
type WALState ¶ added in v0.2.0
func IndexStateFromContext ¶ added in v0.2.0
IndexStateFromContext is a helper to look up if the provided context contains an index state pointer.
type WellKnownSystemView ¶ added in v0.11.0
// WellKnownSystemView lets a backend register and unregister redirects under
// the .well-known path.
type WellKnownSystemView interface {
	// RequestWellKnownRedirect registers a redirect from .well-known/src
	// to dest, where dest is a sub-path of the mount. An error
	// is returned if that source path is already taken
	RequestWellKnownRedirect(ctx context.Context, src, dest string) error

	// DeregisterWellKnownRedirect unregisters a specific redirect. Returns
	// true if that redirect source was found
	DeregisterWellKnownRedirect(ctx context.Context, src string) bool
}
type WrappingResponseWriter ¶ added in v0.4.0
// WrappingResponseWriter is an http.ResponseWriter that exposes the writer it
// wraps through Wrapped. StatusHeaderResponseWriter satisfies it.
type WrappingResponseWriter interface {
	http.ResponseWriter
	// Wrapped returns the underlying http.ResponseWriter.
	Wrapped() http.ResponseWriter
}
Source Files ¶
- acme_billing.go
- audit.go
- auth.go
- clienttokensource_enumer.go
- connection.go
- controlgroup.go
- error.go
- event.pb.go
- events.go
- events_mock.go
- identity.pb.go
- keyusage_enumer.go
- lease.go
- logical.go
- logical_storage.go
- managed_key.go
- plugin.pb.go
- request.go
- response.go
- response_util.go
- secret.go
- storage.go
- storage_inmem.go
- storage_view.go
- system_view.go
- testing.go
- token.go
- tokentype_enumer.go
- translate_response.go
- version.pb.go
- version_grpc.pb.go