Documentation
Index
- Constants
- Variables
- func ActiveEntitiesEqual(active map[string]*activity.EntityRecord, test []*activity.EntityRecord) bool
- func AddNoopAudit(conf *CoreConfig, records **[][]byte)
- func AddTestCredentialBackend(name string, factory logical.Factory) error
- func AddTestLogicalBackend(name string, factory logical.Factory) error
- func CubbyholeBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func DiagnoseCheckLicense(ctx context.Context, vaultCore *Core, coreConfig CoreConfig, generate bool) (bool, []string)
- func GenerateRandBytes(length int) ([]byte, error)
- func GenerateTestLicenseKeys() (ed25519.PublicKey, ed25519.PrivateKey, error)
- func IsBatchToken(token string) bool
- func IsFatalError(err error) bool
- func IsJWT(token string) bool
- func IsSSCToken(token string) bool
- func IsServiceToken(token string) bool
- func IsWrappingToken(te *logical.TokenEntry) bool
- func LeaseSwitchedPassthroughBackend(ctx context.Context, conf *logical.BackendConfig, leases bool) (logical.Backend, error)
- func LeasedPassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func NewAutoSeal(lowLevel *seal.Access) *autoSeal
- func NewMockBuiltinRegistry() *mockBuiltinRegistry
- func NewRequestForwardingHandler(c *Core, fws *http2.Server, perfStandbySlots chan struct{}, ...) (*requestForwardingHandler, error)
- func NewSealUnwrapper(underlying physical.Backend, logger log.Logger) physical.Backend
- func NoopBackendFactory(_ context.Context, _ *logical.BackendConfig) (logical.Backend, error)
- func PassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func RandStringBytes(n int) string
- func RegisterRequestForwardingServer(s grpc.ServiceRegistrar, srv RequestForwardingServer)
- func RetryUntil(t testing.T, timeout time.Duration, f func() error)
- func SetReplicationFailureMode(core *TestClusterCore, mode uint32)
- func SetupMFAMemDB(schemaFuncs []func() *memdb.TableSchema) (*memdb.MemDB, error)
- func TestAddTestPlugin(t testing.T, c *Core, name string, pluginType consts.PluginType, ...)
- func TestCoreInit(t testing.T, core *Core) ([][]byte, string)
- func TestCoreInitClusterWrapperSetup(t testing.T, core *Core, handler http.Handler) ([][]byte, [][]byte, string)
- func TestCoreUnseal(core *Core, key []byte) (bool, error)
- func TestDynamicSystemView(c *Core, ns *namespace.Namespace) *dynamicSystemView
- func TestKeyCopy(key []byte) []byte
- func TestWaitActive(t testing.T, core *Core)
- func TestWaitActiveForwardingReady(t testing.T, core *Core)
- func TestWaitActiveWithError(core *Core) error
- func WriteToStorage(t *testing.T, c *Core, path string, data []byte)
- type ACL
- type ACLPermissions
- type ACLResults
- type AESGCMBarrier
- func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)
- func (b *AESGCMBarrier) AddRemoteEncryptions(encryptions int64)
- func (b *AESGCMBarrier) CheckBarrierAutoRotate(ctx context.Context) (string, error)
- func (b *AESGCMBarrier) CheckUpgrade(ctx context.Context) (bool, uint32, error)
- func (b *AESGCMBarrier) ConsumeEncryptionCount(consumer func(int64) error) error
- func (b *AESGCMBarrier) CreateUpgrade(ctx context.Context, term uint32) error
- func (b *AESGCMBarrier) Decrypt(_ context.Context, key string, ciphertext []byte) ([]byte, error)
- func (b *AESGCMBarrier) Delete(ctx context.Context, key string) error
- func (b *AESGCMBarrier) DestroyUpgrade(ctx context.Context, term uint32) error
- func (b *AESGCMBarrier) Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error)
- func (b *AESGCMBarrier) GenerateKey(reader io.Reader) ([]byte, error)
- func (b *AESGCMBarrier) Get(ctx context.Context, key string) (*logical.StorageEntry, error)
- func (b *AESGCMBarrier) Initialize(ctx context.Context, key, sealKey []byte, reader io.Reader) error
- func (b *AESGCMBarrier) Initialized(ctx context.Context) (bool, error)
- func (b *AESGCMBarrier) KeyLength() (int, int)
- func (b *AESGCMBarrier) Keyring() (*Keyring, error)
- func (b *AESGCMBarrier) List(ctx context.Context, prefix string) ([]string, error)
- func (b *AESGCMBarrier) Put(ctx context.Context, entry *logical.StorageEntry) error
- func (b *AESGCMBarrier) Rekey(ctx context.Context, key []byte) error
- func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error
- func (b *AESGCMBarrier) ReloadRootKey(ctx context.Context) error
- func (b *AESGCMBarrier) Rotate(ctx context.Context, randomSource io.Reader) (uint32, error)
- func (b *AESGCMBarrier) RotationConfig() (kc KeyRotationConfig, err error)
- func (b *AESGCMBarrier) Seal() error
- func (b *AESGCMBarrier) Sealed() (bool, error)
- func (b *AESGCMBarrier) SetRootKey(key []byte) error
- func (b *AESGCMBarrier) SetRotationConfig(ctx context.Context, rotConfig KeyRotationConfig) error
- func (b *AESGCMBarrier) TotalLocalEncryptions() int64
- func (b *AESGCMBarrier) Unseal(ctx context.Context, key []byte) error
- func (b *AESGCMBarrier) VerifyRoot(key []byte) error
- type APIMountConfig
- type ActiveEntities
- type ActiveTokens
- type ActivityIntentLog
- type ActivityLog
- func (a *ActivityLog) AddClientToFragment(clientID string, namespaceID string, timestamp int64, isTWE bool, ...)
- func (a *ActivityLog) AddEntityToFragment(entityID string, namespaceID string, timestamp int64)
- func (a *ActivityLog) AddTokenToFragment(namespaceID string)
- func (a *ActivityLog) DefaultStartTime(endTime time.Time) time.Time
- func (a *ActivityLog) ExpectCurrentSegmentRefreshed(t *testing.T, expectedStart int64, verifyTimeNotZero bool)
- func (a *ActivityLog) GetCurrentEntities() *activity.EntityActivityLog
- func (a *ActivityLog) GetEnabled() bool
- func (a *ActivityLog) GetEntitySequenceNumber() uint64
- func (a *ActivityLog) GetStartTimestamp() int64
- func (a *ActivityLog) GetStoredTokenCountByNamespaceID() map[string]uint64
- func (a *ActivityLog) HandleEndOfMonth(ctx context.Context, currentTime time.Time) error
- func (a *ActivityLog) HandleTokenUsage(ctx context.Context, entry *logical.TokenEntry, clientID string, isTWE bool)
- func (a *ActivityLog) PartialMonthMetrics(ctx context.Context) ([]metricsutil.GaugeLabelValues, error)
- func (a *ActivityLog) SetConfig(ctx context.Context, config activityConfig)
- func (a *ActivityLog) SetConfigInit(config activityConfig)
- func (a *ActivityLog) SetConfigStandby(ctx context.Context, config activityConfig)
- func (a *ActivityLog) SetEnable(enabled bool)
- func (a *ActivityLog) SetStandbyEnable(ctx context.Context, enabled bool)
- func (a *ActivityLog) SetStartTimestamp(timestamp int64)
- func (a *ActivityLog) StartOfNextMonth() time.Time
- func (a *ActivityLog) WaitForDeletion()
- func (a *ActivityLog) WalkEntitySegments(ctx context.Context, startTime time.Time, ...) error
- func (a *ActivityLog) WalkTokenSegments(ctx context.Context, startTime time.Time, walkFn func(*activity.TokenCount)) error
- type ActivityLogCoreConfig
- type AuditBroker
- func (a *AuditBroker) Deregister(name string)
- func (a *AuditBroker) GetHash(ctx context.Context, name string, input string) (string, error)
- func (a *AuditBroker) Invalidate(ctx context.Context, key string)
- func (a *AuditBroker) IsLocal(name string) (bool, error)
- func (a *AuditBroker) IsRegistered(name string) bool
- func (a *AuditBroker) LogRequest(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error)
- func (a *AuditBroker) LogResponse(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error)
- func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView, local bool)
- type AuditLogger
- type AuditedHeadersConfig
- type AuthResults
- type BarrierEncryptor
- type BarrierEncryptorAccess
- type BarrierStorage
- type BarrierView
- func (v *BarrierView) Delete(ctx context.Context, key string) error
- func (v *BarrierView) Get(ctx context.Context, key string) (*logical.StorageEntry, error)
- func (v *BarrierView) List(ctx context.Context, prefix string) ([]string, error)
- func (v *BarrierView) Prefix() string
- func (v *BarrierView) Put(ctx context.Context, entry *logical.StorageEntry) error
- func (v *BarrierView) SubView(prefix string) *BarrierView
- type BuiltinRegistry
- type CORSConfig
- type ClientKey
- func (*ClientKey) Descriptor() ([]byte, []int) (deprecated)
- func (x *ClientKey) GetD() []byte
- func (x *ClientKey) GetType() string
- func (x *ClientKey) GetX() []byte
- func (x *ClientKey) GetY() []byte
- func (*ClientKey) ProtoMessage()
- func (x *ClientKey) ProtoReflect() protoreflect.Message
- func (x *ClientKey) Reset()
- func (x *ClientKey) String() string
- type Cluster
- type ClusterLeaderParams
- type ControlGroup
- type ControlGroupFactor
- type ControlGroupHCL
- type Core
- func CreateCore(conf *CoreConfig) (*Core, error)
- func NewCore(conf *CoreConfig) (*Core, error)
- func TestCore(t testing.T) *Core
- func TestCoreNewSeal(t testing.T) *Core
- func TestCoreRaw(t testing.T) *Core
- func TestCoreUI(t testing.T, enableUI bool) *Core
- func TestCoreUnsealed(t testing.T) (*Core, [][]byte, string)
- func TestCoreUnsealedBackend(t testing.T, backend physical.Backend) (*Core, [][]byte, string)
- func TestCoreUnsealedRaw(t testing.T) (*Core, [][]byte, string)
- func TestCoreUnsealedWithConfig(t testing.T, conf *CoreConfig) (*Core, [][]byte, string)
- func TestCoreUnsealedWithConfigSealOpts(t testing.T, barrierConf, recoveryConf *SealConfig, ...) (*Core, [][]byte, [][]byte, string)
- func TestCoreUnsealedWithConfigs(t testing.T, barrierConf, recoveryConf *SealConfig) (*Core, [][]byte, [][]byte, string)
- func TestCoreUnsealedWithMetrics(t testing.T) (*Core, [][]byte, string, *metrics.InmemSink)
- func TestCoreWithConfig(t testing.T, conf *CoreConfig) *Core
- func TestCoreWithCustomResponseHeaderAndUI(t testing.T, CustomResponseHeaders map[string]map[string]string, enableUI bool) (*Core, [][]byte, string)
- func TestCoreWithSeal(t testing.T, testSeal Seal, enableRaw bool) *Core
- func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core
- func TestCoreWithSealAndUINoCleanup(t testing.T, opts *CoreConfig) *Core
- func (c *Core) ActiveNodeReplicationState() consts.ReplicationState
- func (c *Core) ActiveTime() time.Time
- func (c *Core) ActivityLogInjectResponse(ctx context.Context, pq *activity.PrecomputedQuery) error
- func (c *Core) AddIrrevocableLease(ctx context.Context, pathPrefix string) (*basicLeaseTestInfo, error)
- func (c *Core) AddLogger(logger log.Logger)
- func (c *Core) AllowForwardingViaHeader() bool
- func (c *Core) ApplyRateLimitQuota(ctx context.Context, req *quotas.Request) (quotas.Response, error)
- func (c *Core) AuditLogger() AuditLogger
- func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig
- func (c *Core) BarrierEncryptorAccess() *BarrierEncryptorAccess
- func (c *Core) BarrierKeyLength() (min, max int)
- func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError
- func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError)
- func (c *Core) CORSConfig() *CORSConfig
- func (c *Core) Capabilities(ctx context.Context, token, path string) ([]string, error)
- func (c *Core) CheckSSCToken(ctx context.Context, token string, unauth bool, isPerfStandby bool) (string, error)
- func (c *Core) Cluster(ctx context.Context) (*Cluster, error)
- func (c *Core) ClusterAddr() string
- func (c *Core) CreateEntity(ctx context.Context) (*identity.Entity, error)
- func (c *Core) CreateToken(ctx context.Context, entry *logical.TokenEntry) error
- func (c *Core) DecodeSSCToken(token string) (string, error)
- func (c *Core) DecodeSSCTokenInternal(token string) (*tokens.Token, error)
- func (c *Core) DisableSSCTokens() bool
- func (c *Core) ExistCustomResponseHeader(header string) bool
- func (c *Core) Features() license.Features
- func (c *Core) FetchLeaseCountToRevoke() int
- func (c *Core) FinalizeInFlightReqData(reqID string, statusCode int)
- func (c *Core) FindNewestVersionTimestamp() (string, time.Time, error)
- func (c *Core) FindOldestVersionTimestamp() (string, time.Time, error)
- func (c *Core) ForwardRequest(req *http.Request) (int, http.Header, []byte, error)
- func (c *Core) ForwardToActive() string
- func (c *Core) GenerateRootCancel() error
- func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)
- func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrategy) error
- func (c *Core) GenerateRootProgress() (int, error)
- func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, strategy GenerateRootStrategy) (*GenerateRootResult, error)
- func (c *Core) GetActiveClients() map[string]*activity.EntityRecord
- func (c *Core) GetActivityLog() *ActivityLog
- func (c *Core) GetContext() (context.Context, context.CancelFunc)
- func (c *Core) GetCoreConfigInternal() *server.Config
- func (c *Core) GetHAPeerNodesCached() []PeerNode
- func (core *Core) GetLeaderStatus() (*LeaderResponse, error)
- func (c *Core) GetListenerCustomResponseHeaders(listenerAdd string) *ListenerCustomHeaders
- func (c *Core) GetRaftIndexes() (committed uint64, applied uint64)
- func (c *Core) GetRaftNodeID() string
- func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error)
- func (c *Core) HAState() consts.HAState
- func (c *Core) HandleRequest(httpCtx context.Context, req *logical.Request) (resp *logical.Response, err error)
- func (c *Core) HasFeature(license.Features) bool
- func (c *Core) HasWALState(required *logical.WALState, perfStandby bool) bool
- func (c *Core) HostnameHeaderEnabled() bool
- func (c *Core) IdentityStore() *IdentityStore
- func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitResult, error)
- func (c *Core) InitializeRecovery(ctx context.Context) error
- func (c *Core) Initialized(ctx context.Context) (bool, error)
- func (c *Core) InitializedLocally(ctx context.Context) (bool, error)
- func (c *Core) InitiateRetryJoin(ctx context.Context) error
- func (c *Core) InjectActivityLogDataThisMonth(t *testing.T) map[string]*activity.EntityRecord
- func (c *Core) InjectIrrevocableLeases(ctx context.Context, count int) (map[string]int, error)
- func (c *Core) IsBatchTokenCreationRequest(ctx context.Context, path string) (bool, error)
- func (c *Core) IsDRSecondary() bool
- func (c *Core) IsInSealMigrationMode() bool
- func (c *Core) IsPerfSecondary() bool
- func (c *Core) IsSealMigrated() bool
- func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJoinInfo, nonVoter bool) (bool, error)
- func (c *Core) KeyRotateGracePeriod() time.Duration
- func (c *Core) Leader() (isLeader bool, leaderAddr, clusterAddr string, err error)
- func (c *Core) ListNamespaces() []*namespace.Namespace
- func (c *Core) LoadInFlightReqData() map[string]InFlightReqData
- func (c *Core) LogCompletedRequests(reqID string, statusCode int)
- func (c *Core) LogFormat() string
- func (c *Core) Logger() log.Logger
- func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, ...) (bool, *logical.Response, error)
- func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAuth *logical.Auth) (*logical.Response, error)
- func (c *Core) LookupToken(ctx context.Context, token string) (*logical.TokenEntry, error)
- func (c *Core) MatchingMount(ctx context.Context, reqPath string) string
- func (c *Core) MetricSink() *metricsutil.ClusterMetricSink
- func (c *Core) MetricsHelper() *metricsutil.MetricsHelper
- func (c *Core) MissingRequiredState(raw []string, perfStandby bool) bool
- func (c *Core) NamespaceByID(ctx context.Context, nsID string) (*namespace.Namespace, error)
- func (c *Core) PerfStandby() bool
- func (c *Core) PersistTOTPKey(ctx context.Context, methodID, entityID, key string) error
- func (c *Core) PhysicalAccess() *physical.PhysicalAccess
- func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfig, error)
- func (c *Core) PopMFAResponseAuthByID(reqID string) (*MFACachedAuthResponse, error)
- func (c *Core) PopulateTokenEntry(ctx context.Context, req *logical.Request) error
- func (c *Core) RaftBootstrap(ctx context.Context, onInit bool) error
- func (c *Core) RaftNodeIDHeaderEnabled() bool
- func (c *Core) RateLimitAuditLoggingEnabled() bool
- func (c *Core) RateLimitResponseHeadersEnabled() bool
- func (c *Core) RecoveryRekeyInit(config *SealConfig) logical.HTTPCodedError
- func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError)
- func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path string, auth *logical.Auth) error
- func (c *Core) RekeyCancel(recovery bool) logical.HTTPCodedError
- func (c *Core) RekeyConfig(recovery bool) (*SealConfig, logical.HTTPCodedError)
- func (c *Core) RekeyDeleteBackup(ctx context.Context, recovery bool) logical.HTTPCodedError
- func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedError
- func (c *Core) RekeyProgress(recovery, verification bool) (bool, int, logical.HTTPCodedError)
- func (c *Core) RekeyRetrieveBackup(ctx context.Context, recovery bool) (*RekeyBackup, logical.HTTPCodedError)
- func (c *Core) RekeyThreshold(ctx context.Context, recovery bool) (int, logical.HTTPCodedError)
- func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool) (*RekeyResult, logical.HTTPCodedError)
- func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recovery bool) (ret *RekeyVerifyResult, retErr logical.HTTPCodedError)
- func (c *Core) RekeyVerifyRestart(recovery bool) logical.HTTPCodedError
- func (c *Core) ReloadCustomResponseHeaders() error
- func (c *Core) ReloadLogRequestsLevel()
- func (c *Core) ReloadManagedKeyRegistryConfig()
- func (c *Core) ReplicationState() consts.ReplicationState
- func (c *Core) ResetActivityLog() []*activity.LogFragment
- func (c *Core) ResetUnsealProcess()
- func (c *Core) RouterAccess() *RouterAccess
- func (c *Core) SanitizedConfig() map[string]interface{}
- func (c *Core) SaveMFAResponseAuth(respAuth *MFACachedAuthResponse) error
- func (c *Core) Seal(token string) error
- func (c *Core) SealAccess() *SealAccess
- func (c *Core) SealWithRequest(httpCtx context.Context, req *logical.Request) error
- func (c *Core) Sealed() bool
- func (c *Core) SecretProgress() (int, string)
- func (c *Core) SendGroupUpdate(context.Context, *identity.Group) (bool, error)
- func (c *Core) SetClusterHandler(handler http.Handler)
- func (c *Core) SetClusterListenerAddrs(addrs []*net.TCPAddr)
- func (c *Core) SetConfig(conf *server.Config)
- func (c *Core) SetKeyRotateGracePeriod(t time.Duration)
- func (c *Core) SetLoadCaseSensitiveIdentityStore(caseSensitive bool)
- func (c *Core) SetLogLevel(level log.Level)
- func (c *Core) SetLogLevelByName(name string, level log.Level) error
- func (c *Core) SetNeverBecomeActive(on bool)
- func (c *Core) Shutdown() error
- func (c *Core) ShutdownDone() <-chan struct{}
- func (c *Core) ShutdownWait() error
- func (c *Core) Standby() (bool, error)
- func (c *Core) StandbyStates() (standby, perfStandby bool)
- func (c *Core) StepDown(httpCtx context.Context, req *logical.Request) (retErr error)
- func (c *Core) StorageType() string
- func (c *Core) StoreInFlightReqData(reqID string, data InFlightReqData)
- func (c *Core) UIEnabled() bool
- func (c *Core) UIHeaders() (http.Header, error)
- func (c *Core) Unseal(key []byte) (bool, error)
- func (c *Core) UnsealMigrate(key []byte) (bool, error)
- func (c *Core) UnsealWithStoredKeys(ctx context.Context) error
- func (c *Core) UpdateInFlightReqData(reqID, clientID string)
- type CoreConfig
- type CubbyholeBackend
- type DeadlockMutex
- type DeadlockRWMutex
- type EchoReply
- func (*EchoReply) Descriptor() ([]byte, []int) (deprecated)
- func (x *EchoReply) GetClusterAddrs() []string
- func (x *EchoReply) GetMessage() string
- func (x *EchoReply) GetNodeInfo() *NodeInformation
- func (x *EchoReply) GetRaftAppliedIndex() uint64
- func (x *EchoReply) GetRaftNodeID() string
- func (x *EchoReply) GetReplicationState() uint32
- func (*EchoReply) ProtoMessage()
- func (x *EchoReply) ProtoReflect() protoreflect.Message
- func (x *EchoReply) Reset()
- func (x *EchoReply) String() string
- type EchoRequest
- func (*EchoRequest) Descriptor() ([]byte, []int) (deprecated)
- func (x *EchoRequest) GetClusterAddr() string
- func (x *EchoRequest) GetClusterAddrs() []string
- func (x *EchoRequest) GetMessage() string
- func (x *EchoRequest) GetNodeInfo() *NodeInformation
- func (x *EchoRequest) GetRaftAppliedIndex() uint64
- func (x *EchoRequest) GetRaftDesiredSuffrage() string
- func (x *EchoRequest) GetRaftNodeID() string
- func (x *EchoRequest) GetRaftTerm() uint64
- func (*EchoRequest) ProtoMessage()
- func (x *EchoRequest) ProtoReflect() protoreflect.Message
- func (x *EchoRequest) Reset()
- func (x *EchoRequest) String() string
- type EncodedKeyring
- type EntityCounter
- type EntityCreator
- type ErrDecrypt
- type ErrEncrypt
- type ErrInvalidKey
- type ExpirationManager
- func (m *ExpirationManager) CreateOrFetchRevocationLeaseByToken(ctx context.Context, te *logical.TokenEntry) (string, error)
- func (m *ExpirationManager) FetchLeaseTimes(ctx context.Context, leaseID string) (*leaseEntry, error)
- func (m *ExpirationManager) FetchLeaseTimesByToken(ctx context.Context, te *logical.TokenEntry) (*leaseEntry, error)
- func (m *ExpirationManager) LazyRevoke(ctx context.Context, leaseID string) error
- func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request, resp *logical.Response) (id string, retErr error)
- func (m *ExpirationManager) RegisterAuth(ctx context.Context, te *logical.TokenEntry, auth *logical.Auth) error
- func (m *ExpirationManager) Renew(ctx context.Context, leaseID string, increment time.Duration) (*logical.Response, error)
- func (m *ExpirationManager) RenewToken(ctx context.Context, req *logical.Request, te *logical.TokenEntry, ...) (*logical.Response, error)
- func (m *ExpirationManager) Restore(errorFunc func()) (retErr error)
- func (m *ExpirationManager) Revoke(ctx context.Context, leaseID string) error
- func (m *ExpirationManager) RevokeByToken(ctx context.Context, te *logical.TokenEntry) error
- func (m *ExpirationManager) RevokeForce(ctx context.Context, prefix string) error
- func (m *ExpirationManager) RevokePrefix(ctx context.Context, prefix string, sync bool) error
- func (m *ExpirationManager) Stop() error
- func (m *ExpirationManager) Tidy(ctx context.Context) error
- func (m *ExpirationManager) WalkTokens(walkFn ExpirationWalkFunction) error
- type ExpirationWalkFunction
- type ExpireLeaseStrategy
- type FeatureFlags
- type GenerateRootConfig
- type GenerateRootResult
- type GenerateRootStrategy
- type GroupUpdater
- type HAStatusNode
- type HandlerProperties
- type IdentityFactor
- type IdentityStore
- func (i *IdentityStore) CreateEntity(ctx context.Context) (*identity.Entity, error)
- func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.Alias) (*identity.Entity, error)
- func (i *IdentityStore) Invalidate(ctx context.Context, key string)
- func (i *IdentityStore) MemDBAliasByFactors(mountAccessor, aliasName string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByFactorsInTxn(txn *memdb.Txn, mountAccessor, aliasName string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByID(aliasID string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliasByIDInTxn(txn *memdb.Txn, aliasID string, clone bool, groupAlias bool) (*identity.Alias, error)
- func (i *IdentityStore) MemDBAliases(ws memdb.WatchSet, groupAlias bool) (memdb.ResultIterator, error)
- func (i *IdentityStore) MemDBDeleteAliasByIDInTxn(txn *memdb.Txn, aliasID string, groupAlias bool) error
- func (i *IdentityStore) MemDBDeleteEntityByID(entityID string) error
- func (i *IdentityStore) MemDBDeleteEntityByIDInTxn(txn *memdb.Txn, entityID string) error
- func (i *IdentityStore) MemDBDeleteGroupByIDInTxn(txn *memdb.Txn, groupID string) error
- func (i *IdentityStore) MemDBEntitiesByBucketKeyInTxn(txn *memdb.Txn, bucketKey string) ([]*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByAliasID(aliasID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByAliasIDInTxn(txn *memdb.Txn, aliasID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByID(entityID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByIDInTxn(txn *memdb.Txn, entityID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByMergedEntityID(mergedEntityID string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByName(ctx context.Context, entityName string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBEntityByNameInTxn(ctx context.Context, txn *memdb.Txn, entityName string, clone bool) (*identity.Entity, error)
- func (i *IdentityStore) MemDBGroupByAliasID(aliasID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByAliasIDInTxn(txn *memdb.Txn, aliasID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByID(groupID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByIDInTxn(txn *memdb.Txn, groupID string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByName(ctx context.Context, groupName string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupByNameInTxn(ctx context.Context, txn *memdb.Txn, groupName string, clone bool) (*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByBucketKeyInTxn(txn *memdb.Txn, bucketKey string) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByMemberEntityID(entityID string, clone bool, externalOnly bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByMemberEntityIDInTxn(txn *memdb.Txn, entityID string, clone bool, externalOnly bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByParentGroupID(memberGroupID string, clone bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBGroupsByParentGroupIDInTxn(txn *memdb.Txn, memberGroupID string, clone bool) ([]*identity.Group, error)
- func (i *IdentityStore) MemDBLocalAliasesByBucketKeyInTxn(txn *memdb.Txn, bucketKey string) ([]*identity.Alias, error)
- func (i *IdentityStore) MemDBUpsertAliasInTxn(txn *memdb.Txn, alias *identity.Alias, groupAlias bool) error
- func (i *IdentityStore) MemDBUpsertEntityInTxn(txn *memdb.Txn, entity *identity.Entity) error
- func (i *IdentityStore) MemDBUpsertGroupInTxn(txn *memdb.Txn, group *identity.Group) error
- func (i *IdentityStore) UpsertGroup(ctx context.Context, group *identity.Group, persist bool) error
- func (i *IdentityStore) UpsertGroupInTxn(ctx context.Context, txn *memdb.Txn, group *identity.Group, persist bool) error
- type InFlightReqData
- type InFlightRequests
- type InitParams
- type InitResult
- type InitializableBackend
- type Key
- type KeyInfo
- type KeyRotationConfig
- type Keyring
- func (k *Keyring) ActiveKey() *Key
- func (k *Keyring) ActiveTerm() uint32
- func (k *Keyring) AddKey(key *Key) (*Keyring, error)
- func (k *Keyring) Clone() *Keyring
- func (k *Keyring) RemoveKey(term uint32) (*Keyring, error)
- func (k *Keyring) RootKey() []byte
- func (k *Keyring) Serialize() ([]byte, error)
- func (k *Keyring) SetRootKey(val []byte) *Keyring
- func (k *Keyring) TermKey(term uint32) *Key
- func (k *Keyring) Zeroize(keysToo bool)
- type LeaderResponse
- type LicenseState
- type LicensingConfig
- type ListenerCustomHeaders
- type ListingVisibilityType
- type LocalNode
- type LoginMFABackend
- func (b *LoginMFABackend) MemDBDeleteMFAConfigByID(methodId, tableName string) error
- func (b *LoginMFABackend) MemDBDeleteMFAConfigByIDInTxn(txn *memdb.Txn, configID string) error
- func (b *LoginMFABackend) MemDBDeleteMFALoginEnforcementConfigByNameAndNamespace(name, namespaceId, tableName string) error
- func (b *LoginMFABackend) MemDBMFAConfigByID(mConfigID string) (*mfa.Config, error)
- func (b *LoginMFABackend) MemDBMFAConfigByIDInTxn(txn *memdb.Txn, mConfigID string) (*mfa.Config, error)
- func (b *LoginMFABackend) MemDBMFALoginEnforcementConfigByNameAndNamespace(name, namespaceId string) (*mfa.MFAEnforcementConfig, error)
- func (b *LoginMFABackend) MemDBMFALoginEnforcementConfigIterator() (memdb.ResultIterator, error)
- func (b *LoginMFABackend) MemDBUpsertMFALoginEnforcementConfig(ctx context.Context, eConfig *mfa.MFAEnforcementConfig) error
- func (b *LoginMFABackend) ResetLoginMFAMemDB() error
- type LoginMFAPriorityQueue
- func (pq *LoginMFAPriorityQueue) Len() int
- func (pq *LoginMFAPriorityQueue) PopByKey(reqID string) (*MFACachedAuthResponse, error)
- func (pq *LoginMFAPriorityQueue) Push(resp *MFACachedAuthResponse) error
- func (pq *LoginMFAPriorityQueue) RemoveExpiredMfaAuthResponse(expiryTime time.Duration, cutoffTime time.Time) error
- type MFABackend
- type MFACachedAuthResponse
- type MountConfig
- type MountEntry
- type MountMigrationInfo
- type MountMigrationStatus
- type MountTable
- type Namespacer
- type NodeInformation
- func (*NodeInformation) Descriptor() ([]byte, []int) (deprecated)
- func (x *NodeInformation) GetApiAddr() string
- func (x *NodeInformation) GetClusterAddr() string
- func (x *NodeInformation) GetHostname() string
- func (x *NodeInformation) GetMode() string
- func (x *NodeInformation) GetNodeID() string
- func (x *NodeInformation) GetReplicationState() uint32
- func (*NodeInformation) ProtoMessage()
- func (x *NodeInformation) ProtoReflect() protoreflect.Message
- func (x *NodeInformation) Reset()
- func (x *NodeInformation) String() string
- type NonFatalError
- type NoopAudit
- func (n *NoopAudit) GetHash(ctx context.Context, data string) (string, error)
- func (n *NoopAudit) Invalidate(ctx context.Context)
- func (n *NoopAudit) LogRequest(ctx context.Context, in *logical.LogInput) error
- func (n *NoopAudit) LogResponse(ctx context.Context, in *logical.LogInput) error
- func (n *NoopAudit) LogTestMessage(ctx context.Context, in *logical.LogInput, options map[string]string) error
- func (n *NoopAudit) Reload(ctx context.Context) error
- func (n *NoopAudit) Salt(ctx context.Context) (*salt.Salt, error)
- type NoopBackend
- func (n *NoopBackend) Cleanup(ctx context.Context)
- func (n *NoopBackend) HandleExistenceCheck(ctx context.Context, req *logical.Request) (bool, bool, error)
- func (n *NoopBackend) HandleRequest(ctx context.Context, req *logical.Request) (*logical.Response, error)
- func (n *NoopBackend) Initialize(ctx context.Context, req *logical.InitializationRequest) error
- func (n *NoopBackend) InvalidateKey(ctx context.Context, k string)
- func (n *NoopBackend) Logger() log.Logger
- func (n *NoopBackend) Setup(ctx context.Context, config *logical.BackendConfig) error
- func (n *NoopBackend) SpecialPaths() *logical.Paths
- func (n *NoopBackend) System() logical.SystemView
- func (n *NoopBackend) Type() logical.BackendType
- type PassthroughBackend
- type PathRules
- type PeerNode
- type PerfStandbyElectionInput
- type PerfStandbyElectionResponse
- func (*PerfStandbyElectionResponse) Descriptor() ([]byte, []int) (deprecated)
- func (x *PerfStandbyElectionResponse) GetCaCert() []byte
- func (x *PerfStandbyElectionResponse) GetClientCert() []byte
- func (x *PerfStandbyElectionResponse) GetClientKey() *ClientKey
- func (x *PerfStandbyElectionResponse) GetClusterID() string
- func (x *PerfStandbyElectionResponse) GetID() string
- func (x *PerfStandbyElectionResponse) GetPrimaryClusterAddr() string
- func (*PerfStandbyElectionResponse) ProtoMessage()
- func (x *PerfStandbyElectionResponse) ProtoReflect() protoreflect.Message
- func (x *PerfStandbyElectionResponse) Reset()
- func (x *PerfStandbyElectionResponse) String() string
- type PhysicalBackendBundle
- type PluginCatalog
- func (c *PluginCatalog) Delete(ctx context.Context, name string, pluginType consts.PluginType) error
- func (c *PluginCatalog) Get(ctx context.Context, name string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error)
- func (c *PluginCatalog) List(ctx context.Context, pluginType consts.PluginType) ([]string, error)
- func (c *PluginCatalog) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (*pluginClient, error)
- func (c *PluginCatalog) Set(ctx context.Context, name string, pluginType consts.PluginType, command string, ...) error
- func (c *PluginCatalog) UpgradePlugins(ctx context.Context, logger log.Logger) error
- type Policy
- type PolicyCheckOpts
- type PolicyEntry
- type PolicyMFABackend
- type PolicyStore
- func (ps *PolicyStore) ACL(ctx context.Context, entity *identity.Entity, policyNames map[string][]string, ...) (*ACL, error)
- func (ps *PolicyStore) DeletePolicy(ctx context.Context, name string, policyType PolicyType) error
- func (ps *PolicyStore) GetPolicy(ctx context.Context, name string, policyType PolicyType) (*Policy, error)
- func (ps *PolicyStore) ListPolicies(ctx context.Context, policyType PolicyType) ([]string, error)
- func (ps *PolicyStore) SetPolicy(ctx context.Context, p *Policy) error
- type PolicyType
- type RawBackend
- type RegisterAuthFunc
- type RekeyBackup
- type RekeyResult
- type RekeyVerifyResult
- type ReplicationTokenInfo
- type RequestForwardingClient
- type RequestForwardingServer
- type RequestForwarding_PerformanceStandbyElectionRequestClient
- type RequestForwarding_PerformanceStandbyElectionRequestServer
- type ResponseCounts
- type ResponseMonth
- type ResponseMonthlyNamespace
- type ResponseMount
- type ResponseNamespace
- type ResponseNewClients
- type RollbackManager
- type Router
- func (r *Router) LoginPath(ctx context.Context, path string) bool
- func (r *Router) MatchingAPIPrefixByStoragePath(ctx context.Context, path string) (*namespace.Namespace, string, string, bool)
- func (r *Router) MatchingBackend(ctx context.Context, path string) logical.Backend
- func (r *Router) MatchingMount(ctx context.Context, path string) string
- func (r *Router) MatchingMountByAPIPath(ctx context.Context, path string) string
- func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry
- func (r *Router) MatchingMountByUUID(mountID string) *MountEntry
- func (r *Router) MatchingMountEntry(ctx context.Context, path string) *MountEntry
- func (r *Router) MatchingStorageByAPIPath(ctx context.Context, path string) logical.Storage
- func (r *Router) MatchingStorageByStoragePath(ctx context.Context, path string) logical.Storage
- func (r *Router) MatchingStoragePrefixByAPIPath(ctx context.Context, path string) (string, bool)
- func (r *Router) MatchingSystemView(ctx context.Context, path string) logical.SystemView
- func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, ...) error
- func (r *Router) MountConflict(ctx context.Context, path string) string
- func (r *Router) Remount(ctx context.Context, src, dst string) error
- func (r *Router) RootPath(ctx context.Context, path string) bool
- func (r *Router) Route(ctx context.Context, req *logical.Request) (*logical.Response, error)
- func (r *Router) RouteExistenceCheck(ctx context.Context, req *logical.Request) (*logical.Response, bool, bool, error)
- func (r *Router) Taint(ctx context.Context, path string) error
- func (r *Router) Unmount(ctx context.Context, prefix string) error
- func (r *Router) Untaint(ctx context.Context, path string) error
- func (r *Router) ValidateMountByAccessor(accessor string) *ValidateMountResponse
- type RouterAccess
- type RouterTestHandlerFunc
- type SSCTokenGenerationCounter
- type Seal
- type SealAccess
- func (s *SealAccess) BarrierConfig(ctx context.Context) (*SealConfig, error)
- func (s *SealAccess) BarrierType() string
- func (s *SealAccess) ClearCaches(ctx context.Context)
- func (s *SealAccess) GetAccess() *seal.Access
- func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error)
- func (s *SealAccess) RecoveryKeySupported() bool
- func (s *SealAccess) StoredKeysSupported() seal.StoredKeysSupport
- func (s *SealAccess) VerifyRecoveryKey(ctx context.Context, key []byte) error
- type SealConfig
- type SealStatusResponse
- type SecurityBarrier
- type SystemBackend
- type TOTPPersister
- type TemplateError
- type TestCluster
- func (c *TestCluster) AttemptUnsealCore(core *TestClusterCore) error
- func (c *TestCluster) Cleanup()
- func (c *TestCluster) EnsureCoresSealed(t testing.T)
- func (c *TestCluster) Start()
- func (cluster *TestCluster) StartCore(t testing.T, idx int, opts *TestClusterOptions)
- func (cluster *TestCluster) StopCore(t testing.T, idx int)
- func (c *TestCluster) UnsealCore(t testing.T, core *TestClusterCore)
- func (c *TestCluster) UnsealCoreWithStoredKeys(t testing.T, core *TestClusterCore)
- func (c *TestCluster) UnsealCores(t testing.T)
- func (c *TestCluster) UnsealCoresWithError(useStoredKeys bool) error
- type TestClusterCore
- type TestClusterOptions
- type TestListener
- type TestLogger
- type TokenCounter
- type TokenStore
- func (ts *TokenStore) CalculateSignedTokenHMAC(marshalledToken []byte) ([]byte, error)
- func (ts *TokenStore) GenerateSSCTokenID(innerToken string, walState *logical.WALState, te *logical.TokenEntry) string
- func (ts *TokenStore) GetSSCTokensGenerationCounter() int
- func (ts *TokenStore) Invalidate(ctx context.Context, key string)
- func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntry, error)
- func (ts *TokenStore) Salt(ctx context.Context) (*salt.Salt, error)
- func (ts *TokenStore) SaltID(ctx context.Context, id string) (string, error)
- func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)
- func (ts *TokenStore) UpdateSSCTokensGenerationCounter(ctx context.Context) error
- func (ts *TokenStore) UseToken(ctx context.Context, te *logical.TokenEntry) (*logical.TokenEntry, error)
- func (ts *TokenStore) UseTokenByID(ctx context.Context, id string) (*logical.TokenEntry, error)
- type TokenStorer
- type UIConfig
- func (c *UIConfig) DeleteHeader(ctx context.Context, header string) error
- func (c *UIConfig) Enabled() bool
- func (c *UIConfig) GetHeader(ctx context.Context, header string) ([]string, error)
- func (c *UIConfig) HeaderKeys(ctx context.Context) ([]string, error)
- func (c *UIConfig) Headers(ctx context.Context) (http.Header, error)
- func (c *UIConfig) SetHeader(ctx context.Context, header string, values []string) error
- type UnimplementedRequestForwardingServer
- func (UnimplementedRequestForwardingServer) Echo(context.Context, *EchoRequest) (*EchoReply, error)
- func (UnimplementedRequestForwardingServer) ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error)
- func (UnimplementedRequestForwardingServer) PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, ...) error
- type UnsafeRequestForwardingServer
- type UnsealStrategy
- type ValidateMountResponse
- type VaultVersion
Constants ¶
const ( // for testing purposes (public as needed) ActivityLogPrefix = "sys/counters/activity/log/" ActivityPrefix = "sys/counters/activity/" )
const ( AESGCMVersion1 = 0x1 AESGCMVersion2 = 0x2 )
Versions of the AESGCM storage methodology
const ( // CoreLockPath is the path used to acquire a coordinating lock // for a highly-available deploy. CoreLockPath = "core/lock" // ForwardSSCTokenToActive is the value that must be set in the // forwardToActive to trigger forwarding if a perf standby encounters // an SSC Token that it does not have the WAL state for. ForwardSSCTokenToActive = "new_token" )
const ( CORSDisabled uint32 = iota CORSEnabled )
const ( // maximum number of irrevocable leases we return to the irrevocable lease // list API **without** the `force` flag set MaxIrrevocableLeasesToReturn = 10000 MaxIrrevocableLeasesWarning = "Command halted because many irrevocable leases were found. To emit the entire list, re-run the command with force set true." )
const ( // Error constants used in the Authorization Endpoint. See details at // https://openid.net/specs/openid-connect-core-1_0.html#AuthError. ErrAuthUnsupportedResponseType = "unsupported_response_type" ErrAuthInvalidRequest = "invalid_request" ErrAuthAccessDenied = "access_denied" ErrAuthServerError = "server_error" ErrAuthRequestNotSupported = "request_not_supported" ErrAuthRequestURINotSupported = "request_uri_not_supported" // Error constants used in the Token Endpoint. See details at // https://openid.net/specs/openid-connect-core-1_0.html#TokenErrorResponse ErrTokenInvalidRequest = "invalid_request" ErrTokenInvalidClient = "invalid_client" ErrTokenInvalidGrant = "invalid_grant" ErrTokenUnsupportedGrantType = "unsupported_grant_type" ErrTokenServerError = "server_error" // Error constants used in the UserInfo Endpoint. See details at // https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError ErrUserInfoServerError = "server_error" ErrUserInfoInvalidRequest = "invalid_request" ErrUserInfoInvalidToken = "invalid_token" ErrUserInfoAccessDenied = "access_denied" // The following errors are used by the UI for specific behavior of // the OIDC specification. Any changes to their values must come with // a corresponding change in the UI code. ErrAuthInvalidClientID = "invalid_client_id" ErrAuthInvalidRedirectURI = "invalid_redirect_uri" ErrAuthMaxAgeReAuthenticate = "max_age_violation" )
const ( DenyCapability = "deny" CreateCapability = "create" ReadCapability = "read" UpdateCapability = "update" DeleteCapability = "delete" ListCapability = "list" SudoCapability = "sudo" RootCapability = "root" PatchCapability = "patch" // Backwards compatibility OldDenyPathPolicy = "deny" OldReadPathPolicy = "read" OldWritePathPolicy = "write" OldSudoPathPolicy = "sudo" )
const ( DenyCapabilityInt uint32 = 1 << iota CreateCapabilityInt ReadCapabilityInt UpdateCapabilityInt DeleteCapabilityInt ListCapabilityInt SudoCapabilityInt PatchCapabilityInt )
const ( RecoveryTypeUnsupported = "unsupported" RecoveryTypeShamir = "shamir" )
const ( // TokenLength is the size of tokens we are currently generating, without // any namespace information TokenLength = 24 // MaxNsIdLength is the maximum namespace ID length (4 characters prepended by a ".") MaxNsIdLength = 5 // TokenPrefixLength is the length of the new token prefixes ("hvs.", "hvb.", // and "hvr.") TokenPrefixLength = 4 // OldTokenPrefixLength is the length of the old token prefixes ("s.", "b.", "r.") OldTokenPrefixLength = 2 // GenerationCounterBuffer is a buffer for the generation counter estimation in the // case where a counter cannot be retrieved from storage GenerationCounterBuffer = 5 // MaxRetrySSCTokensGenerationCounter is the maximum number of retries the TokenStore // will make when attempting to get the SSCTokensGenerationCounter MaxRetrySSCTokensGenerationCounter = 3 )
const ( // ControlledCapabilityPolicySubsetError is thrown when a control group's controlled capabilities // are not a subset of the policy's capabilities. ControlledCapabilityPolicySubsetError = "control group factor capabilities must be a subset of the policy's capabilities" )
Error constants for testing
const (
EnvVaultDisableLocalAuthMountEntities = "VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES"
)
const (
// Internal so as not to log a trace message
IntNoForwardingHeaderName = "X-Vault-Internal-No-Request-Forwarding"
)
const (
// StoredBarrierKeysPath is the path used for storing HSM-encrypted unseal keys
StoredBarrierKeysPath = "core/hsm/barrier-unseal-keys"
)
Variables ¶
var ( // ErrBarrierSealed is returned if an operation is performed on // a sealed barrier. No operation is expected to succeed before unsealing ErrBarrierSealed = errors.New("Vault is sealed") // ErrBarrierAlreadyInit is returned if the barrier is already // initialized. This prevents a re-initialization. ErrBarrierAlreadyInit = errors.New("Vault is already initialized") // ErrBarrierNotInit is returned if a non-initialized barrier // is attempted to be unsealed. ErrBarrierNotInit = errors.New("Vault is not initialized") // ErrBarrierInvalidKey is returned if the Unseal key is invalid ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key") // ErrPlaintextTooLarge is returned if a plaintext is offered for encryption // that is too large to encrypt in memory ErrPlaintextTooLarge = errors.New("plaintext value too large") )
var ( ErrCannotForward = errors.New("cannot forward request; no connection or address not known") ErrCannotForwardLocalOnly = errors.New("cannot forward local-only request") )
var ( // ErrAlreadyInit is returned if the core is already // initialized. This prevents a re-initialization. ErrAlreadyInit = errors.New("Vault is already initialized") // ErrNotInit is returned if a non-initialized barrier // is attempted to be unsealed. ErrNotInit = errors.New("Vault is not initialized") // ErrInternalError is returned when we don't want to leak // any information about an internal error ErrInternalError = errors.New("internal error") // ErrHANotEnabled is returned if the operation only makes sense // in an HA setting ErrHANotEnabled = errors.New("Vault is not configured for highly-available mode") LastWAL = lastWALImpl LastPerformanceWAL = lastPerformanceWALImpl LastDRWAL = lastDRWALImpl PerformanceMerkleRoot = merkleRootImpl DRMerkleRoot = merkleRootImpl LastRemoteWAL = lastRemoteWALImpl LastRemoteUpstreamWAL = lastRemoteUpstreamWALImpl WaitUntilWALShipped = waitUntilWALShippedImpl LicenseAutoloaded = func(*Core) bool { return false } LicenseInitCheck = func(*Core) error { return nil } LicenseSummary = func(*Core) (*LicenseState, error) { return nil, nil } LicenseReload = func(*Core) error { return nil } )
var ( ErrDirectoryNotConfigured = errors.New("could not set plugin, plugin directory is not configured") ErrPluginNotFound = errors.New("plugin not found in the catalog") ErrPluginBadType = errors.New("unable to determine plugin type") )
var ( // TestingUpdateClusterAddr is used in tests to override the cluster address TestingUpdateClusterAddr uint32 ErrJoinWithoutAutoloading = errors.New("attempt to join a cluster using autoloaded licenses while not using autoloading ourself") )
var ( // DefaultMaxRequestDuration is the amount of time we'll wait for a request // to complete, unless overridden on a per-handler basis DefaultMaxRequestDuration = 90 * time.Second )
var DefaultNumCores = 3
var ErrInRestoreMode = errors.New("expiration manager in restore mode")
var (
ErrInitWithoutAutoloading = errors.New("cannot initialize storage without an autoloaded license")
)
var File_vault_request_forwarding_service_proto protoreflect.FileDescriptor
var NamespaceByID func(context.Context, string, *Core) (*namespace.Namespace, error) = namespaceByID
var RequestForwarding_ServiceDesc = grpc.ServiceDesc{ ServiceName: "vault.RequestForwarding", HandlerType: (*RequestForwardingServer)(nil), Methods: []grpc.MethodDesc{ { MethodName: "ForwardRequest", Handler: _RequestForwarding_ForwardRequest_Handler, }, { MethodName: "Echo", Handler: _RequestForwarding_Echo_Handler, }, }, Streams: []grpc.StreamDesc{ { StreamName: "PerformanceStandbyElectionRequest", Handler: _RequestForwarding_PerformanceStandbyElectionRequest_Handler, ServerStreams: true, }, }, Metadata: "vault/request_forwarding_service.proto", }
RequestForwarding_ServiceDesc is the grpc.ServiceDesc for the RequestForwarding service. It is only intended for direct use with grpc.RegisterService, and must not be introspected or modified (even as a copy).
var StdAllowedHeaders = []string{ "Content-Type", "X-Requested-With", "X-Vault-AWS-IAM-Server-ID", "X-Vault-MFA", "X-Vault-No-Request-Forwarding", "X-Vault-Wrap-Format", "X-Vault-Wrap-TTL", "X-Vault-Policy-Override", "Authorization", consts.AuthHeaderName, }
Functions ¶
func ActiveEntitiesEqual ¶ added in v1.6.2
func ActiveEntitiesEqual(active map[string]*activity.EntityRecord, test []*activity.EntityRecord) bool
ActiveEntitiesEqual checks that `active` contains exactly the set of entity records in `test` and nothing else.
func AddNoopAudit ¶ added in v1.1.1
func AddNoopAudit(conf *CoreConfig, records **[][]byte)
func AddTestCredentialBackend ¶ added in v0.9.0
AddTestCredentialBackend adds a credential backend to the test core. It must be invoked before the test core is created.
func AddTestLogicalBackend ¶ added in v0.3.0
AddTestLogicalBackend adds a logical backend to the test core. It must be invoked before the test core is created.
func CubbyholeBackendFactory ¶ added in v0.3.0
func CubbyholeBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
CubbyholeBackendFactory constructs a new cubbyhole backend
func DiagnoseCheckLicense ¶ added in v1.8.0
func GenerateRandBytes ¶ added in v0.5.0
func GenerateTestLicenseKeys ¶ added in v1.8.0
func GenerateTestLicenseKeys() (ed25519.PublicKey, ed25519.PrivateKey, error)
func IsBatchToken ¶ added in v1.10.0
func IsFatalError ¶ added in v1.0.3
IsFatalError returns true if the given error is a fatal error.
func IsSSCToken ¶ added in v1.10.0
func IsServiceToken ¶ added in v1.10.0
func IsWrappingToken ¶ added in v1.8.0
func IsWrappingToken(te *logical.TokenEntry) bool
func LeaseSwitchedPassthroughBackend ¶ added in v0.3.0
func LeaseSwitchedPassthroughBackend(ctx context.Context, conf *logical.BackendConfig, leases bool) (logical.Backend, error)
LeaseSwitchedPassthroughBackend returns a PassthroughBackend with leases switched on or off according to the `leases` argument.
func LeasedPassthroughBackendFactory ¶ added in v0.3.0
func LeasedPassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
LeasedPassthroughBackendFactory returns a PassthroughBackend with leases switched on
func NewAutoSeal ¶ added in v1.0.0
func NewMockBuiltinRegistry ¶ added in v1.0.0
func NewMockBuiltinRegistry() *mockBuiltinRegistry
func NewRequestForwardingHandler ¶ added in v1.1.0
func NewRequestForwardingHandler(c *Core, fws *http2.Server, perfStandbySlots chan struct{}, perfStandbyRepCluster *replication.Cluster) (*requestForwardingHandler, error)
NewRequestForwardingHandler creates a cluster handler for use with request forwarding.
func NewSealUnwrapper ¶ added in v0.9.4
NewSealUnwrapper creates a new seal unwrapper
func NoopBackendFactory ¶ added in v1.1.4
func PassthroughBackendFactory ¶
func PassthroughBackendFactory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
PassthroughBackendFactory returns a PassthroughBackend with leases switched off
func RandStringBytes ¶ added in v1.9.0
func RegisterRequestForwardingServer ¶ added in v0.6.1
func RegisterRequestForwardingServer(s grpc.ServiceRegistrar, srv RequestForwardingServer)
func RetryUntil ¶ added in v1.10.0
RetryUntil runs f until it returns a nil result or the timeout is reached. If a nil result hasn't been obtained by timeout, calls t.Fatal.
func SetReplicationFailureMode ¶ added in v0.11.2
func SetReplicationFailureMode(core *TestClusterCore, mode uint32)
func SetupMFAMemDB ¶ added in v1.10.3
func SetupMFAMemDB(schemaFuncs []func() *memdb.TableSchema) (*memdb.MemDB, error)
func TestAddTestPlugin ¶ added in v0.7.1
func TestAddTestPlugin(t testing.T, c *Core, name string, pluginType consts.PluginType, testFunc string, env []string, tempDir string)
TestAddTestPlugin registers testFunc as part of the plugin command in the plugin catalog. If provided, tempDir is used as the plugin directory.
func TestCoreInit ¶
TestCoreInit initializes the core with a single key, and returns the key that must be used to unseal the core and a root token.
func TestCoreInitClusterWrapperSetup ¶ added in v0.6.1
func TestDynamicSystemView ¶ added in v0.7.1
func TestKeyCopy ¶
TestKeyCopy is a silly little function to just copy the key so that it can be used with Unseal easily.
func TestWaitActive ¶ added in v0.6.1
func TestWaitActive(t testing.T, core *Core)
func TestWaitActiveForwardingReady ¶ added in v1.6.0
func TestWaitActiveForwardingReady(t testing.T, core *Core)
func TestWaitActiveWithError ¶ added in v0.10.2
Types ¶
type ACL ¶
type ACL struct {
// contains filtered or unexported fields
}
ACL is used to wrap a set of policies to provide an efficient interface for access control.
func (*ACL) AllowOperation ¶
func (a *ACL) AllowOperation(ctx context.Context, req *logical.Request, capCheckOnly bool) (ret *ACLResults)
AllowOperation is used to check if the given operation is permitted.
func (*ACL) Capabilities ¶ added in v0.5.2
func (*ACL) CheckAllowedFromNonExactPaths ¶ added in v1.1.1
func (a *ACL) CheckAllowedFromNonExactPaths(path string, bareMount bool) *ACLPermissions
CheckAllowedFromNonExactPaths returns permissions corresponding to a matching path with wildcards/globs. If bareMount is true, the path should correspond to a mount prefix, and what is returned is either a non-nil set of permissions from some allowed path underneath the mount (for use in mount access checks), or nil indicating no non-deny permissions were found.
type ACLPermissions ¶ added in v0.9.0
type ACLPermissions struct { CapabilitiesBitmap uint32 MinWrappingTTL time.Duration MaxWrappingTTL time.Duration AllowedParameters map[string][]interface{} DeniedParameters map[string][]interface{} RequiredParameters []string MFAMethods []string ControlGroup *ControlGroup }
func (*ACLPermissions) Clone ¶ added in v0.9.0
func (p *ACLPermissions) Clone() (*ACLPermissions, error)
type ACLResults ¶ added in v0.9.0
type AESGCMBarrier ¶
type AESGCMBarrier struct { UnaccountedEncryptions *atomic.Int64 // Used only for testing RemoteEncryptions *atomic.Int64 // contains filtered or unexported fields }
AESGCMBarrier is a SecurityBarrier implementation that uses the AES cipher core with the Galois Counter Mode (GCM) block mode. It defaults to Go's standard GCM nonce size of 12 bytes and a key size of 256 bits. AES-GCM is high performance, and provides both confidentiality and integrity.
func NewAESGCMBarrier ¶
func NewAESGCMBarrier(physical physical.Backend) (*AESGCMBarrier, error)
NewAESGCMBarrier is used to construct a new barrier that uses the provided physical backend for storage.
func (*AESGCMBarrier) ActiveKeyInfo ¶ added in v0.2.0
func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error)
ActiveKeyInfo is used to report details about the active key.
func (*AESGCMBarrier) AddRemoteEncryptions ¶ added in v1.7.0
func (b *AESGCMBarrier) AddRemoteEncryptions(encryptions int64)
func (*AESGCMBarrier) CheckBarrierAutoRotate ¶ added in v1.7.0
func (b *AESGCMBarrier) CheckBarrierAutoRotate(ctx context.Context) (string, error)
func (*AESGCMBarrier) CheckUpgrade ¶ added in v0.2.0
CheckUpgrade looks for an upgrade to the current term and installs it
func (*AESGCMBarrier) ConsumeEncryptionCount ¶ added in v1.7.0
func (b *AESGCMBarrier) ConsumeEncryptionCount(consumer func(int64) error) error
func (*AESGCMBarrier) CreateUpgrade ¶ added in v0.2.0
func (b *AESGCMBarrier) CreateUpgrade(ctx context.Context, term uint32) error
CreateUpgrade creates an upgrade path key to the given term from the previous term
func (*AESGCMBarrier) Decrypt ¶ added in v0.7.0
Decrypt is used to decrypt in-memory for the BarrierEncryptor interface
func (*AESGCMBarrier) Delete ¶
func (b *AESGCMBarrier) Delete(ctx context.Context, key string) error
Delete is used to permanently delete an entry
func (*AESGCMBarrier) DestroyUpgrade ¶ added in v0.2.0
func (b *AESGCMBarrier) DestroyUpgrade(ctx context.Context, term uint32) error
DestroyUpgrade destroys the upgrade path key to the given term
func (*AESGCMBarrier) Encrypt ¶ added in v0.7.0
Encrypt is used to encrypt in-memory for the BarrierEncryptor interface
func (*AESGCMBarrier) GenerateKey ¶
func (b *AESGCMBarrier) GenerateKey(reader io.Reader) ([]byte, error)
GenerateKey is used to generate a new key
func (*AESGCMBarrier) Get ¶
func (b *AESGCMBarrier) Get(ctx context.Context, key string) (*logical.StorageEntry, error)
Get is used to fetch an entry
func (*AESGCMBarrier) Initialize ¶
func (b *AESGCMBarrier) Initialize(ctx context.Context, key, sealKey []byte, reader io.Reader) error
Initialize works only if the barrier has not been initialized and makes use of the given root key.
func (*AESGCMBarrier) Initialized ¶
func (b *AESGCMBarrier) Initialized(ctx context.Context) (bool, error)
Initialized checks if the barrier has been initialized and has a root key set.
func (*AESGCMBarrier) KeyLength ¶
func (b *AESGCMBarrier) KeyLength() (int, int)
KeyLength is used to sanity check a key
func (*AESGCMBarrier) Keyring ¶ added in v0.7.0
func (b *AESGCMBarrier) Keyring() (*Keyring, error)
func (*AESGCMBarrier) List ¶
List is used to list all the keys under a given prefix, up to the next prefix.
func (*AESGCMBarrier) Put ¶
func (b *AESGCMBarrier) Put(ctx context.Context, entry *logical.StorageEntry) error
Put is used to insert or update an entry
func (*AESGCMBarrier) Rekey ¶ added in v0.2.0
func (b *AESGCMBarrier) Rekey(ctx context.Context, key []byte) error
Rekey is used to change the root key used to protect the keyring
func (*AESGCMBarrier) ReloadKeyring ¶ added in v0.2.0
func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error
ReloadKeyring is used to re-read the underlying keyring. This is used for HA deployments to ensure the latest keyring is present in the leader.
func (*AESGCMBarrier) ReloadRootKey ¶ added in v1.10.0
func (b *AESGCMBarrier) ReloadRootKey(ctx context.Context) error
ReloadRootKey is used to re-read the underlying root key. This is used for HA deployments to ensure the latest root key is available for keyring reloading.
func (*AESGCMBarrier) Rotate ¶ added in v0.2.0
Rotate is used to create a new encryption key. All future writes should use the new key, while old values should still be decryptable.
func (*AESGCMBarrier) RotationConfig ¶ added in v1.7.0
func (b *AESGCMBarrier) RotationConfig() (kc KeyRotationConfig, err error)
func (*AESGCMBarrier) Seal ¶
func (b *AESGCMBarrier) Seal() error
Seal is used to re-seal the barrier. This requires the barrier to be unsealed again to perform any further operations.
func (*AESGCMBarrier) Sealed ¶
func (b *AESGCMBarrier) Sealed() (bool, error)
Sealed checks if the barrier has been unlocked yet. The Barrier is not expected to be able to perform any CRUD until it is unsealed.
func (*AESGCMBarrier) SetRootKey ¶ added in v1.10.0
func (b *AESGCMBarrier) SetRootKey(key []byte) error
SetRootKey updates the keyring's in-memory root key but does not persist anything to storage
func (*AESGCMBarrier) SetRotationConfig ¶ added in v1.7.0
func (b *AESGCMBarrier) SetRotationConfig(ctx context.Context, rotConfig KeyRotationConfig) error
func (*AESGCMBarrier) TotalLocalEncryptions ¶ added in v1.7.0
func (b *AESGCMBarrier) TotalLocalEncryptions() int64
TotalLocalEncryptions returns the number of encryptions made on the local instance only, for the current key term.
func (*AESGCMBarrier) Unseal ¶
func (b *AESGCMBarrier) Unseal(ctx context.Context, key []byte) error
Unseal is used to provide the root key which permits the barrier to be unsealed. If the key is not correct, the barrier remains sealed.
func (*AESGCMBarrier) VerifyRoot ¶ added in v1.10.0
func (b *AESGCMBarrier) VerifyRoot(key []byte) error
VerifyRoot is used to check if the given key matches the root key
type APIMountConfig ¶ added in v0.8.0
type APIMountConfig struct { DefaultLeaseTTL string `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` MaxLeaseTTL string `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` ForceNoCache bool `json:"force_no_cache" structs:"force_no_cache" mapstructure:"force_no_cache"` AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"` AuditNonHMACResponseKeys []string `` /* 128-byte string literal not displayed */ ListingVisibility ListingVisibilityType `json:"listing_visibility,omitempty" structs:"listing_visibility" mapstructure:"listing_visibility"` PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" structs:"passthrough_request_headers" mapstructure:"passthrough_request_headers"` AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" structs:"allowed_response_headers" mapstructure:"allowed_response_headers"` TokenType string `json:"token_type" structs:"token_type" mapstructure:"token_type"` AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"` // PluginName is the name of the plugin registered in the catalog. // // Deprecated: MountEntry.Type should be used instead for Vault 1.0.0 and beyond. PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"` }
APIMountConfig is an embedded struct of api.MountConfigInput
type ActiveEntities ¶ added in v1.3.0
type ActiveEntities struct { // Entities contains information about the number of active entities. Entities EntityCounter `json:"entities"` }
ActiveEntities contains the number of active entities.
type ActiveTokens ¶ added in v1.3.0
type ActiveTokens struct { // ServiceTokens contains information about the number of active service // tokens. ServiceTokens TokenCounter `json:"service_tokens"` }
ActiveTokens contains the number of active tokens.
type ActivityIntentLog ¶ added in v1.6.0
type ActivityLog ¶ added in v1.6.0
type ActivityLog struct {
// contains filtered or unexported fields
}
ActivityLog tracks unique entity counts and non-entity token counts. It handles assembling log fragments (and sending them to the active node), writing log segments, and precomputing queries.
func NewActivityLog ¶ added in v1.6.0
func NewActivityLog(core *Core, logger log.Logger, view *BarrierView, metrics metricsutil.Metrics) (*ActivityLog, error)
NewActivityLog creates an activity log.
func (*ActivityLog) AddClientToFragment ¶ added in v1.9.0
func (a *ActivityLog) AddClientToFragment(clientID string, namespaceID string, timestamp int64, isTWE bool, mountAccessor string)
AddClientToFragment checks a client ID for uniqueness and if not already present, adds it to the current fragment. The timestamp is a Unix timestamp *without* nanoseconds, as that is what token.CreationTime uses.
func (*ActivityLog) AddEntityToFragment ¶ added in v1.6.0
func (a *ActivityLog) AddEntityToFragment(entityID string, namespaceID string, timestamp int64)
func (*ActivityLog) AddTokenToFragment ¶ added in v1.6.0
func (a *ActivityLog) AddTokenToFragment(namespaceID string)
NOTE: AddTokenToFragment is deprecated and can no longer be used, except for testing backward compatibility. Please use AddClientToFragment instead.
func (*ActivityLog) DefaultStartTime ¶ added in v1.6.0
func (a *ActivityLog) DefaultStartTime(endTime time.Time) time.Time
func (*ActivityLog) ExpectCurrentSegmentRefreshed ¶ added in v1.6.2
func (a *ActivityLog) ExpectCurrentSegmentRefreshed(t *testing.T, expectedStart int64, verifyTimeNotZero bool)
ExpectCurrentSegmentRefreshed verifies that the current segment has been refreshed with non-nil, empty components and updated with the `expectedStart` timestamp. Note: if `verifyTimeNotZero` is true, `expectedStart` is ignored and the check is only that the timestamp is not 0.
func (*ActivityLog) GetCurrentEntities ¶ added in v1.6.2
func (a *ActivityLog) GetCurrentEntities() *activity.EntityActivityLog
GetCurrentEntities returns the current entity activity log
func (*ActivityLog) GetEnabled ¶ added in v1.6.2
func (a *ActivityLog) GetEnabled() bool
GetEnabled returns the enabled flag on an activity log
func (*ActivityLog) GetEntitySequenceNumber ¶ added in v1.6.2
func (a *ActivityLog) GetEntitySequenceNumber() uint64
GetEntitySequenceNumber returns the current entity sequence number
func (*ActivityLog) GetStartTimestamp ¶ added in v1.6.2
func (a *ActivityLog) GetStartTimestamp() int64
GetStartTimestamp returns the start timestamp on an activity log
func (*ActivityLog) GetStoredTokenCountByNamespaceID ¶ added in v1.9.0
func (a *ActivityLog) GetStoredTokenCountByNamespaceID() map[string]uint64
GetStoredTokenCountByNamespaceID returns the count of tokens by namespace ID
func (*ActivityLog) HandleEndOfMonth ¶ added in v1.6.0
HandleEndOfMonth handles rotation at end-of-month. currentTime is an argument for unit-testing purposes.
func (*ActivityLog) HandleTokenUsage ¶ added in v1.9.0
func (a *ActivityLog) HandleTokenUsage(ctx context.Context, entry *logical.TokenEntry, clientID string, isTWE bool)
HandleTokenUsage adds the TokenEntry to the current fragment of the activity log. This currently occurs on token usage only.
func (*ActivityLog) PartialMonthMetrics ¶ added in v1.7.0
func (a *ActivityLog) PartialMonthMetrics(ctx context.Context) ([]metricsutil.GaugeLabelValues, error)
PartialMonthMetrics is a periodic report of the number of active entities for the current month. We don't break this down by namespace because that would require going to storage (that information is not currently stored in memory).
func (*ActivityLog) SetConfig ¶ added in v1.6.0
func (a *ActivityLog) SetConfig(ctx context.Context, config activityConfig)
SetConfig is the version that reacts to user changes.
func (*ActivityLog) SetConfigInit ¶ added in v1.6.0
func (a *ActivityLog) SetConfigInit(config activityConfig)
SetConfigInit is the version used during construction.
func (*ActivityLog) SetConfigStandby ¶ added in v1.6.0
func (a *ActivityLog) SetConfigStandby(ctx context.Context, config activityConfig)
SetConfigStandby updates the enable flag and resets the current log.
func (*ActivityLog) SetEnable ¶ added in v1.6.2
func (a *ActivityLog) SetEnable(enabled bool)
SetEnable sets the enabled flag on the activity log
func (*ActivityLog) SetStandbyEnable ¶ added in v1.6.2
func (a *ActivityLog) SetStandbyEnable(ctx context.Context, enabled bool)
SetStandbyEnable sets enabled on a performance standby (using config)
func (*ActivityLog) SetStartTimestamp ¶ added in v1.6.2
func (a *ActivityLog) SetStartTimestamp(timestamp int64)
SetStartTimestamp sets the start timestamp on an activity log
func (*ActivityLog) StartOfNextMonth ¶ added in v1.6.0
func (a *ActivityLog) StartOfNextMonth() time.Time
func (*ActivityLog) WaitForDeletion ¶ added in v1.7.0
func (a *ActivityLog) WaitForDeletion()
func (*ActivityLog) WalkEntitySegments ¶ added in v1.6.0
func (a *ActivityLog) WalkEntitySegments(ctx context.Context, startTime time.Time, walkFn func(*activity.EntityActivityLog, time.Time)) error
WalkEntitySegments loads each of the entity segments for a particular start time
func (*ActivityLog) WalkTokenSegments ¶ added in v1.6.0
func (a *ActivityLog) WalkTokenSegments(ctx context.Context, startTime time.Time, walkFn func(*activity.TokenCount)) error
WalkTokenSegments loads each of the token segments (expected 1) for a particular start time
type ActivityLogCoreConfig ¶ added in v1.6.0
// ActivityLogCoreConfig holds non-persistent configuration options that allow
// parts of the activity log implementation to be disabled for integration
// testing. The default (zero) values should turn everything on.
type ActivityLogCoreConfig struct {
	// Enable activity log even if the feature flag not set
	ForceEnable bool
	// Do not start timers to send or persist fragments.
	DisableTimers bool
}
These non-persistent configuration options allow us to disable parts of the implementation for integration testing. The default values should turn everything on.
type AuditBroker ¶
AuditBroker is used to provide a single ingest interface to auditable events given that multiple backends may be configured.
func NewAuditBroker ¶
func NewAuditBroker(log log.Logger) *AuditBroker
NewAuditBroker creates a new audit broker
func (*AuditBroker) Deregister ¶
func (a *AuditBroker) Deregister(name string)
Deregister is used to remove an audit backend from the broker
func (*AuditBroker) GetHash ¶ added in v0.4.0
GetHash returns a hash using the salt of the given backend
func (*AuditBroker) Invalidate ¶ added in v0.7.3
func (a *AuditBroker) Invalidate(ctx context.Context, key string)
func (*AuditBroker) IsLocal ¶ added in v0.11.2
func (a *AuditBroker) IsLocal(name string) (bool, error)
IsLocal is used to check if a given audit backend is registered
func (*AuditBroker) IsRegistered ¶
func (a *AuditBroker) IsRegistered(name string) bool
IsRegistered is used to check if a given audit backend is registered
func (*AuditBroker) LogRequest ¶
func (a *AuditBroker) LogRequest(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error)
LogRequest is used to ensure all the audit backends have an opportunity to log the given request and that *at least one* succeeds.
func (*AuditBroker) LogResponse ¶
func (a *AuditBroker) LogResponse(ctx context.Context, in *logical.LogInput, headersConfig *AuditedHeadersConfig) (ret error)
LogResponse is used to ensure all the audit backends have an opportunity to log the given response and that *at least one* succeeds.
func (*AuditBroker) Register ¶
func (a *AuditBroker) Register(name string, b audit.Backend, v *BarrierView, local bool)
Register is used to add new audit backend to the broker
type AuditLogger ¶ added in v1.4.0
type AuditedHeadersConfig ¶ added in v0.6.5
// AuditedHeadersConfig is used by the Audit Broker to write only approved
// headers to the audit logs. It uses a BarrierView to persist the settings.
type AuditedHeadersConfig struct {
	// Headers holds the per-header audit settings; ApplyConfig uses them to
	// decide whether an approved header's value is written HMAC'ed or in
	// plaintext. Presumably keyed by header name — confirm against ApplyConfig.
	Headers map[string]*auditedHeaderSettings
	// Embedded lock guarding Headers; callers inside the package are expected
	// to hold it when reading or updating the map.
	sync.RWMutex
	// contains filtered or unexported fields
}
AuditedHeadersConfig is used by the Audit Broker to write only approved headers to the audit logs. It uses a BarrierView to persist the settings.
func (*AuditedHeadersConfig) ApplyConfig ¶ added in v0.6.5
func (a *AuditedHeadersConfig) ApplyConfig(ctx context.Context, headers map[string][]string, hashFunc func(context.Context, string) (string, error)) (result map[string][]string, retErr error)
ApplyConfig returns a map of approved headers and their values, either HMAC'ed or in plaintext.
type AuthResults ¶ added in v0.9.0
// AuthResults carries the outcome of an authorization check.
// NOTE(review): field semantics are not documented on this page; the names
// suggest Allowed/RootPrivs report the decision and DeniedError/Error carry
// why it was refused — confirm against the ACL code before relying on this.
type AuthResults struct {
	ACLResults  *ACLResults
	Allowed     bool
	RootPrivs   bool
	DeniedError bool
	Error       *multierror.Error
}
type BarrierEncryptor ¶ added in v0.7.0
// BarrierEncryptor is the in-memory-only interface that does not actually use
// the underlying barrier. It is used for lower level modules like the
// Write-Ahead-Log and Merkle index to allow them to use the barrier.
type BarrierEncryptor interface {
	// Encrypt encrypts plaintext under the barrier for the given key.
	Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error)
	// Decrypt reverses Encrypt for the given key.
	Decrypt(ctx context.Context, key string, ciphertext []byte) ([]byte, error)
}
BarrierEncryptor is the in memory only interface that does not actually use the underlying barrier. It is used for lower level modules like the Write-Ahead-Log and Merkle index to allow them to use the barrier.
type BarrierEncryptorAccess ¶ added in v0.9.0
// BarrierEncryptorAccess is a wrapper around BarrierEncryptor that allows Core
// to expose its barrier encrypt/decrypt operations through
// BarrierEncryptorAccess() while restricting the ability to modify
// Core.barrier itself.
type BarrierEncryptorAccess struct {
	// contains filtered or unexported fields
}
BarrierEncryptorAccess is a wrapper around BarrierEncryptor that allows Core to expose its barrier encrypt/decrypt operations through BarrierEncryptorAccess() while restricting the ability to modify Core.barrier itself.
func NewBarrierEncryptorAccess ¶ added in v0.9.0
func NewBarrierEncryptorAccess(barrierEncryptor BarrierEncryptor) *BarrierEncryptorAccess
type BarrierStorage ¶
// BarrierStorage is the storage only interface required for a Barrier.
type BarrierStorage interface {
	// Put is used to insert or update an entry
	Put(ctx context.Context, entry *logical.StorageEntry) error
	// Get is used to fetch an entry
	Get(ctx context.Context, key string) (*logical.StorageEntry, error)
	// Delete is used to permanently delete an entry
	Delete(ctx context.Context, key string) error
	// List is used to list all the keys under a given
	// prefix, up to the next prefix.
	List(ctx context.Context, prefix string) ([]string, error)
}
BarrierStorage is the storage only interface required for a Barrier.
type BarrierView ¶
// BarrierView wraps a SecurityBarrier and ensures all access is automatically
// prefixed. This is used to prevent anyone with access to the view from
// accessing any data in the durable storage outside of their prefix.
// Conceptually this is like a "chroot" into the barrier.
//
// BarrierView implements logical.Storage so it can be passed in as the durable
// storage mechanism for logical views.
type BarrierView struct {
	// contains filtered or unexported fields
}
BarrierView wraps a SecurityBarrier and ensures all access is automatically prefixed. This is used to prevent anyone with access to the view from accessing any data in the durable storage outside of their prefix. Conceptually this is like a "chroot" into the barrier.
BarrierView implements logical.Storage so it can be passed in as the durable storage mechanism for logical views.
func NewBarrierView ¶
func NewBarrierView(barrier logical.Storage, prefix string) *BarrierView
NewBarrierView takes an underlying security barrier and returns a view of it that can only operate with the given prefix.
func (*BarrierView) Delete ¶
func (v *BarrierView) Delete(ctx context.Context, key string) error
logical.Storage impl.
func (*BarrierView) Get ¶
func (v *BarrierView) Get(ctx context.Context, key string) (*logical.StorageEntry, error)
func (*BarrierView) Prefix ¶ added in v1.0.3
func (v *BarrierView) Prefix() string
func (*BarrierView) Put ¶
func (v *BarrierView) Put(ctx context.Context, entry *logical.StorageEntry) error
Put differs from List/Get because it checks read-only errors
func (*BarrierView) SubView ¶
func (v *BarrierView) SubView(prefix string) *BarrierView
SubView constructs a nested sub-view using the given prefix
type BuiltinRegistry ¶ added in v1.0.0
// BuiltinRegistry is an interface that allows the "vault" package to use the
// registry of builtin plugins without getting an import cycle. It also allows
// for mocking the registry easily.
type BuiltinRegistry interface {
	// Contains reports whether a builtin of the given name and type is registered.
	Contains(name string, pluginType consts.PluginType) bool
	// Get returns the constructor for the named builtin and whether it was found.
	Get(name string, pluginType consts.PluginType) (func() (interface{}, error), bool)
	// Keys lists the registered builtin names for the given plugin type.
	Keys(pluginType consts.PluginType) []string
}
BuiltinRegistry is an interface that allows the "vault" package to use the registry of builtin plugins without getting an import cycle. It also allows for mocking the registry easily.
type CORSConfig ¶ added in v0.8.0
// CORSConfig stores the state of the CORS configuration.
// Enable, Disable, IsEnabled and IsValidOrigin operate on this state.
type CORSConfig struct {
	sync.RWMutex `json:"-"`
	// Enabled is a pointer to a uint32 rather than a bool; presumably so it can
	// be read without taking the lock — confirm against IsEnabled.
	Enabled *uint32 `json:"enabled"`
	// AllowedOrigins is the set of origins permitted to make cross-origin
	// requests (Enable accepts '*' or a comma-separated list of URLs).
	AllowedOrigins []string `json:"allowed_origins,omitempty"`
	// AllowedHeaders is the set of request headers permitted on CORS requests.
	AllowedHeaders []string `json:"allowed_headers,omitempty"`
	// contains filtered or unexported fields
}
CORSConfig stores the state of the CORS configuration.
func (*CORSConfig) Disable ¶ added in v0.8.0
func (c *CORSConfig) Disable(ctx context.Context) error
Disable sets CORS to disabled and clears the allowed origins & headers.
func (*CORSConfig) Enable ¶ added in v0.8.0
Enable takes either a '*' or a comma-separated list of URLs that can make cross-origin requests to Vault.
func (*CORSConfig) IsEnabled ¶ added in v0.8.0
func (c *CORSConfig) IsEnabled() bool
IsEnabled returns the value of CORSConfig.isEnabled
func (*CORSConfig) IsValidOrigin ¶ added in v0.8.0
func (c *CORSConfig) IsValidOrigin(origin string) bool
IsValidOrigin determines if the origin of the request is allowed to make cross-origin requests based on the CORSConfig.
type ClientKey ¶ added in v0.11.2
// ClientKey is a protobuf-generated message (see ProtoReflect/ProtoMessage).
// NOTE(review): the field names match an elliptic-curve key (X, Y as the
// public coordinates, D as the private scalar); if so, D is secret material
// and must not be logged or exposed — confirm against the .proto definition.
type ClientKey struct {
	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
	X    []byte `protobuf:"bytes,2,opt,name=x,proto3" json:"x,omitempty"`
	Y    []byte `protobuf:"bytes,3,opt,name=y,proto3" json:"y,omitempty"`
	D    []byte `protobuf:"bytes,4,opt,name=d,proto3" json:"d,omitempty"`
	// contains filtered or unexported fields
}
func (*ClientKey) Descriptor ¶ deprecated, added in v0.11.2
func (*ClientKey) ProtoMessage ¶ added in v0.11.2
func (*ClientKey) ProtoMessage()
func (*ClientKey) ProtoReflect ¶ added in v1.5.0
func (x *ClientKey) ProtoReflect() protoreflect.Message
type Cluster ¶ added in v0.6.1
// Cluster is the structure representing the storage entry that holds cluster
// information.
type Cluster struct {
	// Name of the cluster
	Name string `json:"name" structs:"name" mapstructure:"name"`
	// Identifier of the cluster
	ID string `json:"id" structs:"id" mapstructure:"id"`
}
Cluster is the structure representing the storage entry that holds cluster information.
type ClusterLeaderParams ¶ added in v1.0.3
type ControlGroup ¶ added in v0.11.2
// ControlGroup is the parsed form of a control group policy stanza
// (see ControlGroupHCL for the HCL-tagged input shape).
type ControlGroup struct {
	// TTL is the control group's time-to-live.
	TTL time.Duration
	// Factors are the approval factors required by the control group.
	Factors []*ControlGroupFactor
}
type ControlGroupFactor ¶ added in v0.11.2
// ControlGroupFactor is a single approval factor of a ControlGroup.
type ControlGroupFactor struct {
	// Name identifies the factor (the HCL block label).
	Name string
	// Identity describes who may satisfy this factor — TODO confirm semantics
	// against IdentityFactor.
	Identity *IdentityFactor `hcl:"identity"`
	// ControlledCapabilities lists the capabilities this factor controls.
	ControlledCapabilities []string `hcl:"controlled_capabilities"`
}
type ControlGroupHCL ¶ added in v0.11.2
// ControlGroupHCL is the HCL-tagged representation of a control group as it
// appears in a policy; ControlGroup is the parsed form.
type ControlGroupHCL struct {
	// TTL is left untyped here so HCL may supply either a string or a number;
	// it is converted to a time.Duration in ControlGroup — confirm in parser.
	TTL interface{} `hcl:"ttl"`
	// Factors maps factor name (block label) to its definition.
	Factors map[string]*ControlGroupFactor `hcl:"factor"`
}
type Core ¶
// Core is used as the central manager of Vault activity. It is the primary
// point of interface for API handlers and is responsible for managing the
// logical and physical backends, router, security barrier, and audit trails.
type Core struct {
	// PR1103disabled is used to test upgrade workflows: when set to true,
	// the correct behaviour for namespaced cubbyholes is disabled, so we
	// can test an upgrade to a version that includes the fixes from
	// https://github.com/hashicorp/vault-enterprise/pull/1103
	PR1103disabled bool

	// IndexHeaderHMACKey holds the key used to HMAC index headers; stored in
	// an atomic Value so it can be swapped without a lock — confirm usage.
	IndexHeaderHMACKey uberAtomic.Value
	// contains filtered or unexported fields
}
Core is used as the central manager of Vault activity. It is the primary point of interface for API handlers and is responsible for managing the logical and physical backends, router, security barrier, and audit trails.
func CreateCore ¶ added in v1.8.0
func CreateCore(conf *CoreConfig) (*Core, error)
CreateCore conducts static validations on the Core Config and returns an uninitialized core.
func NewCore ¶
func NewCore(conf *CoreConfig) (*Core, error)
NewCore is used to construct a new core
func TestCore ¶
func TestCore(t testing.T) *Core
TestCore returns a pure in-memory, uninitialized core for testing.
func TestCoreNewSeal ¶ added in v0.6.5
func TestCoreNewSeal(t testing.T) *Core
TestCoreNewSeal returns a pure in-memory, uninitialized core with the new seal configuration.
func TestCoreRaw ¶ added in v0.8.3
func TestCoreRaw(t testing.T) *Core
TestCoreRaw returns a pure in-memory, uninitialized core for testing. The raw storage endpoints are enabled with this core.
func TestCoreUI ¶ added in v0.11.2
func TestCoreUnsealed ¶
TestCoreUnsealed returns a pure in-memory core that is already initialized and unsealed.
func TestCoreUnsealedBackend ¶ added in v0.7.0
func TestCoreUnsealedRaw ¶ added in v0.8.3
TestCoreUnsealedRaw returns a pure in-memory core that is already initialized, unsealed, and with raw endpoints enabled.
func TestCoreUnsealedWithConfig ¶ added in v0.11.2
func TestCoreUnsealedWithConfig(t testing.T, conf *CoreConfig) (*Core, [][]byte, string)
TestCoreUnsealedWithConfig returns a pure in-memory core that is already initialized and unsealed, with any provided core config values overridden.
func TestCoreUnsealedWithConfigSealOpts ¶ added in v0.9.0
func TestCoreUnsealedWithConfigSealOpts(t testing.T, barrierConf, recoveryConf *SealConfig, sealOpts *seal.TestSealOpts) (*Core, [][]byte, [][]byte, string)
func TestCoreUnsealedWithConfigs ¶ added in v0.6.5
func TestCoreUnsealedWithMetrics ¶ added in v1.6.0
func TestCoreWithConfig ¶ added in v0.11.2
func TestCoreWithConfig(t testing.T, conf *CoreConfig) *Core
TestCoreWithConfig returns a pure in-memory, uninitialized core with the specified core configurations overridden for testing.
func TestCoreWithCustomResponseHeaderAndUI ¶ added in v1.9.0
func TestCoreWithSeal ¶ added in v0.6.0
TestCoreWithSeal returns a pure in-memory, uninitialized core with the specified seal for testing.
func TestCoreWithSealAndUI ¶ added in v0.11.2
func TestCoreWithSealAndUI(t testing.T, opts *CoreConfig) *Core
func TestCoreWithSealAndUINoCleanup ¶ added in v1.10.0
func TestCoreWithSealAndUINoCleanup(t testing.T, opts *CoreConfig) *Core
func (*Core) ActiveNodeReplicationState ¶ added in v0.9.2
func (c *Core) ActiveNodeReplicationState() consts.ReplicationState
func (*Core) ActiveTime ¶ added in v1.7.0
func (*Core) ActivityLogInjectResponse ¶ added in v1.6.0
ActivityLogInjectResponse injects a precomputed query into storage for testing.
func (*Core) AddIrrevocableLease ¶ added in v1.8.0
func (c *Core) AddIrrevocableLease(ctx context.Context, pathPrefix string) (*basicLeaseTestInfo, error)
AddIrrevocableLease adds an irrevocable lease for test purposes. It returns the lease ID and expire time.
func (*Core) AllowForwardingViaHeader ¶ added in v1.7.0
func (*Core) ApplyRateLimitQuota ¶ added in v1.5.0
func (c *Core) ApplyRateLimitQuota(ctx context.Context, req *quotas.Request) (quotas.Response, error)
ApplyRateLimitQuota checks the request against all the applicable quota rules. If the given request's path is exempt, no rate limiting will be applied.
func (*Core) AuditLogger ¶ added in v1.4.0
func (c *Core) AuditLogger() AuditLogger
func (*Core) AuditedHeadersConfig ¶ added in v0.6.5
func (c *Core) AuditedHeadersConfig() *AuditedHeadersConfig
func (*Core) BarrierEncryptorAccess ¶ added in v0.9.0
func (c *Core) BarrierEncryptorAccess() *BarrierEncryptorAccess
func (*Core) BarrierKeyLength ¶ added in v0.6.1
func (*Core) BarrierRekeyInit ¶ added in v0.6.0
func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError
BarrierRekeyInit is used to initialize the rekey settings for the barrier key
func (*Core) BarrierRekeyUpdate ¶ added in v0.6.0
func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError)
BarrierRekeyUpdate is used to provide a new key part. Barrier rekey can be done with unseal keys, or recovery keys if that's supported and we are storing the barrier key.
N.B.: If recovery keys are used to rekey, the new barrier key shares are not returned.
func (*Core) CORSConfig ¶ added in v0.8.0
func (c *Core) CORSConfig() *CORSConfig
CORSConfig returns the current CORS configuration
func (*Core) Capabilities ¶ added in v0.5.2
Capabilities is used to fetch the capabilities of the given token on the given path
func (*Core) CheckSSCToken ¶ added in v1.10.0
func (*Core) Cluster ¶ added in v0.6.1
Cluster fetches the details of the local cluster. This method errors out when Vault is sealed.
func (*Core) ClusterAddr ¶ added in v1.2.0
func (*Core) CreateEntity ¶ added in v1.9.0
func (*Core) CreateToken ¶ added in v1.9.0
CreateToken creates the given token in the core's token store.
func (*Core) DecodeSSCToken ¶ added in v1.10.0
DecodeSSCToken returns the random part of an SSCToken without performing any signature or WAL checks.
func (*Core) DecodeSSCTokenInternal ¶ added in v1.10.0
DecodeSSCTokenInternal is a helper used to get the inner part of a SSC token without checking the token signature or the WAL index.
func (*Core) DisableSSCTokens ¶ added in v1.10.0
DisableSSCTokens determines whether to use server side consistent tokens or not.
func (*Core) ExistCustomResponseHeader ¶ added in v1.9.0
ExistCustomResponseHeader checks if a custom header is configured in any listener's stanza
func (*Core) FetchLeaseCountToRevoke ¶ added in v1.8.0
func (*Core) FinalizeInFlightReqData ¶ added in v1.10.0
FinalizeInFlightReqData logs the completed request if the corresponding server config option is enabled. It also removes the request from the inFlightReqMap and decrements the number of in-flight requests by one.
func (*Core) FindNewestVersionTimestamp ¶ added in v1.10.0
func (*Core) FindOldestVersionTimestamp ¶ added in v1.9.0
FindOldestVersionTimestamp searches for the vault version with the oldest upgrade timestamp from storage. The earliest version this can be is 1.9.0.
func (*Core) ForwardRequest ¶ added in v0.6.1
ForwardRequest forwards a given request to the active node and returns the response.
func (*Core) ForwardToActive ¶ added in v1.10.0
func (*Core) GenerateRootCancel ¶ added in v0.5.0
GenerateRootCancel is used to cancel an in-progress root generation
func (*Core) GenerateRootConfiguration ¶ added in v0.5.0
func (c *Core) GenerateRootConfiguration() (*GenerateRootConfig, error)
GenerateRootConfiguration is used to read the root generation configuration. It stubbornly refuses to return the OTP if one is there.
func (*Core) GenerateRootInit ¶ added in v0.5.0
func (c *Core) GenerateRootInit(otp, pgpKey string, strategy GenerateRootStrategy) error
GenerateRootInit is used to initialize the root generation settings
func (*Core) GenerateRootProgress ¶ added in v0.5.0
GenerateRootProgress is used to return the root generation progress (num shares)
func (*Core) GenerateRootUpdate ¶ added in v0.5.0
func (c *Core) GenerateRootUpdate(ctx context.Context, key []byte, nonce string, strategy GenerateRootStrategy) (*GenerateRootResult, error)
GenerateRootUpdate is used to provide a new key part
func (*Core) GetActiveClients ¶ added in v1.9.0
func (c *Core) GetActiveClients() map[string]*activity.EntityRecord
GetActiveClients returns the in-memory partialMonthClientTracker from an activity log.
func (*Core) GetActivityLog ¶ added in v1.7.0
func (c *Core) GetActivityLog() *ActivityLog
GetActivityLog returns a pointer to the (private) activity log on a core. Note: you must do the usual locking scheme when modifying the ActivityLog.
func (*Core) GetContext ¶ added in v0.9.2
func (c *Core) GetContext() (context.Context, context.CancelFunc)
func (*Core) GetCoreConfigInternal ¶ added in v1.8.0
GetCoreConfigInternal returns the server configuration in struct format.
func (*Core) GetHAPeerNodesCached ¶ added in v1.10.0
GetHAPeerNodesCached returns the nodes that've sent us Echo requests recently.
func (*Core) GetLeaderStatus ¶ added in v1.6.2
func (core *Core) GetLeaderStatus() (*LeaderResponse, error)
func (*Core) GetListenerCustomResponseHeaders ¶ added in v1.9.0
func (c *Core) GetListenerCustomResponseHeaders(listenerAdd string) *ListenerCustomHeaders
func (*Core) GetRaftIndexes ¶ added in v1.4.2
func (*Core) GetRaftNodeID ¶ added in v1.7.2
GetRaftNodeID returns the raft node ID if there is one, or an empty string if there's not
func (*Core) GetSealStatus ¶ added in v1.6.2
func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error)
func (*Core) HandleRequest ¶
func (c *Core) HandleRequest(httpCtx context.Context, req *logical.Request) (resp *logical.Response, err error)
HandleRequest is used to handle a new incoming request
func (*Core) HasWALState ¶ added in v1.10.0
func (*Core) HostnameHeaderEnabled ¶ added in v1.7.2
HostnameHeaderEnabled determines whether to add the X-Vault-Hostname header to HTTP responses.
func (*Core) IdentityStore ¶ added in v0.9.0
func (c *Core) IdentityStore() *IdentityStore
func (*Core) Initialize ¶
func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitResult, error)
Initialize is used to initialize the Vault with the given configurations.
func (*Core) InitializeRecovery ¶ added in v1.3.0
func (*Core) Initialized ¶
Initialized checks if the Vault is already initialized. This means one of two things: either the barrier has been created (with keyring and master key) and the seal config written to storage, or Raft is forming a cluster and a join/bootstrap is in progress.
func (*Core) InitializedLocally ¶ added in v1.6.1
InitializedLocally checks if the Vault is already initialized from the local node's perspective. This is the same thing as Initialized, unless using Raft, in which case Initialized may return true (because a peer we're joining to has been initialized) while InitializedLocally returns false (because we're not done bootstrapping raft on the local node).
func (*Core) InitiateRetryJoin ¶ added in v1.4.0
func (*Core) InjectActivityLogDataThisMonth ¶ added in v1.7.0
InjectActivityLogDataThisMonth populates the in-memory client store with some entities and tokens, overriding what was already there. It is currently used for API integration tests.
func (*Core) InjectIrrevocableLeases ¶ added in v1.8.0
InjectIrrevocableLeases injects `count` irrevocable leases (currently to a single mount). It returns a map of the mount accessor to the number of leases stored there
func (*Core) IsBatchTokenCreationRequest ¶ added in v1.0.0
func (*Core) IsDRSecondary ¶ added in v0.9.2
IsDRSecondary returns if the current cluster state is a DR secondary.
func (*Core) IsInSealMigrationMode ¶ added in v1.6.0
IsInSealMigrationMode returns true if we're configured to perform a seal migration, meaning either that we have a disabled seal in HCL configuration or the seal configuration in storage is Shamir but the seal in HCL is not. In this mode we should not auto-unseal (even if the migration is done) and we will accept unseal requests with and without the `migrate` option, though the migrate option is required if we haven't yet performed the seal migration.
func (*Core) IsPerfSecondary ¶ added in v1.6.7
func (*Core) IsSealMigrated ¶ added in v1.6.0
IsSealMigrated returns true if we're in seal migration mode but migration has already been performed (possibly by another node, or prior to this node's current invocation.)
func (*Core) JoinRaftCluster ¶ added in v1.2.0
func (*Core) KeyRotateGracePeriod ¶ added in v1.7.0
func (*Core) ListNamespaces ¶ added in v1.9.0
func (*Core) LoadInFlightReqData ¶ added in v1.10.0
func (c *Core) LoadInFlightReqData() map[string]InFlightReqData
LoadInFlightReqData creates a snapshot map of the current in-flight requests
func (*Core) LogCompletedRequests ¶ added in v1.10.0
LogCompletedRequests logs the completed request to the server logs.
func (*Core) LoginCreateToken ¶ added in v1.10.0
func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, resp *logical.Response) (bool, *logical.Response, error)
LoginCreateToken creates a token as a result of a login request. If MFA is enforced, the mfa/validate endpoint calls this function after successful MFA validation to generate the token.
func (*Core) LoginMFACreateToken ¶ added in v1.10.0
func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAuth *logical.Auth) (*logical.Response, error)
LoginMFACreateToken creates a token after the login MFA is validated. It also applies the lease quotas on the original login request path.
func (*Core) LookupToken ¶ added in v0.6.3
LookupToken returns the properties of the token from the token store. This is particularly useful to fetch the accessor of the client token and get it populated in the logical request along with the client token. The accessor of the client token can get audit logged.
Should be called with read stateLock held.
func (*Core) MatchingMount ¶ added in v1.5.0
MatchingMount returns the path of the mount that will be responsible for handling the given request path.
func (*Core) MetricSink ¶ added in v1.5.0
func (c *Core) MetricSink() *metricsutil.ClusterMetricSink
MetricSink returns the metrics wrapper with which Core has been configured.
func (*Core) MetricsHelper ¶ added in v1.3.0
func (c *Core) MetricsHelper() *metricsutil.MetricsHelper
MetricsHelper returns the global metrics helper which allows external packages to access Vault's internal metrics.
func (*Core) MissingRequiredState ¶ added in v1.7.0
func (*Core) NamespaceByID ¶ added in v1.9.0
func (*Core) PerfStandby ¶ added in v0.11.0
PerfStandby checks if the vault is a performance standby. This function cannot be used during request handling because this causes a deadlock with the statelock.
func (*Core) PersistTOTPKey ¶ added in v1.9.0
func (*Core) PhysicalAccess ¶ added in v0.9.0
func (c *Core) PhysicalAccess() *physical.PhysicalAccess
func (*Core) PhysicalSealConfigs ¶ added in v1.0.0
func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfig, error)
func (*Core) PopMFAResponseAuthByID ¶ added in v1.10.0
func (c *Core) PopMFAResponseAuthByID(reqID string) (*MFACachedAuthResponse, error)
PopMFAResponseAuthByID pops an item from the mfaResponseAuthQueue by ID. It returns the cached auth response or an error.
func (*Core) PopulateTokenEntry ¶ added in v1.8.0
PopulateTokenEntry looks up req.ClientToken in the token store and uses it to set other fields in req. Does nothing if ClientToken is empty or a JWT token, or for service tokens that don't exist in the token store. Should be called with read stateLock held.
func (*Core) RaftBootstrap ¶ added in v1.5.0
RaftBootstrap performs bootstrapping of a raft cluster if core contains a raft backend. If raft is not part of the storage or HA storage backend, this call results in an error.
func (*Core) RaftNodeIDHeaderEnabled ¶ added in v1.7.2
RaftNodeIDHeaderEnabled determines whether to add the X-Vault-Raft-Node-ID header to HTTP responses.
func (*Core) RateLimitAuditLoggingEnabled ¶ added in v1.5.0
RateLimitAuditLoggingEnabled returns if the quota configuration allows audit logging of request rejections due to rate limiting quota rule violations.
func (*Core) RateLimitResponseHeadersEnabled ¶ added in v1.6.0
RateLimitResponseHeadersEnabled returns if the quota configuration allows for rate limit quota HTTP headers to be added to responses.
func (*Core) RecoveryRekeyInit ¶ added in v0.6.0
func (c *Core) RecoveryRekeyInit(config *SealConfig) logical.HTTPCodedError
RecoveryRekeyInit is used to initialize the rekey settings for the recovery key
func (*Core) RecoveryRekeyUpdate ¶ added in v0.6.0
func (c *Core) RecoveryRekeyUpdate(ctx context.Context, key []byte, nonce string) (*RekeyResult, logical.HTTPCodedError)
RecoveryRekeyUpdate is used to provide a new key part
func (*Core) RegisterAuth ¶ added in v0.11.2
func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path string, auth *logical.Auth) error
RegisterAuth uses a logical.Auth object to create a token entry in the token store, and registers a corresponding token lease to the expiration manager.
func (*Core) RekeyCancel ¶ added in v0.2.0
func (c *Core) RekeyCancel(recovery bool) logical.HTTPCodedError
RekeyCancel is used to cancel an in-progress rekey
func (*Core) RekeyConfig ¶ added in v0.2.0
func (c *Core) RekeyConfig(recovery bool) (*SealConfig, logical.HTTPCodedError)
RekeyConfig is used to read the rekey configuration
func (*Core) RekeyDeleteBackup ¶ added in v0.5.0
RekeyDeleteBackup is used to delete any backed-up PGP-encrypted unseal keys
func (*Core) RekeyInit ¶ added in v0.2.0
func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedError
RekeyInit will either initialize the rekey of barrier or recovery key. recovery determines whether this is a rekey on the barrier or recovery key.
func (*Core) RekeyProgress ¶ added in v0.2.0
RekeyProgress is used to return the rekey progress (num shares).
func (*Core) RekeyRetrieveBackup ¶ added in v0.5.0
func (c *Core) RekeyRetrieveBackup(ctx context.Context, recovery bool) (*RekeyBackup, logical.HTTPCodedError)
RekeyRetrieveBackup is used to retrieve any backed-up PGP-encrypted unseal keys
func (*Core) RekeyThreshold ¶ added in v0.6.0
RekeyThreshold returns the secret threshold for the current seal config. This threshold can either be the barrier key threshold or the recovery key threshold, depending on whether rekey is being performed on the recovery key, or whether the seal supports recovery keys.
func (*Core) RekeyUpdate ¶ added in v0.2.0
func (c *Core) RekeyUpdate(ctx context.Context, key []byte, nonce string, recovery bool) (*RekeyResult, logical.HTTPCodedError)
RekeyUpdate is used to provide a new key part for the barrier or recovery key.
func (*Core) RekeyVerify ¶ added in v0.10.2
func (c *Core) RekeyVerify(ctx context.Context, key []byte, nonce string, recovery bool) (ret *RekeyVerifyResult, retErr logical.HTTPCodedError)
func (*Core) RekeyVerifyRestart ¶ added in v0.10.2
func (c *Core) RekeyVerifyRestart(recovery bool) logical.HTTPCodedError
RekeyVerifyRestart is used to start the verification process over
func (*Core) ReloadCustomResponseHeaders ¶ added in v1.9.0
func (*Core) ReloadLogRequestsLevel ¶ added in v1.10.0
func (c *Core) ReloadLogRequestsLevel()
func (*Core) ReloadManagedKeyRegistryConfig ¶ added in v1.10.0
func (c *Core) ReloadManagedKeyRegistryConfig()
func (*Core) ReplicationState ¶ added in v0.7.0
func (c *Core) ReplicationState() consts.ReplicationState
func (*Core) ResetActivityLog ¶ added in v1.6.0
func (c *Core) ResetActivityLog() []*activity.LogFragment
ResetActivityLog is used to extract the current fragment(s) during integration testing, so that it can be checked in a race-free way.
func (*Core) ResetUnsealProcess ¶ added in v0.4.0
func (c *Core) ResetUnsealProcess()
ResetUnsealProcess removes the current unlock parts from memory, to reset the unsealing process
func (*Core) RouterAccess ¶ added in v0.9.0
func (c *Core) RouterAccess() *RouterAccess
func (*Core) SanitizedConfig ¶ added in v1.3.0
SanitizedConfig returns a sanitized version of the current config. See server.Config.Sanitized for specific values omitted.
func (*Core) SaveMFAResponseAuth ¶ added in v1.10.0
func (c *Core) SaveMFAResponseAuth(respAuth *MFACachedAuthResponse) error
SaveMFAResponseAuth pushes an MFACachedAuthResponse to the mfaResponseAuthQueue. It returns an error in case of failure.
func (*Core) Seal ¶
Seal takes in a token and creates a logical.Request, acquires the lock, and passes through to sealInternal
func (*Core) SealAccess ¶ added in v0.6.0
func (c *Core) SealAccess() *SealAccess
func (*Core) SealWithRequest ¶ added in v0.6.0
SealWithRequest takes in a logical.Request, acquires the lock, and passes through to sealInternal
func (*Core) SecretProgress ¶
SecretProgress returns the number of keys provided so far
func (*Core) SendGroupUpdate ¶ added in v1.9.0
func (*Core) SetClusterHandler ¶ added in v0.7.3
func (*Core) SetClusterListenerAddrs ¶ added in v0.6.1
func (*Core) SetConfig ¶ added in v1.3.0
SetConfig sets core's config object to the newly provided config.
func (*Core) SetKeyRotateGracePeriod ¶ added in v1.7.0
func (*Core) SetLoadCaseSensitiveIdentityStore ¶ added in v1.0.3
func (*Core) SetLogLevel ¶ added in v0.11.1
func (*Core) SetLogLevelByName ¶ added in v1.10.5
func (*Core) SetNeverBecomeActive ¶ added in v1.0.3
func (*Core) Shutdown ¶ added in v0.2.0
Shutdown is invoked when the Vault instance is about to be terminated. It should not be accessible as part of an API call as it will cause an availability problem. It is only used to gracefully quit in the case of HA so that failover happens as quickly as possible.
func (*Core) ShutdownDone ¶ added in v1.4.0
func (c *Core) ShutdownDone() <-chan struct{}
ShutdownDone returns a channel that will be closed after Shutdown completes
func (*Core) ShutdownWait ¶ added in v1.10.0
func (*Core) StandbyStates ¶ added in v1.6.0
StandbyStates is meant as a way to avoid some extra locking on the very common sys/health check.
func (*Core) StorageType ¶ added in v1.3.0
StorageType returns a string equal to the storage configuration's type.
func (*Core) StoreInFlightReqData ¶ added in v1.10.0
func (c *Core) StoreInFlightReqData(reqID string, data InFlightReqData)
func (*Core) UnsealWithStoredKeys ¶ added in v0.6.0
UnsealWithStoredKeys performs auto-unseal using stored keys. An error return value of "nil" implies the Vault instance is unsealed.
Callers should attempt to retry any NonFatalErrors. Callers should not re-attempt fatal errors.
func (*Core) UpdateInFlightReqData ¶ added in v1.10.0
UpdateInFlightReqData updates the data for a specific reqID with the clientID
type CoreConfig ¶
// CoreConfig is used to parameterize a core.
type CoreConfig struct {
	// DevToken: NOTE(review) — presumably a pre-chosen root token for dev-mode
	// cores; confirm it is never populated from a production config.
	DevToken string

	BuiltinRegistry BuiltinRegistry

	LogicalBackends map[string]logical.Factory

	CredentialBackends map[string]logical.Factory

	AuditBackends map[string]audit.Factory

	Physical physical.Backend

	StorageType string

	// May be nil, which disables HA operations
	HAPhysical physical.HABackend

	ServiceRegistration sr.ServiceRegistration

	// Seal is the configured seal, or if none is configured explicitly, a
	// shamir seal. In migration scenarios this is the new seal.
	Seal Seal

	// Unwrap seal is the optional seal marked "disabled"; this is the old
	// seal in migration scenarios.
	UnwrapSeal Seal

	// SecureRandomReader: NOTE(review) — callers should supply a
	// cryptographically secure source (e.g. crypto/rand); confirm nothing
	// passes a deterministic reader outside tests.
	SecureRandomReader io.Reader

	LogLevel string

	Logger log.Logger

	// Disables the trace display for Sentinel checks
	DisableSentinelTrace bool

	// Disables the LRU cache on the physical backend
	DisableCache bool

	// Disables mlock syscall
	// NOTE(review): without mlock, process memory (including key material
	// held in memory) may be swapped to disk; confirm deployments that set
	// this compensate for it (e.g. swap disabled or encrypted).
	DisableMlock bool

	// Custom cache size for the LRU cache on the physical backend, or zero for default
	CacheSize int

	// Set as the leader address for HA
	RedirectAddr string

	// Set as the cluster address for HA
	ClusterAddr string

	DefaultLeaseTTL time.Duration

	MaxLeaseTTL time.Duration

	ClusterName string

	ClusterCipherSuites string

	EnableUI bool

	// Enable the raw endpoint
	// NOTE(review): presumably exposes the underlying storage directly;
	// confirm this stays disabled outside recovery/debugging.
	EnableRaw bool

	PluginDirectory string

	DisableSealWrap bool

	RawConfig *server.Config

	ReloadFuncs     *map[string][]reloadutil.ReloadFunc
	ReloadFuncsLock *sync.RWMutex

	// Licensing
	License         string
	LicensePath     string
	LicensingConfig *LicensingConfig

	DisablePerformanceStandby bool
	DisableIndexing           bool
	DisableKeyEncodingChecks  bool

	AllLoggers []log.Logger

	// Telemetry objects
	MetricsHelper *metricsutil.MetricsHelper
	MetricSink    *metricsutil.ClusterMetricSink

	RecoveryMode bool

	ClusterNetworkLayer cluster.NetworkLayer

	ClusterHeartbeatInterval time.Duration

	// Activity log controls
	ActivityLogConfig ActivityLogCoreConfig

	// number of workers to use for lease revocation in the expiration manager
	NumExpirationWorkers int

	// DisableAutopilot is used to disable autopilot subsystem in raft storage
	DisableAutopilot bool

	// Whether to send headers in the HTTP response showing hostname or raft node ID
	EnableResponseHeaderHostname   bool
	EnableResponseHeaderRaftNodeID bool

	// DisableSSCTokens is used to disable the use of server side consistent tokens
	DisableSSCTokens bool
	// contains filtered or unexported fields
}
CoreConfig is used to parameterize a core
func (*CoreConfig) GetServiceRegistration ¶ added in v1.4.0
func (c *CoreConfig) GetServiceRegistration() sr.ServiceRegistration
GetServiceRegistration returns the config's ServiceRegistration, or nil if it does not exist.
type CubbyholeBackend ¶ added in v0.3.0
CubbyholeBackend is used for storing secrets directly into the physical backend. The secrets are encrypted in the durable storage. This differs from kv in that every token has its own private storage view. The view is removed when the token expires.
type DeadlockMutex ¶ added in v1.5.0
DeadlockMutex is just a sync.Mutex when the build tag `deadlock` is absent. See its other definition in the corresponding deadlock-build-tag-constrained file for more details.
type DeadlockRWMutex ¶ added in v1.5.0
DeadlockRWMutex is the RW version of DeadlockMutex.
type EchoReply ¶ added in v0.7.3
// EchoReply is a generated protobuf message (see the protobuf/json struct
// tags); ProtoMessage, ProtoReflect and the Get* accessors are defined on it.
type EchoReply struct {
	Message          string           `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
	ClusterAddrs     []string         `protobuf:"bytes,2,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
	ReplicationState uint32           `protobuf:"varint,3,opt,name=replication_state,json=replicationState,proto3" json:"replication_state,omitempty"`
	RaftAppliedIndex uint64           `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
	RaftNodeID       string           `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
	NodeInfo         *NodeInformation `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
	// contains filtered or unexported fields
}
func (*EchoReply) Descriptor — deprecated, added in v0.7.3
func (*EchoReply) GetClusterAddrs ¶ added in v0.7.3
func (*EchoReply) GetMessage ¶ added in v0.7.3
func (*EchoReply) GetNodeInfo ¶ added in v1.5.0
func (x *EchoReply) GetNodeInfo() *NodeInformation
func (*EchoReply) GetRaftAppliedIndex ¶ added in v1.2.0
func (*EchoReply) GetRaftNodeID ¶ added in v1.2.0
func (*EchoReply) GetReplicationState ¶ added in v0.9.2
func (*EchoReply) ProtoMessage ¶ added in v0.7.3
func (*EchoReply) ProtoMessage()
func (*EchoReply) ProtoReflect ¶ added in v1.5.0
func (x *EchoReply) ProtoReflect() protoreflect.Message
type EchoRequest ¶ added in v0.7.3
// EchoRequest is a generated protobuf message (see the protobuf/json struct
// tags); ProtoMessage, ProtoReflect, Reset, String and the Get* accessors
// are defined on it.
type EchoRequest struct {
	Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
	// ClusterAddr is used to send up a standby node's address to the active
	// node upon heartbeat
	ClusterAddr string `protobuf:"bytes,2,opt,name=cluster_addr,json=clusterAddr,proto3" json:"cluster_addr,omitempty"`
	// ClusterAddrs is used to send up a list of cluster addresses to a dr
	// primary from a dr secondary
	ClusterAddrs        []string         `protobuf:"bytes,3,rep,name=cluster_addrs,json=clusterAddrs,proto3" json:"cluster_addrs,omitempty"`
	RaftAppliedIndex    uint64           `protobuf:"varint,4,opt,name=raft_applied_index,json=raftAppliedIndex,proto3" json:"raft_applied_index,omitempty"`
	RaftNodeID          string           `protobuf:"bytes,5,opt,name=raft_node_id,json=raftNodeId,proto3" json:"raft_node_id,omitempty"`
	NodeInfo            *NodeInformation `protobuf:"bytes,6,opt,name=node_info,json=nodeInfo,proto3" json:"node_info,omitempty"`
	RaftTerm            uint64           `protobuf:"varint,7,opt,name=raft_term,json=raftTerm,proto3" json:"raft_term,omitempty"`
	RaftDesiredSuffrage string           `protobuf:"bytes,8,opt,name=raft_desired_suffrage,json=raftDesiredSuffrage,proto3" json:"raft_desired_suffrage,omitempty"`
	// contains filtered or unexported fields
}
func (*EchoRequest) Descriptor — deprecated, added in v0.7.3
func (*EchoRequest) Descriptor() ([]byte, []int)
Deprecated: Use EchoRequest.ProtoReflect.Descriptor instead.
func (*EchoRequest) GetClusterAddr ¶ added in v0.7.3
func (x *EchoRequest) GetClusterAddr() string
func (*EchoRequest) GetClusterAddrs ¶ added in v0.9.0
func (x *EchoRequest) GetClusterAddrs() []string
func (*EchoRequest) GetMessage ¶ added in v0.7.3
func (x *EchoRequest) GetMessage() string
func (*EchoRequest) GetNodeInfo ¶ added in v1.5.0
func (x *EchoRequest) GetNodeInfo() *NodeInformation
func (*EchoRequest) GetRaftAppliedIndex ¶ added in v1.2.0
func (x *EchoRequest) GetRaftAppliedIndex() uint64
func (*EchoRequest) GetRaftDesiredSuffrage ¶ added in v1.7.0
func (x *EchoRequest) GetRaftDesiredSuffrage() string
func (*EchoRequest) GetRaftNodeID ¶ added in v1.2.0
func (x *EchoRequest) GetRaftNodeID() string
func (*EchoRequest) GetRaftTerm ¶ added in v1.7.0
func (x *EchoRequest) GetRaftTerm() uint64
func (*EchoRequest) ProtoMessage ¶ added in v0.7.3
func (*EchoRequest) ProtoMessage()
func (*EchoRequest) ProtoReflect ¶ added in v1.5.0
func (x *EchoRequest) ProtoReflect() protoreflect.Message
func (*EchoRequest) Reset ¶ added in v0.7.3
func (x *EchoRequest) Reset()
func (*EchoRequest) String ¶ added in v0.7.3
func (x *EchoRequest) String() string
type EncodedKeyring ¶ added in v0.2.0
// EncodedKeyring is used for serialization of the keyring.
type EncodedKeyring struct {
	// MasterKey: NOTE(review) — the serialized keyring carries the root key
	// bytes at this layer; confirm it is only ever persisted through the
	// seal-protected write path and never logged.
	MasterKey []byte
	// Keys holds one Key per term (see Key).
	Keys []*Key
	// RotationConfig is the keyring's rotation settings (see KeyRotationConfig).
	RotationConfig KeyRotationConfig
}
EncodedKeyring is used for serialization of the keyring
type EntityCounter ¶ added in v1.3.0
// EntityCounter counts the number of entities.
type EntityCounter struct {
	// Total is the total number of entities
	Total int `json:"total"`
}
EntityCounter counts the number of entities
type EntityCreator ¶ added in v1.9.0
type ErrDecrypt ¶ added in v1.6.0
// ErrDecrypt carries an underlying error (Err). It implements error and
// supports errors.Is matching through its Is method.
type ErrDecrypt struct {
	Err error
}
func (*ErrDecrypt) Error ¶ added in v1.6.0
func (e *ErrDecrypt) Error() string
func (*ErrDecrypt) Is ¶ added in v1.6.0
func (e *ErrDecrypt) Is(target error) bool
type ErrEncrypt ¶ added in v1.6.0
// ErrEncrypt carries an underlying error (Err). It implements error and
// supports errors.Is matching through its Is method.
type ErrEncrypt struct {
	Err error
}
func (*ErrEncrypt) Error ¶ added in v1.6.0
func (e *ErrEncrypt) Error() string
func (*ErrEncrypt) Is ¶ added in v1.6.0
func (e *ErrEncrypt) Is(target error) bool
type ErrInvalidKey ¶
// ErrInvalidKey is returned if there is a user-based error with a provided
// unseal key. This will be shown to the user, so should not contain
// information that is sensitive.
type ErrInvalidKey struct {
	// Reason is user-facing (it is what Error() surfaces); keep it free of
	// key material or other sensitive detail.
	Reason string
}
ErrInvalidKey is returned if there is a user-based error with a provided unseal key. This will be shown to the user, so should not contain information that is sensitive.
func (*ErrInvalidKey) Error ¶
func (e *ErrInvalidKey) Error() string
type ExpirationManager ¶
// ExpirationManager is used by the Core to manage leases. Secrets can
// provide a lease, meaning that they can be renewed or revoked. If a secret
// is not renewed in timely manner, it may be expired, and the
// ExpirationManager will handle doing automatic revocation.
type ExpirationManager struct {
	// contains filtered or unexported fields
}
ExpirationManager is used by the Core to manage leases. Secrets can provide a lease, meaning that they can be renewed or revoked. If a secret is not renewed in timely manner, it may be expired, and the ExpirationManager will handle doing automatic revocation.
func NewExpirationManager ¶
func NewExpirationManager(c *Core, view *BarrierView, e ExpireLeaseStrategy, logger log.Logger) *ExpirationManager
NewExpirationManager creates a new ExpirationManager that is backed using a given view, and uses the provided router for revocation.
func (*ExpirationManager) CreateOrFetchRevocationLeaseByToken ¶ added in v0.10.2
func (m *ExpirationManager) CreateOrFetchRevocationLeaseByToken(ctx context.Context, te *logical.TokenEntry) (string, error)
CreateOrFetchRevocationLeaseByToken is used to create or fetch the matching leaseID for a particular token. The lease is set to expire immediately after it's created.
func (*ExpirationManager) FetchLeaseTimes ¶ added in v0.5.0
func (m *ExpirationManager) FetchLeaseTimes(ctx context.Context, leaseID string) (*leaseEntry, error)
FetchLeaseTimes is used to fetch the issue time, expiration time, and last renewed time of a lease entry. It returns a leaseEntry itself, but with only those values copied over.
func (*ExpirationManager) FetchLeaseTimesByToken ¶ added in v0.5.0
func (m *ExpirationManager) FetchLeaseTimesByToken(ctx context.Context, te *logical.TokenEntry) (*leaseEntry, error)
FetchLeaseTimesByToken is a helper function to use token values to compute the leaseID, rather than pushing that logic back into the token store. As a special case, for a batch token it simply returns the information encoded on it.
func (*ExpirationManager) LazyRevoke ¶ added in v0.10.4
func (m *ExpirationManager) LazyRevoke(ctx context.Context, leaseID string) error
LazyRevoke is used to queue revocation for a secret named by the given LeaseID. If the lease was not found it returns nil; if the lease was found it triggers a return of a 202.
func (*ExpirationManager) Register ¶
func (m *ExpirationManager) Register(ctx context.Context, req *logical.Request, resp *logical.Response) (id string, retErr error)
Register is used to take a request and response with an associated lease. The secret gets assigned a LeaseID and the management of the lease is assumed by the expiration manager.
func (*ExpirationManager) RegisterAuth ¶
func (m *ExpirationManager) RegisterAuth(ctx context.Context, te *logical.TokenEntry, auth *logical.Auth) error
RegisterAuth is used to take an Auth response with an associated lease. The token does not get a LeaseID, but the lease management is handled by the expiration manager.
func (*ExpirationManager) Renew ¶
func (m *ExpirationManager) Renew(ctx context.Context, leaseID string, increment time.Duration) (*logical.Response, error)
Renew is used to renew a secret using the given leaseID and a renew interval. The increment may be ignored.
func (*ExpirationManager) RenewToken ¶
func (m *ExpirationManager) RenewToken(ctx context.Context, req *logical.Request, te *logical.TokenEntry, increment time.Duration, ) (*logical.Response, error)
RenewToken is used to renew a token which does not need to invoke a logical backend.
func (*ExpirationManager) Restore ¶
func (m *ExpirationManager) Restore(errorFunc func()) (retErr error)
Restore is used to recover the lease states when starting. This is used after starting the vault.
func (*ExpirationManager) Revoke ¶
func (m *ExpirationManager) Revoke(ctx context.Context, leaseID string) error
Revoke is used to revoke a secret named by the given LeaseID
func (*ExpirationManager) RevokeByToken ¶
func (m *ExpirationManager) RevokeByToken(ctx context.Context, te *logical.TokenEntry) error
RevokeByToken is used to revoke all the secrets issued with a given token. This is done by using the secondary index. It also removes the lease entry for the token itself. As a result it should *ONLY* ever be called from the token store's revokeInternal function. (NB: it's called by token tidy as well.)
func (*ExpirationManager) RevokeForce ¶ added in v0.5.2
func (m *ExpirationManager) RevokeForce(ctx context.Context, prefix string) error
RevokeForce works similarly to RevokePrefix but continues in the case of a revocation error; this is mostly meant for recovery operations
func (*ExpirationManager) RevokePrefix ¶
RevokePrefix is used to revoke all secrets with a given prefix. The prefix maps to that of the mount table to make this simpler to reason about.
func (*ExpirationManager) Stop ¶
func (m *ExpirationManager) Stop() error
Stop is used to prevent further automatic revocations. This must be called before sealing the view.
func (*ExpirationManager) Tidy ¶ added in v0.7.1
func (m *ExpirationManager) Tidy(ctx context.Context) error
Tidy cleans up the dangling storage entries for leases. It scans the storage view to find all the available leases, checks if the token embedded in it is either empty or invalid and in both cases, it revokes them. It also uses a token cache to avoid multiple lookups of the same token ID. It is normally not required to use the API that invokes this. This is only intended to clean up the corrupt storage due to bugs.
func (*ExpirationManager) WalkTokens ¶ added in v1.5.0
func (m *ExpirationManager) WalkTokens(walkFn ExpirationWalkFunction) error
WalkTokens extracts the Auth structure from leases corresponding to tokens. Returning false from the walk function terminates the iteration.
type ExpirationWalkFunction ¶ added in v1.5.0
ExpirationWalkFunction is the callback function type used to walk tokens referenced in the expiration manager. We don't want to use leaseEntry here because it's an unexported type (though most likely we would only call this from within the "vault" core package).
type ExpireLeaseStrategy ¶ added in v0.11.2
type FeatureFlags ¶ added in v1.4.0
// FeatureFlags is a JSON-serialized set of feature toggles (see the struct tags).
type FeatureFlags struct {
	NamespacesCubbyholesLocal bool `json:"namespace_cubbyholes_local"`
}
type GenerateRootConfig ¶ added in v0.5.0
// GenerateRootConfig holds the configuration for a root generation command.
type GenerateRootConfig struct {
	Nonce          string
	PGPKey         string
	PGPFingerprint string
	// OTP: NOTE(review) — presumably the one-time pad used to encode the
	// generated token when no PGP key is given; confirm against the
	// generate-root implementation.
	OTP      string
	Strategy GenerateRootStrategy
}
GenerateRootConfig holds the configuration for a root generation command.
type GenerateRootResult ¶ added in v0.5.0
// GenerateRootResult holds the result of a root generation update command.
type GenerateRootResult struct {
	Progress int
	Required int
	// EncodedToken: NOTE(review) — presumably the generated token encoded with
	// the OTP or PGP key from GenerateRootConfig, so that it is never returned
	// in the clear; confirm.
	EncodedToken   string
	PGPFingerprint string
}
GenerateRootResult holds the result of a root generation update command
type GenerateRootStrategy ¶ added in v0.9.0
// GenerateRootStrategy allows us to swap out the strategy we want to use to
// create a token upon completion of the generate root process.
type GenerateRootStrategy interface {
	// contains filtered or unexported methods
}
GenerateRootStrategy allows us to swap out the strategy we want to use to create a token upon completion of the generate root process.
var (
	// GenerateStandardRootTokenStrategy is the strategy used to generate a
	// typical root token
	GenerateStandardRootTokenStrategy GenerateRootStrategy = generateStandardRootToken{}

	// GenerateDROperationTokenStrategy is the strategy used to generate a
	// DR operational token
	// NOTE(review): as declared here this is the same generateStandardRootToken{}
	// value as the standard strategy; confirm that is intended.
	GenerateDROperationTokenStrategy GenerateRootStrategy = generateStandardRootToken{}
)
func GenerateRecoveryTokenStrategy ¶ added in v1.3.0
func GenerateRecoveryTokenStrategy(token *atomic.String) GenerateRootStrategy
GenerateRecoveryTokenStrategy is the strategy used to generate a recovery token
type GroupUpdater ¶ added in v1.9.0
type HAStatusNode ¶ added in v1.10.0
type HandlerProperties ¶ added in v0.10.4
// HandlerProperties is used to seed configuration into a vaulthttp.Handler.
// It's in this package to avoid a circular dependency.
type HandlerProperties struct {
	Core                  *Core
	ListenerConfig        *configutil.Listener
	DisablePrintableCheck bool
	RecoveryMode          bool
	// RecoveryToken: NOTE(review) — presumably the token honoured while
	// RecoveryMode is set; confirm how it is populated and that it is not
	// consulted in normal mode.
	RecoveryToken *uberAtomic.String
}
HandlerProperties is used to seed configuration into a vaulthttp.Handler. It's in this package to avoid a circular dependency.
type IdentityFactor ¶ added in v0.11.2
type IdentityStore ¶ added in v0.9.0
// IdentityStore is composed of its own storage view and a MemDB which
// maintains active in-memory replicas of the storage contents indexed by
// multiple fields.
type IdentityStore struct {
	// IdentityStore is a secret backend in Vault
	*framework.Backend
	// contains filtered or unexported fields
}
IdentityStore is composed of its own storage view and a MemDB which maintains active in-memory replicas of the storage contents indexed by multiple fields.
func NewIdentityStore ¶ added in v0.9.0
func NewIdentityStore(ctx context.Context, core *Core, config *logical.BackendConfig, logger log.Logger) (*IdentityStore, error)
func (*IdentityStore) CreateEntity ¶ added in v0.9.0
CreateEntity creates a new entity.
func (*IdentityStore) CreateOrFetchEntity ¶ added in v0.9.4
func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.Alias) (*identity.Entity, error)
CreateOrFetchEntity creates a new entity. This is used by core to associate each login attempt by an alias to a unified entity in Vault.
func (*IdentityStore) Invalidate ¶ added in v0.9.0
func (i *IdentityStore) Invalidate(ctx context.Context, key string)
Invalidate is a callback wherein the backend is informed that the value at the given key is updated. In identity store's case, it would be the entity storage entries that get updated. The value needs to be read and MemDB needs to be updated accordingly.
func (*IdentityStore) MemDBAliasByFactors ¶ added in v0.9.0
func (*IdentityStore) MemDBAliasByFactorsInTxn ¶ added in v0.9.4
func (*IdentityStore) MemDBAliasByID ¶ added in v0.9.0
func (*IdentityStore) MemDBAliasByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBAliases ¶ added in v0.9.0
func (i *IdentityStore) MemDBAliases(ws memdb.WatchSet, groupAlias bool) (memdb.ResultIterator, error)
func (*IdentityStore) MemDBDeleteAliasByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBDeleteEntityByID ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteEntityByID(entityID string) error
func (*IdentityStore) MemDBDeleteEntityByIDInTxn ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteEntityByIDInTxn(txn *memdb.Txn, entityID string) error
func (*IdentityStore) MemDBDeleteGroupByIDInTxn ¶ added in v0.9.0
func (i *IdentityStore) MemDBDeleteGroupByIDInTxn(txn *memdb.Txn, groupID string) error
func (*IdentityStore) MemDBEntitiesByBucketKeyInTxn ¶ added in v1.2.0
func (*IdentityStore) MemDBEntityByAliasID ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByAliasIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByID ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByMergedEntityID ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByName ¶ added in v0.9.0
func (*IdentityStore) MemDBEntityByNameInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByAliasID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByAliasIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByName ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupByNameInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByBucketKeyInTxn ¶ added in v1.2.0
func (*IdentityStore) MemDBGroupsByMemberEntityID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByMemberEntityIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByParentGroupID ¶ added in v0.9.0
func (*IdentityStore) MemDBGroupsByParentGroupIDInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBLocalAliasesByBucketKeyInTxn ¶ added in v1.9.0
func (*IdentityStore) MemDBUpsertAliasInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBUpsertEntityInTxn ¶ added in v0.9.0
func (*IdentityStore) MemDBUpsertGroupInTxn ¶ added in v0.9.0
func (*IdentityStore) UpsertGroup ¶ added in v0.9.0
type InFlightReqData ¶ added in v1.10.0
type InFlightRequests ¶ added in v1.10.0
// InFlightRequests tracks requests currently being handled: a map of
// per-request data and a counter (presumably keyed by request ID, as
// Core.StoreInFlightReqData takes a reqID — confirm).
type InFlightRequests struct {
	InFlightReqMap   *sync.Map
	InFlightReqCount *uberAtomic.Uint64
}
type InitParams ¶ added in v0.6.2
// InitParams keeps the init function from being littered with too many
// params, that's it!
type InitParams struct {
	BarrierConfig   *SealConfig
	RecoveryConfig  *SealConfig
	RootTokenPGPKey string

	// LegacyShamirSeal should only be used in test code, we don't want to
	// give the user a way to create legacy shamir seals.
	LegacyShamirSeal bool
}
InitParams keeps the init function from being littered with too many params, that's it!
type InitResult ¶
// InitResult is used to provide the key parts back after they are generated
// as part of the initialization.
type InitResult struct {
	// RootToken: NOTE(review) — a highly privileged credential returned only
	// at init time; callers should avoid logging or persisting it in the clear.
	RootToken string
	// contains filtered or unexported fields
}
InitResult is used to provide the key parts back after they are generated as part of the initialization.
type InitializableBackend ¶ added in v1.2.0
// InitializableBackend is a backend that knows whether it has been
// initialized properly. It embeds *NoopBackend and adds an Initialize method.
type InitializableBackend struct {
	*NoopBackend
	// contains filtered or unexported fields
}
InitializableBackend is a backend that knows whether it has been initialized properly.
func (*InitializableBackend) Initialize ¶ added in v1.2.0
func (b *InitializableBackend) Initialize(ctx context.Context, req *logical.InitializationRequest) error
type Key ¶ added in v0.2.0
// Key represents a single term, along with the key used.
type Key struct {
	Term    uint32
	Version int
	// Value: NOTE(review) — the raw key bytes; confirm this type is only
	// serialized through the keyring's protected write path.
	Value       []byte
	InstallTime time.Time
	// Encryptions is omitted from JSON when zero (see tag); presumably a
	// per-key usage counter used for rotation decisions — confirm.
	Encryptions uint64 `json:"encryptions,omitempty"`
}
Key represents a single term, along with the key used.
func DeserializeKey ¶ added in v0.2.0
DeserializeKey is used to deserialize and return a new key
type KeyRotationConfig ¶ added in v1.7.0
func (KeyRotationConfig) Clone ¶ added in v1.7.0
func (c KeyRotationConfig) Clone() KeyRotationConfig
func (*KeyRotationConfig) Equals ¶ added in v1.7.0
func (c *KeyRotationConfig) Equals(config KeyRotationConfig) bool
func (*KeyRotationConfig) Sanitize ¶ added in v1.7.0
func (c *KeyRotationConfig) Sanitize()
type Keyring ¶ added in v0.2.0
// Keyring is used to manage multiple encryption keys used by the barrier.
// New keys can be installed and each has a sequential term. The term used to
// encrypt a key is prefixed to the key written out. All data is encrypted
// with the latest key, but storing the old keys allows for decryption of
// keys written previously. Along with the encryption keys, the keyring also
// tracks the root key. This is necessary so that when a new key is added to
// the keyring, we can encrypt with the root key and write out the new keyring.
type Keyring struct {
	// contains filtered or unexported fields
}
Keyring is used to manage multiple encryption keys used by the barrier. New keys can be installed and each has a sequential term. The term used to encrypt a key is prefixed to the key written out. All data is encrypted with the latest key, but storing the old keys allows for decryption of keys written previously. Along with the encryption keys, the keyring also tracks the root key. This is necessary so that when a new key is added to the keyring, we can encrypt with the root key and write out the new keyring.
func DeserializeKeyring ¶ added in v0.2.0
DeserializeKeyring is used to deserialize and return a new keyring
func (*Keyring) ActiveTerm ¶ added in v0.2.0
ActiveTerm returns the currently active term
func (*Keyring) SetRootKey ¶ added in v1.10.0
SetRootKey is used to update the root key
type LeaderResponse ¶ added in v1.6.2
// LeaderResponse is the JSON-serialized leader/HA status of a node (see the
// struct tags for the wire field names).
type LeaderResponse struct {
	HAEnabled                bool      `json:"ha_enabled"`
	IsSelf                   bool      `json:"is_self"`
	ActiveTime               time.Time `json:"active_time,omitempty"`
	LeaderAddress            string    `json:"leader_address"`
	LeaderClusterAddress     string    `json:"leader_cluster_address"`
	PerfStandby              bool      `json:"performance_standby"`
	PerfStandbyLastRemoteWAL uint64    `json:"performance_standby_last_remote_wal"`
	LastWAL                  uint64    `json:"last_wal,omitempty"`

	// Raft Indexes for this node
	RaftCommittedIndex uint64 `json:"raft_committed_index,omitempty"`
	RaftAppliedIndex   uint64 `json:"raft_applied_index,omitempty"`
}
type LicenseState ¶ added in v1.8.0
type LicensingConfig ¶ added in v0.11.2
// LicensingConfig holds licensing settings referenced from CoreConfig.
type LicensingConfig struct {
	// AdditionalPublicKeys: NOTE(review) — presumably extra keys trusted to
	// verify license signatures; the element type is not constrained here,
	// so confirm how callers validate what is placed in this slice.
	AdditionalPublicKeys []interface{}
}
type ListenerCustomHeaders ¶ added in v1.9.0
// ListenerCustomHeaders holds the custom response headers configured for one
// listener Address, keyed by status code; ExistCustomResponseHeader queries it.
type ListenerCustomHeaders struct {
	Address             string
	StatusCodeHeaderMap map[string][]*logical.CustomHeader
	// contains filtered or unexported fields
}
func NewListenerCustomHeader ¶ added in v1.9.0
func NewListenerCustomHeader(ln []*configutil.Listener, logger log.Logger, uiHeaders http.Header) []*ListenerCustomHeaders
func (*ListenerCustomHeaders) ExistCustomResponseHeader ¶ added in v1.9.0
func (l *ListenerCustomHeaders) ExistCustomResponseHeader(header string) bool
type ListingVisibilityType ¶ added in v0.10.2
// ListingVisibilityType represents the types for listing visibility.
type ListingVisibilityType string
ListingVisibilityType represents the types for listing visibility
const (
	// ListingVisibilityDefault is the default value for listing visibility
	ListingVisibilityDefault ListingVisibilityType = ""
	// ListingVisibilityHidden is the hidden type for listing visibility
	ListingVisibilityHidden ListingVisibilityType = "hidden"
	// ListingVisibilityUnauth is the unauth type for listing visibility
	// NOTE(review): presumably makes the mount visible to unauthenticated
	// listing; confirm the mount's path/description are treated as public
	// when this is set.
	ListingVisibilityUnauth ListingVisibilityType = "unauth"

	MountTableUpdateStorage   = true
	MountTableNoUpdateStorage = false
)
type LocalNode ¶ added in v1.9.0
// LocalNode exposes the replication and HA state of the local node.
type LocalNode interface {
	ReplicationState() consts.ReplicationState
	HAState() consts.HAState
}
type LoginMFABackend ¶ added in v1.10.0
// LoginMFABackend is the login-MFA specialisation of MFABackend; it embeds
// *MFABackend and adds the MemDB*MFA* and ResetLoginMFAMemDB methods.
type LoginMFABackend struct {
	*MFABackend
}
func NewLoginMFABackend ¶ added in v1.10.0
func NewLoginMFABackend(core *Core, logger hclog.Logger) *LoginMFABackend
func (*LoginMFABackend) MemDBDeleteMFAConfigByID ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBDeleteMFAConfigByID(methodId, tableName string) error
func (*LoginMFABackend) MemDBDeleteMFAConfigByIDInTxn ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBDeleteMFAConfigByIDInTxn(txn *memdb.Txn, configID string) error
func (*LoginMFABackend) MemDBDeleteMFALoginEnforcementConfigByNameAndNamespace ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBDeleteMFALoginEnforcementConfigByNameAndNamespace(name, namespaceId, tableName string) error
func (*LoginMFABackend) MemDBMFAConfigByID ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBMFAConfigByID(mConfigID string) (*mfa.Config, error)
func (*LoginMFABackend) MemDBMFAConfigByIDInTxn ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBMFAConfigByIDInTxn(txn *memdb.Txn, mConfigID string) (*mfa.Config, error)
func (*LoginMFABackend) MemDBMFALoginEnforcementConfigByNameAndNamespace ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBMFALoginEnforcementConfigByNameAndNamespace(name, namespaceId string) (*mfa.MFAEnforcementConfig, error)
func (*LoginMFABackend) MemDBMFALoginEnforcementConfigIterator ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBMFALoginEnforcementConfigIterator() (memdb.ResultIterator, error)
func (*LoginMFABackend) MemDBUpsertMFALoginEnforcementConfig ¶ added in v1.10.0
func (b *LoginMFABackend) MemDBUpsertMFALoginEnforcementConfig(ctx context.Context, eConfig *mfa.MFAEnforcementConfig) error
func (*LoginMFABackend) ResetLoginMFAMemDB ¶ added in v1.10.3
func (b *LoginMFABackend) ResetLoginMFAMemDB() error
type LoginMFAPriorityQueue ¶ added in v1.10.0
// LoginMFAPriorityQueue is a priority queue of *MFACachedAuthResponse items
// (see Push, PopByKey and RemoveExpiredMfaAuthResponse); construct it with
// NewLoginMFAPriorityQueue.
type LoginMFAPriorityQueue struct {
	// contains filtered or unexported fields
}
func NewLoginMFAPriorityQueue ¶ added in v1.10.0
func NewLoginMFAPriorityQueue() *LoginMFAPriorityQueue
NewLoginMFAPriorityQueue initializes the internal data structures and returns a new PriorityQueue
func (*LoginMFAPriorityQueue) Len ¶ added in v1.10.0
func (pq *LoginMFAPriorityQueue) Len() int
Len returns the count of items in the Priority Queue
func (*LoginMFAPriorityQueue) PopByKey ¶ added in v1.10.0
func (pq *LoginMFAPriorityQueue) PopByKey(reqID string) (*MFACachedAuthResponse, error)
PopByKey searches the queue for an item with the given key and removes it from the queue if found. Returns nil if not found.
func (*LoginMFAPriorityQueue) Push ¶ added in v1.10.0
func (pq *LoginMFAPriorityQueue) Push(resp *MFACachedAuthResponse) error
Push pushes an item onto the queue. This is a wrapper/convenience method that calls heap.Push, so consumers do not need to invoke heap functions directly. Items must have unique Keys, and Items in the queue cannot be updated. To modify an Item, users must first remove it and re-push it after modifications.
func (*LoginMFAPriorityQueue) RemoveExpiredMfaAuthResponse ¶ added in v1.10.0
func (pq *LoginMFAPriorityQueue) RemoveExpiredMfaAuthResponse(expiryTime time.Duration, cutoffTime time.Time) error
RemoveExpiredMfaAuthResponse pops elements off the queue and checks whether each entry has expired. If the entry has not expired, it pushes the entry back onto the queue. It returns false if there is no expired element left to be removed, true otherwise. cutoffTime should normally be time.Now() except for tests.
type MFABackend ¶ added in v1.10.0
// MFABackend is the shared base for MFA backends (see NewMFABackend); it
// holds a reference to the Core it serves.
type MFABackend struct {
	Core *Core
	// contains filtered or unexported fields
}
func NewMFABackend ¶ added in v1.10.0
func NewMFABackend(core *Core, logger hclog.Logger, prefix string, schemaFuncs []func() *memdb.TableSchema) *MFABackend
func (*MFABackend) MemDBUpsertMFAConfig ¶ added in v1.10.0
func (*MFABackend) MemDBUpsertMFAConfigInTxn ¶ added in v1.10.0
func (b *MFABackend) MemDBUpsertMFAConfigInTxn(txn *memdb.Txn, mConfig *mfa.Config) error
type MFACachedAuthResponse ¶ added in v1.10.0
type MountConfig ¶ added in v0.3.0
type MountConfig struct { DefaultLeaseTTL time.Duration `json:"default_lease_ttl,omitempty" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"` // Override for global default MaxLeaseTTL time.Duration `json:"max_lease_ttl,omitempty" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"` // Override for global default ForceNoCache bool `json:"force_no_cache,omitempty" structs:"force_no_cache" mapstructure:"force_no_cache"` // Override for global default AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"` AuditNonHMACResponseKeys []string `` /* 128-byte string literal not displayed */ ListingVisibility ListingVisibilityType `json:"listing_visibility,omitempty" structs:"listing_visibility" mapstructure:"listing_visibility"` PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" structs:"passthrough_request_headers" mapstructure:"passthrough_request_headers"` AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" structs:"allowed_response_headers" mapstructure:"allowed_response_headers"` TokenType logical.TokenType `json:"token_type,omitempty" structs:"token_type" mapstructure:"token_type"` AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"` // PluginName is the name of the plugin registered in the catalog. // // Deprecated: MountEntry.Type should be used instead for Vault 1.0.0 and beyond. PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"` }
MountConfig is used to hold settable options
type MountEntry ¶
type MountEntry struct { Table string `json:"table"` // The table it belongs to Path string `json:"path"` // Mount Path Type string `json:"type"` // Logical backend Type Description string `json:"description"` // User-provided description UUID string `json:"uuid"` // Barrier view UUID BackendAwareUUID string `json:"backend_aware_uuid"` // UUID that can be used by the backend as a helper when a consistent value is needed outside of storage. Accessor string `json:"accessor"` // Unique but more human-friendly ID. Does not change, not used for any sensitive things (like as a salt, which the UUID sometimes is). Config MountConfig `json:"config"` // Configuration related to this mount (but not backend-derived) Options map[string]string `json:"options"` // Backend options Local bool `json:"local"` // Local mounts are not replicated or affected by replication SealWrap bool `json:"seal_wrap"` // Whether to wrap CSPs ExternalEntropyAccess bool `json:"external_entropy_access,omitempty"` // Whether to allow external entropy source access Tainted bool `json:"tainted,omitempty"` // Set as a Write-Ahead flag for unmount/remount MountState string `json:"mount_state,omitempty"` // The current mount state. The only non-empty mount state right now is "unmounting" NamespaceID string `json:"namespace_id"` // contains filtered or unexported fields }
MountEntry is used to represent a mount table entry
func (*MountEntry) APIPath ¶ added in v0.11.2
func (e *MountEntry) APIPath() string
APIPath returns the full API Path for the given mount entry
func (*MountEntry) Clone ¶
func (e *MountEntry) Clone() (*MountEntry, error)
Clone returns a deep copy of the mount entry
func (*MountEntry) Namespace ¶ added in v0.11.2
func (e *MountEntry) Namespace() *namespace.Namespace
Namespace returns the namespace for the mount entry
func (*MountEntry) SyncCache ¶ added in v0.9.6
func (e *MountEntry) SyncCache()
SyncCache syncs tunable configuration values to the cache. In the case of cached values, they should be retrieved via synthesizedConfigCache.Load() instead of accessing them directly through MountConfig.
func (*MountEntry) ViewPath ¶ added in v0.11.2
func (e *MountEntry) ViewPath() string
ViewPath returns the storage prefix for the view.
type MountMigrationInfo ¶ added in v1.10.0
type MountMigrationStatus ¶ added in v1.10.0
type MountMigrationStatus int
const ( MigrationInProgressStatus MountMigrationStatus = iota MigrationSuccessStatus MigrationFailureStatus )
func (MountMigrationStatus) String ¶ added in v1.10.0
func (m MountMigrationStatus) String() string
type MountTable ¶
type MountTable struct { Type string `json:"type"` Entries []*MountEntry `json:"entries"` }
MountTable is used to represent the internal mount table
type Namespacer ¶ added in v1.9.0
type NodeInformation ¶ added in v1.5.0
type NodeInformation struct { ClusterAddr string `protobuf:"bytes,1,opt,name=cluster_addr,json=clusterAddr,proto3" json:"cluster_addr,omitempty"` ApiAddr string `protobuf:"bytes,2,opt,name=api_addr,json=apiAddr,proto3" json:"api_addr,omitempty"` Mode string `protobuf:"bytes,3,opt,name=mode,proto3" json:"mode,omitempty"` NodeID string `protobuf:"bytes,4,opt,name=node_id,json=nodeId,proto3" json:"node_id,omitempty"` ReplicationState uint32 `protobuf:"varint,5,opt,name=replication_state,json=replicationState,proto3" json:"replication_state,omitempty"` Hostname string `protobuf:"bytes,6,opt,name=hostname,proto3" json:"hostname,omitempty"` // contains filtered or unexported fields }
func (*NodeInformation) Descriptor ¶ deprecated, added in v1.5.0
func (*NodeInformation) Descriptor() ([]byte, []int)
Deprecated: Use NodeInformation.ProtoReflect.Descriptor instead.
func (*NodeInformation) GetApiAddr ¶ added in v1.5.0
func (x *NodeInformation) GetApiAddr() string
func (*NodeInformation) GetClusterAddr ¶ added in v1.5.0
func (x *NodeInformation) GetClusterAddr() string
func (*NodeInformation) GetHostname ¶ added in v1.10.0
func (x *NodeInformation) GetHostname() string
func (*NodeInformation) GetMode ¶ added in v1.5.0
func (x *NodeInformation) GetMode() string
func (*NodeInformation) GetNodeID ¶ added in v1.5.0
func (x *NodeInformation) GetNodeID() string
func (*NodeInformation) GetReplicationState ¶ added in v1.5.0
func (x *NodeInformation) GetReplicationState() uint32
func (*NodeInformation) ProtoMessage ¶ added in v1.5.0
func (*NodeInformation) ProtoMessage()
func (*NodeInformation) ProtoReflect ¶ added in v1.5.0
func (x *NodeInformation) ProtoReflect() protoreflect.Message
func (*NodeInformation) Reset ¶ added in v1.5.0
func (x *NodeInformation) Reset()
func (*NodeInformation) String ¶ added in v1.5.0
func (x *NodeInformation) String() string
type NonFatalError ¶ added in v0.6.0
type NonFatalError struct {
Err error
}
NonFatalError is an error that can be returned during NewCore; it should be displayed but must not cause a program exit.
func NewNonFatalError ¶ added in v1.0.3
func NewNonFatalError(err error) *NonFatalError
NewNonFatalError returns a new non-fatal error.
func (*NonFatalError) Error ¶ added in v0.6.0
func (e *NonFatalError) Error() string
func (*NonFatalError) WrappedErrors ¶ added in v0.6.0
func (e *NonFatalError) WrappedErrors() []error
type NoopAudit ¶ added in v1.2.0
type NoopAudit struct { Config *audit.BackendConfig ReqErr error ReqAuth []*logical.Auth Req []*logical.Request ReqHeaders []map[string][]string ReqNonHMACKeys []string ReqErrs []error RespErr error RespAuth []*logical.Auth RespReq []*logical.Request Resp []*logical.Response RespNonHMACKeys []string RespReqNonHMACKeys []string RespErrs []error // contains filtered or unexported fields }
func (*NoopAudit) Invalidate ¶ added in v1.2.0
func (*NoopAudit) LogRequest ¶ added in v1.2.0
func (*NoopAudit) LogResponse ¶ added in v1.2.0
func (*NoopAudit) LogTestMessage ¶ added in v1.7.0
type NoopBackend ¶ added in v1.1.4
type NoopBackend struct { sync.Mutex Root []string Login []string Paths []string Requests []*logical.Request Response *logical.Response RequestHandler RouterTestHandlerFunc Invalidations []string DefaultLeaseTTL time.Duration MaxLeaseTTL time.Duration BackendType logical.BackendType }
func (*NoopBackend) Cleanup ¶ added in v1.1.4
func (n *NoopBackend) Cleanup(ctx context.Context)
func (*NoopBackend) HandleExistenceCheck ¶ added in v1.1.4
func (*NoopBackend) HandleRequest ¶ added in v1.1.4
func (*NoopBackend) Initialize ¶ added in v1.1.4
func (n *NoopBackend) Initialize(ctx context.Context, req *logical.InitializationRequest) error
func (*NoopBackend) InvalidateKey ¶ added in v1.1.4
func (n *NoopBackend) InvalidateKey(ctx context.Context, k string)
func (*NoopBackend) Logger ¶ added in v1.1.4
func (n *NoopBackend) Logger() log.Logger
func (*NoopBackend) Setup ¶ added in v1.1.4
func (n *NoopBackend) Setup(ctx context.Context, config *logical.BackendConfig) error
func (*NoopBackend) SpecialPaths ¶ added in v1.1.4
func (n *NoopBackend) SpecialPaths() *logical.Paths
func (*NoopBackend) System ¶ added in v1.1.4
func (n *NoopBackend) System() logical.SystemView
func (*NoopBackend) Type ¶ added in v1.1.4
func (n *NoopBackend) Type() logical.BackendType
type PassthroughBackend ¶
PassthroughBackend is used for storing secrets directly in the physical backend. The secrets are encrypted in durable storage and custom TTL information can be specified, but otherwise this backend doesn't do anything fancy.
func (*PassthroughBackend) GeneratesLeases ¶ added in v0.3.0
func (b *PassthroughBackend) GeneratesLeases() bool
type PathRules ¶ added in v0.9.0
type PathRules struct { Path string Policy string Permissions *ACLPermissions IsPrefix bool HasSegmentWildcards bool Capabilities []string // These keys are used at the top level to make the HCL nicer; we store in // the ACLPermissions object though MinWrappingTTLHCL interface{} `hcl:"min_wrapping_ttl"` MaxWrappingTTLHCL interface{} `hcl:"max_wrapping_ttl"` AllowedParametersHCL map[string][]interface{} `hcl:"allowed_parameters"` DeniedParametersHCL map[string][]interface{} `hcl:"denied_parameters"` RequiredParametersHCL []string `hcl:"required_parameters"` MFAMethodsHCL []string `hcl:"mfa_methods"` ControlGroupHCL *ControlGroupHCL `hcl:"control_group"` }
PathRules represents a policy for a path in the namespace.
type PerfStandbyElectionInput ¶ added in v0.11.2
type PerfStandbyElectionInput struct {
// contains filtered or unexported fields
}
func (*PerfStandbyElectionInput) Descriptor ¶ deprecated, added in v0.11.2
func (*PerfStandbyElectionInput) Descriptor() ([]byte, []int)
Deprecated: Use PerfStandbyElectionInput.ProtoReflect.Descriptor instead.
func (*PerfStandbyElectionInput) ProtoMessage ¶ added in v0.11.2
func (*PerfStandbyElectionInput) ProtoMessage()
func (*PerfStandbyElectionInput) ProtoReflect ¶ added in v1.5.0
func (x *PerfStandbyElectionInput) ProtoReflect() protoreflect.Message
func (*PerfStandbyElectionInput) Reset ¶ added in v0.11.2
func (x *PerfStandbyElectionInput) Reset()
func (*PerfStandbyElectionInput) String ¶ added in v0.11.2
func (x *PerfStandbyElectionInput) String() string
type PerfStandbyElectionResponse ¶ added in v0.11.2
type PerfStandbyElectionResponse struct { ID string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` ClusterID string `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` PrimaryClusterAddr string `protobuf:"bytes,3,opt,name=primary_cluster_addr,json=primaryClusterAddr,proto3" json:"primary_cluster_addr,omitempty"` CaCert []byte `protobuf:"bytes,4,opt,name=ca_cert,json=caCert,proto3" json:"ca_cert,omitempty"` ClientCert []byte `protobuf:"bytes,5,opt,name=client_cert,json=clientCert,proto3" json:"client_cert,omitempty"` ClientKey *ClientKey `protobuf:"bytes,6,opt,name=client_key,json=clientKey,proto3" json:"client_key,omitempty"` // contains filtered or unexported fields }
func (*PerfStandbyElectionResponse) Descriptor ¶ deprecated, added in v0.11.2
func (*PerfStandbyElectionResponse) Descriptor() ([]byte, []int)
Deprecated: Use PerfStandbyElectionResponse.ProtoReflect.Descriptor instead.
func (*PerfStandbyElectionResponse) GetCaCert ¶ added in v0.11.2
func (x *PerfStandbyElectionResponse) GetCaCert() []byte
func (*PerfStandbyElectionResponse) GetClientCert ¶ added in v0.11.2
func (x *PerfStandbyElectionResponse) GetClientCert() []byte
func (*PerfStandbyElectionResponse) GetClientKey ¶ added in v0.11.2
func (x *PerfStandbyElectionResponse) GetClientKey() *ClientKey
func (*PerfStandbyElectionResponse) GetClusterID ¶ added in v1.2.0
func (x *PerfStandbyElectionResponse) GetClusterID() string
func (*PerfStandbyElectionResponse) GetID ¶ added in v1.2.0
func (x *PerfStandbyElectionResponse) GetID() string
func (*PerfStandbyElectionResponse) GetPrimaryClusterAddr ¶ added in v0.11.2
func (x *PerfStandbyElectionResponse) GetPrimaryClusterAddr() string
func (*PerfStandbyElectionResponse) ProtoMessage ¶ added in v0.11.2
func (*PerfStandbyElectionResponse) ProtoMessage()
func (*PerfStandbyElectionResponse) ProtoReflect ¶ added in v1.5.0
func (x *PerfStandbyElectionResponse) ProtoReflect() protoreflect.Message
func (*PerfStandbyElectionResponse) Reset ¶ added in v0.11.2
func (x *PerfStandbyElectionResponse) Reset()
func (*PerfStandbyElectionResponse) String ¶ added in v0.11.2
func (x *PerfStandbyElectionResponse) String() string
type PhysicalBackendBundle ¶ added in v1.3.0
type PluginCatalog ¶ added in v0.7.1
type PluginCatalog struct {
// contains filtered or unexported fields
}
PluginCatalog keeps a record of plugins known to vault. External plugins need to be registered to the catalog before they can be used in backends. Builtin plugins are automatically detected and included in the catalog.
func (*PluginCatalog) Delete ¶ added in v0.7.1
func (c *PluginCatalog) Delete(ctx context.Context, name string, pluginType consts.PluginType) error
Delete is used to remove an external plugin from the catalog. Builtin plugins cannot be deleted.
func (*PluginCatalog) Get ¶ added in v0.7.1
func (c *PluginCatalog) Get(ctx context.Context, name string, pluginType consts.PluginType) (*pluginutil.PluginRunner, error)
Get retrieves a plugin with the specified name from the catalog. It first looks for external plugins with this name and then looks for builtin plugins. It returns a PluginRunner or an error if no plugin was found.
func (*PluginCatalog) List ¶ added in v0.7.1
func (c *PluginCatalog) List(ctx context.Context, pluginType consts.PluginType) ([]string, error)
List returns a list of all the known plugin names. If an external and builtin plugin share the same name, only one instance of the name will be returned.
func (*PluginCatalog) NewPluginClient ¶ added in v1.10.0
func (c *PluginCatalog) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (*pluginClient, error)
NewPluginClient returns a client for managing the lifecycle of a plugin process
func (*PluginCatalog) Set ¶ added in v0.7.1
func (c *PluginCatalog) Set(ctx context.Context, name string, pluginType consts.PluginType, command string, args []string, env []string, sha256 []byte) error
Set registers a new external plugin with the catalog, or updates an existing external plugin. It takes the plugin's name, command, arguments, environment, and SHA256.
func (*PluginCatalog) UpgradePlugins ¶ added in v1.0.0
UpgradePlugins will loop over all the plugins of unknown type and attempt to upgrade them to typed plugins.
type Policy ¶
type Policy struct { Name string `hcl:"name"` Paths []*PathRules `hcl:"-"` Raw string Type PolicyType Templated bool // contains filtered or unexported fields }
Policy is used to represent the policy specified by an ACL configuration.
func ParseACLPolicy ¶ added in v0.9.0
ParseACLPolicy is used to parse the specified ACL rules into an intermediary set of policies, before they are compiled into the ACL.
func (*Policy) ShallowClone ¶ added in v0.11.2
ShallowClone returns a shallow clone of the policy. This should not be used if any of the reference-typed fields are going to be modified.
type PolicyCheckOpts ¶ added in v0.9.0
type PolicyEntry ¶ added in v0.2.0
type PolicyEntry struct { Version int Raw string Templated bool Type PolicyType // contains filtered or unexported fields }
PolicyEntry is used to store a policy by name
type PolicyMFABackend ¶ added in v1.10.0
type PolicyMFABackend struct {
*MFABackend
}
func NewPolicyMFABackend ¶ added in v1.10.0
func NewPolicyMFABackend(core *Core, logger hclog.Logger) *PolicyMFABackend
type PolicyStore ¶
type PolicyStore struct {
// contains filtered or unexported fields
}
PolicyStore is used to provide durable storage of policy, and to manage ACLs associated with them.
func NewPolicyStore ¶
func NewPolicyStore(ctx context.Context, core *Core, baseView *BarrierView, system logical.SystemView, logger log.Logger) (*PolicyStore, error)
NewPolicyStore creates a new PolicyStore that is backed by the given view. It is used to durably store and manage named policies.
func (*PolicyStore) ACL ¶
func (ps *PolicyStore) ACL(ctx context.Context, entity *identity.Entity, policyNames map[string][]string, additionalPolicies ...*Policy) (*ACL, error)
ACL is used to return an ACL which is built using the named policies and pre-fetched policies if given.
func (*PolicyStore) DeletePolicy ¶
func (ps *PolicyStore) DeletePolicy(ctx context.Context, name string, policyType PolicyType) error
DeletePolicy is used to delete the named policy
func (*PolicyStore) GetPolicy ¶
func (ps *PolicyStore) GetPolicy(ctx context.Context, name string, policyType PolicyType) (*Policy, error)
GetPolicy is used to fetch the named policy
func (*PolicyStore) ListPolicies ¶
func (ps *PolicyStore) ListPolicies(ctx context.Context, policyType PolicyType) ([]string, error)
ListPolicies is used to list the available policies
type PolicyType ¶ added in v0.9.0
type PolicyType uint32
const ( PolicyTypeACL PolicyType = iota PolicyTypeRGP PolicyTypeEGP // Triggers a lookup in the map to figure out if ACL or RGP PolicyTypeToken )
func (PolicyType) String ¶ added in v0.9.0
func (p PolicyType) String() string
type RawBackend ¶ added in v1.3.0
func NewRawBackend ¶ added in v1.3.0
func NewRawBackend(core *Core) *RawBackend
type RegisterAuthFunc ¶ added in v0.11.2
type RekeyBackup ¶ added in v0.5.0
RekeyBackup stores the backup copy of PGP-encrypted keys
type RekeyResult ¶ added in v0.2.0
type RekeyResult struct { PGPFingerprints []string Backup bool RecoveryKey bool VerificationRequired bool VerificationNonce string }
RekeyResult is used to provide the key parts back after they are generated as part of the rekey.
type RekeyVerifyResult ¶ added in v0.10.2
type ReplicationTokenInfo ¶ added in v0.11.2
type ReplicationTokenInfo struct{}
type RequestForwardingClient ¶ added in v0.6.1
type RequestForwardingClient interface { ForwardRequest(ctx context.Context, in *forwarding.Request, opts ...grpc.CallOption) (*forwarding.Response, error) Echo(ctx context.Context, in *EchoRequest, opts ...grpc.CallOption) (*EchoReply, error) PerformanceStandbyElectionRequest(ctx context.Context, in *PerfStandbyElectionInput, opts ...grpc.CallOption) (RequestForwarding_PerformanceStandbyElectionRequestClient, error) }
RequestForwardingClient is the client API for RequestForwarding service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewRequestForwardingClient ¶ added in v0.6.1
func NewRequestForwardingClient(cc grpc.ClientConnInterface) RequestForwardingClient
type RequestForwardingServer ¶ added in v0.6.1
type RequestForwardingServer interface { ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error) Echo(context.Context, *EchoRequest) (*EchoReply, error) PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, RequestForwarding_PerformanceStandbyElectionRequestServer) error // contains filtered or unexported methods }
RequestForwardingServer is the server API for the RequestForwarding service. All implementations must embed UnimplementedRequestForwardingServer for forward compatibility.
type RequestForwarding_PerformanceStandbyElectionRequestClient ¶ added in v0.11.2
type RequestForwarding_PerformanceStandbyElectionRequestClient interface { Recv() (*PerfStandbyElectionResponse, error) grpc.ClientStream }
type RequestForwarding_PerformanceStandbyElectionRequestServer ¶ added in v0.11.2
type RequestForwarding_PerformanceStandbyElectionRequestServer interface { Send(*PerfStandbyElectionResponse) error grpc.ServerStream }
type ResponseCounts ¶ added in v1.10.0
type ResponseMonth ¶ added in v1.10.0
type ResponseMonth struct { Timestamp string `json:"timestamp"` Counts *ResponseCounts `json:"counts"` Namespaces []*ResponseMonthlyNamespace `json:"namespaces"` NewClients *ResponseNewClients `json:"new_clients" mapstructure:"new_clients"` }
type ResponseMonthlyNamespace ¶ added in v1.10.0
type ResponseMonthlyNamespace struct { NamespaceID string `json:"namespace_id"` NamespacePath string `json:"namespace_path"` Counts *ResponseCounts `json:"counts"` Mounts []*ResponseMount `json:"mounts"` }
type ResponseMount ¶ added in v1.10.0
type ResponseMount struct { MountPath string `json:"mount_path"` Counts *ResponseCounts `json:"counts"` }
type ResponseNamespace ¶ added in v1.10.0
type ResponseNamespace struct { NamespaceID string `json:"namespace_id"` NamespacePath string `json:"namespace_path"` Counts ResponseCounts `json:"counts"` Mounts []*ResponseMount `json:"mounts"` }
type ResponseNewClients ¶ added in v1.10.0
type ResponseNewClients struct { Counts *ResponseCounts `json:"counts"` Namespaces []*ResponseMonthlyNamespace `json:"namespaces"` }
type RollbackManager ¶
type RollbackManager struct {
// contains filtered or unexported fields
}
RollbackManager is responsible for performing rollbacks of partial secrets within logical backends.
During normal operations, it is possible for logical backends to error partially through an operation. These are called "partial secrets": they are never sent back to a user, but they do need to be cleaned up. This manager handles that by periodically (on a timer) requesting that the backends clean up.
The RollbackManager periodically initiates a logical.RollbackOperation on every mounted logical backend. It ensures that only one rollback operation is in-flight at any given time within a single seal/unseal phase.
func NewRollbackManager ¶
func NewRollbackManager(ctx context.Context, logger log.Logger, backendsFunc func() []*MountEntry, router *Router, core *Core) *RollbackManager
NewRollbackManager is used to create a new rollback manager
func (*RollbackManager) Rollback ¶
func (m *RollbackManager) Rollback(ctx context.Context, path string) error
Rollback is used to trigger an immediate rollback of the path, or to join an existing rollback operation if one is in flight. The caller should hold core's statelock (write OR read). If a rollback is already in flight, this function simply waits for it to complete.
func (*RollbackManager) Stop ¶
func (m *RollbackManager) Stop()
Stop stops the running manager. This will wait for any in-flight rollbacks to complete.
type Router ¶
type Router struct {
// contains filtered or unexported fields
}
Router is used to do prefix based routing of a request to a logical backend
func (*Router) LoginPath ¶
LoginPath checks if the given path is used for logins. Matching priority:
- prefix
- exact
- wildcard
func (*Router) MatchingAPIPrefixByStoragePath ¶ added in v0.11.2
func (r *Router) MatchingAPIPrefixByStoragePath(ctx context.Context, path string) (*namespace.Namespace, string, string, bool)
MatchingAPIPrefixByStoragePath returns the API path information for the given storage path.
func (*Router) MatchingBackend ¶ added in v0.3.0
MatchingBackend returns the backend used for a path
func (*Router) MatchingMount ¶
MatchingMount returns the mount prefix that would be used for a path
func (*Router) MatchingMountByAPIPath ¶ added in v1.5.0
func (*Router) MatchingMountByAccessor ¶ added in v0.8.0
func (r *Router) MatchingMountByAccessor(mountAccessor string) *MountEntry
MatchingMountByAccessor returns the MountEntry by accessor lookup
func (*Router) MatchingMountByUUID ¶ added in v0.8.0
func (r *Router) MatchingMountByUUID(mountID string) *MountEntry
func (*Router) MatchingMountEntry ¶ added in v0.3.0
func (r *Router) MatchingMountEntry(ctx context.Context, path string) *MountEntry
MatchingMountEntry returns the MountEntry used for a path
func (*Router) MatchingStorageByAPIPath ¶ added in v0.9.0
MatchingStorageByAPIPath and MatchingStorageByStoragePath return the storage used for API paths and storage paths, respectively.
func (*Router) MatchingStorageByStoragePath ¶ added in v0.9.0
func (*Router) MatchingStoragePrefixByAPIPath ¶ added in v0.9.0
MatchingStoragePrefixByAPIPath returns the storage prefix for the given API path.
func (*Router) MatchingSystemView ¶ added in v0.3.0
MatchingSystemView returns the SystemView used for a path
func (*Router) Mount ¶
func (r *Router) Mount(backend logical.Backend, prefix string, mountEntry *MountEntry, storageView *BarrierView) error
Mount is used to expose a logical backend at a given prefix, using a unique salt, and the barrier view for that path.
func (*Router) MountConflict ¶ added in v0.9.0
MountConflict determines if there are potential path conflicts
func (*Router) RouteExistenceCheck ¶ added in v0.5.0
func (r *Router) RouteExistenceCheck(ctx context.Context, req *logical.Request) (*logical.Response, bool, bool, error)
RouteExistenceCheck is used to route a given existence check request
func (*Router) Taint ¶
Taint is used to mark a path as tainted. This means only RollbackOperation and RevokeOperation requests are allowed to proceed.
func (*Router) ValidateMountByAccessor ¶ added in v1.9.0
func (r *Router) ValidateMountByAccessor(accessor string) *ValidateMountResponse
ValidateMountByAccessor returns the mount type and ID for a given mount accessor
type RouterAccess ¶ added in v0.9.0
type RouterAccess struct {
// contains filtered or unexported fields
}
RouterAccess provides access into some things necessary for testing
func NewRouterAccess ¶ added in v0.9.0
func NewRouterAccess(c *Core) *RouterAccess
func (*RouterAccess) StoragePrefixByAPIPath ¶ added in v0.9.0
type RouterTestHandlerFunc ¶ added in v1.1.4
type SSCTokenGenerationCounter ¶ added in v1.10.0
type SSCTokenGenerationCounter struct {
Counter int
}
type Seal ¶ added in v0.6.0
type Seal interface { SetCore(*Core) Init(context.Context) error Finalize(context.Context) error StoredKeysSupported() seal.StoredKeysSupport SealWrapable() bool SetStoredKeys(context.Context, [][]byte) error GetStoredKeys(context.Context) ([][]byte, error) BarrierType() string BarrierConfig(context.Context) (*SealConfig, error) SetBarrierConfig(context.Context, *SealConfig) error SetCachedBarrierConfig(*SealConfig) RecoveryKeySupported() bool RecoveryType() string RecoveryConfig(context.Context) (*SealConfig, error) RecoveryKey(context.Context) ([]byte, error) SetRecoveryConfig(context.Context, *SealConfig) error SetCachedRecoveryConfig(*SealConfig) SetRecoveryKey(context.Context, []byte) error VerifyRecoveryKey(context.Context, []byte) error GetAccess() *seal.Access }
func NewDefaultSeal ¶ added in v0.9.5
func NewTestSeal ¶ added in v0.9.0
func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal
type SealAccess ¶ added in v0.6.0
type SealAccess struct {
// contains filtered or unexported fields
}
SealAccess is a wrapper around Seal that exposes accessor methods through Core.SealAccess() while restricting the ability to modify Core.seal itself.
func NewSealAccess ¶ added in v0.9.0
func NewSealAccess(seal Seal) *SealAccess
func (*SealAccess) BarrierConfig ¶ added in v0.6.0
func (s *SealAccess) BarrierConfig(ctx context.Context) (*SealConfig, error)
func (*SealAccess) BarrierType ¶ added in v0.11.2
func (s *SealAccess) BarrierType() string
func (*SealAccess) ClearCaches ¶ added in v0.9.0
func (s *SealAccess) ClearCaches(ctx context.Context)
func (*SealAccess) GetAccess ¶ added in v1.4.0
func (s *SealAccess) GetAccess() *seal.Access
func (*SealAccess) RecoveryConfig ¶ added in v0.6.0
func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error)
func (*SealAccess) RecoveryKeySupported ¶ added in v0.6.0
func (s *SealAccess) RecoveryKeySupported() bool
func (*SealAccess) StoredKeysSupported ¶ added in v0.6.0
func (s *SealAccess) StoredKeysSupported() seal.StoredKeysSupport
func (*SealAccess) VerifyRecoveryKey ¶ added in v0.9.0
func (s *SealAccess) VerifyRecoveryKey(ctx context.Context, key []byte) error
type SealConfig ¶
type SealConfig struct { // The type, for sanity checking Type string `json:"type" mapstructure:"type"` // the N value of Shamir. SecretShares int `json:"secret_shares" mapstructure:"secret_shares"` // SecretThreshold is the number of parts required to open the vault. This // is the T value of Shamir. SecretThreshold int `json:"secret_threshold" mapstructure:"secret_threshold"` // PGPKeys is the array of public PGP keys used, if requested, to encrypt // the output unseal tokens. If provided, it sets the value of // SecretShares. Ordering is important. PGPKeys []string `json:"pgp_keys" mapstructure:"pgp_keys"` // Nonce is a nonce generated by Vault used to ensure that when unseal keys // are submitted for a rekey operation, the rekey operation itself is the // one intended. This prevents hijacking of the rekey operation, since it // is unauthenticated. Nonce string `json:"nonce" mapstructure:"nonce"` // Backup indicates whether or not a backup of PGP-encrypted unseal keys // should be stored at coreUnsealKeysBackupPath after successful rekeying. Backup bool `json:"backup" mapstructure:"backup"` StoredShares int `json:"stored_shares" mapstructure:"stored_shares"` // Stores the progress of the rekey operation (key shares) RekeyProgress [][]byte `json:"-"` // VerificationRequired indicates that after a rekey validation must be // performed (via providing shares from the new key) before the new key is // actually installed. This is omitted from JSON as we don't persist the // new key, it lives only in memory. VerificationRequired bool `json:"-"` // VerificationKey is the new key that we will roll to after successful // validation VerificationKey []byte `json:"-"` // VerificationNonce stores the current operation nonce for verification VerificationNonce string `json:"-"` // Stores the progress of the verification operation (key shares) VerificationProgress [][]byte `json:"-"` }
SealConfig is used to describe the seal configuration
func (*SealConfig) Clone ¶ added in v0.6.0
func (s *SealConfig) Clone() *SealConfig
func (*SealConfig) Validate ¶
func (s *SealConfig) Validate() error
Validate is used to sanity check the seal configuration.
type SealStatusResponse ¶ added in v1.6.2
type SealStatusResponse struct { Type string `json:"type"` Initialized bool `json:"initialized"` Sealed bool `json:"sealed"` T int `json:"t"` N int `json:"n"` Progress int `json:"progress"` Nonce string `json:"nonce"` Version string `json:"version"` Migration bool `json:"migration"` ClusterName string `json:"cluster_name,omitempty"` ClusterID string `json:"cluster_id,omitempty"` RecoverySeal bool `json:"recovery_seal"` StorageType string `json:"storage_type,omitempty"` }
type SecurityBarrier ¶
// SecurityBarrier wraps an untrusted physical backend behind a single point
// of encryption, decryption and integrity checking. It owns the key
// lifecycle (initialize, unseal/seal, rotate, rekey, term upgrades) and also
// exposes the storage and encryption APIs through embedded interfaces.
type SecurityBarrier interface {
	// Initialized checks if the barrier has been initialized
	// and has a root key set.
	Initialized(ctx context.Context) (bool, error)

	// Initialize works only if the barrier has not been initialized
	// and makes use of the given root key. When sealKey is provided
	// it's because we're using a new-style Shamir seal, and rootKey
	// is to be stored using sealKey to encrypt it.
	Initialize(ctx context.Context, rootKey []byte, sealKey []byte, random io.Reader) error

	// GenerateKey is used to generate a new key from the supplied reader
	// (callers are expected to pass a CSPRNG).
	GenerateKey(io.Reader) ([]byte, error)

	// KeyLength is used to sanity check a key
	KeyLength() (int, int)

	// Sealed checks if the barrier has been unlocked yet. The Barrier
	// is not expected to be able to perform any CRUD until it is unsealed.
	Sealed() (bool, error)

	// Unseal is used to provide the unseal key which permits the barrier
	// to be unsealed. If the key is not correct, the barrier remains sealed.
	Unseal(ctx context.Context, key []byte) error

	// VerifyRoot is used to check if the given key matches the root key
	// NOTE(review): presumably a constant-time comparison — confirm in
	// barrier_aes_gcm.go, since a timing leak here would leak the root key.
	VerifyRoot(key []byte) error

	// SetRootKey is used to directly set a new root key. This is used in
	// replicated scenarios due to the chicken and egg problem of reloading the
	// keyring from disk before we have the root key to decrypt it.
	// NOTE(review): "directly" suggests no verification against the stored
	// keyring, unlike Unseal; callers must only pass an already-trusted key.
	SetRootKey(key []byte) error

	// ReloadKeyring is used to re-read the underlying keyring.
	// This is used for HA deployments to ensure the latest keyring
	// is present in the leader.
	ReloadKeyring(ctx context.Context) error

	// ReloadRootKey is used to re-read the underlying root key.
	// This is used for HA deployments to ensure the latest root key
	// is available for keyring reloading.
	ReloadRootKey(ctx context.Context) error

	// Seal is used to re-seal the barrier. This requires the barrier to
	// be unsealed again to perform any further operations.
	Seal() error

	// Rotate is used to create a new encryption key. All future writes
	// should use the new key, while old values should still be decryptable.
	// Returns the new key term.
	Rotate(ctx context.Context, reader io.Reader) (uint32, error)

	// CreateUpgrade creates an upgrade path key to the given term from the previous term
	CreateUpgrade(ctx context.Context, term uint32) error

	// DestroyUpgrade destroys the upgrade path key to the given term
	DestroyUpgrade(ctx context.Context, term uint32) error

	// CheckUpgrade looks for an upgrade to the current term and installs it
	CheckUpgrade(ctx context.Context) (bool, uint32, error)

	// ActiveKeyInfo is used to inform details about the active key
	ActiveKeyInfo() (*KeyInfo, error)

	// RotationConfig returns the auto-rotation config for the barrier key
	RotationConfig() (KeyRotationConfig, error)

	// SetRotationConfig updates the auto-rotation config for the barrier key
	SetRotationConfig(ctx context.Context, config KeyRotationConfig) error

	// Rekey is used to change the master key used to protect the keyring
	Rekey(context.Context, []byte) error

	// For replication we must send over the keyring, so this must be available
	// NOTE(review): presumably returns the barrier's term keys themselves;
	// whatever it returns must only ever cross the authenticated replication
	// channel — confirm in keyring.go / replication code.
	Keyring() (*Keyring, error)

	// For encryption count shipping, a function which handles updating local encryption counts if the consumer succeeds.
	// This isolates the barrier code from the replication system
	ConsumeEncryptionCount(consumer func(int64) error) error

	// Add encryption counts from a remote source (downstream cluster node)
	AddRemoteEncryptions(encryptions int64)

	// Check whether an automatic rotation is due
	CheckBarrierAutoRotate(ctx context.Context) (string, error)

	// SecurityBarrier must provide the storage APIs
	logical.Storage

	// SecurityBarrier must provide the encryption APIs
	BarrierEncryptor
}
SecurityBarrier is a critical component of Vault. It is used to wrap an untrusted physical backend and provide a single point of encryption, decryption and checksum verification. The goal is to ensure that any data written to the barrier is confidential and that its integrity is preserved. As a real-world analogy, this is the steel and concrete wrapper around a vault. The barrier should only be unlockable given its key.
type SystemBackend ¶
// SystemBackend implements logical.Backend and is used to interact with the
// core of the system. It is hardcoded to exist at the "sys" prefix;
// conceptually it is similar to procfs on Linux.
type SystemBackend struct {
	*framework.Backend
	// Core is the Core this backend operates on.
	Core *Core
	// contains filtered or unexported fields
}
SystemBackend implements logical.Backend and is used to interact with the core of the system. This backend is hardcoded to exist at the "sys" prefix. Conceptually it is similar to procfs on Linux.
func NewSystemBackend ¶
func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend
type TOTPPersister ¶ added in v1.9.0
type TemplateError ¶ added in v0.11.0
// TemplateError carries an underlying error as a distinct type so callers
// can recognise it with errors.As; presumably raised while rendering a
// template (e.g. a templated policy path) — confirm in policy.go.
type TemplateError struct {
	// Err is the underlying error being wrapped.
	Err error
}
func (*TemplateError) Error ¶ added in v0.11.0
func (t *TemplateError) Error() string
func (*TemplateError) WrappedErrors ¶ added in v0.11.0
func (t *TemplateError) WrappedErrors() []error
type TestCluster ¶ added in v0.6.1
// TestCluster is a multi-core Vault cluster for tests. It carries, in plain
// memory, everything needed to drive the cluster from a test: the barrier and
// recovery key shares, the root token, the cluster CA private key and the
// license signing key. None of this is protected; it is test scaffolding and
// must never be reused outside a test process or written to shared logs.
type TestCluster struct {
	// BarrierKeys are the Shamir shares that UnsealCores uses to unseal each core.
	BarrierKeys  [][]byte
	RecoveryKeys [][]byte

	// Cluster CA material; CAKey presumably signs each core's ServerCert — confirm.
	CACert        *x509.Certificate
	CACertBytes   []byte
	CACertPEM     []byte
	CACertPEMFile string
	CAKey         *ecdsa.PrivateKey
	CAKeyPEM      []byte

	Cores []*TestClusterCore
	ID    string

	// RootToken is the initial root token; treat as secret even in test output.
	RootToken string

	RootCAs            *x509.CertPool
	TempDir            string
	ClientAuthRequired bool
	Logger             log.Logger
	CleanupFunc        func()
	SetupFunc          func()

	// License signing keypair; the private key is present so tests can
	// presumably mint licenses (see GenerateTestLicenseKeys) — confirm.
	LicensePublicKey  ed25519.PublicKey
	LicensePrivateKey ed25519.PrivateKey
	// contains filtered or unexported fields
}
func NewTestCluster ¶ added in v0.8.0
func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *TestCluster
NewTestCluster creates a new test cluster based on the provided core config and test cluster options.
N.B. Even though a single base CoreConfig is provided, NewTestCluster will instantiate a core config for each core it creates. If separate seal per core is desired, opts.SealFunc can be provided to generate a seal for each one. Otherwise, the provided base.Seal will be shared among cores. NewCore's default behavior is to generate a new DefaultSeal if the provided Seal in coreConfig (i.e. base.Seal) is nil.
If opts.Logger is provided, it takes precedence and will be used as the cluster logger and will be the basis for each core's logger. If no opts.Logger is given, one will be generated based on t.Name() for the cluster logger, and if no base.Logger is given will also be used as the basis for each core's logger.
func (*TestCluster) AttemptUnsealCore ¶ added in v1.8.0
func (c *TestCluster) AttemptUnsealCore(core *TestClusterCore) error
func (*TestCluster) Cleanup ¶ added in v0.8.0
func (c *TestCluster) Cleanup()
func (*TestCluster) EnsureCoresSealed ¶ added in v0.8.2
func (c *TestCluster) EnsureCoresSealed(t testing.T)
func (*TestCluster) Start ¶ added in v0.8.0
func (c *TestCluster) Start()
func (*TestCluster) StartCore ¶ added in v1.5.0
func (cluster *TestCluster) StartCore(t testing.T, idx int, opts *TestClusterOptions)
Restart a TestClusterCore that was stopped, by replacing the underlying Core.
func (*TestCluster) StopCore ¶ added in v1.5.0
func (cluster *TestCluster) StopCore(t testing.T, idx int)
StopCore performs an orderly shutdown of a core.
func (*TestCluster) UnsealCore ¶ added in v1.2.0
func (c *TestCluster) UnsealCore(t testing.T, core *TestClusterCore)
func (*TestCluster) UnsealCoreWithStoredKeys ¶ added in v1.5.0
func (c *TestCluster) UnsealCoreWithStoredKeys(t testing.T, core *TestClusterCore)
func (*TestCluster) UnsealCores ¶ added in v0.10.0
func (c *TestCluster) UnsealCores(t testing.T)
UnsealCores uses the cluster barrier keys to unseal the test cluster cores
func (*TestCluster) UnsealCoresWithError ¶ added in v0.10.2
func (c *TestCluster) UnsealCoresWithError(useStoredKeys bool) error
type TestClusterCore ¶ added in v0.6.1
// TestClusterCore is one core of a TestCluster together with the test-side
// handles onto it: its HTTP client and server, listeners, the server TLS
// keypair, and — beneath the API — the physical storage layers and the
// SecurityBarrier itself. Those last handles let a test read and write below
// the barrier, which production code must never do; they exist only so tests
// can inspect or deliberately corrupt state.
type TestClusterCore struct {
	*Core
	CoreConfig *CoreConfig
	// Client is an api.Client pointed at this core.
	Client   *api.Client
	Handler  http.Handler
	Address  *net.TCPAddr
	Listeners []*TestListener
	ReloadFuncs     *map[string][]reloadutil.ReloadFunc
	ReloadFuncsLock *sync.RWMutex
	Server          *http.Server

	// Server TLS material; ServerKey is the private key, held in plain memory.
	ServerCert      *x509.Certificate
	ServerCertBytes []byte
	ServerCertPEM   []byte
	ServerKey       *ecdsa.PrivateKey
	ServerKeyPEM    []byte
	TLSConfig       *tls.Config

	// Storage beneath the barrier. UnderlyingRawStorage is presumably the
	// backend before any wrapping (cf. NewSealUnwrapper) — confirm in testing.go.
	UnderlyingStorage    physical.Backend
	UnderlyingRawStorage physical.Backend
	UnderlyingHAStorage  physical.HABackend
	// Barrier gives direct access to the core's SecurityBarrier.
	Barrier SecurityBarrier
	NodeID  string
}
func (*TestClusterCore) Seal ¶ added in v1.0.3
func (c *TestClusterCore) Seal(t testing.T)
type TestClusterOptions ¶ added in v0.8.0
// TestClusterOptions tunes NewTestCluster: how many cores, how they listen,
// which seal, storage and cluster-layer implementations to use, and whether
// the cluster is initialized for you. Options that accept key material
// (CAKey, LicensePrivateKey) are test-only inputs held in plain memory.
type TestClusterOptions struct {
	// KeepStandbysSealed presumably leaves every core but the first sealed
	// after startup — confirm in testing.go.
	KeepStandbysSealed bool
	// SkipInit skips cluster initialization (see RaftAddressProvider).
	SkipInit bool
	// HandlerFunc builds the HTTP handler for each core from its properties.
	HandlerFunc              func(*HandlerProperties) http.Handler
	DefaultHandlerProperties HandlerProperties

	// BaseListenAddress is used to explicitly assign ports in sequence to the
	// listener of each core. It should be a string of the form
	// "127.0.0.1:20000"
	//
	// WARNING: Using an explicitly assigned port above 30000 may clash with
	// ephemeral ports that have been assigned by the OS in other tests. The
	// use of explicitly assigned ports below 30000 is strongly recommended.
	// In addition, you should be careful to use explicitly assigned ports that
	// do not clash with any other explicitly assigned ports in other tests.
	BaseListenAddress string

	// BaseClusterListenPort is used to explicitly assign ports in sequence to
	// the cluster listener of each core. If BaseClusterListenPort is
	// specified, then BaseListenAddress must also be specified. Each cluster
	// listener will use the same host as the one specified in
	// BaseListenAddress.
	//
	// WARNING: the port-range caveats on BaseListenAddress apply here too.
	BaseClusterListenPort int

	NumCores int
	// SealFunc, when provided, generates a separate seal for each core;
	// otherwise base.Seal is shared across cores (see NewTestCluster).
	SealFunc       func() Seal
	UnwrapSealFunc func() Seal
	// Logger, if provided, takes precedence over base.Logger (see NewTestCluster).
	Logger  log.Logger
	TempDir string
	// CACert/CAKey presumably let the caller supply the cluster CA instead of
	// having one generated — confirm.
	CACert []byte
	CAKey  *ecdsa.PrivateKey

	// PhysicalFactory is used to create backends.
	// The int argument is the index of the core within the cluster, i.e. first
	// core in cluster will have 0, second 1, etc.
	// If the backend is shared across the cluster (i.e. is not Raft) then it
	// should return nil when coreIdx != 0.
	PhysicalFactory func(t testing.T, coreIdx int, logger log.Logger, conf map[string]interface{}) *PhysicalBackendBundle

	// FirstCoreNumber is used to assign a unique number to each core within
	// a multi-cluster setup.
	FirstCoreNumber int
	// RequireClientAuth presumably makes each core's TLS listener demand a
	// client certificate (cf. TestCluster.ClientAuthRequired) — confirm.
	RequireClientAuth bool

	// SetupFunc is called after the cluster is started.
	SetupFunc func(t testing.T, c *TestCluster)

	// PR1103Disabled is undocumented upstream; leave unset unless a test needs it.
	PR1103Disabled bool

	// ClusterLayers are used to override the default cluster connection layer
	ClusterLayers cluster.NetworkLayerSet
	// InmemClusterLayers is a shorthand way of asking for ClusterLayers to be
	// built using the inmem implementation.
	InmemClusterLayers bool

	// RaftAddressProvider is used to set the raft ServerAddressProvider on
	// each core.
	//
	// If SkipInit is true, then RaftAddressProvider has no effect.
	// RaftAddressProvider should only be specified if the underlying physical
	// storage is Raft.
	RaftAddressProvider raftlib.ServerAddressProvider

	CoreMetricSinkProvider func(clusterName string) (*metricsutil.ClusterMetricSink, *metricsutil.MetricsHelper)
	// PhysicalFactoryConfig is presumably passed through as the conf argument
	// of PhysicalFactory — confirm.
	PhysicalFactoryConfig map[string]interface{}

	LicensePublicKey  ed25519.PublicKey
	LicensePrivateKey ed25519.PrivateKey
}
type TestLogger ¶ added in v1.5.0
// TestLogger is a log.Logger for tests that also writes to a file on disk,
// so output survives the test process (see NewTestLogger / StopLogging).
type TestLogger struct {
	log.Logger
	// Path is presumably the path of File — confirm in testing.go.
	Path string
	// File is the open log file backing this logger.
	File *os.File
	// contains filtered or unexported fields
}
func NewTestLogger ¶ added in v1.5.0
func NewTestLogger(t testing.T) *TestLogger
func (*TestLogger) StopLogging ¶ added in v1.6.0
func (tl *TestLogger) StopLogging()
type TokenCounter ¶ added in v1.3.0
// TokenCounter counts the number of tokens.
type TokenCounter struct {
	// Total is the total number of tokens
	Total int `json:"total"`
}
TokenCounter counts the number of tokens
type TokenStore ¶
TokenStore is used to manage client tokens. Tokens are used by clients to authenticate, and each token is mapped to an applicable set of policies which is used for authorization.
func NewTokenStore ¶
func NewTokenStore(ctx context.Context, logger log.Logger, core *Core, config *logical.BackendConfig) (*TokenStore, error)
NewTokenStore is used to construct a token store that is backed by the given barrier view.
func (*TokenStore) CalculateSignedTokenHMAC ¶ added in v1.10.0
func (ts *TokenStore) CalculateSignedTokenHMAC(marshalledToken []byte) ([]byte, error)
func (*TokenStore) GenerateSSCTokenID ¶ added in v1.10.0
func (ts *TokenStore) GenerateSSCTokenID(innerToken string, walState *logical.WALState, te *logical.TokenEntry) string
GenerateSSCTokenID generates the ID field of the TokenEntry struct for newly minted service tokens. This function is meant to be robust so as to allow Vault to continue operating even in the case where IDs can't be generated. Thus it logs errors rather than returning them; callers cannot detect a failure from the return value alone.
func (*TokenStore) GetSSCTokensGenerationCounter ¶ added in v1.10.0
func (ts *TokenStore) GetSSCTokensGenerationCounter() int
func (*TokenStore) Invalidate ¶ added in v0.8.0
func (ts *TokenStore) Invalidate(ctx context.Context, key string)
func (*TokenStore) Lookup ¶
func (ts *TokenStore) Lookup(ctx context.Context, id string) (*logical.TokenEntry, error)
Lookup is used to find a token given its ID. It acquires a read lock, then calls lookupInternal.
func (*TokenStore) SaltID ¶
SaltID applies a salt and a hash to an ID so that the stored form cannot be reversed to recover the original token ID.
func (*TokenStore) SetExpirationManager ¶
func (ts *TokenStore) SetExpirationManager(exp *ExpirationManager)
SetExpirationManager is used to provide the token store with an expiration manager. This is used to manage prefix based revocation of tokens and to tidy entries when removed from the token store.
func (*TokenStore) UpdateSSCTokensGenerationCounter ¶ added in v1.10.0
func (ts *TokenStore) UpdateSSCTokensGenerationCounter(ctx context.Context) error
func (*TokenStore) UseToken ¶
func (ts *TokenStore) UseToken(ctx context.Context, te *logical.TokenEntry) (*logical.TokenEntry, error)
UseToken is used to manage restricted-use tokens and decrement their available uses. It returns two values: the potentially updated entry (or nil if the token has been revoked) and an error, if one was encountered. The locking here isn't perfect, as other parts of the code may update an entry, but usually none do after the entry is already created...so this is pretty good.
func (*TokenStore) UseTokenByID ¶ added in v0.6.2
func (ts *TokenStore) UseTokenByID(ctx context.Context, id string) (*logical.TokenEntry, error)
type TokenStorer ¶ added in v1.9.0
type UIConfig ¶ added in v0.10.0
// UIConfig contains UI configuration. It is stored both in plaintext (physical
// view) and encrypted (barrier view) so header values can be read before the
// barrier is unsealed; nothing stored through it may be treated as secret.
type UIConfig struct {
	// contains filtered or unexported fields
}
UIConfig contains UI configuration. It takes both a physical view and a barrier view because the configuration is stored twice — in plaintext on the physical backend and encrypted behind the barrier — so that the header values can be read before the barrier is unsealed. Anything stored here is therefore readable from raw storage without the barrier key and must not be treated as secret.
func NewUIConfig ¶ added in v0.10.0
func NewUIConfig(enabled bool, physicalStorage physical.Backend, barrierStorage logical.Storage) *UIConfig
NewUIConfig creates a new UI config
func (*UIConfig) DeleteHeader ¶ added in v0.10.0
DeleteHeader deletes the header configuration for the given header
func (*UIConfig) GetHeader ¶ added in v0.10.0
GetHeader retrieves the configured values for the given header
func (*UIConfig) HeaderKeys ¶ added in v0.10.0
HeaderKeys returns the list of the configured headers
type UnimplementedRequestForwardingServer ¶ added in v1.2.0
// UnimplementedRequestForwardingServer must be embedded to have forward
// compatible implementations: its methods satisfy RequestForwardingServer
// and new RPCs added to the service get a default rather than a compile error.
type UnimplementedRequestForwardingServer struct {
}
UnimplementedRequestForwardingServer must be embedded to have forward compatible implementations.
func (UnimplementedRequestForwardingServer) Echo ¶ added in v1.2.0
func (UnimplementedRequestForwardingServer) Echo(context.Context, *EchoRequest) (*EchoReply, error)
func (UnimplementedRequestForwardingServer) ForwardRequest ¶ added in v1.2.0
func (UnimplementedRequestForwardingServer) ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error)
func (UnimplementedRequestForwardingServer) PerformanceStandbyElectionRequest ¶ added in v1.2.0
func (UnimplementedRequestForwardingServer) PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, RequestForwarding_PerformanceStandbyElectionRequestServer) error
type UnsafeRequestForwardingServer ¶ added in v1.9.0
// UnsafeRequestForwardingServer may be embedded to opt out of forward
// compatibility for this service. Use of this interface is not recommended,
// as methods added to RequestForwardingServer will result in compilation errors.
type UnsafeRequestForwardingServer interface {
	// contains filtered or unexported methods
}
UnsafeRequestForwardingServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to RequestForwardingServer will result in compilation errors.
type UnsealStrategy ¶ added in v0.11.2
// UnsealStrategy abstracts how a core is unsealed; its methods are unexported,
// so implementations live inside this package.
type UnsealStrategy interface {
	// contains filtered or unexported methods
}
type ValidateMountResponse ¶ added in v1.9.0
// ValidateMountResponse describes a mount that passed validation: its type,
// accessor, path and whether it is local to this cluster. The struct carries
// json, structs and mapstructure tags so it round-trips through the logical
// response map unchanged.
type ValidateMountResponse struct {
	MountType     string `json:"mount_type" structs:"mount_type" mapstructure:"mount_type"`
	MountAccessor string `json:"mount_accessor" structs:"mount_accessor" mapstructure:"mount_accessor"`
	MountPath     string `json:"mount_path" structs:"mount_path" mapstructure:"mount_path"`
	// MountLocal presumably reports a local (non-replicated) mount — confirm.
	MountLocal bool `json:"mount_local" structs:"mount_local" mapstructure:"mount_local"`
}
type VaultVersion ¶ added in v1.9.0
Source Files ¶
- acl.go
- acl_util.go
- activity_log.go
- activity_log_testing_util.go
- activity_log_util.go
- audit.go
- audit_broker.go
- audited_headers.go
- auth.go
- barrier.go
- barrier_access.go
- barrier_aes_gcm.go
- barrier_view.go
- barrier_view_util.go
- capabilities.go
- cluster.go
- core.go
- core_metrics.go
- core_util.go
- core_util_common.go
- cors.go
- counters.go
- custom_response_headers.go
- dynamic_system_view.go
- expiration.go
- expiration_testing_util_common.go
- expiration_util.go
- generate_root.go
- generate_root_recovery.go
- ha.go
- identity_lookup.go
- identity_store.go
- identity_store_aliases.go
- identity_store_entities.go
- identity_store_group_aliases.go
- identity_store_groups.go
- identity_store_oidc.go
- identity_store_oidc_provider.go
- identity_store_oidc_provider_util.go
- identity_store_oidc_util.go
- identity_store_oss.go
- identity_store_schema.go
- identity_store_structs.go
- identity_store_upgrade.go
- identity_store_util.go
- init.go
- keyring.go
- lock.go
- logical_cubbyhole.go
- logical_passthrough.go
- logical_raw.go
- logical_system.go
- logical_system_activity.go
- logical_system_helpers.go
- logical_system_paths.go
- logical_system_pprof.go
- logical_system_quotas.go
- logical_system_raft.go
- logical_system_util.go
- login_mfa.go
- managed_key_registry.go
- mfa_auth_resp_priority_queue.go
- mount.go
- mount_util.go
- namespaces.go
- namespaces_oss.go
- password_policy_util.go
- plugin_catalog.go
- plugin_reload.go
- policy.go
- policy_store.go
- policy_store_util.go
- policy_util.go
- raft.go
- rekey.go
- request_forwarding.go
- request_forwarding_rpc.go
- request_forwarding_rpc_util.go
- request_forwarding_service.pb.go
- request_forwarding_service_grpc.pb.go
- request_handling.go
- request_handling_util.go
- rollback.go
- router.go
- router_access.go
- router_testing.go
- seal.go
- seal_access.go
- seal_autoseal.go
- seal_testing.go
- seal_testing_util.go
- sealunwrapper.go
- testing.go
- testing_util.go
- token_store.go
- token_store_util.go
- token_store_util_common.go
- ui.go
- util.go
- vault_version_time.go
- version_store.go
- wrapping.go
- wrapping_util.go